Malware Analysis Report

2025-03-15 08:09

Sample ID: 240530-jc1dxsbg78
Target: 2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike
SHA256: 3c10e9ed7768da7db97ea1508565b94384be210794aa7fa01bb0a732fc5253f5
Tags: upx 0 miner cobaltstrike xmrig backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 3c10e9ed7768da7db97ea1508565b94384be210794aa7fa01bb0a732fc5253f5
Threat Level: Known bad

The file 2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags: upx 0 miner cobaltstrike xmrig backdoor trojan

Detects Reflective DLL injection artifacts
xmrig
Cobaltstrike
Xmrig family
Cobaltstrike family
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobalt Strike reflective loader
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-30 07:32

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-30 07:32
Reported: 2024-05-30 07:34
Platform: win7-20240508-en
Max time kernel: 143s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Process: C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe
Description: File created (Indicator and Target are N/A for every row)

Files created:
C:\Windows\System\GaJcnKk.exe
C:\Windows\System\KRAWUog.exe
C:\Windows\System\YRqeWBW.exe
C:\Windows\System\hrlgyOD.exe
C:\Windows\System\wMHyQXj.exe
C:\Windows\System\gezAjRj.exe
C:\Windows\System\yPGPiOO.exe
C:\Windows\System\wMwUIqo.exe
C:\Windows\System\nqynuTR.exe
C:\Windows\System\FmsAdfq.exe
C:\Windows\System\fYdEKlX.exe
C:\Windows\System\JeiCgdA.exe
C:\Windows\System\OKTaIRZ.exe
C:\Windows\System\zESCxDf.exe
C:\Windows\System\MbVmrRC.exe
C:\Windows\System\EljGcjS.exe
C:\Windows\System\IXausxu.exe
C:\Windows\System\exliNCC.exe
C:\Windows\System\LcNcraQ.exe
C:\Windows\System\oNqMzKE.exe
C:\Windows\System\TLZFFYu.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Source process: PID 1660, C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe
Indicator: N/A for every row

Target PID  Target
2932  C:\Windows\System\zESCxDf.exe
2368  C:\Windows\System\MbVmrRC.exe
1008  C:\Windows\System\wMwUIqo.exe
2872  C:\Windows\System\YRqeWBW.exe
2676  C:\Windows\System\LcNcraQ.exe
2768  C:\Windows\System\hrlgyOD.exe
1876  C:\Windows\System\oNqMzKE.exe
2880  C:\Windows\System\EljGcjS.exe
2704  C:\Windows\System\TLZFFYu.exe
2636  C:\Windows\System\nqynuTR.exe
2480  C:\Windows\System\fYdEKlX.exe
2540  C:\Windows\System\wMHyQXj.exe
1668  C:\Windows\System\JeiCgdA.exe
2268  C:\Windows\System\IXausxu.exe
2104  C:\Windows\System\exliNCC.exe
1616  C:\Windows\System\FmsAdfq.exe
2152  C:\Windows\System\GaJcnKk.exe
1828  C:\Windows\System\gezAjRj.exe
1656  C:\Windows\System\OKTaIRZ.exe
1424  C:\Windows\System\yPGPiOO.exe
2128  C:\Windows\System\KRAWUog.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe"

Dropped executables, each started with its own path as the command line:
C:\Windows\System\zESCxDf.exe
C:\Windows\System\MbVmrRC.exe
C:\Windows\System\wMwUIqo.exe
C:\Windows\System\YRqeWBW.exe
C:\Windows\System\LcNcraQ.exe
C:\Windows\System\hrlgyOD.exe
C:\Windows\System\oNqMzKE.exe
C:\Windows\System\EljGcjS.exe
C:\Windows\System\TLZFFYu.exe
C:\Windows\System\nqynuTR.exe
C:\Windows\System\fYdEKlX.exe
C:\Windows\System\wMHyQXj.exe
C:\Windows\System\JeiCgdA.exe
C:\Windows\System\IXausxu.exe
C:\Windows\System\exliNCC.exe
C:\Windows\System\FmsAdfq.exe
C:\Windows\System\GaJcnKk.exe
C:\Windows\System\gezAjRj.exe
C:\Windows\System\OKTaIRZ.exe
C:\Windows\System\yPGPiOO.exe
C:\Windows\System\KRAWUog.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain) tcp (6 identical entries)

