Malware Analysis Report

2024-10-24 18:16

Sample ID 240606-2al3madh86
Target 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike
SHA256 bb7e98681e0fa5c70515989a29b492392c48c83e0cb41e505eccc6e71408d4b4
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

bb7e98681e0fa5c70515989a29b492392c48c83e0cb41e505eccc6e71408d4b4

Threat Level: Known bad

The file 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

Cobaltstrike

Xmrig family

Cobaltstrike family

XMRig Miner payload

xmrig

Cobalt Strike reflective loader

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 22:25

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 22:22

Reported

2024-06-06 22:28

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\fjzPiXT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bRuPPpf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iscjGGR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dlBLvsy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bvFXWpt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IsWCUGA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sQPsBQz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tgDTONA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZmpHGwy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hRgCHIi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ropVOqb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dplpwIn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LdJjERU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZYktjwb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iDDcGHa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xCIkquB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RqyeXLY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\diBDrhz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AtGKlQa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tUVSrsK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\phYEEAb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4476 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZmpHGwy.exe
PID 4476 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZmpHGwy.exe
PID 4476 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\tUVSrsK.exe
PID 4476 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\tUVSrsK.exe
PID 4476 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\hRgCHIi.exe
PID 4476 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\hRgCHIi.exe
PID 4476 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\dlBLvsy.exe
PID 4476 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\dlBLvsy.exe
PID 4476 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\phYEEAb.exe
PID 4476 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\phYEEAb.exe
PID 4476 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\RqyeXLY.exe
PID 4476 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\RqyeXLY.exe
PID 4476 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRuPPpf.exe
PID 4476 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRuPPpf.exe
PID 4476 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\diBDrhz.exe
PID 4476 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\diBDrhz.exe
PID 4476 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\iscjGGR.exe
PID 4476 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\iscjGGR.exe
PID 4476 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\bvFXWpt.exe
PID 4476 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\bvFXWpt.exe
PID 4476 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\IsWCUGA.exe
PID 4476 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\IsWCUGA.exe
PID 4476 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\iDDcGHa.exe
PID 4476 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\iDDcGHa.exe
PID 4476 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\xCIkquB.exe
PID 4476 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\xCIkquB.exe
PID 4476 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ropVOqb.exe
PID 4476 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ropVOqb.exe
PID 4476 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\dplpwIn.exe
PID 4476 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\dplpwIn.exe
PID 4476 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\sQPsBQz.exe
PID 4476 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\sQPsBQz.exe
PID 4476 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\LdJjERU.exe
PID 4476 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\LdJjERU.exe
PID 4476 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\AtGKlQa.exe
PID 4476 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\AtGKlQa.exe
PID 4476 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\tgDTONA.exe
PID 4476 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\tgDTONA.exe
PID 4476 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\fjzPiXT.exe
PID 4476 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\fjzPiXT.exe
PID 4476 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZYktjwb.exe
PID 4476 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZYktjwb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ZmpHGwy.exe

C:\Windows\System\ZmpHGwy.exe

C:\Windows\System\tUVSrsK.exe

C:\Windows\System\tUVSrsK.exe

C:\Windows\System\hRgCHIi.exe

C:\Windows\System\hRgCHIi.exe

C:\Windows\System\dlBLvsy.exe

C:\Windows\System\dlBLvsy.exe

C:\Windows\System\phYEEAb.exe

C:\Windows\System\phYEEAb.exe

C:\Windows\System\RqyeXLY.exe

C:\Windows\System\RqyeXLY.exe

C:\Windows\System\bRuPPpf.exe

C:\Windows\System\bRuPPpf.exe

C:\Windows\System\diBDrhz.exe

C:\Windows\System\diBDrhz.exe

C:\Windows\System\iscjGGR.exe

C:\Windows\System\iscjGGR.exe

C:\Windows\System\bvFXWpt.exe

C:\Windows\System\bvFXWpt.exe

C:\Windows\System\IsWCUGA.exe

C:\Windows\System\IsWCUGA.exe

C:\Windows\System\iDDcGHa.exe

C:\Windows\System\iDDcGHa.exe

C:\Windows\System\xCIkquB.exe

C:\Windows\System\xCIkquB.exe

C:\Windows\System\ropVOqb.exe

C:\Windows\System\ropVOqb.exe

C:\Windows\System\dplpwIn.exe

C:\Windows\System\dplpwIn.exe

C:\Windows\System\sQPsBQz.exe

C:\Windows\System\sQPsBQz.exe

C:\Windows\System\LdJjERU.exe

C:\Windows\System\LdJjERU.exe

C:\Windows\System\AtGKlQa.exe

C:\Windows\System\AtGKlQa.exe

C:\Windows\System\tgDTONA.exe

C:\Windows\System\tgDTONA.exe

C:\Windows\System\fjzPiXT.exe

C:\Windows\System\fjzPiXT.exe

C:\Windows\System\ZYktjwb.exe

C:\Windows\System\ZYktjwb.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 52.111.229.48:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 195.201.50.20.in-addr.arpa udp

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 22:22

Reported

2024-06-06 22:28

Platform

win7-20240508-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (60 identical rows; the report records no per-row details)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; the report records no per-row details)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\hRgCHIi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dlBLvsy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RqyeXLY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iscjGGR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bvFXWpt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xCIkquB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tUVSrsK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AtGKlQa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tgDTONA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fjzPiXT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\diBDrhz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bRuPPpf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZYktjwb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZmpHGwy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IsWCUGA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iDDcGHa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ropVOqb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dplpwIn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sQPsBQz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LdJjERU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\phYEEAb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZmpHGwy.exe
PID 2176 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZmpHGwy.exe
PID 2176 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZmpHGwy.exe
PID 2176 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\tUVSrsK.exe
PID 2176 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\tUVSrsK.exe
PID 2176 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\tUVSrsK.exe
PID 2176 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\hRgCHIi.exe
PID 2176 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\hRgCHIi.exe
PID 2176 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\hRgCHIi.exe
PID 2176 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\dlBLvsy.exe
PID 2176 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\dlBLvsy.exe
PID 2176 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\dlBLvsy.exe
PID 2176 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\phYEEAb.exe
PID 2176 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\phYEEAb.exe
PID 2176 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\phYEEAb.exe
PID 2176 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\RqyeXLY.exe
PID 2176 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\RqyeXLY.exe
PID 2176 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\RqyeXLY.exe
PID 2176 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRuPPpf.exe
PID 2176 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRuPPpf.exe
PID 2176 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRuPPpf.exe
PID 2176 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\diBDrhz.exe
PID 2176 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\diBDrhz.exe
PID 2176 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\diBDrhz.exe
PID 2176 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\iscjGGR.exe
PID 2176 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\iscjGGR.exe
PID 2176 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\iscjGGR.exe
PID 2176 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\bvFXWpt.exe
PID 2176 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\bvFXWpt.exe
PID 2176 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\bvFXWpt.exe
PID 2176 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\IsWCUGA.exe
PID 2176 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\IsWCUGA.exe
PID 2176 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\IsWCUGA.exe
PID 2176 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\iDDcGHa.exe
PID 2176 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\iDDcGHa.exe
PID 2176 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\iDDcGHa.exe
PID 2176 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\xCIkquB.exe
PID 2176 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\xCIkquB.exe
PID 2176 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\xCIkquB.exe
PID 2176 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ropVOqb.exe
PID 2176 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ropVOqb.exe
PID 2176 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ropVOqb.exe
PID 2176 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\dplpwIn.exe
PID 2176 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\dplpwIn.exe
PID 2176 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\dplpwIn.exe
PID 2176 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\sQPsBQz.exe
PID 2176 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\sQPsBQz.exe
PID 2176 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\sQPsBQz.exe
PID 2176 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\LdJjERU.exe
PID 2176 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\LdJjERU.exe
PID 2176 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\LdJjERU.exe
PID 2176 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\AtGKlQa.exe
PID 2176 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\AtGKlQa.exe
PID 2176 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\AtGKlQa.exe
PID 2176 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\tgDTONA.exe
PID 2176 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\tgDTONA.exe
PID 2176 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\tgDTONA.exe
PID 2176 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\fjzPiXT.exe
PID 2176 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\fjzPiXT.exe
PID 2176 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\fjzPiXT.exe
PID 2176 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZYktjwb.exe
PID 2176 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZYktjwb.exe
PID 2176 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZYktjwb.exe
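
The three tables above (AdjustPrivilegeToken, Drops file in Windows directory, WriteProcessMemory) are the ones an analyst pivots on. Every WriteProcessMemory row names PID 2176 as the writer, the 21 distinct targets are exactly the 21 executables the sample created under C:\Windows\System, and each child is written three times, which is consistent with ordinary process creation on the monitored platform rather than a separate injection step; confirming either reading needs the memory dumps, not the row count. SeLockMemoryPrivilege is the privilege a process needs for MEM_LARGE_PAGES allocations, and XMRig enables it for its huge-pages mode, so seeing it next to the xmrig tag is a useful miner tell. C:\Windows\System is the legacy 16-bit directory and normally gets no new executables, so drops there are worth flagging on their own.

The script below is an added example written for this page, not code from the sandbox or from the sample. It parses rows in the report's own space-separated row format (the constructed input is a subset of rows copied from the tables above), rebuilds the parent-to-child map with write counts, checks that every injection target is a file the sample itself dropped, and flags legacy-directory drops and the large-page privilege. The regexes, the LEGACY_SYSTEM_DIR constant and the triage() function are this example's own assumptions, not part of the report.

```python
import re
from collections import defaultdict
from typing import Iterable

# Row formats as they appear in the sandbox report's signature tables
# ("Description Indicator Process Target", space separated, paths without spaces).
# These patterns are an assumption of this example, not a documented report format.
TOKEN_RE = re.compile(r"^Token: (\S+) N/A (\S+) N/A$")
DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Legacy 16-bit directory; new executables here are an anomaly worth flagging.
LEGACY_SYSTEM_DIR = "c:\\windows\\system\\"

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe"

# Constructed input: a subset of rows copied verbatim from the behavioral1 tables.
SAMPLE_ROWS = [
    f"Token: SeLockMemoryPrivilege N/A {SAMPLE_EXE} N/A",
    f"Token: SeLockMemoryPrivilege N/A {SAMPLE_EXE} N/A",
    rf"File created C:\Windows\System\hRgCHIi.exe {SAMPLE_EXE} N/A",
    rf"File created C:\Windows\System\dlBLvsy.exe {SAMPLE_EXE} N/A",
    rf"File created C:\Windows\System\tUVSrsK.exe {SAMPLE_EXE} N/A",
    rf"File created C:\Windows\System\ZmpHGwy.exe {SAMPLE_EXE} N/A",
    rf"PID 2176 wrote to memory of 1780 N/A {SAMPLE_EXE} C:\Windows\System\ZmpHGwy.exe",
    rf"PID 2176 wrote to memory of 1780 N/A {SAMPLE_EXE} C:\Windows\System\ZmpHGwy.exe",
    rf"PID 2176 wrote to memory of 1780 N/A {SAMPLE_EXE} C:\Windows\System\ZmpHGwy.exe",
    rf"PID 2176 wrote to memory of 1704 N/A {SAMPLE_EXE} C:\Windows\System\tUVSrsK.exe",
    rf"PID 2176 wrote to memory of 1704 N/A {SAMPLE_EXE} C:\Windows\System\tUVSrsK.exe",
    rf"PID 2176 wrote to memory of 1704 N/A {SAMPLE_EXE} C:\Windows\System\tUVSrsK.exe",
    rf"PID 2176 wrote to memory of 2648 N/A {SAMPLE_EXE} C:\Windows\System\hRgCHIi.exe",
    rf"PID 2176 wrote to memory of 2648 N/A {SAMPLE_EXE} C:\Windows\System\hRgCHIi.exe",
    rf"PID 2176 wrote to memory of 2648 N/A {SAMPLE_EXE} C:\Windows\System\hRgCHIi.exe",
]


def triage(rows: Iterable[str]) -> dict:
    """Fold signature rows into an injection map, the set of files the sample
    created and the privileges it enabled, and flag anything inconsistent."""
    privileges = []
    dropped = set()
    injections = defaultdict(dict)  # parent pid -> child pid -> {"target", "writes"}
    for raw in rows:
        row = raw.strip()
        if m := TOKEN_RE.match(row):
            privileges.append((m[1], m[2]))
        elif m := DROP_RE.match(row):
            dropped.add(m[1].lower())
        elif m := WPM_RE.match(row):
            parent, child, target = int(m[1]), int(m[2]), m[4]
            entry = injections[parent].setdefault(child, {"target": target, "writes": 0})
            entry["writes"] += 1
    targets = {e["target"].lower() for kids in injections.values() for e in kids.values()}
    return {
        "privileges": privileges,
        "dropped": sorted(dropped),
        "legacy_system_drops": sorted(p for p in dropped if p.startswith(LEGACY_SYSTEM_DIR)),
        "injections": {p: dict(c) for p, c in injections.items()},
        # Every injection target should be a file the sample itself wrote; a target
        # that was not dropped would mean writes into a pre-existing process.
        "targets_not_dropped": sorted(targets - dropped),
        # SeLockMemoryPrivilege is required for MEM_LARGE_PAGES allocations and is
        # what XMRig enables for huge pages; a useful miner tell next to CPU load.
        "large_page_privilege": any(t == "SeLockMemoryPrivilege" for t, _ in privileges),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for parent, kids in result["injections"].items():
        for child, e in kids.items():
            print(f"{parent} -> {child}: {e['target']} ({e['writes']} writes)")
    print("dropped into legacy System dir:", result["legacy_system_drops"])
    print("large-page privilege enabled:", result["large_page_privilege"])
    print("injection targets the sample did not drop:", result["targets_not_dropped"])
```

Run against the full table the same way; a non-empty targets_not_dropped list is the case to chase first, because it points at writes into a process the sample did not create.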

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ZmpHGwy.exe

C:\Windows\System\ZmpHGwy.exe

C:\Windows\System\tUVSrsK.exe

C:\Windows\System\tUVSrsK.exe

C:\Windows\System\hRgCHIi.exe

C:\Windows\System\hRgCHIi.exe

C:\Windows\System\dlBLvsy.exe

C:\Windows\System\dlBLvsy.exe

C:\Windows\System\phYEEAb.exe

C:\Windows\System\phYEEAb.exe

C:\Windows\System\RqyeXLY.exe

C:\Windows\System\RqyeXLY.exe

C:\Windows\System\bRuPPpf.exe

C:\Windows\System\bRuPPpf.exe

C:\Windows\System\diBDrhz.exe

C:\Windows\System\diBDrhz.exe

C:\Windows\System\iscjGGR.exe

C:\Windows\System\iscjGGR.exe

C:\Windows\System\bvFXWpt.exe

C:\Windows\System\bvFXWpt.exe

C:\Windows\System\IsWCUGA.exe

C:\Windows\System\IsWCUGA.exe

C:\Windows\System\iDDcGHa.exe

C:\Windows\System\iDDcGHa.exe

C:\Windows\System\xCIkquB.exe

C:\Windows\System\xCIkquB.exe

C:\Windows\System\ropVOqb.exe

C:\Windows\System\ropVOqb.exe

C:\Windows\System\dplpwIn.exe

C:\Windows\System\dplpwIn.exe

C:\Windows\System\sQPsBQz.exe

C:\Windows\System\sQPsBQz.exe

C:\Windows\System\LdJjERU.exe

C:\Windows\System\LdJjERU.exe

C:\Windows\System\AtGKlQa.exe

C:\Windows\System\AtGKlQa.exe

C:\Windows\System\tgDTONA.exe

C:\Windows\System\tgDTONA.exe

C:\Windows\System\fjzPiXT.exe

C:\Windows\System\fjzPiXT.exe

C:\Windows\System\ZYktjwb.exe

C:\Windows\System\ZYktjwb.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2176-0-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2176-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\ZmpHGwy.exe

MD5 d3837ca3413f4d20dc77c300ad94bf7b
SHA1 5edb0290bb49eebe78382797deb751c35ada0f2e
SHA256 b8684428e6d0602a5a0ae01f4fefbc058e0f7a274b072f4dc06fc74bb2bee322
SHA512 0a6886de3310457e99409e144bd9702c17e905523c9c76ffbcf077d1d2be8a48d5cfb28a7a54919d7bbe79362504be1bbdc3b2d22c40e1842cd31b89fd9fa46a

memory/2176-6-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/1780-12-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/1704-15-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2176-14-0x0000000002320000-0x0000000002674000-memory.dmp

C:\Windows\system\tUVSrsK.exe

MD5 7f137236dd2cc1e0ac3fb43e16d8232a
SHA1 d5ec712c50813d1ee7fbadaaa492af94e0802c98
SHA256 cc672fa6f5ca39338d4d9a306502b6c69a9b7ee1fc20600ce8af1121304df47e
SHA512 4a10ea7be4dc0944456ecd29d17f5147ee57c2564b20bdd3030e880da74cea86c36edd64c09d19112b99f776aeed1f4811c2ca08a67dec8cd44bf608a382f287

C:\Windows\system\hRgCHIi.exe

MD5 6382b8d80701be693179837316888184
SHA1 4e81e1e65504fb9cb078830f42ca28222182ea10
SHA256 bc22484f396ed8e830eccdb571fc9d169571f489f06093a6a572b90a87a32ca0
SHA512 d46b0b3583ae584e29f68d0a3b60c4dcb9733abb60c5dae627864d03f3b3a9dbd9878d01d3746752c353e865573fcab5e13a8eabac9b76189a051a55b62ff54d

\Windows\system\dlBLvsy.exe

MD5 982deaa5f753f2aa854a6b24f6843ebd
SHA1 c4357138a2a2e93c00b9f0122b640f5d62aa7d02
SHA256 59f11b6174d1be66f957966490a9bb2e2cc152635550700b00af068e7c9687d9
SHA512 204545fb205f71d818e8654fd1938da6c1befd083a54547bbb9bc1b0a192fd9c3323a38c4a2252ac1f9a85a52f34b4df689614fd18b1bd6eb5648737455dee3e

memory/2868-29-0x000000013F9D0000-0x000000013FD24000-memory.dmp

C:\Windows\system\RqyeXLY.exe

MD5 fad07c7a375cc77c8bad2ea403df7368
SHA1 8200f7b45ecaed3456453756d4786a31808f3cfd
SHA256 848657e546ac40e70071a28e39a41e9f0cee0588a6bdcdef5b8fb03d5de4f894
SHA512 d89f63fb6b3890d9d0d0450493738c1a7fd582703900f09647482ca9fef7f0381cd65a49803cbe6b29cf051716ac782e278d093757a86d15a4e9b25cc419cbe6

memory/3032-36-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/3024-42-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2176-55-0x000000013F030000-0x000000013F384000-memory.dmp

\Windows\system\iscjGGR.exe

MD5 8b592ebc427ce6b4826fa180a69cff56
SHA1 acfc770de548ae9c41e951ebf8abf5982f9294d6
SHA256 81a46b1e4dd2171ddec998b02bdfd73ebdac717ca7fd10ee232b057422b63dfd
SHA512 8643954ce51286995297408025887a21e022256d16986e79cc5da9d8bfa1a3d6a134715963c7034b704067d4d6faac5b6f2e0c5f8fc35e4eb33d354c717e50f8

C:\Windows\system\iDDcGHa.exe

MD5 9360c7aa91d330680ed2ff744139e9c6
SHA1 a05cb03b5b5eef3e929e2247c7408ecd9cc37ccd
SHA256 eb06f91068c3c0ad1116cf697a1f2a093d0fc53e89c7997503372fd56083c59c
SHA512 e0bdebbe9746bafaa6ad958bf1d32123ddc51d063a4b47e9234a7044e34eda44ad7cc8938a1383d46800cfbd2be8ecd97d57c903beba9e1d1c7b019329163134

memory/1668-87-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2176-101-0x0000000002320000-0x0000000002674000-memory.dmp

memory/2812-102-0x000000013F2C0000-0x000000013F614000-memory.dmp

C:\Windows\system\dplpwIn.exe

MD5 40f2e1cbf0aaee4b63729f29181c69c9
SHA1 98c1949489e6136a4076aad17b21d7a117fa8bb6
SHA256 5960a9b38b19e11da49dd1684aaa8e5425df5cddb2f4cd960f0f061ba3637527
SHA512 75ba53fe069f442d35bf37fbac92ebe6b57a72f2dac6ab1cd71a4d54018f61093d8d3918c835b142cd9f8ad2db837c43150b715f307027c3662597262d8a311b

C:\Windows\system\sQPsBQz.exe

MD5 0e4a4a3a1c884eb44bde038e9dba5c47
SHA1 dc9f41cb1f02dea88be3f46036b932d4ee6719c9
SHA256 acc75072333b77bc829b9863eab7d01c443d0a88906f738da547dacb54e5f19c
SHA512 f98fa2534afde5372a4c90a8683f5bfc630305c910305b20c74eb84dd10c45141817d079660c9102aff7872676a1aa54cdcac760afc99e0eb89e0d76c716c2ff

C:\Windows\system\fjzPiXT.exe

MD5 d49a317c0f13c8cc2482a44c071a728d
SHA1 e65b30a32e2e0d31ea943b43de9dec0bd5d0b2b8
SHA256 a996f588f60b17ed209bb26f398d18d16fd5d4861b95819a72d8b6f9ea63c21c
SHA512 f5d1d365b2deb9bab04465062453a363b70b75dd137dcfa8f9ede0d8b352d0bd1f2608f9c7c4fd2f7c0b1f7fd060be35fad579dd581fd5092aa8cc6310fca46f

\Windows\system\ZYktjwb.exe

MD5 743c7a20f2416269c3c8d975e4f19d3c
SHA1 ec03184ed7d21e18ad8febd61a391967dd7c43fa
SHA256 5268a9f9c3d42bc7a82775797a6ec28c7588a17d79fc51326d6588568564e10a
SHA512 b1cd99523c5be9a534c9ef28e57b8e1e140d71839b403f162bfe939de2f7f0ebf35a9df380b91846f3d2e9d464027806147a61b7c336973bd2a0e93c87567250

C:\Windows\system\tgDTONA.exe

MD5 2640ca0daf45c349ec3ea1b5c8a09b62
SHA1 010621664bb654656f91df9b0c62b87159fd2950
SHA256 4a68470d740853dbba0cdfa3c3bf0fc165e3d11570707f075170bb53cf51de54
SHA512 67ba07bd7f82ac1f072114a412f7e1f17313e88d74a281be4cfb47f4cd8d9d9752adf715acf34829709c496d7696507ffdb29a98426008e473a7e5f9e0ac84fe

C:\Windows\system\LdJjERU.exe

MD5 dfb22040632befc536fb4b04910902d5
SHA1 4ea6d476c6b0e142b11e9e79dd34d05453213d6a
SHA256 1edfd6e700302e26c236ff80db3648fcf56128e1b73645a45d3d54cc88975155
SHA512 6a89a2952f3e2efaf24354c962b535264af510af0d953538d3ca0137ca22ab3cf9de14d7415c6c5c06fb9b75b3ebc08e210ef00dc727a8b2a1f621f9e155e9c7

C:\Windows\system\AtGKlQa.exe

MD5 f10f9781909f4c7a37617576f2ebaa69
SHA1 821802e1bea0bc577d1d174fd88e688f1bcbb612
SHA256 5d4610dd1f6569524a45a012370518f87aecc59c698bbbf5aaf0da35d80c889b
SHA512 fe13574f419cc08cc1e3419928e42cf6595035861153c50acae727224ac9db07b3f86e92caa45e241c7ce16e5dbf0f8305b07ddf4d91cee2cee7c1f74ba59d77

memory/3024-108-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2560-95-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2176-94-0x0000000002320000-0x0000000002674000-memory.dmp

memory/2868-93-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/3032-100-0x000000013F830000-0x000000013FB84000-memory.dmp

C:\Windows\system\ropVOqb.exe

MD5 49eac8a46ed93a4a81bb7ff95a186c47
SHA1 55e40c0b686b1b1a715178ae90e6bce4e20cca6d
SHA256 9f9fbe481f3ba8a1a7d4e318e84b6d7b7714e50db7f0a040ef85a9db3a78a741
SHA512 3ac6c36b1d5c9b1daecc547e7f7f776558fc9dda88ea1affd9b114cb65b42b43e6e3ea3f97ec9aea6908a087fef4cc8d2af03c7982550005d291ac9af9c3ebe4

C:\Windows\system\xCIkquB.exe

MD5 f2749639e9f6aa9d14ed594aaf791ffc
SHA1 78998bf19c8194dd06c821829f663f3d00872ed4
SHA256 cfda5bff0da088ffa8b3924936233207e04777eb1fc8d5b5ae2af274bef35303
SHA512 3b6198a3d362fc2b1bda143d85b6f1f066040fdf56945c7052225ca58827f55ee0ecd72de8d0ff461575becefd447eef022f6947d0dc6ac1673d6a66a87b3bff

memory/2176-86-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2756-140-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/2940-79-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2176-78-0x0000000002320000-0x0000000002674000-memory.dmp

C:\Windows\system\IsWCUGA.exe

MD5 ec71120cbfc10f49093095afb1a71850
SHA1 2e7b767cfdf5680daf1331945a680cb14ba5a0b8
SHA256 dcfec9b120f1f32a75fc814e267c70f7ca8b01b9f267d01d3f71cfbcffa5c41f
SHA512 27deb70c8a1b17af351ac9f62d1f7e48d755db1b84033e538510c4d9cb66084071c2aa44b8bf6c4920c791a5f7978f2855c839b4e29c91e956d232cec91b861f

memory/2552-72-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2176-71-0x0000000002320000-0x0000000002674000-memory.dmp

C:\Windows\system\bvFXWpt.exe

MD5 519d83a9330bf4ba505d6cef7e259d32
SHA1 aa1d27b13a1e3662f724940c177c64e658abf9f8
SHA256 7c542484d7a766d139eb82df8ecea5614727e330f89544ea62dd33441271419f
SHA512 7f35379ae8bf1b0f7cf4d14f0337ebf20af490ab06033db2a035722da0c16a15310dd1db95b420094ff42e3711918aa754eb8d3356be17378c9e3be05141a8f8

memory/2228-66-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/2176-65-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/1704-64-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2756-51-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/2176-50-0x0000000002320000-0x0000000002674000-memory.dmp

C:\Windows\system\bRuPPpf.exe

MD5 ec1a7c97e4c3824076d540df8370d463
SHA1 9ec960dbb5806a59972d49b98b1c58ab6d05f01c
SHA256 29602631921766b0dee9a973fcea361b3f66055e96fad3f87a9474961e4f2ab9
SHA512 e37a1bf7b6029f2fa8be28c6e6bc3be6feb1097f920fc96a024da545a5264632ae2d727cfe955e42e9d23fbbde15a45f95471c6a267570d76dc4d64fd578a606

memory/1780-48-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2468-56-0x000000013F030000-0x000000013F384000-memory.dmp

C:\Windows\system\diBDrhz.exe

MD5 20125ec96db5ec18235046e0dbbbe96e
SHA1 5282f4680dfb0e5699231115c94f970fff3e4b4e
SHA256 365d612cbbeaab6443093ee20a266e347c7087062e39e654176d646a434e8469
SHA512 96106d81988fff93baee58964df68c706d693c4cce7463e438271d6fdfb5a9cd698e088093f2e0239794b513a5cd424d6ab9fa7ab37bab666adbfc8324b2086c

memory/2176-35-0x0000000002320000-0x0000000002674000-memory.dmp

C:\Windows\system\phYEEAb.exe

MD5 0902836f90a08627f4485ee213b45737
SHA1 03a05adfd86b3f5b1b731698dcf17c48c12f88a0
SHA256 8b8e14e9e2feacfb1186a1a678c36c51b7775f196673848c80ff25f5e81fd1d6
SHA512 73ad38c2513db92afd7aa55d00043a1349f188d7a0f5c155c09a75801fe5ffff69a5fe14203e10b88b989f8425ec94d445aca6ece7b1d65d828232f2a289d631

memory/2176-41-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2176-25-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/2648-23-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/2176-19-0x0000000002320000-0x0000000002674000-memory.dmp

memory/2468-141-0x000000013F030000-0x000000013F384000-memory.dmp

memory/2176-142-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/2228-143-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/2176-144-0x0000000002320000-0x0000000002674000-memory.dmp

memory/2552-145-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2940-146-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/1668-148-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2176-147-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2560-149-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2812-150-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/2176-151-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/1780-152-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2648-154-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/1704-153-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2868-155-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/3032-156-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/3024-157-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2756-159-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/2468-158-0x000000013F030000-0x000000013F384000-memory.dmp

memory/2228-160-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/2552-161-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2940-162-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/1668-163-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2560-165-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2812-164-0x000000013F2C0000-0x000000013F614000-memory.dmp
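
The memory dump names in the Files section encode PID, dump index and address range, and the arithmetic is worth doing: with one exception (2176-1, a 0x10000-byte region at 0x80000), every region listed above is 0x354000 bytes, in the parent and in each of the 21 children, at x64 image-base style addresses (0x13F...). Two things fall out. The region 2176-14 at 0x2320000 has the same 0x354000 size but sits at a low address outside the image-base range, so it is the first dump to open when unpacking. And the same address and size appear in more than one PID (for example 0x13FDF0000 in 2176 and 1780); the report does not state which side each dump was taken from, so treat those as pairs to diff, not as a conclusion that the images are identical.

The script below is an added example for this page, not code from the sandbox: it parses dump names in the report's own naming scheme (constructed input is a subset of the names listed above), groups regions by size, and lists the low-address same-size regions and the address ranges shared across PIDs. The DUMP_RE pattern, the 0x10000000 low-address cut-off and the summarize_dumps() function are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Naming scheme as it appears in the report: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
# (assumed from the listed names, not a documented format).
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Anything below this is treated as a heap/VirtualAlloc range rather than an
# x64 image base; an assumption tuned to the addresses in this report.
LOW_ADDRESS_LIMIT = 0x10000000

# Constructed input: dump names copied verbatim from the behavioral1 Files section.
SAMPLE_DUMPS = [
    "memory/2176-0-0x000000013F4E0000-0x000000013F834000-memory.dmp",
    "memory/2176-1-0x0000000000080000-0x0000000000090000-memory.dmp",
    "memory/2176-6-0x000000013FDF0000-0x0000000140144000-memory.dmp",
    "memory/1780-12-0x000000013FDF0000-0x0000000140144000-memory.dmp",
    "memory/1704-15-0x000000013F690000-0x000000013F9E4000-memory.dmp",
    "memory/2176-14-0x0000000002320000-0x0000000002674000-memory.dmp",
    "memory/2868-29-0x000000013F9D0000-0x000000013FD24000-memory.dmp",
    "memory/3032-36-0x000000013F830000-0x000000013FB84000-memory.dmp",
    "memory/2648-23-0x000000013F830000-0x000000013FB84000-memory.dmp",
    "memory/2176-55-0x000000013F030000-0x000000013F384000-memory.dmp",
    "memory/2468-56-0x000000013F030000-0x000000013F384000-memory.dmp",
]


def parse_dump(name: str):
    """Return pid/index/start/end/size for one dump name, or None if it does not match."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "index": int(m["idx"]), "start": start, "end": end, "size": end - start}


def summarize_dumps(names) -> dict:
    """Group dumped regions by size and surface the ones worth opening first."""
    regions = [r for r in map(parse_dump, names) if r is not None]
    size_counts = Counter(r["size"] for r in regions)
    dominant = max(size_counts, key=size_counts.get)
    # Same-size region at a low, non-image-base address: likely an allocated buffer
    # holding the payload rather than the mapped module. Inspect these first.
    private_copies = sorted(
        (r["pid"], r["start"]) for r in regions
        if r["size"] == dominant and r["start"] < LOW_ADDRESS_LIMIT
    )
    # Same (start, size) in more than one PID: the dump pairs to diff.
    owners = defaultdict(set)
    for r in regions:
        owners[(r["start"], r["size"])].add(r["pid"])
    shared = {f"0x{start:X}": sorted(pids) for (start, _), pids in owners.items() if len(pids) > 1}
    return {
        "regions": len(regions),
        "size_counts": dict(size_counts),
        "dominant_size": dominant,
        "pids_with_dominant": sorted({r["pid"] for r in regions if r["size"] == dominant}),
        "private_copies": private_copies,
        "shared_regions": shared,
    }


if __name__ == "__main__":
    s = summarize_dumps(SAMPLE_DUMPS)
    print(f"{s['regions']} regions; dominant size 0x{s['dominant_size']:X} in PIDs {s['pids_with_dominant']}")
    print("low-address same-size regions:", [(p, hex(a)) for p, a in s["private_copies"]])
    print("ranges shared across PIDs:", s["shared_regions"])
```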