Malware Analysis Report

2025-01-22 19:39

Sample ID 240601-g999aade35
Target 2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike
SHA256 0a15b947e4ed61d9423c4b12dffacdcc9a8986ab81bde3c5c5139492f7dee13c
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0a15b947e4ed61d9423c4b12dffacdcc9a8986ab81bde3c5c5139492f7dee13c

Threat Level: Known bad

The file 2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

XMRig Miner payload

Cobaltstrike family

Cobalt Strike reflective loader

Xmrig family

UPX dump on OEP (original entry point)

xmrig

Cobaltstrike

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 06:31

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 06:31

Reported

2024-06-01 06:34

Platform

win7-20240215-en

Max time kernel

138s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no indicator, process or target details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no indicator, process or target details recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (60 identical rows; no indicator, process or target details recorded)

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no indicator, process or target details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A (60 identical rows; no indicator, process or target details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\MCCFhLA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fMajKWJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\COyUvAp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fwayesi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EvfDDYX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kcoljJB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wWsPmDt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WGBByrj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jLBZAbf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GsRoPSp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\egaGxxC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zAfHTJW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AFcAXsJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VltwIsd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nDHVUrR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mLUFjJL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AtFxwTL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JbXMqiV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PkiaoRS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zqJmKNO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mQpyXyJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Each write below was recorded three times for the same target process; identical rows are shown once.

Description Indicator Process Target
PID 1260 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\MCCFhLA.exe
PID 1260 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\mLUFjJL.exe
PID 1260 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\fMajKWJ.exe
PID 1260 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\kcoljJB.exe
PID 1260 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\wWsPmDt.exe
PID 1260 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AtFxwTL.exe
PID 1260 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\egaGxxC.exe
PID 1260 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JbXMqiV.exe
PID 1260 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\zAfHTJW.exe
PID 1260 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AFcAXsJ.exe
PID 1260 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\WGBByrj.exe
PID 1260 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\PkiaoRS.exe
PID 1260 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\jLBZAbf.exe
PID 1260 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\zqJmKNO.exe
PID 1260 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\VltwIsd.exe
PID 1260 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\COyUvAp.exe
PID 1260 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\mQpyXyJ.exe
PID 1260 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\GsRoPSp.exe
PID 1260 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\fwayesi.exe
PID 1260 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\nDHVUrR.exe
PID 1260 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\EvfDDYX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\MCCFhLA.exe

C:\Windows\System\MCCFhLA.exe

C:\Windows\System\mLUFjJL.exe

C:\Windows\System\mLUFjJL.exe

C:\Windows\System\fMajKWJ.exe

C:\Windows\System\fMajKWJ.exe

C:\Windows\System\kcoljJB.exe

C:\Windows\System\kcoljJB.exe

C:\Windows\System\wWsPmDt.exe

C:\Windows\System\wWsPmDt.exe

C:\Windows\System\AtFxwTL.exe

C:\Windows\System\AtFxwTL.exe

C:\Windows\System\egaGxxC.exe

C:\Windows\System\egaGxxC.exe

C:\Windows\System\JbXMqiV.exe

C:\Windows\System\JbXMqiV.exe

C:\Windows\System\zAfHTJW.exe

C:\Windows\System\zAfHTJW.exe

C:\Windows\System\AFcAXsJ.exe

C:\Windows\System\AFcAXsJ.exe

C:\Windows\System\WGBByrj.exe

C:\Windows\System\WGBByrj.exe

C:\Windows\System\PkiaoRS.exe

C:\Windows\System\PkiaoRS.exe

C:\Windows\System\jLBZAbf.exe

C:\Windows\System\jLBZAbf.exe

C:\Windows\System\zqJmKNO.exe

C:\Windows\System\zqJmKNO.exe

C:\Windows\System\VltwIsd.exe

C:\Windows\System\VltwIsd.exe

C:\Windows\System\COyUvAp.exe

C:\Windows\System\COyUvAp.exe

C:\Windows\System\mQpyXyJ.exe

C:\Windows\System\mQpyXyJ.exe

C:\Windows\System\GsRoPSp.exe

C:\Windows\System\GsRoPSp.exe

C:\Windows\System\fwayesi.exe

C:\Windows\System\fwayesi.exe

C:\Windows\System\nDHVUrR.exe

C:\Windows\System\nDHVUrR.exe

C:\Windows\System\EvfDDYX.exe

C:\Windows\System\EvfDDYX.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain recorded) tcp
(6 identical connection records)