Files

memory/1660-0-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/1660-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\zESCxDf.exe

MD5 b5f33c9e71b289396cf772da880461fe
SHA1 5766db873b35475b14d23b63bba3f61ccef42ee2
SHA256 4184e3a86c5749a3bdf4291fa6944f069ffab2400f1685be0a95e1d537c50129
SHA512 4f5a1fb0acc42fab86e96948d6ac1a2265502869192b4a3a983373d2ea09c866f62c9bb7632a18c25acf6bc96ae0b1f07d2d64a4ed4e2cab5a8b5f0dc0774ec7

memory/1660-6-0x000000013F3E0000-0x000000013F731000-memory.dmp

memory/2932-8-0x000000013F3E0000-0x000000013F731000-memory.dmp

C:\Windows\system\MbVmrRC.exe

MD5 d880010cd17d2f4d6f06cb91c863a511
SHA1 f1c63766a8fa2375380d038bbc950f4d4e3393ad
SHA256 52e743a225baecdb569ad4577158c8f455625e1944e356bb63dc979f0574816c
SHA512 3eddc390794b1a72dfca5b572552f30992878a46eaca6bebc0bca0ccd5447682f4571adc2af903417629e15b811b2540d6e35d831d1156bc09905accb81fd5dd

memory/2368-14-0x000000013F240000-0x000000013F591000-memory.dmp

C:\Windows\system\wMwUIqo.exe

MD5 a596ee33515c1f708048f0f39699edc4
SHA1 3d23c5ccff71a89f814134f8040783153d7ce8eb
SHA256 60e46e520a20fa459db183747242746966b329d484539758620684d9c55c2f6b
SHA512 859a3efd7fb7b3f605fd2ff3e3473e02bd897270e92e0b03850d23e84a7c95b00aee487e18e1b1e1ec2dba8e1c3f1638e4aa878770b154bc9095e8cb37630907

C:\Windows\system\YRqeWBW.exe

MD5 401df8fcded4f6042983de6a1cfa8eae
SHA1 4bfc29ec2740a1c723a977bb3cdf08591206221f
SHA256 40caee777c5818b3a404b6dbf75934b94a96f647c875b2665e26e7e68367f311
SHA512 92873df79fff68c6a789ccbc10cdb8df183f131a25a255ef565ecb96c48879ee87ea2bdac18b2549bcd070e0b6f8b0c69813765d06d0a1e32686a6ed3a16b38d

memory/2872-28-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

C:\Windows\system\hrlgyOD.exe

MD5 d2ce23754f8d3efe766f608136158109
SHA1 368b2c404c71810730f23411f32edd0d5a8bc677
SHA256 e3f7793cba46637d393a6c4e723e2990ffe40294c45ac461232e8805afae1b54
SHA512 470f0277b735f9961a54dc7bda4f17b3129a091755a4df5c863cefe198f8a664e95b2b8d9eca7ea6d54a7ba76b6bec89a4f8ce9c069f7086a083535b802220fb

\Windows\system\LcNcraQ.exe

MD5 90a2d0223da10a0cec14adf32dbf9427
SHA1 78b458c60e374acb77bbc6a9ae498f4afd7c7bba
SHA256 6bbe4ba27d2a3c5d9c3375161f4cdeebc0d1683e9421baac3f94e6ebd01f0ada
SHA512 a5596470ca77d7e06f19b914170b0ad175222eaa676bb50ff9ba3f87c84712504058967cfe8624ea85714ad6b7331991ff8277a8b7d4ec830460d76295a05aed

C:\Windows\system\oNqMzKE.exe

MD5 8578e6d507c22c333e5601aba08f6530
SHA1 a3bcf41a03a71653a1bff130a159d72cf921a8a1
SHA256 98cf42eb78775a3375474a26b8293f896b4da6d97ebc6b7bfea08b6f66f1bd57
SHA512 41c90fb3ff9c13990a4b480354529685ab111dacad8a1e36d8505e6e3808cbe62572c98c6ff1a4e1fbb29091b84cab07a15a7d2ebe5b9260f3602967930ef595

