Malware Analysis Report

2025-01-22 19:40

Sample ID 240601-b843zsdf3w
Target 2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike
SHA256 0f154c31f6511c7bdddb539d70f851dc41126f90ac428023414b286aaa7e7a54
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0f154c31f6511c7bdddb539d70f851dc41126f90ac428023414b286aaa7e7a54

Threat Level: Known bad

The file 2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags: miner upx 0 xmrig cobaltstrike backdoor trojan

Families: Xmrig, Cobaltstrike

Signatures (each listed once; the static and behavioral analyses below show which hit where):

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 01:49

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
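The three static findings above rest on a few PE-header facts: UPX leaves sections named UPX0/UPX1 and a compressed, high-entropy body; "UPX dump on OEP" means the sandbox dumped the unpacked image once execution reached the original entry point; and "Unsigned PE" means the Security data directory (index 4 in the optional header) is empty. The Python below is added here as a worked example of those checks and is not the sandbox's own detection logic. It builds two constructed PE32+ fixtures (not this sample, whose bytes are not on this page) and runs the checks over them. Two caveats a practitioner should keep in mind: UPX section names are trivially renamed, which is why the entropy test is there as a second signal, and a non-empty Security directory only says a certificate table exists, not that the signature verifies.

```python
import math
import random
import struct

# ---- constructed fixtures (hand-built test images, not the analysed sample) ----

def build_pe(sections, signed):
    """Build a minimal PE32+ image from (name, raw_bytes) sections.

    Only the fields the checker below reads are meaningful; this is a
    test fixture, not a loadable executable."""
    opt_size = 240                                   # PE32+ optional header size
    header_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_off = (header_end + 0x1FF) & ~0x1FF          # 0x200 file alignment
    sect_hdrs, bodies, va = b"", b"", 0x1000
    for name, data in sections:
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                                 len(data), va, len(data), raw_off + len(bodies),
                                 0, 0, 0, 0, 0x60000020)
        bodies += data
        va += 0x1000
    dirs = [(0, 0)] * 16
    if signed:  # directory 4 = IMAGE_DIRECTORY_ENTRY_SECURITY: (file offset, size)
        dirs[4] = (raw_off + len(bodies), 8)
    opt = struct.pack("<H", 0x20B) + b"\0" * 110     # magic + zeroed fields
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C
    img = dos + b"PE\0\0" + coff + opt + sect_hdrs
    img += b"\0" * (raw_off - len(img)) + bodies
    return img + (b"\0" * 8 if signed else b"")      # placeholder certificate blob

_rng = random.Random(1)   # deterministic "compressed" payload for the fixture
PACKED = build_pe([(b"UPX0", b""),
                   (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
                   (b".rsrc", b"\0" * 512)], signed=False)
BENIGN = build_pe([(b".text", b"\x90" * 2048 + b"hello"),
                   (b".data", b"A" * 256)], signed=True)

# ---- the checks ---------------------------------------------------------------

def entropy(data):
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(blob):
    """Return ([(section_name, entropy), ...], security_directory_present)."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", blob, opt_off)[0]
    dir_off = opt_off + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 layout
    _, sec_size = struct.unpack_from("<II", blob, dir_off + 4 * 8)
    sect_off = opt_off + opt_size
    out = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, sect_off + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"),
                    entropy(blob[raw_ptr:raw_ptr + raw_size])))
    return out, sec_size != 0

def triage(blob):
    sections, has_cert = pe_sections(blob)
    return {
        "sections": [n for n, _ in sections],
        "upx_sections": any(n.startswith("UPX") for n, _ in sections),
        "high_entropy": any(e > 7.0 for _, e in sections),   # packed or encrypted body
        "authenticode_present": has_cert,   # presence only; the chain is not verified here
    }

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("benign", BENIGN)):
        print(label, triage(blob))
```

To run it against a real file, pass `open(path, "rb").read()` to `triage`; an image that is UPX-packed but renamed will still trip `high_entropy`, and an image with `authenticode_present` still needs its signature chain checked with a proper verifier before it is trusted.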

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 01:49

Reported

2024-06-01 01:52

Platform

win7-20240221-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 rows, every field N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 rows, every field N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(58 rows, every field N/A)

XMRig Miner payload

miner
Description Indicator Process Target
(63 rows, every field N/A)

Loads dropped DLL

Description Indicator Process Target
(21 rows; Process is C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe in every row, Description, Indicator and Target are N/A)

UPX packed file

upx
Description Indicator Process Target
(59 rows, every field N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\sQkqFwu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ivxKSJq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EmMjLKl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VyEUlPS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lblpqCU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lXIEuQb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\czqRkCv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gPZCDlN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nJmLrPz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wzIhMpY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UFPVxPk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dyOZnEY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\THgmydD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gIBJzOJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kXUkVAP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vGjGHTc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wOaguwJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\txVoENQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XBHyRtl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jzWsnQK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RBGKZEF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\THgmydD.exe
PID 2096 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\THgmydD.exe
PID 2096 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\THgmydD.exe
PID 2096 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\gIBJzOJ.exe
PID 2096 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\gIBJzOJ.exe
PID 2096 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\gIBJzOJ.exe
PID 2096 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXUkVAP.exe
PID 2096 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXUkVAP.exe
PID 2096 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXUkVAP.exe
PID 2096 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\EmMjLKl.exe
PID 2096 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\EmMjLKl.exe
PID 2096 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\EmMjLKl.exe
PID 2096 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\vGjGHTc.exe
PID 2096 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\vGjGHTc.exe
PID 2096 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\vGjGHTc.exe
PID 2096 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\wOaguwJ.exe
PID 2096 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\wOaguwJ.exe
PID 2096 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\wOaguwJ.exe
PID 2096 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\gPZCDlN.exe
PID 2096 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\gPZCDlN.exe
PID 2096 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\gPZCDlN.exe
PID 2096 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\txVoENQ.exe
PID 2096 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\txVoENQ.exe
PID 2096 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\txVoENQ.exe
PID 2096 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\nJmLrPz.exe
PID 2096 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\nJmLrPz.exe
PID 2096 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\nJmLrPz.exe
PID 2096 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\wzIhMpY.exe
PID 2096 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\wzIhMpY.exe
PID 2096 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\wzIhMpY.exe
PID 2096 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\XBHyRtl.exe
PID 2096 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\XBHyRtl.exe
PID 2096 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\XBHyRtl.exe
PID 2096 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\UFPVxPk.exe
PID 2096 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\UFPVxPk.exe
PID 2096 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\UFPVxPk.exe
PID 2096 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\jzWsnQK.exe
PID 2096 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\jzWsnQK.exe
PID 2096 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\jzWsnQK.exe
PID 2096 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\VyEUlPS.exe
PID 2096 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\VyEUlPS.exe
PID 2096 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\VyEUlPS.exe
PID 2096 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\lblpqCU.exe
PID 2096 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\lblpqCU.exe
PID 2096 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\lblpqCU.exe
PID 2096 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sQkqFwu.exe
PID 2096 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sQkqFwu.exe
PID 2096 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sQkqFwu.exe
PID 2096 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\RBGKZEF.exe
PID 2096 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\RBGKZEF.exe
PID 2096 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\RBGKZEF.exe
PID 2096 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\lXIEuQb.exe
PID 2096 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\lXIEuQb.exe
PID 2096 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\lXIEuQb.exe
PID 2096 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\dyOZnEY.exe
PID 2096 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\dyOZnEY.exe
PID 2096 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\dyOZnEY.exe
PID 2096 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ivxKSJq.exe
PID 2096 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ivxKSJq.exe
PID 2096 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ivxKSJq.exe
PID 2096 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\czqRkCv.exe
PID 2096 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\czqRkCv.exe
PID 2096 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\czqRkCv.exe
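Read together, the three behavioral tables above describe one chain: the dropper (PID 2096) writes 21 executables with seven-letter names into C:\Windows\System\, starts each one, and enables SeLockMemoryPrivilege, which is the privilege XMRig needs to allocate large pages on Windows. One caveat on the WriteProcessMemory rows: a parent writing three times into a child it has just created also happens during ordinary process creation, so these rows corroborate the spawn chain rather than prove code injection on their own; the reflective-loader signatures are the stronger injection evidence. The Python below is an added example, not the sandbox's own tooling, showing how to turn such rows into a compact IOC summary: it parses the three row formats, collapses the triplicated write rows, maps parent PID to child PID and image, and flags the naming pattern. The input rows are constructed from a subset of this report's own tables; the regexes and the naming check are assumptions of the example, and the seven-letter pattern is what this sample happens to use, not a general rule.

```python
import re
from collections import defaultdict
from pprint import pprint

# Dropper path exactly as it appears in the behavioral1 tables.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe")

# Constructed input: a subset of rows copied from the signature tables above,
# keeping the triplicated WriteProcessMemory rows so the de-duplication shows.
REPORT_ROWS = [
    f"File created C:\\Windows\\System\\sQkqFwu.exe {DROPPER} N/A",
    f"File created C:\\Windows\\System\\THgmydD.exe {DROPPER} N/A",
    f"File created C:\\Windows\\System\\gIBJzOJ.exe {DROPPER} N/A",
    f"Token: SeLockMemoryPrivilege N/A {DROPPER} N/A",
    f"Token: SeLockMemoryPrivilege N/A {DROPPER} N/A",
    f"PID 2096 wrote to memory of 1996 N/A {DROPPER} C:\\Windows\\System\\THgmydD.exe",
    f"PID 2096 wrote to memory of 1996 N/A {DROPPER} C:\\Windows\\System\\THgmydD.exe",
    f"PID 2096 wrote to memory of 1996 N/A {DROPPER} C:\\Windows\\System\\THgmydD.exe",
    f"PID 2096 wrote to memory of 2924 N/A {DROPPER} C:\\Windows\\System\\gIBJzOJ.exe",
    f"PID 2096 wrote to memory of 2924 N/A {DROPPER} C:\\Windows\\System\\gIBJzOJ.exe",
    f"PID 2096 wrote to memory of 2924 N/A {DROPPER} C:\\Windows\\System\\gIBJzOJ.exe",
    f"PID 2096 wrote to memory of 2348 N/A {DROPPER} C:\\Windows\\System\\sQkqFwu.exe",
]

# Row formats as they appear in the tables (Description Indicator Process Target,
# space separated; paths in this report contain no spaces).
FILE_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) N/A$")
TOKEN_RE = re.compile(r"^Token: (?P<priv>\S+) N/A (?P<proc>\S+) N/A$")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
                    r"(?P<proc>\S+) (?P<target>\S+)$")
# Naming pattern of every dropped file in this report: seven letters, .exe,
# directly under C:\Windows\System\ (an assumption specific to this sample).
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")

def summarize(rows):
    """Collapse raw signature rows into an IOC summary."""
    dropped, privileges = set(), set()
    writes = {}          # (src_pid, dst_pid) -> target image; duplicate rows collapse
    write_rows = 0
    for row in rows:
        if m := FILE_RE.match(row):
            dropped.add(m["path"])
        elif m := TOKEN_RE.match(row):
            privileges.add(m["priv"])
        elif m := WPM_RE.match(row):
            write_rows += 1
            writes[(int(m["src"]), int(m["dst"]))] = m["target"]
    children = defaultdict(dict)
    for (src, dst), target in writes.items():
        children[src][dst] = target
    return {
        "dropped": sorted(dropped),
        "random_named": sorted(p for p in dropped if RANDOM_NAME_RE.match(p)),
        "privileges": sorted(privileges),
        "write_rows": write_rows,                 # rows as reported
        "unique_writes": len(writes),             # distinct parent->child pairs
        "children": {src: dict(sorted(kids.items())) for src, kids in children.items()},
        # True when every process written to is one of the dropped files,
        # i.e. the writes line up with the drop-and-execute chain.
        "targets_all_dropped": set(writes.values()) <= dropped,
    }

if __name__ == "__main__":
    pprint(summarize(REPORT_ROWS))
```

Fed the full tables, `children[2096]` becomes the 21-entry map of child PID to dropped image, and `targets_all_dropped` staying True is the quick check that no write went to an unrelated process; a write into a process that is not in `dropped` would be the row worth investigating first.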

Processes

Each entry records the image path followed by the command line. For every dropped binary the recorded command line equals its image path, so those are listed once.

C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\THgmydD.exe
C:\Windows\System\gIBJzOJ.exe
C:\Windows\System\kXUkVAP.exe
C:\Windows\System\EmMjLKl.exe
C:\Windows\System\vGjGHTc.exe
C:\Windows\System\wOaguwJ.exe
C:\Windows\System\gPZCDlN.exe
C:\Windows\System\txVoENQ.exe
C:\Windows\System\nJmLrPz.exe
C:\Windows\System\wzIhMpY.exe
C:\Windows\System\XBHyRtl.exe
C:\Windows\System\UFPVxPk.exe
C:\Windows\System\jzWsnQK.exe
C:\Windows\System\VyEUlPS.exe
C:\Windows\System\lblpqCU.exe
C:\Windows\System\sQkqFwu.exe
C:\Windows\System\RBGKZEF.exe
C:\Windows\System\lXIEuQb.exe
C:\Windows\System\dyOZnEY.exe
C:\Windows\System\ivxKSJq.exe
C:\Windows\System\czqRkCv.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp
(6 identical connection rows recorded; no domain was resolved)

Files

memory/2096-1-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2096-0-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\THgmydD.exe

MD5 75319f8c897fdc9c25ba5401423ca493
SHA1 2a888e977093361a97e79f06618d50929459955a
SHA256 be1a1d34e7f251dbf6b885da459f11e32879059947c4a058e8fdb54913760eca
SHA512 22cf692c9ea322a5f045ddf938e37e8c60e57c0fcf018bd20a9fbee316d2e2dba9bc2246d2dd2e401dd06ea838c0da5d2acd3672848d644e3f5a6b8c0766de24

memory/2096-6-0x00000000024C0000-0x0000000002814000-memory.dmp

C:\Windows\system\gIBJzOJ.exe

MD5 348c352e8787b0f16bfe1d95797a907c
SHA1 83176f4e2a842e5ec92ba7f53d9125ffa8829735
SHA256 61726c8e43547363d1cda05055d8e1f16312ffee70637b022bdacf5c3b755318
SHA512 9aa26fd746d87398dff87744b51e21c66f02b2ee86dbe31a5b4c93ce0ed7a69d5bba5cd91a99637b635ca4646e3e68debfebe4177c8b6b40da04be9b8ac77ed9

memory/1996-14-0x000000013F4B0000-0x000000013F804000-memory.dmp

memory/2096-15-0x00000000024C0000-0x0000000002814000-memory.dmp

memory/2924-16-0x000000013F170000-0x000000013F4C4000-memory.dmp

C:\Windows\system\kXUkVAP.exe

MD5 6f26c1b34617e315440f08a73c810c6d
SHA1 f7caaf5107a15a8a831b9614d03c49528a7349d6
SHA256 8b28daef17fc83b1da49e9cb189352dc8a6b09eb2eba3fb959b10a185e02dc13
SHA512 c82d0ed84aa25d7855ebee8c9667c09ed452619f5c56b81f6bcdb8cb22a176b847f45505759dc08231c50269aa36e5afbc04742aeea125883f482e184ed1c249

memory/2096-24-0x00000000024C0000-0x0000000002814000-memory.dmp

memory/2644-32-0x000000013F550000-0x000000013F8A4000-memory.dmp

C:\Windows\system\vGjGHTc.exe

MD5 cfc47e90971c794818ffe1e47c98c8bb
SHA1 cb560c3e69e304b8d030bbd9abd83e304fc9965e
SHA256 fb4f90e0afaf66446290b5e7acb7b279118d7a0d6822a0185529916faf2740c7
SHA512 2050e69fac16a268a544b7ed0d27356431154a857eedcc2396bb61395a1d9f3923a08e02009546348db781b037015715b81f4f56bf6e2e4bad16a777e82c66ca

memory/2096-29-0x000000013F550000-0x000000013F8A4000-memory.dmp

memory/2580-39-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/2948-42-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2096-44-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2096-43-0x00000000024C0000-0x0000000002814000-memory.dmp

C:\Windows\system\wOaguwJ.exe

MD5 d1aec7595a2c8a780f8eafe7682da821
SHA1 b7e854846b7544273635227833a53d1123566df0
SHA256 56c4858e48b2f61df0ae1d8053e568612caebfe9635cc83e3909599dc47877e8
SHA512 1d99501180b55eee705f9e827ecd15b7fd91dec793c2873a8d54e952df6f3a41e996c735a959cb6ba565b3490a632065e4f492c5aa61f65cc1cdcff165382a47

memory/2564-27-0x000000013F2C0000-0x000000013F614000-memory.dmp

C:\Windows\system\EmMjLKl.exe

MD5 35868b1fb7fd78ea45a1d2222d4d2104
SHA1 483a50b51c9b3c4ee58924dbbf756e3376462b84
SHA256 7ac94b0d1b6fe5a0141542637ae9f0412cee809226e31ce9b5181efdc695c49e
SHA512 84faa620dd7bf990c4b5087757e089c508f8c1f8a5c4d449db60a8cfb37a80b6bcf75113bd3beecd382484331baf1b74d309c927233f6bb9dfe58254587a223a

\Windows\system\gPZCDlN.exe

MD5 1ba742a91defccc81e99362da2f9c5c4
SHA1 3a085036fff6f07c8f28d02df8cb5adec98d0016
SHA256 0394f6641ee0baccc0f76287f531b30fb363d5644de08919a56cc2d2cb732e53
SHA512 274723e15bd6d9a2e087ae7c376c905c61cb59474f4ff262b6a1c8892d036638c2c65692e075b2eaf23241ac5033060fcb8c1b88ee13a944087a33794080ffa2

C:\Windows\system\gPZCDlN.exe

MD5 38e1b7b0b9aa649f5c14f03127a6d132
SHA1 3917ca36707cd2c4dba6b6926d34a14a7bb117b1
SHA256 ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72
SHA512 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0

\Windows\system\txVoENQ.exe

MD5 b5e18313ad4f66275601bd7b1c8f47f9
SHA1 eb0dd5edb30c169741187b9b67ba547dc54d990c
SHA256 464fdbb641dd2d25ba5389142f5c6291af99e7e9525a378e12199449ed447e8d
SHA512 8555f09eae80295f34c85136534ab0e42d4606b2f9be8960d1c7b419770a778d8ee30ee664e188317f872af358c03d5dedffda07e2fad42eb9e2fe90a7726b57

memory/2680-57-0x000000013F520000-0x000000013F874000-memory.dmp

memory/2752-51-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2096-50-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2096-63-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/2432-65-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/2096-64-0x000000013F180000-0x000000013F4D4000-memory.dmp

C:\Windows\system\nJmLrPz.exe

MD5 8275dbc46688b802a429d71d26c02163
SHA1 e753fc1b7c855c971fc6e7a77f54b82efaffe414
SHA256 ebcb937f9bf665db3304d8d9cf6c187e301105055fc76dbf528151437acdadc4

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 01:49

Reported

2024-06-01 01:52

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\RBGKZEF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gIBJzOJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kXUkVAP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EmMjLKl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gPZCDlN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jzWsnQK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lblpqCU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sQkqFwu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ivxKSJq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\THgmydD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\txVoENQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wzIhMpY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UFPVxPk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vGjGHTc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wOaguwJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XBHyRtl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lXIEuQb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dyOZnEY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nJmLrPz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VyEUlPS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\czqRkCv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3488 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\THgmydD.exe
PID 3488 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\THgmydD.exe
PID 3488 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\gIBJzOJ.exe
PID 3488 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\gIBJzOJ.exe
PID 3488 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXUkVAP.exe
PID 3488 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXUkVAP.exe
PID 3488 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\EmMjLKl.exe
PID 3488 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\EmMjLKl.exe
PID 3488 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\vGjGHTc.exe
PID 3488 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\vGjGHTc.exe
PID 3488 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\wOaguwJ.exe
PID 3488 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\wOaguwJ.exe
PID 3488 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\gPZCDlN.exe
PID 3488 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\gPZCDlN.exe
PID 3488 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\txVoENQ.exe
PID 3488 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\txVoENQ.exe
PID 3488 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\nJmLrPz.exe
PID 3488 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\nJmLrPz.exe
PID 3488 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\wzIhMpY.exe
PID 3488 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\wzIhMpY.exe
PID 3488 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\XBHyRtl.exe
PID 3488 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\XBHyRtl.exe
PID 3488 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\UFPVxPk.exe
PID 3488 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\UFPVxPk.exe
PID 3488 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\jzWsnQK.exe
PID 3488 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\jzWsnQK.exe
PID 3488 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\VyEUlPS.exe
PID 3488 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\VyEUlPS.exe
PID 3488 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\lblpqCU.exe
PID 3488 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\lblpqCU.exe
PID 3488 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sQkqFwu.exe
PID 3488 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sQkqFwu.exe
PID 3488 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\RBGKZEF.exe
PID 3488 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\RBGKZEF.exe
PID 3488 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\lXIEuQb.exe
PID 3488 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\lXIEuQb.exe
PID 3488 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\dyOZnEY.exe
PID 3488 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\dyOZnEY.exe
PID 3488 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ivxKSJq.exe
PID 3488 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ivxKSJq.exe
PID 3488 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\czqRkCv.exe
PID 3488 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe C:\Windows\System\czqRkCv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\THgmydD.exe

C:\Windows\System\THgmydD.exe

C:\Windows\System\gIBJzOJ.exe

C:\Windows\System\gIBJzOJ.exe

C:\Windows\System\kXUkVAP.exe

C:\Windows\System\kXUkVAP.exe

C:\Windows\System\EmMjLKl.exe

C:\Windows\System\EmMjLKl.exe

C:\Windows\System\vGjGHTc.exe

C:\Windows\System\vGjGHTc.exe

C:\Windows\System\wOaguwJ.exe

C:\Windows\System\wOaguwJ.exe

C:\Windows\System\gPZCDlN.exe

C:\Windows\System\gPZCDlN.exe

C:\Windows\System\txVoENQ.exe

C:\Windows\System\txVoENQ.exe

C:\Windows\System\nJmLrPz.exe

C:\Windows\System\nJmLrPz.exe

C:\Windows\System\wzIhMpY.exe

C:\Windows\System\wzIhMpY.exe

C:\Windows\System\XBHyRtl.exe

C:\Windows\System\XBHyRtl.exe

C:\Windows\System\UFPVxPk.exe

C:\Windows\System\UFPVxPk.exe

C:\Windows\System\jzWsnQK.exe

C:\Windows\System\jzWsnQK.exe

C:\Windows\System\VyEUlPS.exe

C:\Windows\System\VyEUlPS.exe

C:\Windows\System\lblpqCU.exe

C:\Windows\System\lblpqCU.exe

C:\Windows\System\sQkqFwu.exe

C:\Windows\System\sQkqFwu.exe

C:\Windows\System\RBGKZEF.exe

C:\Windows\System\RBGKZEF.exe

C:\Windows\System\lXIEuQb.exe

C:\Windows\System\lXIEuQb.exe

C:\Windows\System\dyOZnEY.exe

C:\Windows\System\dyOZnEY.exe

C:\Windows\System\ivxKSJq.exe

C:\Windows\System\ivxKSJq.exe

C:\Windows\System\czqRkCv.exe

C:\Windows\System\czqRkCv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files