Files

memory/1260-0-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/1260-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\MCCFhLA.exe

MD5 238783ce8d69888ef9dc5f3b2625558e
SHA1 347ca866cd40062ec3b20849a289fa2846f47eeb
SHA256 60fec2792f694a42ed26ef9d1bb70f0dc926c28c1cecccd4bc8308e9febb6143
SHA512 13e8933dd89b92a46362c4db398e4093f1610179562dd4a5e99210656320dfb7ef3fdf10ce4a46f4bce86766f2f043f1a4725db4380bfd1d3765fa3f9eb8800b

memory/1456-7-0x000000013F9D0000-0x000000013FD24000-memory.dmp

C:\Windows\system\mLUFjJL.exe

MD5 af95a10a17c22862de3556f022497c79
SHA1 d0447f5680d02bbb1301e9f31e0dd99aa53377f1
SHA256 e6de42d02974d3fce6cf488356e7923f7b974c48d6a713afc7e646de8a23c5ca
SHA512 00229ad23c32a05c9807a849e197a355b3b4bebd9fd821d136f1b6ce849e254cd2869b83930f58e53c25b4f17dac2b14a161626044233867940972fbd0966ce2

memory/1260-11-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/1504-14-0x000000013FB00000-0x000000013FE54000-memory.dmp

C:\Windows\system\fMajKWJ.exe

MD5 6c35866a412f3b4fa7ae2b0373ab7426
SHA1 decc6f5e4267d81e6286f8aed1bb5e4a95f1bc0b
SHA256 d145becbecd832e86f6d86728fa5c59e69c07c333f8dcb91c5d400c4f8b43cbc
SHA512 40d5adfab4be7ec30ac8b91c663258b858c5b1e64fbff2f7c7764e62d6a1ac2759583b225a261826533306a22bd55b98af7ab2e806e80aa8f3b41c510588dfa7

memory/2640-22-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/1260-21-0x000000013F860000-0x000000013FBB4000-memory.dmp

C:\Windows\system\kcoljJB.exe

MD5 557d6ed12e9a08b286286825f97cfe9d
SHA1 a9090c73374fea6cb7055baa492f0d7a9a873737
SHA256 4cbe30d9eb19db1f9fc4c3caafa2970e12981452bb1aa16b73105bd4ad5cab3f
SHA512 fbc7c8e5e2f911a53e2934b6d01affee5bc6729afb908353d704f43613f8cc7434d95bea5fe06bcfaa341c1163dd7cd6d059dfd0cbc3db58d4a559439ef7aac8

memory/2504-29-0x000000013F620000-0x000000013F974000-memory.dmp

memory/1260-28-0x000000013F620000-0x000000013F974000-memory.dmp

\Windows\system\wWsPmDt.exe

MD5 04659049b407fb9682154778a29571c0
SHA1 adb7e6682242b73e559ee1eaa354e271cef3fbb5
SHA256 082e9905c1b90baeb13f53afd069f6838cd5801cf8aba6c0fde38277aa7492a3
SHA512 ef1c57037976a0b0045dfe358f2a7eb5c18ad4ef8ca3a1d3382e658c17c7868c32e5af5ac1c66b55115dc3f867d8bb0c3deda33aa756b90e7eee553a0b087cd4

memory/1260-34-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2672-36-0x000000013F7B0000-0x000000013FB04000-memory.dmp

C:\Windows\system\AtFxwTL.exe

MD5 62ba83386b5fcae691265e3302a7ebf1
SHA1 09de0ad103730163c61a43853228d0c4d25eb498
SHA256 f316ca5f956e3efe17a4dacc84c0957bcfdf93a985397afb3ee6d1243abb3ae7
SHA512 468f75a09257252fb3e42b0388065f7044a4f91c3fe09e40b551c3eac607ff811e8fbd21204a87f690bcdb554377fdd5b994d236a3c54ee0cc38e56490d90a73

memory/1260-42-0x000000013FAF0000-0x000000013FE44000-memory.dmp

memory/2564-49-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2580-47-0x000000013FAF0000-0x000000013FE44000-memory.dmp