\Windows\system\EljGcjS.exe

MD5 a148d32882d31d2fc96e011b8f6552dd
SHA1 1535e66fd66075cb74f8cfcb8b8c45e08fff5c8e
SHA256 6cb50d757ba816af5c42466317fa3a2ffe215c13b3141aaab0207fbd5cc15a71
SHA512 e6b64160a7d87e6deb2264d13548350b79e6dd3c3477d45ece9d927872c426dc8f97dcf8d319640ff2d7c9488e3e563aa910bda7e52be24b3fb72c9aff1d7546

memory/2368-53-0x000000013F240000-0x000000013F591000-memory.dmp

memory/2880-56-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/1876-47-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2932-49-0x000000013F3E0000-0x000000013F731000-memory.dmp

memory/1660-45-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2768-44-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/1660-43-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2676-41-0x000000013F680000-0x000000013F9D1000-memory.dmp

memory/1008-25-0x000000013FA70000-0x000000013FDC1000-memory.dmp

memory/1660-18-0x0000000002140000-0x0000000002491000-memory.dmp

memory/2704-62-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/1660-61-0x0000000002140000-0x0000000002491000-memory.dmp

C:\Windows\system\TLZFFYu.exe

MD5 c4dcbf7adb2416ef5c1d3de833c28b7d
SHA1 0bf4a0830ff2a67663914ae6f929da70183cbb5f
SHA256 8ff7af4632a95454c6d7191e1f59915cbf1ebf5333c7c7bd85c47a472345f167
SHA512 c6b26273a260f68283eb864dadc88d0be31d50f67abb7e6bd9d55a417101f9dd941ac83902304971f4724289e939e136c9cda00e1fb36fc973b009e2da3ac7a1

C:\Windows\system\nqynuTR.exe

MD5 415e3586a1984464cc3e2175ba00bfd2
SHA1 0c21185752d4097ff2f0ec80ddde7202da41cdf7
SHA256 1afab5cbd59e7a7eb6cbad26158a6acadd3ff69050063d8424ca00c9ae2b69c9
SHA512 369644539ba66a597106ef0afdc3a0a96972ef72c2978cdbad659f227e937a23545d00edd9a7aecbd15728c9bddd9e913f1389704d3b9e1b5e3c3d358cfa5eb3

memory/1660-68-0x0000000002140000-0x0000000002491000-memory.dmp

memory/2636-69-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/1008-67-0x000000013FA70000-0x000000013FDC1000-memory.dmp

\Windows\system\fYdEKlX.exe

MD5 0989856c3b33c9ac073d85eed6ba142f
SHA1 7c0a33be8b5c8def2586eaf3b50251b3b2d1ed5a
SHA256 7eaa7372b9abdd6979bbf6f550e8dbb4e4cb25068c190682f27f296e1e582b68
SHA512 1dfde838077677776d835aa86b016d0e4d5990e60b3496cdd3c57ae427420c4832ebac08a31463cc5af0f80ddffef2c61063504aa02ab538745a568870e20cfe

C:\Windows\system\wMHyQXj.exe

MD5 fff1659d37d062c0c390242036e2211b
SHA1 210024c3b421142e0a777428d7b5fd9c74019f51
SHA256 b76b2c00376c69c767c396ea5a2ceb155fbe92a7dbf9782324028ee474733b29
SHA512 af1d32a463db3bc3d51d141d04238f0b7bf1c42128da0496df8abe4bc1ab88fb7c6c5966bd56130eec4ca6bf6f0d6bfc2b218adfa7e295ff56a352a0dc9f2f85

memory/2480-84-0x000000013F9D0000-0x000000013FD21000-memory.dmp

memory/2872-85-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/1660-82-0x0000000002140000-0x0000000002491000-memory.dmp

