Malware Analysis Report

2025-01-22 19:45

Sample ID 240601-m9qsjabf67
Target 2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike
SHA256 1c9dc5c9e0599ee12ddb7980edbc543501f37b6d7bc8a80a97337fdbe9ac2965
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1c9dc5c9e0599ee12ddb7980edbc543501f37b6d7bc8a80a97337fdbe9ac2965

Threat Level: Known bad

The file 2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobalt Strike reflective loader

Xmrig family

xmrig

Cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Cobaltstrike family

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 11:10

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 11:10

Reported

2024-06-01 11:12

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no indicator details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no indicator details recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no indicator details recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no indicator details recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no indicator details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FVLchfs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RIYArul.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XmheTyK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LChICbg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Oypyrub.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zxXppEx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\otZYKAW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\igpBVPj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JoxfHYX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IvgshXj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HUGsjGz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nnsHtob.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nIwjFPk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mgFuxQh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dWuBpej.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BjyLQxu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JcUZrNY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mTZGICu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oUZuuot.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ClUQyLV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\taxWioa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1060 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\ClUQyLV.exe
PID 1060 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\ClUQyLV.exe
PID 1060 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\nIwjFPk.exe
PID 1060 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\nIwjFPk.exe
PID 1060 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\LChICbg.exe
PID 1060 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\LChICbg.exe
PID 1060 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\igpBVPj.exe
PID 1060 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\igpBVPj.exe
PID 1060 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\JoxfHYX.exe
PID 1060 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\JoxfHYX.exe
PID 1060 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\taxWioa.exe
PID 1060 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\taxWioa.exe
PID 1060 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\zxXppEx.exe
PID 1060 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\zxXppEx.exe
PID 1060 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\dWuBpej.exe
PID 1060 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\dWuBpej.exe
PID 1060 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\BjyLQxu.exe
PID 1060 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\BjyLQxu.exe
PID 1060 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\Oypyrub.exe
PID 1060 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\Oypyrub.exe
PID 1060 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\mgFuxQh.exe
PID 1060 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\mgFuxQh.exe
PID 1060 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\JcUZrNY.exe
PID 1060 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\JcUZrNY.exe
PID 1060 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\otZYKAW.exe
PID 1060 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\otZYKAW.exe
PID 1060 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\FVLchfs.exe
PID 1060 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\FVLchfs.exe
PID 1060 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\RIYArul.exe
PID 1060 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\RIYArul.exe
PID 1060 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\mTZGICu.exe
PID 1060 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\mTZGICu.exe
PID 1060 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\oUZuuot.exe
PID 1060 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\oUZuuot.exe
PID 1060 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmheTyK.exe
PID 1060 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmheTyK.exe
PID 1060 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\IvgshXj.exe
PID 1060 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\IvgshXj.exe
PID 1060 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\HUGsjGz.exe
PID 1060 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\HUGsjGz.exe
PID 1060 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\nnsHtob.exe
PID 1060 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\nnsHtob.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ClUQyLV.exe

C:\Windows\System\ClUQyLV.exe

C:\Windows\System\nIwjFPk.exe

C:\Windows\System\nIwjFPk.exe

C:\Windows\System\LChICbg.exe

C:\Windows\System\LChICbg.exe

C:\Windows\System\igpBVPj.exe

C:\Windows\System\igpBVPj.exe

C:\Windows\System\JoxfHYX.exe

C:\Windows\System\JoxfHYX.exe

C:\Windows\System\taxWioa.exe

C:\Windows\System\taxWioa.exe

C:\Windows\System\zxXppEx.exe

C:\Windows\System\zxXppEx.exe

C:\Windows\System\dWuBpej.exe

C:\Windows\System\dWuBpej.exe

C:\Windows\System\BjyLQxu.exe

C:\Windows\System\BjyLQxu.exe

C:\Windows\System\Oypyrub.exe

C:\Windows\System\Oypyrub.exe

C:\Windows\System\mgFuxQh.exe

C:\Windows\System\mgFuxQh.exe

C:\Windows\System\JcUZrNY.exe

C:\Windows\System\JcUZrNY.exe

C:\Windows\System\otZYKAW.exe

C:\Windows\System\otZYKAW.exe

C:\Windows\System\FVLchfs.exe

C:\Windows\System\FVLchfs.exe

C:\Windows\System\RIYArul.exe

C:\Windows\System\RIYArul.exe

C:\Windows\System\mTZGICu.exe

C:\Windows\System\mTZGICu.exe

C:\Windows\System\oUZuuot.exe

C:\Windows\System\oUZuuot.exe

C:\Windows\System\XmheTyK.exe

C:\Windows\System\XmheTyK.exe

C:\Windows\System\IvgshXj.exe

C:\Windows\System\IvgshXj.exe

C:\Windows\System\HUGsjGz.exe

C:\Windows\System\HUGsjGz.exe

C:\Windows\System\nnsHtob.exe

C:\Windows\System\nnsHtob.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 udp

Files

memory/1060-0-0x00007FF7208C0000-0x00007FF720C14000-memory.dmp

memory/1060-1-0x0000016EABD80000-0x0000016EABD90000-memory.dmp

C:\Windows\System\ClUQyLV.exe

MD5 720efed83f7250bd39b9a9438952c1c3
SHA1 a2d8c03a60ec0d71fe41dff6e8c8500c92438293
SHA256 4007f31ca08129c7dcd663fe7044e4852638b84614b86d3f1a625fac409c9144
SHA512 eba68e2e1967d30719a70dcb6fe4a2ef68c5607649e12947c896baf1076e1a2a7455b09287142b6d4c77e8c49f03d0a7ad7691a0c7e32ed0c2d35ee72a7da623

memory/4056-8-0x00007FF742C60000-0x00007FF742FB4000-memory.dmp

C:\Windows\System\LChICbg.exe

MD5 cf50e281e240fb32a0fd01268baaff1e
SHA1 3246e614147956ce34f5347654fd87ca8539985e
SHA256 576e164e314bafaaf10ae9adbfe19c4bc06379bd78440dc8408d58ce29a70bc8
SHA512 33634a5fd4c5891b1f1a8a8d30ac64332042191948ead6816d005fcb9d33176ed4abbef759d26e3e7f53cd74437d1e2b1e818e1c000bceb06a00af6b28a9d55f

C:\Windows\System\nIwjFPk.exe

MD5 6128719134a2cbf55be639e8adb1bc54
SHA1 15c4096e40e2330405206f4f095c07c7d34759a1
SHA256 371fa14192f361bea47e406fb3b547c8173d803b11c9f6353eed3cfbf05e2a85
SHA512 21798c8d7bd1cb5b696dc921e45c05c806689b77251f6ed7ccdcbbad247d8a5396c17b1b0a1b50f7b6186b2e4d9f2614a962b22d3914dd4f77110e7680bdcc4b

C:\Windows\System\igpBVPj.exe

MD5 1a919f49abe5b579ecb03b655dcf2c92
SHA1 324de2503d26883f5105913b4bb76f89ed4e1005
SHA256 21250c9d91fc02774a16f85f806f770b3c59081211edd318e7f8f4f26f7a8276
SHA512 81ba2b2b1b5d84120ead638b1210d1a7cf50cd4206486f1b98e7c32e11d92391556b61b17c1b5d1a72696c8e09b11af51048859bc97c7ed4bc559b2b48a82df5

C:\Windows\System\JoxfHYX.exe

MD5 168771d618abcf4c5a042d9bb5641bad
SHA1 261c5e06850adb3464a80bca23e74e7a652c96c3
SHA256 2509b7674c3d1abbd5d8ea9e376a7a8eaae5c2c526f17a92cb57217d5577ac74
SHA512 c3d8b0704ed1b70c3a964a710bdcd7212bfe4f91fb4e3d290539b3678596ce7914acf40509f99583b32ed7c4bd40b48b712b0a7a71ccd5393d49fc003824af97

memory/2620-29-0x00007FF73F590000-0x00007FF73F8E4000-memory.dmp

memory/2816-30-0x00007FF656B70000-0x00007FF656EC4000-memory.dmp

memory/3604-20-0x00007FF6AB260000-0x00007FF6AB5B4000-memory.dmp

memory/3504-14-0x00007FF623FA0000-0x00007FF6242F4000-memory.dmp

C:\Windows\System\taxWioa.exe

MD5 3367e7dc53cecd41b1ad7e4a46f8b1e4
SHA1 dd811ecea307fe1ee809557e70000bf65ab05c40
SHA256 91b4574d8bab8dda1294139dfb298de062e5a2dda39094c180aad9c5a44de08d
SHA512 deed06030a05f51945103692560fe4731aae1fb25843cee7d18e14227a763070703b496015cb4d9345fa5046df2e0909afec73850e9b35395b3db9d397699325

memory/2004-38-0x00007FF725920000-0x00007FF725C74000-memory.dmp

C:\Windows\System\zxXppEx.exe

MD5 5f1b11c62a6274cf20f745daefd8f2d0
SHA1 15e96b5e75cc54e27f91b2d775a6487b8ac8bbca
SHA256 4a956f7c3fbfc7959b45ca09a6e10b67a84c5265654e8316f0e3af3cc9299986
SHA512 df78d75a628544b18fb7acd3b5ca8ea73a5057c45b5b9a52618d8d59f7d8a5fa5163baf19561838b125372ac2f74545315c8df93a60c828e022116c9f0fbbe09

C:\Windows\System\dWuBpej.exe

MD5 1d5e7d8345fe0a6c501aca4e28b84952
SHA1 4f1cfb0bd415caaf4b72b1792ec585f3c333eff8
SHA256 81ae9fbf6e42c03d052dce3b2480ec0c00d913ac23380b5d6d014bd81125a23a
SHA512 5787f0a099ba1a892dac123225b2ef5b3fbeae30189164329c11fc046c14c784cdc45cceeb6ca8fd59020fcff5262a517ead32b7cd4896679814ffff5a3995d7

memory/4980-43-0x00007FF7CEE70000-0x00007FF7CF1C4000-memory.dmp

memory/1748-50-0x00007FF6A9DB0000-0x00007FF6AA104000-memory.dmp

C:\Windows\System\BjyLQxu.exe

MD5 b68961278f58c2e6ae545c9f65e29444
SHA1 5b9e5d2d252dbce03e9d9e6a34553b379d1be052
SHA256 d5b94f4364c1dd93858ad51f5c7593eb0929f9839d8c49cdc850ae24c067111e
SHA512 2778953151c77c343a5780aead9a229b739894dead6013bf52691b93713d7daae61aadeb730ab5053c606986b0ad9dd757dc1e6da68a7a8fe23504527b31c56e

memory/3388-56-0x00007FF7538E0000-0x00007FF753C34000-memory.dmp

C:\Windows\System\Oypyrub.exe

MD5 eebbc4a3862ebf9ff174e0bf2cec34b6
SHA1 8bdde4ac2dbe0ab540d0368425e5692219782994
SHA256 4f385677d571377e65488dac25eae6da6d4099d398ae04e2fdc5331c714a8f9f
SHA512 0d1057ec7dabd7789c5d4842f6d368eb67915582dc6aba36e521599f83c6f89e56a8fd63b3eb78ef6493b0f350661257bb9e2350e6f0031d7a3458d4780f2757

C:\Windows\System\mgFuxQh.exe

MD5 898fd6bc130e59b87343e3dacaaf9c6d
SHA1 99164e623fbe6af0bbda6dfaa92dbb926e9b5d1b
SHA256 6ceda3d14b582fe8fbf375c1d1c04771f44a123a6e782e54d02a972dce716153
SHA512 e9a1b3489accfbde00ba2c86e30568bf409ff47b75f3efe06927feb2b8686ec76eec6b7a2206b587cdff9bb85472731d220bb409bb0ccf454483d474e2c10e49

memory/1060-66-0x00007FF7208C0000-0x00007FF720C14000-memory.dmp

C:\Windows\System\JcUZrNY.exe

MD5 93b5f916ee4cc428998e01f8c6375070
SHA1 7ba7889d44a297279952e4eaf9cdb9fbc690ba23
SHA256 c4eabedd31b53e951420f3ba4009fc2601d1fa3aa006a09d2e9664194c8ad325
SHA512 3853ab66ee30979b02018529b276c546ed5968c0b167493b026f07ab07ebb0cf0d614519e6ae636bd900d75d8d767d9c15662f9f7de44c52dd5a118805ef6d1a

memory/2212-73-0x00007FF6BEDC0000-0x00007FF6BF114000-memory.dmp

memory/1400-67-0x00007FF663BC0000-0x00007FF663F14000-memory.dmp

memory/4604-62-0x00007FF613CE0000-0x00007FF614034000-memory.dmp

C:\Windows\System\otZYKAW.exe

MD5 6d1573839ba65e5647fcc8b98b424ffe
SHA1 0c939cb8a31e905b3a569ae65c464a9d15315335
SHA256 a925aa7de234cc586e6c5138cabc4eb1fead9891e7e7e3c6bedafb591278f02b
SHA512 48859041ca465a46dd253f4c749818b065d4a68c39b64cdbee38dac692513a858db4e658b6c92f9b5c7d7bb711876fbd7e12a09f47599857d45ff333a0e359e6

C:\Windows\System\FVLchfs.exe

MD5 f00ff2c0e0111e3cd2e322b8954f0fc1
SHA1 3b8519aed036603f7bcd4b1e8ace9ff5001e97c0
SHA256 7e5a9febeb3aa6c5e84191d98d3d613d2ed79b1a0bb24c439e4c98d5b567b90f
SHA512 a311dc89ccb0af958f358293f99ce8ecd277de8b54a6274a7ca8c18249045591c1659655c99410dd8b33364c8eb8df57375f168ccb713533c15f7fd74458e0cc

memory/4340-83-0x00007FF7A5E20000-0x00007FF7A6174000-memory.dmp

memory/4728-87-0x00007FF790DD0000-0x00007FF791124000-memory.dmp

C:\Windows\System\RIYArul.exe

MD5 64aab9e81f9af4338c2be277cfcdfa22
SHA1 4f75bea3e6f8e322e71d2a1a9449f3626f778c58
SHA256 3b12970f858cd0e7359a6bc5d2f2cc884f4b7d23b2fd3d15a9408e24ba7ef84e
SHA512 0c73cd58c6b236b3aa678b0bf7b95fd1678c4db9d278c444f82678977714484d89e7c0ed9622070c7a15ab3d3949651f4625ed5a84d6d60d797e79078749de68

memory/4456-97-0x00007FF6D1AB0000-0x00007FF6D1E04000-memory.dmp

memory/2004-98-0x00007FF725920000-0x00007FF725C74000-memory.dmp

C:\Windows\System\mTZGICu.exe

MD5 8fad9628694958105527ccea1a071946
SHA1 cd367a0d2b9f722c7df8831bd01c0e6eff642a1f
SHA256 4fd7b1621f6f4616c52162ae2b1a0ca6a8aee4d975676f4ffc93d624d36d7526
SHA512 56f07ad52c7fcd65c6c9fb1a14e27852e23a56bb50c9c1bea8877ba5395dec1c03b5df25f91552967c4264f82cf39cd1446066cc5fae9e158c17375d1abb8344

memory/3784-99-0x00007FF6EDAC0000-0x00007FF6EDE14000-memory.dmp

memory/2816-93-0x00007FF656B70000-0x00007FF656EC4000-memory.dmp

C:\Windows\System\oUZuuot.exe

MD5 310266ad939a995b53058f74abbfaa6d
SHA1 52825dc1bf87b41180acac3f5263da9b24747ca1
SHA256 f404d4c402a85380203d8fe7212013373ff84ac60a2e4127132ceade642f98c0
SHA512 fdf1b6fc440c5af7a46ffab646987b2d5045c66999cfea09399a69acef204ea025b89c89221829b939c2fbc30e47807b924feccfdfb343f8f6a6ddec5176a5fa

C:\Windows\System\XmheTyK.exe

MD5 808157beef9c9a61d969f4d1fb92887e
SHA1 e8994b2f892437fa4512f63f4cbb14f90bd3b2fd
SHA256 1d41515ba7f3c6a4a6bcfbe41fd513336e9a7914122cbafba9c4a7daf8066db7
SHA512 5c11fef2b6b2d81e5005d0610114126832dabe817132d2e5c0b61e6e68bce58c2eb54be64617d780e453267446f96c1184c920f338a7d8cd4099e54fe5ad5a98

C:\Windows\System\IvgshXj.exe

MD5 4146ef7e7e83fc48dcc3c0af4083942a
SHA1 83f87f25b20c60d0f6925cbee87b2517bb1bed4c
SHA256 e082aae594a1205e8c43936904f04b5f3fa57750fca561d3479618589bb8bcc3
SHA512 ea75af17d9b2edffb65a0a8204298aee658b3fabe4b84ff4112d93ebd6c6e2806e54e95bfdd7155ce34010d0876b32f8141a8f47cd0c51a1463f1666affc1874

memory/880-108-0x00007FF76EC10000-0x00007FF76EF64000-memory.dmp

memory/4980-107-0x00007FF7CEE70000-0x00007FF7CF1C4000-memory.dmp

memory/2240-119-0x00007FF6EAB80000-0x00007FF6EAED4000-memory.dmp

memory/2956-125-0x00007FF64EF40000-0x00007FF64F294000-memory.dmp

C:\Windows\System\nnsHtob.exe

MD5 5edd1c39b9d81ca671fbb2c0431e26c9
SHA1 4eec64884efa801857c55cc7c57116f799d6ccf3
SHA256 db61fdd96ddbb17b193b26985b82dc9da041f319e106fb62e8200e106ca43c86
SHA512 7237490e53f0e782683c18bc68990d2d7d3e0580578081a941bc2ed8b0cf1c96dcecd01357360d367a2d7d43dbf458d43c1d8bd3a71482b918e4233b73d93a84

C:\Windows\System\HUGsjGz.exe

MD5 d7efd64af4c2ea5244fb65380e288b7d
SHA1 0e422682d358e9a17e7eb3abd0279e6b0e26b3a9
SHA256 59ef90ffc641f8571aec5bebdfc0f8a92f03ff7017f2719fd78ddfe2174548fe
SHA512 27b193a41c596713219b9a3634515022da362ccced22332dd91e3777d6535c0c5cc0efe5896cb26ed0fabf000de9319d288c0a399e889f14829c8e6389641412

memory/1748-118-0x00007FF6A9DB0000-0x00007FF6AA104000-memory.dmp

memory/3452-131-0x00007FF6FB1A0000-0x00007FF6FB4F4000-memory.dmp

memory/1924-132-0x00007FF670BE0000-0x00007FF670F34000-memory.dmp

memory/4604-133-0x00007FF613CE0000-0x00007FF614034000-memory.dmp

memory/1400-134-0x00007FF663BC0000-0x00007FF663F14000-memory.dmp

memory/2212-135-0x00007FF6BEDC0000-0x00007FF6BF114000-memory.dmp

memory/3784-136-0x00007FF6EDAC0000-0x00007FF6EDE14000-memory.dmp

memory/880-137-0x00007FF76EC10000-0x00007FF76EF64000-memory.dmp

memory/4056-138-0x00007FF742C60000-0x00007FF742FB4000-memory.dmp

memory/3504-139-0x00007FF623FA0000-0x00007FF6242F4000-memory.dmp

memory/3604-140-0x00007FF6AB260000-0x00007FF6AB5B4000-memory.dmp

memory/2620-141-0x00007FF73F590000-0x00007FF73F8E4000-memory.dmp

memory/2816-142-0x00007FF656B70000-0x00007FF656EC4000-memory.dmp

memory/2004-143-0x00007FF725920000-0x00007FF725C74000-memory.dmp

memory/4980-144-0x00007FF7CEE70000-0x00007FF7CF1C4000-memory.dmp

memory/1748-145-0x00007FF6A9DB0000-0x00007FF6AA104000-memory.dmp

memory/3388-146-0x00007FF7538E0000-0x00007FF753C34000-memory.dmp

memory/4604-147-0x00007FF613CE0000-0x00007FF614034000-memory.dmp

memory/1400-148-0x00007FF663BC0000-0x00007FF663F14000-memory.dmp

memory/2212-149-0x00007FF6BEDC0000-0x00007FF6BF114000-memory.dmp

memory/4340-150-0x00007FF7A5E20000-0x00007FF7A6174000-memory.dmp

memory/4728-151-0x00007FF790DD0000-0x00007FF791124000-memory.dmp

memory/4456-152-0x00007FF6D1AB0000-0x00007FF6D1E04000-memory.dmp

memory/3784-153-0x00007FF6EDAC0000-0x00007FF6EDE14000-memory.dmp

memory/2240-154-0x00007FF6EAB80000-0x00007FF6EAED4000-memory.dmp

memory/2956-155-0x00007FF64EF40000-0x00007FF64F294000-memory.dmp

memory/880-156-0x00007FF76EC10000-0x00007FF76EF64000-memory.dmp

memory/1924-157-0x00007FF670BE0000-0x00007FF670F34000-memory.dmp

memory/3452-158-0x00007FF6FB1A0000-0x00007FF6FB4F4000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 11:10

Reported

2024-06-01 11:12

Platform

win7-20240220-en

Max time kernel

139s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no indicator details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no indicator details recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no indicator details recorded)

XMRig Miner payload

miner
Description Indicator Process Target
64 matches, none with a recorded description, indicator, process or target

Loads dropped DLL

Description Indicator Process Target
21 events, each recorded against process C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe; no description, indicator or target recorded

UPX packed file

upx
Description Indicator Process Target
64 matches, none with a recorded description, indicator, process or target

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\WEoWYCE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IrqjHyZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tuInTmj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZXuScya.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DTyawPo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aZGGAyD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IslTkDc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JCQPXwP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hiQHnKH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QgBxnJV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vzFKPmx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FUmlYKZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zhAeAzA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FVwDRmN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IgTMqqd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vscKwWm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IiUZhmG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wlfxmoE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nBpkeNQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UrMebXX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uVYFfqA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe N/A

On Windows, SeLockMemoryPrivilege is the privilege a process needs to allocate large pages (VirtualAlloc with MEM_LARGE_PAGES). XMRig requests it at start-up to back its RandomX dataset with huge pages, so these two requests are consistent with the XMRig signatures above; a process that enables this privilege without a legitimate large-page workload (database engines, some JVMs) is worth a closer look.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 1748 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\FVwDRmN.exe
PID 2184 wrote to memory of 2288 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\IrqjHyZ.exe
PID 2184 wrote to memory of 2524 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\tuInTmj.exe
PID 2184 wrote to memory of 2560 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\IgTMqqd.exe
PID 2184 wrote to memory of 2656 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZXuScya.exe
PID 2184 wrote to memory of 2700 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\vscKwWm.exe
PID 2184 wrote to memory of 1620 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\IiUZhmG.exe
PID 2184 wrote to memory of 2692 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\wlfxmoE.exe
PID 2184 wrote to memory of 2568 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\DTyawPo.exe
PID 2184 wrote to memory of 2604 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\aZGGAyD.exe
PID 2184 wrote to memory of 2380 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\IslTkDc.exe
PID 2184 wrote to memory of 2520 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\JCQPXwP.exe
PID 2184 wrote to memory of 2824 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\nBpkeNQ.exe
PID 2184 wrote to memory of 1992 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\hiQHnKH.exe
PID 2184 wrote to memory of 2720 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\QgBxnJV.exe
PID 2184 wrote to memory of 1032 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\vzFKPmx.exe
PID 2184 wrote to memory of 1640 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\FUmlYKZ.exe
PID 2184 wrote to memory of 2768 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\UrMebXX.exe
PID 2184 wrote to memory of 2152 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\uVYFfqA.exe
PID 2184 wrote to memory of 1520 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\WEoWYCE.exe
PID 2184 wrote to memory of 2736 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe C:\Windows\System\zhAeAzA.exe

Three writes from the parent into each child it has just created is the pattern CreateProcess itself leaves (the parent pushes the new process's startup parameters into its address space before resuming it). This table therefore records the sample spawning its 21 dropped executables; on its own it is not evidence of injection into an unrelated process.

Processes

PID Image Command line (PIDs taken from the WriteProcessMemory table above)
2184 C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe"
1748 C:\Windows\System\FVwDRmN.exe C:\Windows\System\FVwDRmN.exe
2288 C:\Windows\System\IrqjHyZ.exe C:\Windows\System\IrqjHyZ.exe
2524 C:\Windows\System\tuInTmj.exe C:\Windows\System\tuInTmj.exe
2560 C:\Windows\System\IgTMqqd.exe C:\Windows\System\IgTMqqd.exe
2656 C:\Windows\System\ZXuScya.exe C:\Windows\System\ZXuScya.exe
2700 C:\Windows\System\vscKwWm.exe C:\Windows\System\vscKwWm.exe
1620 C:\Windows\System\IiUZhmG.exe C:\Windows\System\IiUZhmG.exe
2692 C:\Windows\System\wlfxmoE.exe C:\Windows\System\wlfxmoE.exe
2568 C:\Windows\System\DTyawPo.exe C:\Windows\System\DTyawPo.exe
2604 C:\Windows\System\aZGGAyD.exe C:\Windows\System\aZGGAyD.exe
2380 C:\Windows\System\IslTkDc.exe C:\Windows\System\IslTkDc.exe
2520 C:\Windows\System\JCQPXwP.exe C:\Windows\System\JCQPXwP.exe
2824 C:\Windows\System\nBpkeNQ.exe C:\Windows\System\nBpkeNQ.exe
1992 C:\Windows\System\hiQHnKH.exe C:\Windows\System\hiQHnKH.exe
2720 C:\Windows\System\QgBxnJV.exe C:\Windows\System\QgBxnJV.exe
1032 C:\Windows\System\vzFKPmx.exe C:\Windows\System\vzFKPmx.exe
1640 C:\Windows\System\FUmlYKZ.exe C:\Windows\System\FUmlYKZ.exe
2768 C:\Windows\System\UrMebXX.exe C:\Windows\System\UrMebXX.exe
2152 C:\Windows\System\uVYFfqA.exe C:\Windows\System\uVYFfqA.exe
1520 C:\Windows\System\WEoWYCE.exe C:\Windows\System\WEoWYCE.exe
2736 C:\Windows\System\zhAeAzA.exe C:\Windows\System\zhAeAzA.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp

Six identical connections to this destination; the Domain column is empty for all of them, so no hostname was observed for the address.

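The behaviours this analysis records for PID 2184 (dropping and spawning 21 executables from C:\Windows\System\, requesting SeLockMemoryPrivilege, and repeated TCP connections to a bare IP on port 8080) can be combined into one host-side correlation rule. The script below is an added example, not part of the sandbox report: the event records are constructed to mirror the tables above plus one benign control process, and the event schema, the seven-letter mixed-case name heuristic and the child-count threshold are this example's own assumptions, not any EDR's format.

```python
r"""Correlate the behaviours this report records for PID 2184 into one rule.

Added example; not part of the sandbox report and not any EDR's schema.
The events are constructed to mirror the report: the sample in %TEMP%
drops and spawns 21 executables under C:\Windows\System\, asks for
SeLockMemoryPrivilege and connects repeatedly to 3.120.209.58:8080 with
no domain, plus one benign process as a control. Thresholds are assumptions.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44"
          r"_cobalt-strike_cobaltstrike.exe")
WINDOWS_SYSTEM = "c:\\windows\\system\\"   # legacy dir; new EXEs here are abnormal (assumption)
# Seven letters, mixed case: the shape of every name in the "Drops file" table (heuristic).
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{7}\.exe$")

# Child PID -> dropped image, taken from the WriteProcessMemory table above.
CHILDREN = {
    1748: "FVwDRmN", 2288: "IrqjHyZ", 2524: "tuInTmj", 2560: "IgTMqqd", 2656: "ZXuScya",
    2700: "vscKwWm", 1620: "IiUZhmG", 2692: "wlfxmoE", 2568: "DTyawPo", 2604: "aZGGAyD",
    2380: "IslTkDc", 2520: "JCQPXwP", 2824: "nBpkeNQ", 1992: "hiQHnKH", 2720: "QgBxnJV",
    1032: "vzFKPmx", 1640: "FUmlYKZ", 2768: "UrMebXX", 2152: "uVYFfqA", 1520: "WEoWYCE",
    2736: "zhAeAzA",
}


def build_events():
    """Constructed event stream (not captured telemetry)."""
    ev = [{"type": "process", "pid": 2184, "ppid": 1000, "image": SAMPLE}]
    for pid, name in CHILDREN.items():
        path = "C:\\Windows\\System\\" + name + ".exe"
        ev.append({"type": "file", "pid": 2184, "path": path})
        ev.append({"type": "process", "pid": pid, "ppid": 2184, "image": path})
    ev.append({"type": "privilege", "pid": 2184, "name": "SeLockMemoryPrivilege"})
    for _ in range(6):   # six connections, no domain, as in the Network table
        ev.append({"type": "network", "pid": 2184, "dst": "3.120.209.58", "port": 8080, "domain": None})
    # Benign control: an updater that spawns one helper and talks to a resolved hostname.
    ev.append({"type": "process", "pid": 3000, "ppid": 1000, "image": r"C:\Program Files\App\updater.exe"})
    ev.append({"type": "process", "pid": 3001, "ppid": 3000, "image": r"C:\Program Files\App\helper.exe"})
    ev.append({"type": "network", "pid": 3000, "dst": "203.0.113.10", "port": 443, "domain": "updates.example.com"})
    return ev


def analyse(events, min_children=5):
    """Return {pid: set of behaviour tags} for every process that tripped a rule."""
    tags = defaultdict(set)
    spawned = defaultdict(list)
    for e in events:
        pid = e["pid"]
        if e["type"] == "file":
            name = e["path"].rsplit("\\", 1)[-1]
            if e["path"].lower().startswith(WINDOWS_SYSTEM) and RANDOM_NAME.match(name):
                tags[pid].add("drops_random_exe_in_windows_system")
        elif e["type"] == "process":
            spawned[e["ppid"]].append(e["image"])
        elif e["type"] == "privilege" and e["name"] == "SeLockMemoryPrivilege":
            tags[pid].add("requests_SeLockMemoryPrivilege")   # large pages, what XMRig asks for
        elif e["type"] == "network" and e["domain"] is None:
            tags[pid].add("connects_to_bare_ip")
    for ppid, images in spawned.items():
        if sum(i.lower().startswith(WINDOWS_SYSTEM) for i in images) >= min_children:
            tags[ppid].add("spawns_many_children_from_windows_system")
    return dict(tags)


def verdict(tags):
    """Two or more independent behaviours on one process: alert; one: review."""
    return {pid: ("alert" if len(t) >= 2 else "review") for pid, t in tags.items()}


if __name__ == "__main__":
    found = analyse(build_events())
    for pid, v in verdict(found).items():
        print(pid, v, sorted(found[pid]))
```

Each rule alone is noisy (a database engine legitimately asks for SeLockMemoryPrivilege; an installer legitimately writes into C:\Windows), which is why the verdict requires at least two of them on the same process. The directory check carries most of the weight for the file rule: C:\Windows\System is a legacy directory, and the name heuristic exists only to keep the occasional legitimate file there from tripping it.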
Files

memory/2184-0-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2184-1-0x0000000000300000-0x0000000000310000-memory.dmp

\Windows\system\FVwDRmN.exe

MD5 17908edd7aa61f3da5b66b8b35eed218
SHA1 71e23ac4099ead0b53c4cc6bc9c3cb65ab2e4dfe
SHA256 0d4ed4260b9fcf217d9786814f34160d96606d2aab1c18f5e44442f1fabbb29b
SHA512 f069825b71feb10be31194cc1665d7382c14a36ab9bdc015fb0cec573d4aaee0c4d7cc11058b962b684dbbfbcbd93b1ca227269fdb08c62d98582c8289714e28

memory/1748-8-0x000000013FE40000-0x0000000140194000-memory.dmp

\Windows\system\IrqjHyZ.exe

MD5 f4b1cc89e12d9ba9cdce3d6b1bc79f11
SHA1 56f18421fed0fb74e72dd724dda446459fe72b07
SHA256 7627494312b39a5c92c9fa5c287afeabc78f0319c6d0c3d6208b2618e5db5f6a
SHA512 4c0b6be6dd98f7bb677e9088a214fc37b7be2dd568fc196a9228c1e91d3f9c4c25c76296fcaccc73cb982a86d99813c61a6d6ef7e0f83c927bb92398ac4f4cb2

memory/2288-15-0x000000013F900000-0x000000013FC54000-memory.dmp

memory/2184-13-0x000000013F900000-0x000000013FC54000-memory.dmp

C:\Windows\system\tuInTmj.exe

MD5 706972b4396cd7df39ac41404dde88b9
SHA1 9e58ce3fea5a314d0420f8b76c80a41f19dad17e
SHA256 165eed39e384f14efb1a238e8699ea8a7b7121049f14096767a28fa084b182a9
SHA512 b75c2b1aca2c2b84ed815a02ef56244d7427fefe3194a841be5051b306a8b686f9a2e8f4fa97bb19acde59239531f615e0a25c082ab653ffff0b13f27194fbae

memory/2524-22-0x000000013F990000-0x000000013FCE4000-memory.dmp

C:\Windows\system\IgTMqqd.exe

MD5 395d0b76c523ffe2b41ffcb124b811a4
SHA1 7b772fa2bc5b2d2a4034f3f8a464747e835762ab
SHA256 4dda2787a7ea276803c98cbe918bef3e2e6c93aeef4a8ce4e7c146fe6e9fdf8d
SHA512 542cedf36723c59c48ea9ecdfe4b1f79decc13a7f1742d2c84fbfcb4b104466de778d577a11426eb20e00c2182c737a168e39c98a93da417a9cdb3fff4e57a82

memory/2560-29-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2184-27-0x000000013FC80000-0x000000013FFD4000-memory.dmp

C:\Windows\system\ZXuScya.exe

MD5 3bbfc5c6f1f9a0e1d420c81720c94c28
SHA1 63fbdaf37672a96518f7ec9404425df4d6c4fb53
SHA256 2c1300be186261b6daa837540ff2215b740ee4389bc95429503b9f84c7303bfa
SHA512 6207825ae7ef45f7c78bd9534dcb18a18817df4fd9502ccf2a17ed8caaa7dc029a11e169fbcfdc614844505a0c3703a352619027020b05368afafe0e2d6f0e7b

C:\Windows\system\vscKwWm.exe

MD5 47409d8cd2675f45a758da86dd01983d
SHA1 e34648b6f0aa33e35eaf4dd03d41449373b1d409
SHA256 d19f66a345979af95ad1b8db6de128baaeaa6010e47865e702790469e31460fa
SHA512 5f00e1060a46c0d52bb20b12b2a33a367b76e8c7d69de352bff9ba6d29fd30cb0baba7c5724716b3cafdb76bc91003ec998fcdb287d7e8cd9b52944d81e87d60

memory/2700-41-0x000000013F600000-0x000000013F954000-memory.dmp

C:\Windows\system\wlfxmoE.exe

MD5 8aa091567ae249fb9f300c5da1d713f8
SHA1 67082b4d2fe2d308161dc4209a3478e8b0069900
SHA256 b098b3a93bf0631af6632bc328e776cb76e63425c14d54497104217e90ac5fc2
SHA512 5281e53ff886a6b9def662c15478dc8bb9b30511f12e1aa7d00e161433b5d67463e8b7dc865d6fb6901634f1c343887fc61764e927520963c2822732a789c522

memory/2184-51-0x0000000002320000-0x0000000002674000-memory.dmp

C:\Windows\system\IiUZhmG.exe

MD5 08609b3d21568158df9b12311349d7d9
SHA1 1a91ced16dce2aac0ccf5dbaf05343e9f856f1e7
SHA256 73dd33cfe8bf77fae951febe00ae8c3a66e9669b6994f4d6e1b766d7d38c1be2
SHA512 4d28fc29ab9fd54758adc1ca895c63aad1166ce721f9ffcf98bbcfc442a0838b67e86066bc827b3742c8a3bc2f97aa35a30adbef958796185ed53994cf9607e1

memory/2568-60-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2604-67-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/2184-66-0x0000000002320000-0x0000000002674000-memory.dmp

memory/2184-79-0x000000013F990000-0x000000013FCE4000-memory.dmp

memory/2520-82-0x000000013F370000-0x000000013F6C4000-memory.dmp

C:\Windows\system\QgBxnJV.exe

MD5 fcb0a413900185af9fd3d9511486a9ad
SHA1 98df0984d1c25f931cf34bd145ebebf15545eaa6
SHA256 d8d0677b2a3d4798b02d1c8863258644a48597baccdf787594e8e8c80db4777d
SHA512 b3612222656812428b4aabafaf04cfe0490aaf7faf06ee9e8a00869fcfefc796f2e25005150626c17339c98d48f25784eea98578c2079d93424a255f11657b1d

C:\Windows\system\uVYFfqA.exe

MD5 cf6b47aac1fb9d004533073531162e56
SHA1 f2a1eb1db56980a86617f60225e052ce60081a2e
SHA256 62ca4a8b19f359919d91614bb65b90ce172340023a7b591d66ca7bec272639bc
SHA512 0adc00c9ff121836b575b7f8bfc8d8d44acd9d563e98679893856f844d418f9806fcdca80ac82c000271af38a39653422885780d8ec235d19d4a450ea08b12a4

\Windows\system\zhAeAzA.exe

MD5 162bf524b7ef34b80f3fade429731816
SHA1 bd4950358633bea37db6b52a1b2bbeb5346da036
SHA256 e5db2d32870a2c7d6c83481435a6848c56010acba37c38ee258cc23cea52534e
SHA512 214a5445290a48f24a9b89c3d3b1543a92e9025954a5ab850f3dc0976804d9d3d4fd8cf9582c0931bf832c64c2e54d1b8d50e977efb5dd905c5b10a34911a233

C:\Windows\system\WEoWYCE.exe

MD5 ae12af31477dbed28a78fb449bc0067a
SHA1 32e5c0c9ce3ab25da1b86607c83a19f0ecb0a6aa
SHA256 c5d645b1f1b7f6192264924ff9f9eb04fa21067711ba5353a8b9818e1c211b04
SHA512 b98178876829afff38502dacd948239e644888c550573a602da8f0224855338f27fdfeaa77e1e7b944b1171ec0d18ab03589982c259044b2d5c6fdda5fd62b77

C:\Windows\system\UrMebXX.exe

MD5 b5780bb55f382ddf3741a92a7b8632be
SHA1 a98d75c8fadd73835f7bf5aadca2b47de1166dc7
SHA256 b068d62adec4f7eacc26f835e85b19c8003c084d99b9f220319a9c6f9eefff78
SHA512 a6f6d289c2209cdae238e44feeaf6f60d00d5bdbce04899ea0233385b1e5156694e8ab71dc9fee4243e271b86dd47781063772bd85f98e865b48541b75eb3811

C:\Windows\system\FUmlYKZ.exe

MD5 a252056a0289d5da6d582250261060e9
SHA1 13afb3408f398d3fef0d5ae04131f40c3f9cefbe
SHA256 e6b367e3125443cf08f6c71b50e6b6a9f762689da8130a407191ced126ec9271
SHA512 ad4e7ce7f44ef0e03158fe3b79c69048e965e8066b47e5048268833489dfc654188a273ed53b93979a39a8afe45bedf8415a8775260fff614c39567ed8dcfc76

C:\Windows\system\vzFKPmx.exe

MD5 f4821c6053e33071aac4794abec78b82
SHA1 23321f4c95b6a6db5214b8bfe91c3c7476f182cc
SHA256 e0284d523cf9e82953910426a2024e09c285d6a76106e490bce5862504c6d79e
SHA512 9101b1028d02bafa4fa6910853a97cc2924555a615a4827e85aaa0677544429bec045d95e5efce616074943c6aac52b867d6381d807955d4787a4071e9417539

memory/2184-102-0x000000013F960000-0x000000013FCB4000-memory.dmp

memory/2700-101-0x000000013F600000-0x000000013F954000-memory.dmp

memory/1992-96-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2184-95-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2656-94-0x000000013F1D0000-0x000000013F524000-memory.dmp

C:\Windows\system\hiQHnKH.exe

MD5 47ecd874d00737a868f75ea527b5f86d
SHA1 ba0d86b436accebfaa72aeb4a64b2e077307c578
SHA256 7cb79755f761e2dbeb7f14f489790f7fa190a432d4afe1885cbb7104ca17b897
SHA512 cd830db480b6968e803864d0bb108ea48a5a0a5ee77a726d5574e0ad5422ef9caa8594bd0dc383c221d1d5acb945a06fcb89b9f5dc7cca7e22dcea4971b2c133

memory/2824-89-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/2184-88-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/2560-87-0x000000013FC80000-0x000000013FFD4000-memory.dmp

C:\Windows\system\nBpkeNQ.exe

MD5 e17e8e369059dad2a42fa71f6d74bba1
SHA1 15d76629504eaf280cf789bde09d7e0f04499edd
SHA256 f31c1f9fe0d9c1064b1f5237c7a9c984401a7e5d275aa3688eaecf606011363b
SHA512 fcc2e90f1c6c2ef92e681ed33da18ecabf9305158e9ff53e86953363fbe32de10ac7da52023a9a9aceee13844b1a21ac02f736a05c7b4ec8218ea33b4ad1b012

memory/2184-81-0x0000000002320000-0x0000000002674000-memory.dmp

memory/2380-80-0x000000013F270000-0x000000013F5C4000-memory.dmp

C:\Windows\system\IslTkDc.exe

MD5 1d6b5adc96cbbf0fe85f0eaf4fad96d8
SHA1 92204fd944eeff9c98dfe662d59dbdcfa6171b14
SHA256 e2f0b8224fdd0236deed9f9df520badf6cd7bf7d00909a7dfb13106680f9f683
SHA512 ea9ea609b69bcd9ec7c4f66e3120f07ca66359575a8760d0cd44cee36f105819c508805ae48e7120ed7b9ac1b55b9310ea649c5f39c4da784e54620fefcc2308

memory/2184-73-0x0000000002320000-0x0000000002674000-memory.dmp

memory/2288-72-0x000000013F900000-0x000000013FC54000-memory.dmp

memory/2184-71-0x000000013F900000-0x000000013FC54000-memory.dmp

C:\Windows\system\JCQPXwP.exe

MD5 4a83d652fd50415df404d1318aff153e
SHA1 f8f5456146ec69cf7b50a9646f5a34e0b67cb37b
SHA256 b635328b25d2a80b905dddc07e04f6a79e762a5c77871d5229eceef420eb3e5c
SHA512 d41185bd30d27c643369c7963f2fd3ced531a9f5b720a2322e13ff61b23e97f2f735019443af8b29e24bb85fdcd31f4800132b6ca3bb904fa0c42ca3f642db5d

memory/1748-65-0x000000013FE40000-0x0000000140194000-memory.dmp

C:\Windows\system\aZGGAyD.exe

MD5 74ca1fe3a683186c414bc6de0a5b4de3
SHA1 805180c52eba10376101994e91bfd4d578bb5cd0
SHA256 56189773d62276000fd4bf4390d1e89d1f620d2bd5f63fcdce2c5bc2ea94429a
SHA512 3e8c120051dc247455b0622d1fadf33fd46dd7aca4f83110611fbc290c6a562e9641d858e7e3219b3682ae443d2bd8e2fe8e89a27c1992bf2a54fdf9a049a894

C:\Windows\system\DTyawPo.exe

MD5 a3e33f972e04708c047db6e963d759d6
SHA1 23031a9439c4f761ac5f09037591efc8d745b57a
SHA256 719464d2fe8f817a570b006c233f92c78e4a94d350efdbf92d5da98642dac4a1
SHA512 1d470cf5ca174d94c2a5d3a86f77f1ae2b2c3f4679a244f7fcb8adc4712386681525ea261e750049916990fe27b9338ad1a404e80e29b42efa864a24efe7f0ab

memory/2184-56-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2692-52-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/1620-50-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/2184-40-0x0000000002320000-0x0000000002674000-memory.dmp

memory/2656-35-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2184-34-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2184-21-0x000000013F990000-0x000000013FCE4000-memory.dmp

memory/1620-126-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/2692-127-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2568-143-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2184-144-0x0000000002320000-0x0000000002674000-memory.dmp

memory/2604-145-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/2380-146-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2520-147-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/2184-148-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/2824-149-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/2184-150-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/1992-151-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2184-152-0x000000013F960000-0x000000013FCB4000-memory.dmp

memory/1748-153-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/2288-154-0x000000013F900000-0x000000013FC54000-memory.dmp

memory/2524-155-0x000000013F990000-0x000000013FCE4000-memory.dmp

memory/2560-156-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2700-157-0x000000013F600000-0x000000013F954000-memory.dmp

memory/1620-158-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/1992-162-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2692-164-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2824-163-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/2520-161-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/2604-160-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/2656-159-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2568-165-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2380-166-0x000000013F270000-0x000000013F5C4000-memory.dmp
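The Files section above mixes dropped-file hashes with memory-dump names whose start and end addresses give the size of each dumped region. The script below is an added example, not part of the sandbox output: it parses a verbatim excerpt of that section (embedded inline so it runs offline) into a SHA256 indicator list and a histogram of region sizes, checking digest lengths so a truncated copy-paste cannot leak into a blocklist. Its one assumption is that paths the report writes without a drive letter (\Windows\system\...) are on C:, as the "Drops file in Windows directory" table shows.

```python
r"""Extract indicators from the 'Files' section of this report.

Added example; it is not part of the sandbox output. REPORT_EXCERPT is a
verbatim subset of the Files section above, embedded so the script runs
offline. Two line shapes are parsed, both exactly as they appear on the page:
a path line followed by 'MD5|SHA1|SHA256|SHA512 <hex>' lines, and
'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp'. The one assumption is that
paths written without a drive letter (\Windows\system\...) live on C:.
"""
import re
from collections import Counter

REPORT_EXCERPT = r"""
memory/2184-0-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2184-1-0x0000000000300000-0x0000000000310000-memory.dmp

\Windows\system\FVwDRmN.exe

MD5 17908edd7aa61f3da5b66b8b35eed218
SHA1 71e23ac4099ead0b53c4cc6bc9c3cb65ab2e4dfe
SHA256 0d4ed4260b9fcf217d9786814f34160d96606d2aab1c18f5e44442f1fabbb29b
SHA512 f069825b71feb10be31194cc1665d7382c14a36ab9bdc015fb0cec573d4aaee0c4d7cc11058b962b684dbbfbcbd93b1ca227269fdb08c62d98582c8289714e28

memory/1748-8-0x000000013FE40000-0x0000000140194000-memory.dmp

C:\Windows\system\tuInTmj.exe

MD5 706972b4396cd7df39ac41404dde88b9
SHA1 9e58ce3fea5a314d0420f8b76c80a41f19dad17e
SHA256 165eed39e384f14efb1a238e8699ea8a7b7121049f14096767a28fa084b182a9
SHA512 b75c2b1aca2c2b84ed815a02ef56244d7427fefe3194a841be5051b306a8b686f9a2e8f4fa97bb19acde59239531f615e0a25c082ab653ffff0b13f27194fbae

memory/2524-22-0x000000013F990000-0x000000013FCE4000-memory.dmp

memory/2184-51-0x0000000002320000-0x0000000002674000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\.+\.exe$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (dumps, files): dumps as dicts with pid/index/start/end/size,
    files as {path: {algo: hex}}. Digest lengths are checked so a truncated
    copy-paste is caught instead of silently shipped as an IOC."""
    dumps, files, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DUMP_RE.match(line):
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": int(m[1]), "index": int(m[2]),
                          "start": start, "end": end, "size": end - start})
            current = None
        elif (m := HASH_RE.match(line)) and current is not None:
            algo, digest = m[1], m[2]
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} for {current} has {len(digest)} hex digits")
            files[current][algo] = digest
        elif PATH_RE.match(line):
            # Assumption: drive C: for paths the report writes without one.
            current = line if re.match(r"^[A-Za-z]:", line) else "C:" + line
            files.setdefault(current, {})
    return dumps, files


def sha256_iocs(files):
    """Sorted SHA256 list, ready for a blocklist or a retro-hunt."""
    return sorted(h["SHA256"] for h in files.values() if "SHA256" in h)


def region_size_histogram(dumps):
    """How many dumped regions share each size. Identical sizes across many
    PIDs mean an image of the same size is mapped in each child."""
    return Counter(d["size"] for d in dumps)


if __name__ == "__main__":
    dumps, files = parse_files_section(REPORT_EXCERPT)
    for h in sha256_iocs(files):
        print(h)
    for size, n in region_size_histogram(dumps).most_common():
        print(f"0x{size:X}: {n} region(s)")
```

Run over the full section rather than the excerpt, every child's main region (for example memory/1748-8, memory/2288-15, memory/1620-50) comes out at 0x354000 bytes, exactly the size of the parent's own image at memory/2184-0 and of the parent's heap region at 0x2320000 (memory/2184-51). The 21 dropped files all carry different hashes, so they are not byte-identical, but they are images of the same size as the sample that wrote them.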