Malware Analysis Report

2024-10-24 18:16

Sample ID 240607-a5hj5sef5w
Target 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike
SHA256 9d9bebef53e23af5dbd251c31a53e7a5beda04d4baec31bb1c5d81dab29985c8
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

9d9bebef53e23af5dbd251c31a53e7a5beda04d4baec31bb1c5d81dab29985c8

Threat Level: Known bad (verdict for 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike)

Malicious Activity Summary

Tags: cobaltstrike xmrig 0 backdoor miner trojan upx

Family and payload signatures (static pattern matches on the file and on memory dumps)

Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Xmrig family
XMRig Miner payload
UPX packed file
UPX dump on OEP (original entry point)
Unsigned PE

Behavioural signatures

Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

What the detonations actually show: the unsigned, UPX-packed sample writes 21 executables with random seven-letter mixed-case names into C:\Windows\System\, launches every one of them, writes into each child's memory, and requests SeLockMemoryPrivilege, the privilege XMRig needs for large-page memory. The Cobalt Strike and XMRig labels are pattern matches on the unpacked image; the report extracts no beacon configuration, team-server address or mining pool, so the family names should be read as "matches both rule sets", not as a confirmed beacon. The only network indicator not attributable to the sandbox's own background traffic is the repeated TCP connection to 3.120.209.58:8080 in the behavioral2 network table.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-07 00:47

Signatures

Each static signature below fired once; the report records no Description, Indicator, Process or Target for any of them.

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 00:47

Reported

2024-06-07 00:50

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

21 hits; no Description, Indicator, Process or Target recorded for any of them.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

21 hits; no indicator detail recorded.

UPX dump on OEP (original entry point)

64 hits; no indicator detail recorded.

XMRig Miner payload

miner
64 hits; no indicator detail recorded.

UPX packed file

upx
64 hits; no indicator detail recorded.

Drops file in Windows directory

Process (every row): C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe
Target (every row): N/A

Description Indicator
File created C:\Windows\System\rEIhKod.exe
File created C:\Windows\System\JYLpnqS.exe
File created C:\Windows\System\nyKEpQc.exe
File created C:\Windows\System\MuvEfYm.exe
File created C:\Windows\System\HBFRtvj.exe
File created C:\Windows\System\SXsqyCu.exe
File created C:\Windows\System\QNyYuEj.exe
File created C:\Windows\System\bLFGMfL.exe
File created C:\Windows\System\umtEkgm.exe
File created C:\Windows\System\vFwSNPy.exe
File created C:\Windows\System\jzsWxpF.exe
File created C:\Windows\System\OsqGpgj.exe
File created C:\Windows\System\HsVIZVO.exe
File created C:\Windows\System\yPtBYWc.exe
File created C:\Windows\System\SXgMiCv.exe
File created C:\Windows\System\eUIahGc.exe
File created C:\Windows\System\KofWoVZ.exe
File created C:\Windows\System\PSetYrP.exe
File created C:\Windows\System\yVflcIX.exe
File created C:\Windows\System\jAgzgIX.exe
File created C:\Windows\System\LUxanxe.exe

Note that the target directory is C:\Windows\System, the legacy 16-bit folder, not System32; on a modern Windows 10 image it is almost empty, so any newly created .exe there is anomalous on its own.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege ("Lock pages in memory") is the privilege XMRig enables so it can back its RandomX scratchpad with large pages. Outside database engines it is rarely touched by user-land code, so an unsigned binary running from %TEMP% adjusting this token is a much stronger miner indicator than the generic signature name suggests.

Suspicious use of WriteProcessMemory

Process (every row): C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe (PID 3584)
Indicator (every row): N/A

Description Target
PID 3584 wrote to memory of 3024 (2 writes) C:\Windows\System\OsqGpgj.exe
PID 3584 wrote to memory of 208 (2 writes) C:\Windows\System\SXsqyCu.exe
PID 3584 wrote to memory of 1692 (2 writes) C:\Windows\System\HsVIZVO.exe
PID 3584 wrote to memory of 2232 (2 writes) C:\Windows\System\yPtBYWc.exe
PID 3584 wrote to memory of 3416 (2 writes) C:\Windows\System\rEIhKod.exe
PID 3584 wrote to memory of 2172 (2 writes) C:\Windows\System\KofWoVZ.exe
PID 3584 wrote to memory of 2720 (2 writes) C:\Windows\System\JYLpnqS.exe
PID 3584 wrote to memory of 3908 (2 writes) C:\Windows\System\nyKEpQc.exe
PID 3584 wrote to memory of 5056 (2 writes) C:\Windows\System\PSetYrP.exe
PID 3584 wrote to memory of 5100 (2 writes) C:\Windows\System\QNyYuEj.exe
PID 3584 wrote to memory of 3780 (2 writes) C:\Windows\System\yVflcIX.exe
PID 3584 wrote to memory of 4828 (2 writes) C:\Windows\System\MuvEfYm.exe
PID 3584 wrote to memory of 2900 (2 writes) C:\Windows\System\HBFRtvj.exe
PID 3584 wrote to memory of 1128 (2 writes) C:\Windows\System\bLFGMfL.exe
PID 3584 wrote to memory of 4940 (2 writes) C:\Windows\System\SXgMiCv.exe
PID 3584 wrote to memory of 2260 (2 writes) C:\Windows\System\jAgzgIX.exe
PID 3584 wrote to memory of 4428 (2 writes) C:\Windows\System\LUxanxe.exe
PID 3584 wrote to memory of 3048 (2 writes) C:\Windows\System\eUIahGc.exe
PID 3584 wrote to memory of 2620 (2 writes) C:\Windows\System\umtEkgm.exe
PID 3584 wrote to memory of 2264 (2 writes) C:\Windows\System\vFwSNPy.exe
PID 3584 wrote to memory of 2372 (2 writes) C:\Windows\System\jzsWxpF.exe

Every write target is one of the sample's own drops; no write goes into an unrelated or system process.
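The three behavioural tables above are the part of this report a responder can turn directly into checks. The following is an added example, not part of the sandbox report or of any vendor tooling: it parses rows in the sandbox's raw "Description Indicator Process Target" form, flags drops that match this sample's pattern (a seven-letter mixed-case .exe created under C:\Windows\System\), builds the parent-to-child injection map, and checks for the miner privilege. The input rows are constructed here; all of them are copied from the report except the hosts row, which is a made-up negative control.

```python
import re
from collections import Counter

# The submitted sample's path exactly as the report records it.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe")

# Constructed input in the sandbox's raw row format. Every row except the
# System32\drivers\etc\hosts one is copied from the report; that row is a
# made-up negative control that must not be flagged.
RAW_ROWS = f"""
File created C:\\Windows\\System\\rEIhKod.exe {SAMPLE} N/A
File created C:\\Windows\\System\\OsqGpgj.exe {SAMPLE} N/A
File created C:\\Windows\\System32\\drivers\\etc\\hosts {SAMPLE} N/A
Token: SeLockMemoryPrivilege N/A {SAMPLE} N/A
PID 3584 wrote to memory of 3024 N/A {SAMPLE} C:\\Windows\\System\\OsqGpgj.exe
PID 3584 wrote to memory of 3024 N/A {SAMPLE} C:\\Windows\\System\\OsqGpgj.exe
PID 3584 wrote to memory of 3416 N/A {SAMPLE} C:\\Windows\\System\\rEIhKod.exe
"""

# The paths in this report contain no spaces, so \S+ is enough per column.
FILE_RE = re.compile(r"^File created (\S+) (\S+) (\S+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\w+) N/A (\S+) (\S+)$")

# C:\Windows\System (not System32) is a legacy folder that is essentially empty
# on a modern Windows image. A seven-letter name containing both upper- and
# lower-case letters is the naming scheme every drop in this report follows.
RANDOM_DROP_RE = re.compile(
    r"^C:\\Windows\\System\\(?=[^\\]*[a-z])(?=[^\\]*[A-Z])[A-Za-z]{7}\.exe$")


def parse_rows(text):
    """Split raw signature rows into drops, memory writes and token adjustments."""
    dropped, privileges = [], set()
    writes = Counter()  # (src_pid, dst_pid, target image) -> number of writes
    for line in text.strip().splitlines():
        if m := FILE_RE.match(line):
            dropped.append({"path": m.group(1), "process": m.group(2)})
        elif m := WPM_RE.match(line):
            writes[(int(m.group(1)), int(m.group(2)), m.group(4))] += 1
        elif m := TOKEN_RE.match(line):
            privileges.add(m.group(1))
    return {"dropped": dropped, "writes": writes, "privileges": privileges}


def suspicious_drops(parsed):
    """Dropped paths that match the random-name-in-C:\\Windows\\System pattern."""
    return [d["path"] for d in parsed["dropped"] if RANDOM_DROP_RE.match(d["path"])]


def injection_targets(parsed, src_pid):
    """Child PIDs that src_pid wrote into, with the child's image and write count."""
    return {dst: (target, n)
            for (src, dst, target), n in parsed["writes"].items() if src == src_pid}


def miner_privilege_requested(parsed):
    """SeLockMemoryPrivilege is what XMRig enables for large-page RandomX memory."""
    return "SeLockMemoryPrivilege" in parsed["privileges"]


if __name__ == "__main__":
    p = parse_rows(RAW_ROWS)
    print("random-name drops:", suspicious_drops(p))
    print("children written by 3584:", injection_targets(p, 3584))
    print("miner privilege:", miner_privilege_requested(p))
```

The same three functions run unchanged over the full tables in this report; the only thing that changes is the number of rows.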

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe"

The 21 dropped executables were each launched with the bare path as the command line, in the order listed:

C:\Windows\System\OsqGpgj.exe
C:\Windows\System\SXsqyCu.exe
C:\Windows\System\HsVIZVO.exe
C:\Windows\System\yPtBYWc.exe
C:\Windows\System\rEIhKod.exe
C:\Windows\System\KofWoVZ.exe
C:\Windows\System\JYLpnqS.exe
C:\Windows\System\nyKEpQc.exe
C:\Windows\System\PSetYrP.exe
C:\Windows\System\QNyYuEj.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:8

(An Edge utility process from the sandbox image itself; it is not one of the sample's drops and no signature row references it.)

C:\Windows\System\yVflcIX.exe
C:\Windows\System\MuvEfYm.exe
C:\Windows\System\HBFRtvj.exe
C:\Windows\System\bLFGMfL.exe
C:\Windows\System\SXgMiCv.exe
C:\Windows\System\jAgzgIX.exe
C:\Windows\System\LUxanxe.exe
C:\Windows\System\eUIahGc.exe
C:\Windows\System\umtEkgm.exe
C:\Windows\System\vFwSNPy.exe
C:\Windows\System\jzsWxpF.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
BE 2.17.196.177:443 www.bing.com tcp
US 8.8.8.8:53 177.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp

("-" marks rows where the sandbox recorded no domain.)

The six TCP connections to 3.120.209.58:8080 are the only traffic with no hostname: nothing in the table resolves that address forward or in reverse, which is consistent with a hard-coded address. The www.bing.com and tse1.mm.bing.net sessions, and the PTR queries for cloud addresses, match the Edge utility process in the process list and ordinary Windows 10 background activity. The report does not attribute connections to a process, so confirm that PID 3584 or one of its children owned the 8080 sockets before treating the endpoint as C2.
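Separating the one endpoint that matters from the sandbox's background DNS and browser noise is mechanical once the table is parsed. The following is an added example, not part of the report: it parses rows in the table's "Country Destination Domain Proto" form (domain optional), reverse-maps the in-addr.arpa PTR names back to addresses, and returns the TCP destinations that no name in the table accounts for, with a connection count. The rows are constructed here from a subset of the table above.

```python
import re
from collections import Counter

# Constructed from the report's Network table; the 8080 rows have no domain.
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
BE 2.17.196.177:443 www.bing.com tcp
US 8.8.8.8:53 177.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")


def parse_network(text):
    """Parse the flattened table; domain is None when the column was blank."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        r = m.groupdict()
        r["port"] = int(r["port"])
        rows.append(r)
    return rows


def ptr_to_ip(name):
    """'149.220.183.52.in-addr.arpa' -> '52.183.220.149'"""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def dns_seen_ips(rows):
    """Addresses the guest reverse-resolved (PTR) or connected to under a name.
    Forward lookups (udp rows to the resolver) name the query, not the answer,
    so they contribute nothing here."""
    seen = set()
    for r in rows:
        d = r["domain"]
        if not d:
            continue
        if d.endswith(".in-addr.arpa"):
            seen.add(ptr_to_ip(d))
        elif r["proto"] == "tcp":
            seen.add(r["ip"])
    return seen


def unresolved_tcp_endpoints(rows):
    """TCP destinations with no name and no DNS activity touching them, with
    connection counts: this is where a hard-coded beacon or pool address lands."""
    seen = dns_seen_ips(rows)
    return Counter(f"{r['ip']}:{r['port']}" for r in rows
                   if r["proto"] == "tcp" and not r["domain"] and r["ip"] not in seen)


if __name__ == "__main__":
    print(unresolved_tcp_endpoints(parse_network(NETWORK_ROWS)))
```

Run over the full table the result is the single entry 3.120.209.58:8080 with a count of six; everything else is explained by a name in the table.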

Files

Dropped executables (21, all written to C:\Windows\System\ by the sample; every file carries a different hash)

C:\Windows\System\OsqGpgj.exe

MD5 20dda93a22448d83bfbd24c788407352
SHA1 090bb20a8771eab0736fe731f3441cc0e6e20bf8
SHA256 4f0850c79b5c5ea243a72c32c1160bac5b3d5bac382ceb9796919bcb6dc424d6
SHA512 3b7e2d6c463192c5860bc0f6a13a5c1409113396b4eff0c7a6e7ca07c5cf46dc245f3079f7308e5aace8d027e40c483c3f463dd21fb240538f84b83d517bd240

C:\Windows\System\SXsqyCu.exe

MD5 ff2c7ce5fb2dcfccc93e9e5c5aeb7996
SHA1 1cf2d04a1b92f8acfabe6adbfa5d20454970406c
SHA256 15808b5447334ba4aca55211cdae0daae256ac04c89d9f148eb91d5b09cdd62a
SHA512 2c50d644f8bf9c86f2cdd4cc33a4c7a34432f091511a17de9ee98a84779dcb30412b64112de86530a7abdd5308e1320717aeb7d6e185b0e9978c5414a2a8a1a4

C:\Windows\System\HsVIZVO.exe

MD5 0a239391a1b6e2ca83c647eae2f75c67
SHA1 a824b2ee3c6f3accbb30810250c8bf5be5ff7187
SHA256 7a8ec44d2d36f65069af0b6ffb8c3ef6a81e059b97818cbd8f640fd83a5ee205
SHA512 363cd345ef4ac9a85e87b7e776aa629443d5d6f5230df13f1442bc4dc74b689804ab76ae9fd4976a6c9f71491835f55271804ac17e4cc33b036c3e6107522e77

C:\Windows\System\yPtBYWc.exe

MD5 b60ed1f305d8dcb0c57b93a40209c4cb
SHA1 2eeb58c83b97d34576fa739fce7598147d3ad248
SHA256 2c7ac8020cbd4dfdae8207d69431f55d8fab063082c1612a7002849b83efcbb8
SHA512 c09c3a1a60e4b950768953464312052426cedd5defc694ee8b4834780bf668b70e5f91da1eb6fe8d3a45596eb9e6c54e7e899229dabd8ceab1891d74fc8b3c0d

C:\Windows\System\rEIhKod.exe

MD5 230276141accb4b50016562f073aec9b
SHA1 c7cd1ac7eba78dbf67d83f0502d466705838b96f
SHA256 e0a345610b267c5d24043211addf8ef242f5e72605f31af3b4e11fcc065db723
SHA512 a72696a3c8d488cad7cb3750606ce6c8b844d634ae8affdff45ec03b534f2cda526c5a3a0955875e81cd48ba4fa506515e4357f6c7aa6ff570b41fcef8cf4221

C:\Windows\System\KofWoVZ.exe

MD5 31dc10b199b26b1a0456e44862ebdd01
SHA1 b7f6dc88d1ab475ac6dafba445440bab8a595ac0
SHA256 8e59be3c56d89c1499799c82910271b994c1045815b2241e33370db0269dc104
SHA512 650354baae3f610a7a792e6f77f18d9a140c05257d1260e072f51ad6b339ce2cf9222ad4ca5273ea4fe6387fb1789e95fd53029af1133cf9d1abd17beebccff5

C:\Windows\System\nyKEpQc.exe

MD5 09f3ba12a6721fd74409fdb2b3c9213b
SHA1 08de95296a9d2477bba5484dd4b2f807bea8efce
SHA256 d7bf3820b3c46bb99c15f3ef6a014ff22f2e28e03fc6ededc50e477e0a94461e
SHA512 224326cab022202c5a202b99fba87ee5cab250a614e8d8018b427cf8810ec05a02224e22e672ce0ed19d6f94c79ec12abc5de979d932edf4764173bfe88ff2d4

C:\Windows\System\PSetYrP.exe

MD5 4d6c99977a6b38963fc3a5c414464333
SHA1 cdd0e8a3e3a6e3ab3b80d219402a67364ef3a818
SHA256 94218806e5e6dd4bf74389cf9e5f9a3a4f5bb902c129aa19f78f4f93fc5d0fb9
SHA512 57934e0b60d12c0d7ce24864cafc488785523b2c45fe39f8fcd948145afce7d9d3f90a3b7e3bc7df2e921bc3a0ac474b24444257edb5551f0c21e6fb3ae138a2

C:\Windows\System\JYLpnqS.exe

MD5 dd136e5838b8ad25b9841ebde5e8a6a6
SHA1 c4706dd40c520c4552907ca3f608b13fa78fdfcd
SHA256 9590cfb68e30337db006f16d56a2974bb5654c47a6e0ce4cd78090aac8039ddb
SHA512 f40509c00466c4849a830ddc25dc85edcadc9fd187143bc5ab4d67520b50115b5bb883f7c882b3482ae65013d706b7ae39b45ef47729e4d69db92186e369aba9

C:\Windows\System\QNyYuEj.exe

MD5 c9a0330562a5059a1c5d580a1decca71
SHA1 47e2acb9fcf826e9494ed95a14e63f08de68eb85
SHA256 d787b99946bc23323b19ae8f519b1b6c5634ca6c520bdd093ca61f275b782106
SHA512 77cc8e500d34ee588dc3548150ea527e2a20e38137d057b42c1593f8e0e9cf0cfe40db9fa7118b3b55eda2667b9a71fe08ecc2b014b43290f2368ef442a3dc45

C:\Windows\System\yVflcIX.exe

MD5 c6840b1117677214b78f3e2f75bc3ba9
SHA1 b8d10a4429ca5504c52f9db4a682695fe4620e73
SHA256 d7d1491151325a399cb7167fbc9a4457a4ea8a2e37749a6f4cad942e5dec1180
SHA512 ae37a2d58c2443fe6dc2e02642fa8c6b90665c888a06f0b93487e2c404b57caceb3968325efa6a5f2d523d278c4b16cd1477db00819db5b1f6c5066d8316cb46

C:\Windows\System\MuvEfYm.exe

MD5 3ddd6345fec51bf2515f9b22f710933d
SHA1 fef80061c90d79f4e680cd2bec5d970e80916ecd
SHA256 d57a604719c8cddbc6ae67385e0f6fb5724d8ec2fc9f926b59ab535a5e2f1eb3
SHA512 866de44b4349e1614494665c10d4760544406eb6f994393194b22e408df438f54856f9829d0f364f4c934074a67c3c88e211c2498f72d48686cfa5e4ac0819f0

C:\Windows\System\HBFRtvj.exe

MD5 071c176e8d71bcd6d40ccac971c66e4a
SHA1 ca7e084e8084f40bb9a0473d5936bd5cd2dabcf7
SHA256 866a2a10dbc01b323e7c6b15140f36d26a0cee3d1c556bca4e7b074e9a603d9e
SHA512 303c7c9a7aff715a5b06d8716484405df811962b0aabdd76bb8ce407e0a58e544b1277dc8aadcc9cf5b7fcca2b1f97f2f2d2d21a21e895ae7bf2f79343b555cb

C:\Windows\System\bLFGMfL.exe

MD5 885f95d509cfeb380675bf79317320a2
SHA1 45ab3d28b17ef223810001c4653d40e3446634fb
SHA256 1cfb63512823741ca5f07050819279436fcf2246f525a26c5e20e5ab7f241f66
SHA512 42533ce7b93c750491c991472592172e25c0941e9e26b385dfa72b1c8e827db7cfae3c4e3fccb404a4bf9e98f6be047d808900274b031cd1cee9435d30120525

C:\Windows\System\SXgMiCv.exe

MD5 6bb5b56727e791dee9f332f665f89f12
SHA1 e2d7c7a9a85b0d5f4374ba01a710ca8212c66dc7
SHA256 4a06558906d3d8dee3959f191cb922d3b349398fff5c01d3c664cb305c0d7271
SHA512 873d28067791f9739920f52b2d2218d09d446fb39ad219772d2deaa29848f86674b4e19f77c2b659155a3d7d0397d8710fa8db9b84208522d5e901267687fa0e

C:\Windows\System\jAgzgIX.exe

MD5 6a58e1d39f0aa6f7ba5edb2990d32596
SHA1 b26ed65fe8eb18768d2d2becf0318d85cb8e07e3
SHA256 8b4e224daa1c09974aa99b6bef1d4b5af3d9fca9d296d00f1448077e4c7f1a58
SHA512 e92a8f22fd3fe621f27c78498b7eca4fd9d4005337fa0e52243a6f1760f7cca3a796afb11e97320d80adc75d7f5036bfac5da988b77059379ef83eb218103987

C:\Windows\System\LUxanxe.exe

MD5 23f8d3b2f31382962b0d12ad1cc129ee
SHA1 72aa263fca4190d85c063845962b015217959712
SHA256 98b26573452f611b45f82e4bfd140b7b09c4b10a7731bd3cd14b8b25ff3ef303
SHA512 2ba79156d6bfb71c3a44ead55e3976aeb063b397a87f9b987b07377dd5ed7ff9272e040909db74d33078e3a8005f58ba847cec8d81592a2511a63b056313b40e

C:\Windows\System\eUIahGc.exe

MD5 0a315cb8824997a804c2208e23fda5fe
SHA1 d41d332d46c4d8c2db4d1816b973c495a6a84479
SHA256 46cdbfc66de8275ca4ec91057d7d0069bac89e16048f1c6bf78631f358bb515b
SHA512 111cb51520ba79081955ba0e63fb6746d0418fa50eb6af4dca27ab52c95d0933733770dbccc4354628ada97611ce9490b0e556606ebf1311e119e5a17acff6bb

C:\Windows\System\umtEkgm.exe

MD5 7a086580c5ed6c7c88d8d8f37fb2ed32
SHA1 a0774fe966b197bf3cfa7803f57e0805deb10b14
SHA256 8b483238607d0638b9de3c189b983e78adf3dd1611c4d3aa63d32348a1ef3fdf
SHA512 a3e552e96b6901a90da423dc08d55999bad73e4e023a20abf1e69f42cf99461a400edc036d64d076e55ca7d106f00977806269fcb20f0bd14a515013f7028e87

C:\Windows\System\jzsWxpF.exe

MD5 8d1e891ccab1999369c4110b28dea216
SHA1 af256f0a2897dfaf71e372d11c5f04998cbc6a86
SHA256 afc851ffeeaaef53cdb86944b9eb1f1680299d2c5fbc9cbc0e894f3bddd9c98d
SHA512 e3ee69b4268c704f38d9a16e9c53eaf8f301004b8644fe9dacb7bb6586d812f1c4e19a7e3f390ce615b436a01108f16e8443f5e3f6f1f76bd0a466c6988b09f7

C:\Windows\System\vFwSNPy.exe

MD5 5ac449747060d6ea1d4d1e88788b314e
SHA1 3955850af1c8f6a62684ab5fd9dc7f46c646a879
SHA256 09a2571078d16045302bb905f7bb5821cecc3bd5c67efbd616bcc00749ec4962
SHA512 a02313f1390045239ff79ebeacbb8267e7551fa646f2149991d079c15f3ff3dd6fd7ec828951697ffa7753bff82907ea5738b6bea284f9f9bc9bde6dc2abff90

Memory regions dumped (PID, image, range, size, dump indices; the PID-to-image mapping is taken from the WriteProcessMemory rows; a region dumped more than once is listed once with all its indices)

PID 3584 parent 0x00007FF7BC7C0000-0x00007FF7BCB14000 size 0x354000 dumps 0, 60
PID 3584 parent 0x000002102C370000-0x000002102C380000 size 0x10000 dump 1
PID 3024 OsqGpgj.exe 0x00007FF7C8210000-0x00007FF7C8564000 size 0x354000 dumps 8, 137
PID 208 SXsqyCu.exe 0x00007FF726280000-0x00007FF7265D4000 size 0x354000 dumps 14, 138
PID 1692 HsVIZVO.exe 0x00007FF62B290000-0x00007FF62B5E4000 size 0x354000 dumps 18, 79, 139
PID 2232 yPtBYWc.exe 0x00007FF79A910000-0x00007FF79AC64000 size 0x354000 dumps 26, 140
PID 3416 rEIhKod.exe 0x00007FF763960000-0x00007FF763CB4000 size 0x354000 dumps 32, 141
PID 2172 KofWoVZ.exe 0x00007FF6856A0000-0x00007FF6859F4000 size 0x354000 dumps 38, 142
PID 2720 JYLpnqS.exe 0x00007FF68FBF0000-0x00007FF68FF44000 size 0x354000 dumps 42, 110, 143
PID 3908 nyKEpQc.exe 0x00007FF7D8DC0000-0x00007FF7D9114000 size 0x354000 dumps 49, 119, 145
PID 5056 PSetYrP.exe 0x00007FF746940000-0x00007FF746C94000 size 0x354000 dumps 58, 144
PID 5100 QNyYuEj.exe 0x00007FF7A6310000-0x00007FF7A6664000 size 0x354000 dumps 63, 131, 146
PID 3780 yVflcIX.exe 0x00007FF714430000-0x00007FF714784000 size 0x354000 dumps 70, 147
PID 4828 MuvEfYm.exe 0x00007FF75C8B0000-0x00007FF75CC04000 size 0x354000 dumps 74, 133, 148
PID 2900 HBFRtvj.exe 0x00007FF7A5CD0000-0x00007FF7A6024000 size 0x354000 dumps 81, 134, 150
PID 4940 SXgMiCv.exe 0x00007FF797B80000-0x00007FF797ED4000 size 0x354000 dumps 95, 151
PID 1128 bLFGMfL.exe 0x00007FF6A3A60000-0x00007FF6A3DB4000 size 0x354000 dumps 97, 149
PID 2260 jAgzgIX.exe 0x00007FF6C75A0000-0x00007FF6C78F4000 size 0x354000 dumps 98, 135, 152
PID 4428 LUxanxe.exe 0x00007FF67CAF0000-0x00007FF67CE44000 size 0x354000 dumps 106, 153
PID 3048 eUIahGc.exe 0x00007FF6011D0000-0x00007FF601524000 size 0x354000 dumps 111, 136, 154
PID 2620 umtEkgm.exe 0x00007FF63BBD0000-0x00007FF63BF24000 size 0x354000 dumps 120, 155
PID 2264 vFwSNPy.exe 0x00007FF725B30000-0x00007FF725E84000 size 0x354000 dumps 127, 156
PID 2372 jzsWxpF.exe 0x00007FF784CE0000-0x00007FF785034000 size 0x354000 dumps 132, 157

All 22 process images occupy exactly 0x354000 bytes (3,489,792), the parent included, while the 21 files on disk all hash differently. That is consistent with size-identical, per-drop-varied copies of the sample rather than a separate second-stage payload, and it means hash-based blocking of the drops will not generalise; the C:\Windows\System\ path pattern and the behaviour above are the durable indicators.
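The observation that every process image is the same size, while every dropped file hashes differently, is worth checking mechanically rather than by eye. The following is an added example, not part of the sandbox report: it parses the report's dump names (memory/PID-INDEX-0xSTART-0xEND-memory.dmp), collapses repeated dumps of the same region, separates image-sized regions from small heap regions, and checks whether all image regions share one size and whether the dropped-file hashes are all distinct. The dump names and hashes are constructed here from a subset of the Files rows above; the 0x100000 image threshold is an assumption chosen to separate the 0x354000 images from the 0x10000 heap region.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Constructed from the report: a subset of its 53 dump names, including one
# region (PID 1692) that the sandbox dumped twice and the parent's small heap.
DUMP_NAMES = [
    "memory/3584-0-0x00007FF7BC7C0000-0x00007FF7BCB14000-memory.dmp",
    "memory/3584-1-0x000002102C370000-0x000002102C380000-memory.dmp",
    "memory/3024-8-0x00007FF7C8210000-0x00007FF7C8564000-memory.dmp",
    "memory/208-14-0x00007FF726280000-0x00007FF7265D4000-memory.dmp",
    "memory/1692-18-0x00007FF62B290000-0x00007FF62B5E4000-memory.dmp",
    "memory/1692-79-0x00007FF62B290000-0x00007FF62B5E4000-memory.dmp",
]

# Constructed from the report: SHA256 of three of the dropped files.
DROP_SHA256 = {
    r"C:\Windows\System\OsqGpgj.exe":
        "4f0850c79b5c5ea243a72c32c1160bac5b3d5bac382ceb9796919bcb6dc424d6",
    r"C:\Windows\System\SXsqyCu.exe":
        "15808b5447334ba4aca55211cdae0daae256ac04c89d9f148eb91d5b09cdd62a",
    r"C:\Windows\System\HsVIZVO.exe":
        "7a8ec44d2d36f65069af0b6ffb8c3ef6a81e059b97818cbd8f640fd83a5ee205",
}


def parse_dump(name):
    """Split one dump name into pid, dump index, start, end and size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """One entry per (pid, start, end) with the set of dump indices taken of it."""
    out = defaultdict(set)
    for d in map(parse_dump, names):
        out[(d["pid"], d["start"], d["end"])].add(d["idx"])
    return dict(out)


def image_regions(names, min_size=0x100000):
    """Regions large enough to be a mapped PE image (assumed threshold); the
    0x10000 heap region of the parent drops out."""
    return {k: v for k, v in regions_by_pid(names).items() if k[2] - k[1] >= min_size}


def uniform_image_size(names):
    """The single image size if every image region is the same size, else None."""
    sizes = {end - start for (_pid, start, end) in image_regions(names)}
    return sizes.pop() if len(sizes) == 1 else None


def all_hashes_distinct(hashes):
    """True when no two dropped files share a hash."""
    return len(set(hashes.values())) == len(hashes)


if __name__ == "__main__":
    print(hex(uniform_image_size(DUMP_NAMES) or 0), all_hashes_distinct(DROP_SHA256))
```

A uniform image size together with all-distinct hashes is the combination that points at self-copies with per-drop variation; a second, differently sized image would instead indicate a genuinely separate payload worth carving out of the dumps.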

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 00:47

Reported

2024-06-07 00:50

Platform

win7-20240221-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 matches recorded for this signature; the sandbox logged no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(61 matches recorded for this signature; the sandbox logged no description, indicator, process or target for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 matches recorded for this signature; the sandbox logged no description, indicator, process or target for any of them)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
(21 identical matches, all attributed to the submitted sample; the loaded module is not recorded in any of them)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(61 matches recorded for this signature; the sandbox logged no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yozivTF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bdTmpHj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cBzMpVc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BthFRqy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yGAcGAx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BFtzmFV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YGkzpep.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LIOaWFr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YIHqDur.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\znOEvIJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EmgQtAG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uUrrRcq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gBudILL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UjRIsOH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NindsaN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MUzOzqD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bzwOfwL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aUAvRZU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hXlbZhW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AfAjanN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fUOoQTt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe N/A
(SeLockMemoryPrivilege, "Lock pages in memory", is the right XMRig enables so it can back its scratchpad with large pages; no account holds it by default, so a user-mode binary enabling it is a strong miner indicator on its own.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\LIOaWFr.exe
PID 2664 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\LIOaWFr.exe
PID 2664 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\LIOaWFr.exe
PID 2664 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\yozivTF.exe
PID 2664 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\yozivTF.exe
PID 2664 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\yozivTF.exe
PID 2664 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\gBudILL.exe
PID 2664 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\gBudILL.exe
PID 2664 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\gBudILL.exe
PID 2664 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\YIHqDur.exe
PID 2664 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\YIHqDur.exe
PID 2664 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\YIHqDur.exe
PID 2664 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\bdTmpHj.exe
PID 2664 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\bdTmpHj.exe
PID 2664 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\bdTmpHj.exe
PID 2664 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\AfAjanN.exe
PID 2664 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\AfAjanN.exe
PID 2664 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\AfAjanN.exe
PID 2664 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\znOEvIJ.exe
PID 2664 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\znOEvIJ.exe
PID 2664 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\znOEvIJ.exe
PID 2664 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\UjRIsOH.exe
PID 2664 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\UjRIsOH.exe
PID 2664 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\UjRIsOH.exe
PID 2664 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\NindsaN.exe
PID 2664 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\NindsaN.exe
PID 2664 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\NindsaN.exe
PID 2664 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\EmgQtAG.exe
PID 2664 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\EmgQtAG.exe
PID 2664 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\EmgQtAG.exe
PID 2664 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\cBzMpVc.exe
PID 2664 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\cBzMpVc.exe
PID 2664 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\cBzMpVc.exe
PID 2664 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\MUzOzqD.exe
PID 2664 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\MUzOzqD.exe
PID 2664 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\MUzOzqD.exe
PID 2664 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\BthFRqy.exe
PID 2664 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\BthFRqy.exe
PID 2664 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\BthFRqy.exe
PID 2664 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\yGAcGAx.exe
PID 2664 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\yGAcGAx.exe
PID 2664 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\yGAcGAx.exe
PID 2664 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\bzwOfwL.exe
PID 2664 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\bzwOfwL.exe
PID 2664 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\bzwOfwL.exe
PID 2664 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\aUAvRZU.exe
PID 2664 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\aUAvRZU.exe
PID 2664 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\aUAvRZU.exe
PID 2664 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\uUrrRcq.exe
PID 2664 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\uUrrRcq.exe
PID 2664 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\uUrrRcq.exe
PID 2664 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\hXlbZhW.exe
PID 2664 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\hXlbZhW.exe
PID 2664 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\hXlbZhW.exe
PID 2664 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\BFtzmFV.exe
PID 2664 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\BFtzmFV.exe
PID 2664 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\BFtzmFV.exe
PID 2664 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\fUOoQTt.exe
PID 2664 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\fUOoQTt.exe
PID 2664 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\fUOoQTt.exe
PID 2664 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\YGkzpep.exe
PID 2664 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\YGkzpep.exe
PID 2664 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe C:\Windows\System\YGkzpep.exe
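
The table above records three writes per child, every one from PID 2664 (the submitted sample) into a process whose image is a seven-letter name under C:\Windows\System. A few writes from a parent into a process it has just created can also be produced by an ordinary CreateProcess call, so the useful part of this signature is the parent-to-child mapping rather than the write itself. The Python below is an added example, not sandbox output and not code from the sample: it parses rows in this table's format into a deduplicated process tree and flags children whose image matches the drop pattern seen here. The sample rows are copied from the table; the seven-letter regex is derived from the names in this report and is an assumption, not a published rule.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the "Suspicious use of WriteProcessMemory"
# table above. The sandbox logs every write separately, so each child shows up
# three times; the main image path is the real one from the report.
MAIN = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe")
SAMPLE_ROWS = "\n".join([
    f"PID 2664 wrote to memory of 2924 N/A {MAIN} C:\\Windows\\System\\LIOaWFr.exe",
    f"PID 2664 wrote to memory of 2924 N/A {MAIN} C:\\Windows\\System\\LIOaWFr.exe",
    f"PID 2664 wrote to memory of 2924 N/A {MAIN} C:\\Windows\\System\\LIOaWFr.exe",
    f"PID 2664 wrote to memory of 2444 N/A {MAIN} C:\\Windows\\System\\yozivTF.exe",
    f"PID 2664 wrote to memory of 2444 N/A {MAIN} C:\\Windows\\System\\yozivTF.exe",
    f"PID 2664 wrote to memory of 2444 N/A {MAIN} C:\\Windows\\System\\yozivTF.exe",
])

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")
# Assumption taken from this report's listing: every dropped name is seven ASCII
# letters directly under C:\Windows\System. This is not a published rule.
RANDOM_DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_write_rows(text):
    """One (parent_pid, child_pid, source_image, target_image) tuple per table row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            parent, child, _indicator, source, target = m.groups()
            rows.append((int(parent), int(child), source, target))
    return rows


def build_process_tree(rows):
    """Collapse repeated writes into one edge per (parent, child), keeping the write count."""
    tree = defaultdict(dict)
    for parent, child, _source, target in rows:
        edge = tree[parent].setdefault(child, {"image": target, "writes": 0})
        edge["writes"] += 1
    return dict(tree)


def is_random_system_drop(image_path):
    """True for the seven-letter *.exe names this sample writes under C:\\Windows\\System."""
    return RANDOM_DROP_RE.match(image_path) is not None


def flag_children(tree):
    """(parent, child, image) for every child whose image matches the drop pattern."""
    return [(parent, child, edge["image"])
            for parent, children in tree.items()
            for child, edge in children.items()
            if is_random_system_drop(edge["image"])]


if __name__ == "__main__":
    tree = build_process_tree(parse_write_rows(SAMPLE_ROWS))
    for parent, child, image in flag_children(tree):
        print(f"{parent} -> {child}  {image}  ({tree[parent][child]['writes']} writes)")
```

Fed the whole table, the tree has a single parent (2664) with 21 children, one per executable in the "Drops file in Windows directory" list, which is the relationship the Processes section below shows only implicitly. C:\Windows\System is a legacy directory under %SystemRoot% that a normal install barely touches, so the path alone is a reasonable hunting pivot on real hosts even without the name heuristic.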

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\LIOaWFr.exe

C:\Windows\System\LIOaWFr.exe

C:\Windows\System\yozivTF.exe

C:\Windows\System\yozivTF.exe

C:\Windows\System\gBudILL.exe

C:\Windows\System\gBudILL.exe

C:\Windows\System\YIHqDur.exe

C:\Windows\System\YIHqDur.exe

C:\Windows\System\bdTmpHj.exe

C:\Windows\System\bdTmpHj.exe

C:\Windows\System\AfAjanN.exe

C:\Windows\System\AfAjanN.exe

C:\Windows\System\znOEvIJ.exe

C:\Windows\System\znOEvIJ.exe

C:\Windows\System\UjRIsOH.exe

C:\Windows\System\UjRIsOH.exe

C:\Windows\System\NindsaN.exe

C:\Windows\System\NindsaN.exe

C:\Windows\System\EmgQtAG.exe

C:\Windows\System\EmgQtAG.exe

C:\Windows\System\cBzMpVc.exe

C:\Windows\System\cBzMpVc.exe

C:\Windows\System\MUzOzqD.exe

C:\Windows\System\MUzOzqD.exe

C:\Windows\System\BthFRqy.exe

C:\Windows\System\BthFRqy.exe

C:\Windows\System\yGAcGAx.exe

C:\Windows\System\yGAcGAx.exe

C:\Windows\System\bzwOfwL.exe

C:\Windows\System\bzwOfwL.exe

C:\Windows\System\aUAvRZU.exe

C:\Windows\System\aUAvRZU.exe

C:\Windows\System\uUrrRcq.exe

C:\Windows\System\uUrrRcq.exe

C:\Windows\System\hXlbZhW.exe

C:\Windows\System\hXlbZhW.exe

C:\Windows\System\BFtzmFV.exe

C:\Windows\System\BFtzmFV.exe

C:\Windows\System\fUOoQTt.exe

C:\Windows\System\fUOoQTt.exe

C:\Windows\System\YGkzpep.exe

C:\Windows\System\YGkzpep.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
(6 connections to the same endpoint; no domain was recorded for any of them)

Files

memory/2664-0-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/2664-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\LIOaWFr.exe

MD5 36668e21035d512493ba1b5197dd15f6
SHA1 9bb07ad67858dab228efa9d30d379ae0f3e554e7
SHA256 03f9c144d63628e5e3fbf386a8bd83f2a423faf922c175ac5028b5c6ba5958aa
SHA512 e4c2f7fc6c48907ab38cd3626d2a8de15bb7b5ce577535c59541ae300d0699c2a6eaaa5f28b0837bc2c8d63393914f447748d9f0d2cd481e05a9bd17bbcea481

memory/2664-6-0x0000000002390000-0x00000000026E4000-memory.dmp

C:\Windows\system\yozivTF.exe

MD5 77c527d10feb863a3286c471e864c573
SHA1 39c2e2350df474f1bc8879daa939ef5cd68514b4
SHA256 582805e84c60c55f81af52b417e94f551ac4f19853382957839c03676c5aa69c
SHA512 8c88718b31534a46f3e6198393063fecc03533cce1eb6deb83e37009ebe2ffe35a8f229bb9322cf099d776ad010d5b68bad79552543f833df9c010b4cabf5ea3

memory/2924-14-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/2444-11-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2556-21-0x000000013FF80000-0x00000001402D4000-memory.dmp

\Windows\system\YIHqDur.exe

MD5 620fa4c5fb93aa32d18bbf01838dd5a1
SHA1 99f3d221324a344edd4621e40531ae7a7620ab48
SHA256 6b33d3210f768b24d714cb3cddb4f7b8e2cc939ad98fc5ef089def799ea671ed
SHA512 563191e766be08e73c8d5753e03d5dcfeb6e5f0d5e5a176737856136bf8c3149f5103ded97cb6dbd0a98257c0b944f2ece75751c8a85afe4a1ec946bf5f4c5c1

memory/2664-24-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2664-20-0x000000013FF80000-0x00000001402D4000-memory.dmp

C:\Windows\system\gBudILL.exe

MD5 22e36bfb89d46e2fee30b484a34d92a4
SHA1 ec22863b8745c5013064cf6ca59c776572676681
SHA256 af7540acfafa922791a0781dc5e067426cec180344ecfb6b7101102b62fcbec7
SHA512 336d962a9cdead20854ac0aa26b5f36b1c8a1695989eb5a5236fdbe34bd2d5b09d118eedb5a8ba3723886f69517a3ab4099a1bcbbcfe542adeec5a55c92abb8c

memory/2752-138-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/2664-137-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/2384-136-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/2664-139-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2336-135-0x000000013F630000-0x000000013F984000-memory.dmp

C:\Windows\system\YGkzpep.exe

MD5 f30803b70b4005cb249cec1406257ef4
SHA1 71246859cf78769a1df1d1f1c324ebb4978963df
SHA256 f6549543f5cb1311b8588d97cf7c19c5688e561232fe9a684224400b3b442517
SHA512 d4482bb783756bdf985506d6d56ec8a51c1d06968358a61c6b61f6e8ea794275e758da10c6d8f2a0314bb6472969f6dbc152249be1b873bf1bb8c75a267561fd

C:\Windows\system\fUOoQTt.exe

MD5 8ae9edbe977de8b85c0f59061d363e16
SHA1 9f41db2cb8a69ea261e922dd7640b93bc6309013
SHA256 f1f496fbb1d5153f3211aed26fafa9fa8ab004e21e7bb7044dd43107e03c1943
SHA512 ea9cafe22ea31988383a0a91789779d8a24788af8c12fc89358947c8aeecc5c253a5d0e092526fc78bcfc339819a21f8b1eb7f8ae5f9108a589853598fa29937

C:\Windows\system\BFtzmFV.exe

MD5 1597aaf72a42a8f833525a6dc8e6c94e
SHA1 31ac0b11f3b46e3e1a27eac7503c4a06470c3b79
SHA256 fc789decc84f0f454112b3824dee96f7e9067be6a0594f6e4287e6bdec32c90a
SHA512 8b1fb1b6453bb45696474eb4a1491c6fb72ef27ab33e8b928bca226566958f30e5ab0ff593222ede7794d476a920fc5b046e5ce3cb59cedd2289f51def1e7cc4

C:\Windows\system\hXlbZhW.exe

MD5 93a14013a6d462785738488fb457b34b
SHA1 66c3c6d9caf8e26c0746577920ca903fffdb0fef
SHA256 02aa51fb80e1ab143aa0161a418dd7d244bf324b842b5e385b4583565a124c25
SHA512 4eff9a28fa435e369b61ab421ba63e975b154cd62f31bd1abef133a47ec73d6286f873353867b40c04dee288f739b173080cb94b5e773be55c51fa4cfe29f42d

C:\Windows\system\uUrrRcq.exe

MD5 3e3be67c96f735ed154acd84291611d9
SHA1 0a41da1b4119b9946b1753c82c8e666290fb007a
SHA256 66df8155b157a332fa01d30ff73409996db4431ec6fcd58da10294713a4ab7a8
SHA512 afedbf266dc95f3aba30f3e16462958aba65a7aae7df34e58190b707db73e8c3f16f52ac8af54cbb0b57edd4aec465ccaf54f574f8e0a50f10a704cc6a42d86e

C:\Windows\system\aUAvRZU.exe

MD5 52def6e6a5d3d0af8d2aff84549beba3
SHA1 42a6c4a51e12667468d23c4fd0d61e3be160939f
SHA256 63f0e2d8bc4ed07a420f4aa8ae1e90ffefa2b38d53132923ce0d8c4a065e4f6d
SHA512 41ba5cfffeac26a0157ddb6a83d790469cc579c5a60cf24d51eb8e838b362c7813cfb9ddc34c9ec91a6d9f788f73ea9dabdd3e17cf7fefdaded1436a1eb66daa

memory/2340-88-0x000000013F320000-0x000000013F674000-memory.dmp

C:\Windows\system\bzwOfwL.exe

MD5 aa57e6da36b3b9a95b1dcc91ad55aeb0
SHA1 3332d8c9835a1a85686ceb8f6267bcb6181b05e0
SHA256 e725ea549193d9f98eb98648be05c109532ca7f2a1d8c65957b551476f4038f6
SHA512 8529bfb0466f9280b775165a3efced6512eb329d849d2cc690b4b954cbff847e3da186a326ab5dd2acb73f7a70729acdc6250e44d9e6360c48346db6bd8e3672

memory/2664-91-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2068-90-0x000000013FCB0000-0x0000000140004000-memory.dmp

C:\Windows\system\yGAcGAx.exe

MD5 87d37f6f049691dca3dc911b98610d62
SHA1 5c821a553b6ee4c86ac6d10c365469034f36f70a
SHA256 74eab57e77efa046db844d994091d3ec9a6fc0f526be921ae923a7184a02f8c1
SHA512 b8f2fc105c96442033faef2f66f9785bec4a659f63e1f2e0787184e67314e01abfd8e29e1fa618886249730eeba1b7161105840402bb12c9077678929093a16e

C:\Windows\system\BthFRqy.exe

MD5 e3af737c690ef0ec84e02e814f3fb6c9
SHA1 5c064d82068623f40eb2cadeae30a603989038d2
SHA256 2a3bf1b96564873a98e8a4cad89e74b101ad97265015c5c842ce8e6936ebf8e7
SHA512 535808e7054089ba06d8af3c290287e43209088e8d04fc6e1c4691194775c0fd0713fb51bdf7e2012c9ee62cc1565ffe5e1761df28a1254b616d13f508a98d36

memory/1964-79-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2664-78-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/2556-77-0x000000013FF80000-0x00000001402D4000-memory.dmp

C:\Windows\system\MUzOzqD.exe

MD5 e5ba3b287db9aec1cbbc9cac4a817a35
SHA1 1ed5f51cffa32f437e2cfb7450f959b9302ce843
SHA256 d23e53c7c00226fa6e973b9b7c499f6fc783e85f877cf0c71a4219610873be03
SHA512 20017a3ed973acf2b791cb972455ae8556ae37269d5e10abcebff46bbbe3815ce55097bce66bdf652e273a980da04b9946d91a2ff15e1eae2ac698da4fd42d1a

memory/2756-72-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2664-71-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2924-70-0x000000013F710000-0x000000013FA64000-memory.dmp

C:\Windows\system\cBzMpVc.exe

MD5 2aef90561fa2ffa2a31d9fef5a5bd87c
SHA1 9761c0035821b7d2c9cb08471e195f8bb6738559
SHA256 663c650e2920c80ba978d9863957e4c5f6ba4207fe375b8002cc049f38e5eab2
SHA512 b3cd7db0b909572586840d8412c16ca4b8fb737ea5bc60e427dd4faf6de0559fbc1a41d70cb425595baccf7c4e4646f57b400c7b9cb6fe77ba6ddfd6214a4097

memory/2752-65-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/2664-64-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/2444-63-0x000000013FD10000-0x0000000140064000-memory.dmp

C:\Windows\system\EmgQtAG.exe

MD5 7f779bfbc949cc455ae96a3106aa26f5
SHA1 a4c20aaa7e9786e63b5d4eaacd75ee3a6d7f51f9
SHA256 78cfdeee936a48a334325966ed4b8cb5d19d7d10e8bb440e4833d6e49d421691
SHA512 c013059e740211b5c70d8b78cd2870bbb77aeeb9a0b1628012726beebf12a495555acac6bc1c875604751c7af9585afefa78ff90866be0292e6fabe409e8da41

memory/2384-58-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/2664-57-0x0000000002390000-0x00000000026E4000-memory.dmp

C:\Windows\system\NindsaN.exe

MD5 dc1d1c99d917c5f36dd450970fb8c1ba
SHA1 ac1c30d949938bbc01dee1f041042124d91ce71c
SHA256 9323720a43dcb2aec5ea0ad8dac0bf1375f44a54ad670cc9b55241b709e0552b
SHA512 4c4a3001add3dbb7f288f14da3c416cd00c2208e98ed37e87d3ef1d851a7e9887c3f705f22de98d4d4e74ea2af4811a02043f3b2d52e1f3ede3b0d4413400d11

memory/2336-52-0x000000013F630000-0x000000013F984000-memory.dmp

C:\Windows\system\UjRIsOH.exe

MD5 73a595c52915abbf0eba9b47da0ad520
SHA1 033e3c46bf74f5fe4e848fc7927433acba102e5e
SHA256 fe924948d2e3c37dc1f3702814443c2b212ee19d0ac15e98c2876ca85bf3dd3a
SHA512 5ae174447911d5d2994258dc8d490e44d86dfae1cdce195a85d2e3ead2d5474ffbdd103c4605c0224244f293907632c774d37ed34621665bc9422c5b32860fd5

memory/2568-47-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2664-46-0x000000013F6D0000-0x000000013FA24000-memory.dmp

C:\Windows\system\znOEvIJ.exe

MD5 702c206e7a1559435cfc7a184c20256b
SHA1 8b8ec06404590607d328cfa1195ea4f6ba11ecf9
SHA256 305dcf5470a18cfaf2622f5f8e64da7421665311b34c36af9702c2aaad07b8b5
SHA512 a53ce0eaefc8735b0709662e4f23f1136cfbef44553e47fd11a52a045eb394e1e7baa63670e0b2f750b5c6acc56a1915103105198cc74889aba69166d131c53e

memory/2356-40-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2664-39-0x000000013FF00000-0x0000000140254000-memory.dmp

C:\Windows\system\AfAjanN.exe

MD5 276048a23a47edaa9c6c65268b9b3b6f
SHA1 588a4d80e9e23affc8c084d852fba162e39069a7
SHA256 2ed764bdbe53a2ad4470ce29665df4df9f4f6d1394a2ea3eab01cbc897074e25
SHA512 e0b001f1d92b0211d9f313f2a657eecfb7aba2bc88cf6dd49fdb57d2a7ac1c2dcc9942c469f1d787fc92c7c0c65862c701ba0e8693b31aab6d37c17cd2db8355

memory/2608-35-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/2664-34-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/2340-28-0x000000013F320000-0x000000013F674000-memory.dmp

C:\Windows\system\bdTmpHj.exe

MD5 1e3ebab2909eb3594f84be7a817c684c
SHA1 de4555322f30bd45042484b82970d34e39bf4bef
SHA256 87c4275c9372494646242cee8c3c68a9051d9b4c16888f4aa0149667f4cb6763
SHA512 f873518b192c47cf1e2629d70320b1264fcf7ea17775695b1b54129d1fb5a1ecdfa67319c01b7405a593eccf74cb5490272874545a4eb5fb964390d5e0fb0a5c

memory/2756-140-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2664-141-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/1964-142-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2664-143-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/1524-144-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/2664-145-0x000000013FCB0000-0x0000000140004000-memory.dmp

memory/2068-146-0x000000013FCB0000-0x0000000140004000-memory.dmp

memory/2664-147-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2444-148-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2924-149-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/2556-150-0x000000013FF80000-0x00000001402D4000-memory.dmp

memory/2608-151-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/1524-155-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/2568-154-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2756-153-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2384-152-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/2336-160-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2356-161-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2752-159-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/1964-158-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2068-157-0x000000013FCB0000-0x0000000140004000-memory.dmp

memory/2340-156-0x000000013F320000-0x000000013F674000-memory.dmp
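
The Files listing mixes dropped-file records (a path followed by four digests) with memory dump names that encode the PID, a sequence number and the dumped address range. Across the whole listing every image-backed region is 0x354000 bytes, while the 21 dropped executables all carry different digests, so a block list built from one file's hash would miss the others; the drop location and the region size are the stable indicators. The Python below is an added example, not part of the sandbox output: it parses a slice of the listing (copied verbatim, with the drive letter C: assumed for the entries that omit it, as the "Drops file in Windows directory" table shows), validates digest lengths, and tallies region sizes per PID.

```python
import re
from collections import Counter

# Constructed sample: a slice of the Files listing above, kept verbatim, including the
# two spellings the report mixes ("\Windows\system\..." with and without the drive).
SAMPLE_FILES = """\
memory/2664-0-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/2664-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\\Windows\\system\\LIOaWFr.exe

MD5 36668e21035d512493ba1b5197dd15f6
SHA1 9bb07ad67858dab228efa9d30d379ae0f3e554e7
SHA256 03f9c144d63628e5e3fbf386a8bd83f2a423faf922c175ac5028b5c6ba5958aa
SHA512 e4c2f7fc6c48907ab38cd3626d2a8de15bb7b5ce577535c59541ae300d0699c2a6eaaa5f28b0837bc2c8d63393914f447748d9f0d2cd481e05a9bd17bbcea481

memory/2664-6-0x0000000002390000-0x00000000026E4000-memory.dmp

C:\\Windows\\system\\yozivTF.exe

MD5 77c527d10feb863a3286c471e864c573
SHA1 39c2e2350df474f1bc8879daa939ef5cd68514b4
SHA256 582805e84c60c55f81af52b417e94f551ac4f19853382957839c03676c5aa69c
SHA512 8c88718b31534a46f3e6198393063fecc03533cce1eb6deb83e37009ebe2ffe35a8f229bb9322cf099d776ad010d5b68bad79552543f833df9c010b4cabf5ea3

memory/2924-14-0x000000013F710000-0x000000013FA64000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def normalise_path(path):
    """Prefix the drive the 'Drops file' table shows (C:) when the listing omits it (assumption)."""
    return path if re.match(r"^[A-Za-z]:\\", path) else "C:" + path


def parse_files_block(text):
    """Split the Files listing into dropped-file records and memory-dump regions."""
    dropped, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            # A digest of the wrong length means a truncated copy, not a usable IOC.
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} for {current['path']} has {len(digest)} hex digits")
            current[algo.lower()] = digest
            continue
        current = {"path": normalise_path(line)}
        dropped.append(current)
    return dropped, dumps


def region_sizes(dumps):
    """How many dumped regions there are of each size, in bytes."""
    return Counter(d["end"] - d["start"] for d in dumps)


def pids_with_region(dumps, size):
    """PIDs that hold at least one dumped region of exactly `size` bytes."""
    return sorted({d["pid"] for d in dumps if d["end"] - d["start"] == size})


def distinct_digests(dropped, algo="sha256"):
    """Distinct digests across the dropped files; one per file means no two are identical."""
    return {d[algo] for d in dropped if algo in d}


if __name__ == "__main__":
    dropped, dumps = parse_files_block(SAMPLE_FILES)
    for d in dropped:
        print(d["path"], d["sha256"])
    print({hex(k): v for k, v in region_sizes(dumps).items()})
```

Run over the full Files section, the same functions give one 0x354000-byte region per child PID and, for PID 2664, a second region of that size at 0x2390000 that lies outside the image mapping; the report does not say what that region holds, so answering that needs the dump itself rather than the listing.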