C:\Windows\system\JeiCgdA.exe

MD5 85b4ed2027575298e534afbeab859567
SHA1 429bbbc7940a3986ab9f989487b8e090d8a05743
SHA256 c27331a7aaf8e5e2b89949e255022159a13e81552355ccb384a22b0b1c4ba151
SHA512 556720ababb0691db99c884ba6e8de36c2d7d715b71b4de78f372d8ff0158565a650ad22c14b73723952c58f1554f41e6f0d5b8ccfd761493adb4ba4dcd342f3

memory/1668-93-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/1660-91-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/2676-90-0x000000013F680000-0x000000013F9D1000-memory.dmp

memory/2540-87-0x000000013FC60000-0x000000013FFB1000-memory.dmp

memory/1660-80-0x0000000002140000-0x0000000002491000-memory.dmp

\Windows\system\IXausxu.exe

MD5 56d57ad9f6fecd66b17c196a7807369d
SHA1 c0348141a002fd1b03cbeed2b2bfb5a63fa4121a
SHA256 40981b3836df5d40dcb328beaead701d461e02e93ba3de0ec9c344c251b8cdca
SHA512 e5af7cea0007a382220cbe4260fa662fa96775e7153ec5d5810039d17374ff041f4c5360ab772f63286fd4131b76d715a3e5718c7a961fb0e49de8b40b06e329

\Windows\system\FmsAdfq.exe

MD5 80ce054d6a8547b199072c687bcb5fa5
SHA1 0855dbdac5b983b5f6ef28822ab2811efac133e0
SHA256 fbe75033f23ab0bf9fa06d53ebca2ff801df0c42f2072f5dc7276bd6d6208866
SHA512 17de690c42573781ade4800b04e3116d6400097b468e2d4ce8a0d1b59baa20d87e3c52ee848c6b51ca5f7b215f830844e2197b2ede6d0ac1cb8f931e3f918331

C:\Windows\system\yPGPiOO.exe

MD5 fde00e7213f8937e9571a35fa63f5ccb
SHA1 1efb33d4d252c9289169440973b8f3457a50b962
SHA256 78fcfa8432d7acb4208f70513ab6e4a60cb3c63a560435f9b0a9617071243df0
SHA512 f80a331b498db52fd0b2e58f9fa26334ec296e8eb89a7de9aa123aa28d92a0bf8a81eb1be16cd7d992a265a6ece6b66b6c618791510c34f20e56b5e104cc103d

C:\Windows\system\gezAjRj.exe

MD5 4becaa68f917685a7190d6d1536b5460
SHA1 cb4545e99e51b5e67e37afafa630e232cbd09a63
SHA256 494d6f09f00346c5838b1aacb059646ba10644dd4843baa9ba57cbbdabb486d1
SHA512 444aab61fc89e63b942dd9f013df8fdde0649cb231ef0977a8a0f9d52535a6c688ba008c0cf37030c236352be58e771a52ebe8172c0eaae04a15c59731241b63

C:\Windows\system\OKTaIRZ.exe

MD5 b535f88dbf0ac3a6456ad09f33311639
SHA1 d192d57c425794d4eec8675f9efdaef256233086
SHA256 58e4f86f20a25fa34c4c667e3bafb486341c25dc03979a58045acca6724c5602
SHA512 a64daeabd677bd8c9cab58ca5a51f37e5c560c2fe4c203d4138b352501dd9d2e40f409811fef10a787b202f26ba2e1c4524cfb3bfab6a43621634a523f87770c

C:\Windows\system\KRAWUog.exe

MD5 aaade16a808b6de3e97f54c669b5dde3
SHA1 6bb21dd00184e214f97ca2082ecc63584fbb43c5
SHA256 dc50adaf84c62428bdf5921b633a6486743bb6eeefb3152c09446373746985a1
SHA512 140cf4a137f174b18d1fc0e166561c245fcb2f44f81a9e839da1f4193c5834d7640c409494fe1abfee926e8562a3d4468ce141dc5650983884ad171ad7680fae

\Windows\system\GaJcnKk.exe

MD5 bc63dab8c2e805fb21bdd318843a625d
SHA1 9fe67d818be0989449ef2a7cbf898eef918a6026
SHA256 108035f9a1640eb64b7ba7ccfd335667b6cae89168db136b40e50e20fb96a6a1
SHA512 c77daeb16f8f301d307ce31e3edfa9f99db43a4122b877ccee5f0a2fa0fdf5d432b2ea280e945f21314a7c0e2091b88492e0237e7925f9d6ed0948b7b017e30d

