Malware Analysis Report

2025-04-19 17:32

Sample ID 240527-hl3pzabe5v
Target 2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike
SHA256 27b9b2e874fd961244b9b951333a8f1a43c3e2e7b1bf5bdf6ef8f544ea758948
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

27b9b2e874fd961244b9b951333a8f1a43c3e2e7b1bf5bdf6ef8f544ea758948

Threat Level: Known bad

The file 2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

Cobaltstrike

xmrig

Cobalt Strike reflective loader

XMRig Miner payload

Cobaltstrike family

Xmrig family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Note on the verdict: the Cobalt Strike and XMRig labels come from static and memory signature matches whose indicators are not recorded in this report (every indicator cell is N/A). The behavioural evidence that is recorded, namely the SeLockMemoryPrivilege request (the privilege needed for large-page allocations, which XMRig asks for), 21 unsigned executables with random seven-letter names dropped under C:\Windows\System and each mapped as a 0x354000-byte image, and a single outbound TCP destination on port 8080, supports a packed loader with a miner payload. Confirm the Cobalt Strike component against the OEP memory dumps before reporting it as a beacon.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-27 06:50

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
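The static signatures above say the sample is UPX-packed and that the sandbox dumped the unpacked image once execution reached the original entry point. The following is an added example written for this page, not code from the report or from any tool it names. It shows the check an analyst makes before trusting such a verdict: parse the PE section table and look for the UPX layout, an empty-on-disk UPX0 (the unpack destination) beside a high-entropy UPX1 (the compressed image). It builds two constructed PE32+ images in memory so that it runs offline; the build_pe helper, its layout constants and the 7.0 bits/byte threshold are assumptions for testing only. If the check holds and the UPX header is untouched, upx -d recovers the original file; a build with renamed sections or a stripped header needs the OEP dump instead.

```python
"""Static triage for a UPX-packed PE: parse the section table, flag the UPX0/UPX1
layout and measure per-section entropy. Assumes the standard PE/COFF chain
MZ -> e_lfanew -> PE signature -> COFF header -> optional header -> section table."""
import math
import struct
from collections import Counter


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for a uniform byte distribution."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_sections(pe: bytes):
    """Return one dict per section: name, virtual size, raw size on disk, entropy of raw data."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)        # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)   # COFF SizeOfOptionalHeader
    sec_off = e_lfanew + 24 + opt_size                         # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsec):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, sec_off + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": shannon_entropy(raw)})
    return sections


def upx_indicators(sections):
    """Reasons the section table looks UPX-packed; an empty list means nothing suspicious."""
    reasons = []
    if any(s["name"].startswith("UPX") for s in sections):
        reasons.append("UPX* section names")
    # Renamed-section builds defeat the name check; the layout itself does not: a large
    # section with no bytes on disk next to a high-entropy section holding the packed image.
    empty_big = [s for s in sections if s["raw_size"] == 0 and s["virtual_size"] >= 0x10000]
    dense = [s for s in sections if s["raw_size"] and s["entropy"] > 7.0]  # assumed threshold
    if empty_big and dense:
        reasons.append(f"{empty_big[0]['name']} empty on disk ({empty_big[0]['virtual_size']:#x} bytes "
                       f"in memory) beside high-entropy {dense[0]['name']} "
                       f"({dense[0]['entropy']:.2f} bits/byte)")
    return reasons


def build_pe(spec):
    """Constructed PE32+ image for offline testing; spec = [(name, virtual_size, raw_bytes), ...]."""
    opt_size, nsec, align = 0xF0, len(spec), 0x200
    hdr_len = 64 + 4 + 20 + opt_size + 40 * nsec
    raw_base = (hdr_len + align - 1) // align * align
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, opt_size, 0x22)
    headers, body, vaddr = bytearray(), bytearray(), 0x1000
    for name, vsize, raw in spec:
        ptr = raw_base + len(body) if raw else 0
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                               len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        vaddr += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + bytes(opt_size) + headers
    return bytes(image + bytes(raw_base - len(image)) + body)


# Constructed samples: a UPX-style layout and a plain unpacked layout (with a big .bss).
PACKED = build_pe([(b"UPX0", 0x300000, b""),
                   (b"UPX1", 0x50000, bytes(range(256)) * 64),
                   (b".rsrc", 0x1000, b"\0" * 0x200)])
PLAIN = build_pe([(b".text", 0x2000, b"\x90" * 0x2000),
                  (b".data", 0x1000, b"ABCD" * 0x100),
                  (b".bss", 0x20000, b"")])

if __name__ == "__main__":
    for label, pe in (("packed", PACKED), ("plain", PLAIN)):
        print(label, upx_indicators(parse_sections(pe)) or "no UPX indicators")
```

The PLAIN image has a large empty .bss but no high-entropy section, which is why the layout rule requires both halves; a packed binary with a renamed UPX0 still trips the second reason.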

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 06:50

Reported

2024-05-27 06:52

Platform

win7-20240221-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches; no description, indicator, process or target recorded for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 matches; no description, indicator, process or target recorded for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(58 matches; no description, indicator, process or target recorded for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
(61 matches; no description, indicator, process or target recorded for any of them)

Loads dropped DLL

Description Indicator Process Target
(21 loads, all by C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe; no description, indicator or target recorded)

UPX packed file

upx
Description Indicator Process Target
(58 matches; no description, indicator, process or target recorded for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\zyCYHuZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WQDszuz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mKdcbzP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LrtzQxF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dStkkYR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RLCNemZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JHKcXgY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\onouNdH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VRkbipI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fqNwZua.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AfSgWdV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YLwLodl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sKhddsH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aEhwFfg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\swmtOff.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vcJNtLq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TzFLNTW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AXhWwbF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ddAuABI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vmkhKAk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Cvmkyym.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege is the privilege a process needs to call VirtualAlloc with MEM_LARGE_PAGES; XMRig enables it to back its RandomX dataset and scratchpads with large pages. A user-mode process enabling this privilege is a useful miner indicator because few desktop programs ask for it, though database servers and hypervisors legitimately do.

Suspicious use of WriteProcessMemory

Description Indicator Target
(writer for every row: C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe, PID 1964; each child was written to three times and is listed once)
PID 1964 wrote to memory of 1208 N/A C:\Windows\System\YLwLodl.exe
PID 1964 wrote to memory of 2692 N/A C:\Windows\System\zyCYHuZ.exe
PID 1964 wrote to memory of 2964 N/A C:\Windows\System\RLCNemZ.exe
PID 1964 wrote to memory of 2560 N/A C:\Windows\System\TzFLNTW.exe
PID 1964 wrote to memory of 2656 N/A C:\Windows\System\JHKcXgY.exe
PID 1964 wrote to memory of 2664 N/A C:\Windows\System\sKhddsH.exe
PID 1964 wrote to memory of 1732 N/A C:\Windows\System\WQDszuz.exe
PID 1964 wrote to memory of 2436 N/A C:\Windows\System\aEhwFfg.exe
PID 1964 wrote to memory of 2472 N/A C:\Windows\System\onouNdH.exe
PID 1964 wrote to memory of 2812 N/A C:\Windows\System\AXhWwbF.exe
PID 1964 wrote to memory of 1696 N/A C:\Windows\System\swmtOff.exe
PID 1964 wrote to memory of 2300 N/A C:\Windows\System\VRkbipI.exe
PID 1964 wrote to memory of 1488 N/A C:\Windows\System\mKdcbzP.exe
PID 1964 wrote to memory of 1464 N/A C:\Windows\System\ddAuABI.exe
PID 1964 wrote to memory of 1900 N/A C:\Windows\System\vcJNtLq.exe
PID 1964 wrote to memory of 2200 N/A C:\Windows\System\fqNwZua.exe
PID 1964 wrote to memory of 360 N/A C:\Windows\System\AfSgWdV.exe
PID 1964 wrote to memory of 1916 N/A C:\Windows\System\LrtzQxF.exe
PID 1964 wrote to memory of 2336 N/A C:\Windows\System\vmkhKAk.exe
PID 1964 wrote to memory of 1300 N/A C:\Windows\System\Cvmkyym.exe
PID 1964 wrote to memory of 1236 N/A C:\Windows\System\dStkkYR.exe

A few writes into each freshly created child is commonly the footprint CreateProcess itself leaves when the parent populates the new process's parameters, so this table confirms that the sample launched the 21 files it dropped but is not on its own evidence of code injection into them; the injection verdict rests on the reflective-loader and OEP-dump signatures above.
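The two tables above, the 21 drops under C:\Windows\System and the writes into each child, together form the pattern worth detecting: one process staging many randomly named executables in a system directory and then launching and writing into every one of them. The following is an added example written for this page, not part of the report, that parses rows in the report's own row format and flags that pattern. The rows are constructed from four of the 21 children plus two benign rows, and the sample path is shortened to a stand-in for readability; the threshold of three staged executables is an assumption.

```python
"""Flag a parent that stages several randomly named executables under C:\\Windows\\System
and then writes into the memory of each of them, from rows in the sandbox report's format."""
import re
from collections import defaultdict

# Row shapes from the "Drops file in Windows directory" and "Suspicious use of
# WriteProcessMemory" tables; the Indicator column is always N/A in this report.
DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Seven-letter stem directly under C:\Windows\System (not System32).
STAGED_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# Shortened stand-in for the report's sample path (assumption, for readability).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"


def drop_row(name):
    return f"File created C:\\Windows\\System\\{name}.exe {SAMPLE} N/A"


def write_row(child_pid, name):
    return f"PID 1964 wrote to memory of {child_pid} N/A {SAMPLE} C:\\Windows\\System\\{name}.exe"


# Constructed rows modelled on the report: four of its 21 children, the triple write the
# sandbox records per child, and two benign rows that must not fire.
EVENTS = (
    [drop_row(n) for n in ("YLwLodl", "zyCYHuZ", "RLCNemZ", "TzFLNTW")]
    + [write_row(1208, "YLwLodl")] * 3 + [write_row(2692, "zyCYHuZ")] * 3
    + [write_row(2964, "RLCNemZ")] * 3 + [write_row(2560, "TzFLNTW")] * 3
    + [r"File created C:\ProgramData\Vendor\updater.exe C:\Users\Admin\Downloads\setup.exe N/A",
       r"PID 4000 wrote to memory of 4100 N/A C:\Windows\System32\svchost.exe C:\Windows\System32\WerFault.exe"]
)


def analyse(rows):
    """Per acting process: the staged executables it dropped and the children it wrote into."""
    per_proc = defaultdict(lambda: {"staged": set(), "children": {}})
    for row in rows:
        m = DROP_RE.match(row)
        if m:
            target, proc = m.groups()
            if STAGED_RE.match(target):
                per_proc[proc]["staged"].add(target)
            continue
        m = WPM_RE.match(row)
        if m:
            _parent_pid, child_pid, proc, target = m.groups()
            # The sandbox logs each child three times; keying on the child PID collapses that.
            per_proc[proc]["children"][int(child_pid)] = target
    return dict(per_proc)


def flag(per_proc, min_staged=3):
    """Processes that staged at least min_staged executables and wrote into every one of them."""
    hits = []
    for proc, info in per_proc.items():
        written_to = set(info["children"].values())
        if len(info["staged"]) >= min_staged and info["staged"] <= written_to:
            hits.append(proc)
    return hits


if __name__ == "__main__":
    findings = analyse(EVENTS)
    for proc in flag(findings):
        print(proc, "staged", len(findings[proc]["staged"]), "children", sorted(findings[proc]["children"]))
```

Requiring the staged set to be a subset of the written-to set is what separates this from an installer that drops files it never launches, and the directory plus name-shape test keeps ordinary parent-child writes (svchost.exe into WerFault.exe in the benign row) out of the hit list.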

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe (PID 1964)
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe"

Child processes, in the order recorded; each ran with its own path as the command line, and the PIDs are those the sample (PID 1964) wrote into in the WriteProcessMemory table:

C:\Windows\System\YLwLodl.exe (PID 1208)
C:\Windows\System\zyCYHuZ.exe (PID 2692)
C:\Windows\System\RLCNemZ.exe (PID 2964)
C:\Windows\System\TzFLNTW.exe (PID 2560)
C:\Windows\System\JHKcXgY.exe (PID 2656)
C:\Windows\System\sKhddsH.exe (PID 2664)
C:\Windows\System\WQDszuz.exe (PID 1732)
C:\Windows\System\aEhwFfg.exe (PID 2436)
C:\Windows\System\onouNdH.exe (PID 2472)
C:\Windows\System\AXhWwbF.exe (PID 2812)
C:\Windows\System\swmtOff.exe (PID 1696)
C:\Windows\System\VRkbipI.exe (PID 2300)
C:\Windows\System\mKdcbzP.exe (PID 1488)
C:\Windows\System\ddAuABI.exe (PID 1464)
C:\Windows\System\vcJNtLq.exe (PID 1900)
C:\Windows\System\fqNwZua.exe (PID 2200)
C:\Windows\System\AfSgWdV.exe (PID 360)
C:\Windows\System\LrtzQxF.exe (PID 1916)
C:\Windows\System\vmkhKAk.exe (PID 2336)
C:\Windows\System\Cvmkyym.exe (PID 1300)
C:\Windows\System\dStkkYR.exe (PID 1236)

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp (6 connections)

All six connections went to the same address and port with no DNS lookup and no recorded application-layer data, so this capture does not show what protocol runs on 8080 or which payload (miner or beacon) opened the socket. For hunting, the actionable items are the hard-coded address and repeated outbound TCP/8080 to it; confirm the protocol from a full packet capture before labelling it as a Cobalt Strike listener or a mining pool.

Files

Twenty of the 21 dropped executables have hashes recorded below; aEhwFfg.exe (PID 2436) appears in the process and memory data but has no hash entry. All 20 hash sets are distinct, yet every image-sized memory region dumped from the parent and the children spans exactly 0x354000 bytes (the one exception, memory/1964-1, is a 0x10000-byte non-image region). The dropper therefore writes a differently hashed copy for each file in a single run; use the hashes as a secondary control and hunt on the C:\Windows\System path pattern and the image size instead.

memory/1964-0-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/1964-1-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

\Windows\system\YLwLodl.exe

MD5 dc5f5e05ff5b295b985e99cd8d995e73
SHA1 aa721ded31698b49ea1ee39e60f7516bfc846bf8
SHA256 7b5af15a6515f2168abe5b41e9767c45d013183ff580a0963bc3448c4b5cecbf
SHA512 0a2d88936abd66a7cf9e9bf2f7230f4ab75696f0155e6d2e9cd80e2f2f74aeab5e6e72a852a3ded1d7b98a1d9187fcccc3ca5564ec7b424310864aaca2d3fb7c

memory/1964-6-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/1208-9-0x000000013F920000-0x000000013FC74000-memory.dmp

\Windows\system\zyCYHuZ.exe

MD5 dde3a75dc792c46a47c80a99405d7785
SHA1 94c7ac5d7b8cac7003ffdad3570ec5d65800d2bb
SHA256 2a6e2800dd6f263555c59c3b6b543f7fb11d0255a2dc1d65302162c96a78c173
SHA512 fd6d80a51566bca495bdb2ac34f864cdf476320e961f228eeffb0509d076e6dd2a4268bb74cc3b8cd73a8e4026903a584a543756ed47a5a05ad3cecbbc6a0f84

memory/1964-17-0x000000013F9F0000-0x000000013FD44000-memory.dmp

memory/2692-22-0x000000013F9F0000-0x000000013FD44000-memory.dmp

C:\Windows\system\RLCNemZ.exe

MD5 94377345d4845bf09909e87cf9c2582f
SHA1 b4e9adcda6654285ff038b5572da3261ce41bf98
SHA256 c5c0fda31b8cebdbc9322b628110d458855fa70b060491a32984007856579d2d
SHA512 345509cfd2b20a5037ec9024cf5cd7a0d92561ec483ce632aa4b3bcc1d5a91c26ab503db53966258b61a312b6b64b996d2260aded404787b3fa361536d97713c

\Windows\system\TzFLNTW.exe

MD5 587d3749f203355df5751643f673613a
SHA1 20a8fa2671541f74c3d304d7764aa0f670d4a38b
SHA256 15352dc43c70b73894ed29d2ba53244384ebfdcf83629a88fb47778c668965e5
SHA512 65d38db2ed82c36d7f5ea3c950c90e0fdfb7937fa034fe69d6708404af73004c8fd08995c77adf25782050d494d0eda9db8e4082710fa44dfa52e8808a00f1dd

memory/2656-36-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

C:\Windows\system\JHKcXgY.exe

MD5 43a63208272c93e0f5cd8c30acc77d4a
SHA1 daeeeaa5fb7880d1e834f547f4d0fca7d6b8d5ac
SHA256 9d534c7fea73368cd5ccdc970d2e9c100eeef6c211ff2c3d803155ce6a59a4fc
SHA512 3035234a0fa2aa9ef4b931ca6476318be53d58708c629b372060162b6f48410d170edfef63efcdb272a4290c334673b5c7f744a66de5ac2e43b1db208c1a340f

memory/2560-34-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/1964-33-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/1964-29-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/1964-28-0x000000013FB10000-0x000000013FE64000-memory.dmp

memory/2964-27-0x000000013FB10000-0x000000013FE64000-memory.dmp

C:\Windows\system\sKhddsH.exe

MD5 e3fe1ea1ad00bc3e2e45f548c4b0adae
SHA1 b2025fb7357270d4a893faaec1887ae23c6629ed
SHA256 ae4c71db9a5c07fcfa2fb330935e381291277df067be5b0042278a9149eb62bd
SHA512 c7424af2c126b6633fbbb8ae50362d123b80a266d8c661a3e64e6c617236b365a564ec19c3087e13dfe17337196c1aa02e5bd5805f4c3f8aa040bbdf60cb3b69

memory/2664-49-0x000000013F890000-0x000000013FBE4000-memory.dmp

memory/1964-47-0x000000013F890000-0x000000013FBE4000-memory.dmp

C:\Windows\system\WQDszuz.exe

MD5 d0bd2d997671baaab2c56a4810fe6b09
SHA1 bb371c2ad922a266506bfc9e223104b2e9b4e977
SHA256 d3013220b83369ddbccb65cec7e62f7128f13542595f86895efe74c1d33f5308
SHA512 14e0e58fa03854c999cbfea10f214926ce716f7aede76c80bd525beb0f6cc2edf5af490efe2e1af8483239c8e79ab18c222345d9f5e6fd152145c3bc50c5be54

memory/1732-53-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2436-58-0x000000013F3E0000-0x000000013F734000-memory.dmp

\Windows\system\VRkbipI.exe

MD5 68bc28b73e126f556b632a9afad0bb10
SHA1 dc98e68061beadec3970ad5d408a1909e15da72b
SHA256 c035572b8ff0163a689c2a1dd9579f3ee901a081e859f19b37c9168ea8ffa7d3
SHA512 adc3abfb49f64fb33f2d8fde36416889f84b6b210a12f9f022c776bb2b80414562dadef412584803a0f15199ca278a053dde508e2e12825f176ad993dfded77a

C:\Windows\system\AXhWwbF.exe

MD5 818e45cdfb7626658ec36acb63e0561b
SHA1 0bb32383c782bd2bc54d8a718e0b9da0e4f50e42
SHA256 b33e64c9fa64ba9978776270f315c7559e8b0848b6b2c9699f3a9b0665460cb2
SHA512 79ecca2ed9a077acb5f27cea4cb98cef55266097f6425e32606a1602614ec66abe8ce7dc37c929778f735843916711b75e2d08a5041c35be9e661d43fe6e91a8

\Windows\system\vcJNtLq.exe

MD5 b83725cfa56cb1ec6630bd6c0e4ec4da
SHA1 c5249cdeff4f0085bb3a3319066c5ab4ad5ccc3e
SHA256 b06cbc331e2fca2e0fa5c4ab22907eecf82fead6da3002d19c739c9ea3a47326
SHA512 fe30822db236eabcb43acc46c3bb448d4f07e16fce6d88719ca65f8c5eff112e5a654664ca311c77f9fd4ece6f64b71d0a7d3e02637a1b6f5882b67a8109a7e9

memory/1208-92-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/1964-88-0x000000013F7C0000-0x000000013FB14000-memory.dmp

memory/2300-110-0x000000013FC30000-0x000000013FF84000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 06:50

Reported

2024-05-27 06:52

Platform

win10v2004-20240426-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\qYfRuDJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UyyeFfh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XISSJaa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sTtovNB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JnXzYOT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pLAHrbi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aiHXtOT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sUTsCqB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tHjWivQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ubLRzZT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uIuKwaR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RgTOuvr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LhwYKVW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ACdsnwc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bvYzzDd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gMktBTB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GiFZGgW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oWtAhed.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QggPsyB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gsBcrbI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VrgROXq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3420 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\bvYzzDd.exe
PID 3420 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\bvYzzDd.exe
PID 3420 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\LhwYKVW.exe
PID 3420 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\LhwYKVW.exe
PID 3420 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ACdsnwc.exe
PID 3420 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ACdsnwc.exe
PID 3420 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\tHjWivQ.exe
PID 3420 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\tHjWivQ.exe
PID 3420 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\aiHXtOT.exe
PID 3420 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\aiHXtOT.exe
PID 3420 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ubLRzZT.exe
PID 3420 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ubLRzZT.exe
PID 3420 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\gsBcrbI.exe
PID 3420 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\gsBcrbI.exe
PID 3420 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\sUTsCqB.exe
PID 3420 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\sUTsCqB.exe
PID 3420 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\qYfRuDJ.exe
PID 3420 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\qYfRuDJ.exe
PID 3420 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\UyyeFfh.exe
PID 3420 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\UyyeFfh.exe
PID 3420 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\XISSJaa.exe
PID 3420 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\XISSJaa.exe
PID 3420 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\VrgROXq.exe
PID 3420 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\VrgROXq.exe
PID 3420 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\sTtovNB.exe
PID 3420 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\sTtovNB.exe
PID 3420 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\GiFZGgW.exe
PID 3420 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\GiFZGgW.exe
PID 3420 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\uIuKwaR.exe
PID 3420 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\uIuKwaR.exe
PID 3420 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\oWtAhed.exe
PID 3420 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\oWtAhed.exe
PID 3420 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\QggPsyB.exe
PID 3420 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\QggPsyB.exe
PID 3420 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JnXzYOT.exe
PID 3420 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JnXzYOT.exe
PID 3420 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\gMktBTB.exe
PID 3420 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\gMktBTB.exe
PID 3420 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\RgTOuvr.exe
PID 3420 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\RgTOuvr.exe
PID 3420 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\pLAHrbi.exe
PID 3420 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe C:\Windows\System\pLAHrbi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\bvYzzDd.exe

C:\Windows\System\bvYzzDd.exe

C:\Windows\System\LhwYKVW.exe

C:\Windows\System\LhwYKVW.exe

C:\Windows\System\ACdsnwc.exe

C:\Windows\System\ACdsnwc.exe

C:\Windows\System\tHjWivQ.exe

C:\Windows\System\tHjWivQ.exe

C:\Windows\System\aiHXtOT.exe

C:\Windows\System\aiHXtOT.exe

C:\Windows\System\ubLRzZT.exe

C:\Windows\System\ubLRzZT.exe

C:\Windows\System\gsBcrbI.exe

C:\Windows\System\gsBcrbI.exe

C:\Windows\System\sUTsCqB.exe

C:\Windows\System\sUTsCqB.exe

C:\Windows\System\qYfRuDJ.exe

C:\Windows\System\qYfRuDJ.exe

C:\Windows\System\UyyeFfh.exe

C:\Windows\System\UyyeFfh.exe

C:\Windows\System\XISSJaa.exe

C:\Windows\System\XISSJaa.exe

C:\Windows\System\VrgROXq.exe

C:\Windows\System\VrgROXq.exe

C:\Windows\System\sTtovNB.exe

C:\Windows\System\sTtovNB.exe

C:\Windows\System\GiFZGgW.exe

C:\Windows\System\GiFZGgW.exe

C:\Windows\System\uIuKwaR.exe

C:\Windows\System\uIuKwaR.exe

C:\Windows\System\oWtAhed.exe

C:\Windows\System\oWtAhed.exe

C:\Windows\System\QggPsyB.exe

C:\Windows\System\QggPsyB.exe

C:\Windows\System\JnXzYOT.exe

C:\Windows\System\JnXzYOT.exe

C:\Windows\System\gMktBTB.exe

C:\Windows\System\gMktBTB.exe

C:\Windows\System\RgTOuvr.exe

C:\Windows\System\RgTOuvr.exe

C:\Windows\System\pLAHrbi.exe

C:\Windows\System\pLAHrbi.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