C:\Windows\system\exliNCC.exe

MD5 e932317d67915f2cfb6913b3998e3a04
SHA1 233388dbedb3d2cb8ecd62332de88ba5c08024f0
SHA256 30d21fe39b4cfff0b9b37474748147c73f027187ddedb18aab9c226a197a43fc
SHA512 d701eef2a4a69850e877085113e1f0fcab43690842ac870ac602c0ebe9e1a7acb59424bd34251cb9863e0a6abc685ef59e32e6c9c0be13bf0f4d1f73151f53d0

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 07:32

Reported

2024-05-30 07:34

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\rIQUMwP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WwZctqw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BsJdxgS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OSgEkPt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\laeAzpo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fDXzRAr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GRUxrcH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bDKXNzS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UWWfJRm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WiOLIfP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WLAlczF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yqnwrAN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PmGNAjm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dlgZycI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HjTnHkq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DgmiQeX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hKOmtAr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GRPwDXu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XsVKhln.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wmCgwxZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NAoteLL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4252 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\DgmiQeX.exe
PID 4252 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\DgmiQeX.exe
PID 4252 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\hKOmtAr.exe
PID 4252 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\hKOmtAr.exe
PID 4252 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\fDXzRAr.exe
PID 4252 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\fDXzRAr.exe
PID 4252 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\GRUxrcH.exe
PID 4252 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\GRUxrcH.exe
PID 4252 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\bDKXNzS.exe
PID 4252 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\bDKXNzS.exe
PID 4252 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\rIQUMwP.exe
PID 4252 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\rIQUMwP.exe
PID 4252 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\yqnwrAN.exe
PID 4252 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\yqnwrAN.exe
PID 4252 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\XsVKhln.exe
PID 4252 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\XsVKhln.exe
PID 4252 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\WwZctqw.exe
PID 4252 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\WwZctqw.exe
PID 4252 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\GRPwDXu.exe
PID 4252 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\GRPwDXu.exe
PID 4252 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\BsJdxgS.exe
PID 4252 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\BsJdxgS.exe
PID 4252 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\wmCgwxZ.exe
PID 4252 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\wmCgwxZ.exe
PID 4252 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\PmGNAjm.exe
PID 4252 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\PmGNAjm.exe
PID 4252 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\dlgZycI.exe
PID 4252 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\dlgZycI.exe
PID 4252 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\UWWfJRm.exe
PID 4252 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\UWWfJRm.exe
PID 4252 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\OSgEkPt.exe
PID 4252 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\OSgEkPt.exe
PID 4252 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\WiOLIfP.exe
PID 4252 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\WiOLIfP.exe
PID 4252 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\laeAzpo.exe
PID 4252 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\laeAzpo.exe
PID 4252 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\HjTnHkq.exe
PID 4252 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\HjTnHkq.exe
PID 4252 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\NAoteLL.exe
PID 4252 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\NAoteLL.exe
PID 4252 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\WLAlczF.exe
PID 4252 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe C:\Windows\System\WLAlczF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\DgmiQeX.exe

C:\Windows\System\DgmiQeX.exe

C:\Windows\System\hKOmtAr.exe

C:\Windows\System\hKOmtAr.exe

C:\Windows\System\fDXzRAr.exe

C:\Windows\System\fDXzRAr.exe

C:\Windows\System\GRUxrcH.exe

C:\Windows\System\GRUxrcH.exe

C:\Windows\System\bDKXNzS.exe

C:\Windows\System\bDKXNzS.exe

C:\Windows\System\rIQUMwP.exe

C:\Windows\System\rIQUMwP.exe

C:\Windows\System\yqnwrAN.exe

C:\Windows\System\yqnwrAN.exe

C:\Windows\System\XsVKhln.exe

C:\Windows\System\XsVKhln.exe

C:\Windows\System\WwZctqw.exe

C:\Windows\System\WwZctqw.exe

C:\Windows\System\GRPwDXu.exe

C:\Windows\System\GRPwDXu.exe

C:\Windows\System\BsJdxgS.exe

C:\Windows\System\BsJdxgS.exe

C:\Windows\System\wmCgwxZ.exe

C:\Windows\System\wmCgwxZ.exe

C:\Windows\System\PmGNAjm.exe

C:\Windows\System\PmGNAjm.exe

C:\Windows\System\dlgZycI.exe

C:\Windows\System\dlgZycI.exe

C:\Windows\System\UWWfJRm.exe

C:\Windows\System\UWWfJRm.exe

C:\Windows\System\OSgEkPt.exe

C:\Windows\System\OSgEkPt.exe

C:\Windows\System\WiOLIfP.exe

C:\Windows\System\WiOLIfP.exe

C:\Windows\System\laeAzpo.exe

C:\Windows\System\laeAzpo.exe

C:\Windows\System\HjTnHkq.exe

C:\Windows\System\HjTnHkq.exe

C:\Windows\System\NAoteLL.exe

C:\Windows\System\NAoteLL.exe

C:\Windows\System\WLAlczF.exe

C:\Windows\System\WLAlczF.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
NL 23.62.61.90:443 www.bing.com tcp
US 8.8.8.8:53 90.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

C:\Windows\System\DgmiQeX.exe

MD5 a1c634d0e709e8cdd5f5e3a8c891e349
SHA1 d2470da4854b6c7fc9b9f220523e3096c5a01894
SHA256 44258ee1d23012742473f3d7d8736a7a742f25c078d08d678ce9ff784ae08fbf
SHA512 8463ed1a8be01913c899fcb47a8cd64240f30ce15c416fe9628b9273cedfdc8efcb66cdd57a42eab3a8c35540ee133c110107c21d68c37b62005bfeb5b374ba5

C:\Windows\System\fDXzRAr.exe

MD5 569738d331e700a4de5ce15dc2053fc2
SHA1 e788e50a8819046c569eedc492969b5187b877f7
SHA256 15c2c712805946926c8cd4a294817f23f0669d90d764d37eb03bebc6dd6df6b2
SHA512 dc336ea0657039fd2eed49627a7c44ce22499df93964449c27d3054e48c11d6e00fa4db6747a3234f301d854423b2d181042b7b2ad53f91a51b0e3be1225feef

C:\Windows\System\hKOmtAr.exe

MD5 e144982a65f695ae35ce02300ba1785d
SHA1 cb6148361eeb076a7a2e244ad4625cdfbbb6df81
SHA256 f2decb6965ccb74dc8a3498c6f9393a77e9841132258259d5a8179a2013e0190
SHA512 f87e01b4acb111f3377b8c794479a8323f3c6aabec006b33e0f8f60345ed79aad1c4a2e1d6f51f98d2314582773fb75c2e81588943e49968d854986d51ef0a2c

C:\Windows\System\GRUxrcH.exe

MD5 ab799ad920b1cbfbece4ba29dc92b1d3
SHA1 5f1f776478caee9f21f835dc19ed159b5bb7edca
SHA256 09100d4cca42d1f21ce815969ee6f4ed3fd700d87de96d2097a0df5d3b58a03c
SHA512 b962af400243a52504f4eddd1c76ee5b5e75151a4cf2c7f15e873971b00b4f7309d5f14ef67b3fd8eb1663337aa171f283ad37e30712d7b883234c2f92c2f0c3

C:\Windows\System\bDKXNzS.exe

MD5 f75adab880445b9a375a2a26a1eddd1c
SHA1 61af8d1692fac9d763ed152d4cc2434233edd087
SHA256 1c05fd2004bfd0cc726ea3b15eed790b964003b6a831d292e8ddfd29b3a2b51a
SHA512 b5d96f5b28c4da9af8d1f93ce6961c861e40b8e562a0c7ec398edee5d8039b5dd2e18ea1475b45b11dd42e5cfad0d0ee9cbf03af0b5508327b3ed7f007a94736

C:\Windows\System\rIQUMwP.exe

MD5 59119d65d8a47299723199fcec0cfe3c
SHA1 e64fb5ecef78a4740e073ac9a0e8462f189e908c
SHA256 f895d01eb8d0d7f505e4e807e58d5f9021a678ed03c435d4eb632940243ab70d
SHA512 861d39e12b0f90de2d416b7d2fd211403d3b979a827f618a92a8f80dde4d5f73e95cd6b7685000b8cd0c3430d195ff3acb68dbcd1e4374682dc0b2744ec610ea

C:\Windows\System\yqnwrAN.exe

MD5 f78c7b6cf32ac5db6400d1247d915cf0
SHA1 a902e2fe42329e22657f4b1da31186bb81e9ac8d
SHA256 4449fa6015fd50b0184d6d10620e7141bfa44c1b0f9e6e9f9a45150565e886fb
SHA512 6ebf9826a0ad148ca83aa761ca52e3d16b4c30925b98dbf3b255c546a4f6d7d961c0871f4552473d30faf1af6b8735acc64195d2c25fd470463c3ce4c06fd6ef

C:\Windows\System\XsVKhln.exe

MD5 4d964e3717fed2e8cb31061f1442c91a
SHA1 c001e966f52d3c3de79141322178a410f5d42698
SHA256 afe7f46dee00950df2caa5b1bb98f09d42ee5f487750633a67d51ea92fe3f1ae
SHA512 2586e027473e1aba557f51f76ff3322ffd1844f8d8218a8c61e81f2b6a8c36a8de22b5763b5edeeef62604117331cabd19c593a190332fbe7ddaed303337a9a8

C:\Windows\System\WwZctqw.exe

MD5 abde53094d7de32fca994028dc63ada9
SHA1 7801d525d5bcfee440981bc3948e77b968aaf3ae
SHA256 b1687f823ddf9605bb7e767e45307a075672f7d7b076e0279e2670ac97f5f823
SHA512 9a13dc892fb08a62d62abce8c26d1ec157502da861f4e5d2946052d83386f0e93d58ff62c5e27f0f15f132079adf16b6ddafb285752f8e8d1d79c0e75f04659b

C:\Windows\System\GRPwDXu.exe

MD5 7878eb2c91f4a75b4f70162d1ef3d2ee
SHA1 7cb64c60e211ba7b2a0bee4d7c2d9209dbf0fea5
SHA256 bec36b41d3bd376142260632f5d203361cc42b87938a5d64c257d22dfff91652
SHA512 a2e39c97961cbe689fd1e91c9d18f57606562054607547df046df6badfd6b69c6d9b7a68898c432d6af86dc42ac440ee96de432434bf5a99efe22406a4b6927d

C:\Windows\System\PmGNAjm.exe

MD5 ab4b9043f9b3487b8eab0283d463e46c
SHA1 e209279695a28fa00e6219dc1b8acd00208c439e
SHA256 32cdea892804b4b72faa1d4218f230cbe060a939fdb86742bb8a929fdce50997
SHA512 e0b478713e8f4d50a82d9a43d46d888c6177125270e6d7c1b8d9880fe7a12b3de98bcaf5299c62c8500efba103f1b80f021113d65dda4839f19692497a20a11a

C:\Windows\System\dlgZycI.exe

MD5 618b44b55f60d8c852208890c75906b4
SHA1 57d33364a3ccf9b26d0173c93ecac761cd76a071
SHA256 0258128ab871d1444b15938aa8705bb6c9b0bbd7775333f6d31f384c7b21bad1
SHA512 1388fff41d9815115663fc18e5176de1e7ec2497abbe2db6ed7e2458b864f05b3b39a1129a836e1f97b2fc0f1eb33fa4375a9f3c86a62884bf17dce4333c85a1

C:\Windows\System\laeAzpo.exe

MD5 a4b86861d13ec4168910f00570f312eb
SHA1 a33e6d6e80b6af0c2885dca5f99f4e5f01b90e85
SHA256 c95f23c1cc8bbc61f71df7d151e6fa50ecf140eae78c8bef45eb29bd6ebb8922
SHA512 d6763f01f2b297bf995dddd19cdfd8f40c7cf48cf48cb237ffef5d1d5dae73311692df95479bb949f63511cb7536b8303eeec72fa02aa6432489fbe42df181f5

C:\Windows\System\HjTnHkq.exe

MD5 c9554a93d2d2452961856b5c01399bc2
SHA1 8fae89cd8826a2e16ab000b2663ae850f6951944
SHA256 af8afd66cf05ef285c4fe9aafc207c67323ea698c4aa22ea9844ba89c85ea768
SHA512 033410571867e3b9ed7412b5419a1779a80ad08d705edded7e529bbf6fd847cb0c126b24c7daed4d5b08f0e5cb241ebde2b5a0b4eb5144364c515d89b4214c2f

C:\Windows\System\NAoteLL.exe

MD5 2eaa67974c006e58daa7eeee7e4f4cdb
SHA1 3e4dc5dce5ce0e0b998444778bd750dd04c18458
SHA256 34c3370c6c4eaa07815e49c937e6668d0ed2f808fc889bbecfb258167d87d5e7
SHA512 393c98760339a81d93c6ac1e3e507e8e9264493e68d565ca363e3ab55398250b6cf9f9362c957efc64c0a17fcebe184c82cfd3d46a61df4e7e3cb10e0eda3e34

C:\Windows\System\WLAlczF.exe

MD5 5e568dbcfbfef1bbf86002a79d051f1e
SHA1 12e2f8e3a99a9d8b4da073df8f38f534a6c240d8
SHA256 b579621a428718ec3aadcd67cbcc54bddcde162762054a9c18827727620d6fff
SHA512 b144cf7a8ad9685fd1c955026db63eef440dbc151b8ddf5aca1e012fa89d586e4cd8c9e36fbaf777f7627992b2a4f32b711c5bff4d44027037bf650a71854279

C:\Windows\System\WiOLIfP.exe

MD5 23e788dffb1a2a02213e8c4658ea14f6
SHA1 b83bfcec22280640709d64afe7a6fce210a01c88
SHA256 5672e28ecd6ec990b5e516c147364787347b64561de60b59b896a8e1bd8a42a2
SHA512 b99c36f7eb7fd04276701aa707db2b6a3c1898d6103e28e0352c219d4c91d985f4cce575050e2a0983370adc92eaffddda6ad79a5e1d71184d3a3b72755831e9

C:\Windows\System\OSgEkPt.exe

MD5 28a3baacbe98b42cd5248cb0f6db78af
SHA1 da148cd15f533ac132912147e00361fef8069fc4
SHA256 4c4774319ba49ed5d9738293f74d5c545ad21efc46f10c0b9cb9d172a45a5226
SHA512 0ed734f8b793660c32328f97260074767a08e23bf2a0aabf3ec1918145ce61d902fff07ae1e186d116e8d4e2096757f9a70193b7a15ce2aaa9fc8ff0f2260f42

C:\Windows\System\UWWfJRm.exe

MD5 eb4c7ce2e39b58c2f99903eac057f489
SHA1 238334656c270164ee0066298abf065c1a687a7e
SHA256 b3c1834b5086bb1266ac47424bb628250dd5cea3130100fb955b60a6ebeb6d9c
SHA512 474f85a9df1cfb0c90517cc2667db80681123fc8b359b3ed79c8e1c4a66798d96e04126fa600892285b29057004eaf973fc0e6f000ebec2484796e6bca71312f

C:\Windows\System\wmCgwxZ.exe

MD5 237f3b0ac88f9ece6bbe0d5f995c61c1
SHA1 1f4df300a374d52826bcf64e6c3ff989f1731fe6
SHA256 ff422ed340aa9b24f6a4bb457ee085b168bf5d24a40130ae0675d6dbecd22efb
SHA512 b21abb3be5ebe70fbd89e4d87a5ca2c2f78bd2dee9596783f51aa90dd5b30afd4593196285001fc0be517844e3d2fe6908ff8fec938a88b073c54c9405d81c8d

C:\Windows\System\BsJdxgS.exe

MD5 95a618c0586e47b0da75a589aa1b2fc6
SHA1 a11b6b96439dbc376b106bdcb5bb422c1c5b0020
SHA256 c8d56ce3cf37e9ad9818769fff2f8c95d3218bf7ff5054a89ae1ddfc8be803ea
SHA512 4ddfb76995ae2b7ad052ca6b8ef257fd0d0c0c52022f0d0c5f0208a73f566d8a8e3218f90d331ac22772a100445b7b0b635251f308fe8f71ea54f5eb27945376