C:\Windows\system\egaGxxC.exe

MD5 c48ddff0dbcb4ebb22800bca0daab83c
SHA1 4d99da47d86e594253fc611a4ea806090789ac0c
SHA256 a1d784fd34b35192a4cb7c9a1d8257965656e837c1ad5aa27e227cbf361ac126
SHA512 1bc74a92040e032e63f1877630b435d03498366115a8c3cb55e24db3d09f12d2ef38aceb94fc8dace9113a2447ae3fedfbb29bb017be94bc0602957c0658d47b

memory/1260-50-0x000000013F5B0000-0x000000013F904000-memory.dmp

\Windows\system\JbXMqiV.exe

MD5 a1c85605d5971ec06de5d2c72f2cf962
SHA1 734846292150608c8c05d716bacf5c10c1bb35d4
SHA256 8d94edf6e3d9bb09d8574320131e6608cc33e67c351a453be454cfe40f2cb961
SHA512 43d438c781f66ff36456af9fd6272133282dfd28d13da34a156ef374017f3011672e983a543d5bfc4dbe2f7b6bd2605767c0cecc740e799e16a9c2f35db3766b

memory/1260-56-0x00000000023E0000-0x0000000002734000-memory.dmp

memory/2396-60-0x000000013F030000-0x000000013F384000-memory.dmp

memory/1456-59-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/1260-57-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/1260-52-0x000000013F160000-0x000000013F4B4000-memory.dmp

C:\Windows\system\zAfHTJW.exe

MD5 3bad4e003d792f5013408aac86fb4c4d
SHA1 72e000912bb2613e7437a41fc5057a88f405592b
SHA256 2c53cfea07a591c0cbd6b45e2fa63a080e62161b23ed6a6a87ef7837202fa424
SHA512 8a9875a3f7e9ed1a25115c48a5ac2dfeb6cd5be6c3e2f302fbf6d8309ae4f5987c1b0b5685132b3bbd8d80e1b76bdb8174c01e92788df1448f5c80dd8f61dfef

memory/1016-68-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/1260-66-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/1504-74-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2696-76-0x000000013FCA0000-0x000000013FFF4000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 06:31

Reported

2024-06-01 06:34

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wUzEtMG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qUmItfs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oeLsNog.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VPbHtce.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sCfgwVG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZcaFgiW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KcDSOiP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gvvUQVy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WdEIEhz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uWaloaR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gLZrYvN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JahaOkI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ykbJimy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VDdWFHB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cDlNYVt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WFIzFet.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JvmozBk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FQosnjc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zmVlLEo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PKnkIjk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tiKQgZu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4764 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JahaOkI.exe
PID 4764 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JahaOkI.exe
PID 4764 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZcaFgiW.exe
PID 4764 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZcaFgiW.exe
PID 4764 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\wUzEtMG.exe
PID 4764 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\wUzEtMG.exe
PID 4764 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\KcDSOiP.exe
PID 4764 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\KcDSOiP.exe
PID 4764 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\gvvUQVy.exe
PID 4764 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\gvvUQVy.exe
PID 4764 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ykbJimy.exe
PID 4764 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ykbJimy.exe
PID 4764 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\VDdWFHB.exe
PID 4764 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\VDdWFHB.exe
PID 4764 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\qUmItfs.exe
PID 4764 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\qUmItfs.exe
PID 4764 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\FQosnjc.exe
PID 4764 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\FQosnjc.exe
PID 4764 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\oeLsNog.exe
PID 4764 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\oeLsNog.exe
PID 4764 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\zmVlLEo.exe
PID 4764 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\zmVlLEo.exe
PID 4764 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\PKnkIjk.exe
PID 4764 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\PKnkIjk.exe
PID 4764 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\cDlNYVt.exe
PID 4764 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\cDlNYVt.exe
PID 4764 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\WdEIEhz.exe
PID 4764 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\WdEIEhz.exe
PID 4764 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\WFIzFet.exe
PID 4764 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\WFIzFet.exe
PID 4764 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\tiKQgZu.exe
PID 4764 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\tiKQgZu.exe
PID 4764 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\VPbHtce.exe
PID 4764 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\VPbHtce.exe
PID 4764 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JvmozBk.exe
PID 4764 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JvmozBk.exe
PID 4764 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\uWaloaR.exe
PID 4764 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\uWaloaR.exe
PID 4764 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\gLZrYvN.exe
PID 4764 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\gLZrYvN.exe
PID 4764 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\sCfgwVG.exe
PID 4764 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe C:\Windows\System\sCfgwVG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_6aa4ae98d5455cbab222b218a441a11f_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\JahaOkI.exe

C:\Windows\System\JahaOkI.exe

C:\Windows\System\ZcaFgiW.exe

C:\Windows\System\ZcaFgiW.exe

C:\Windows\System\wUzEtMG.exe

C:\Windows\System\wUzEtMG.exe

C:\Windows\System\KcDSOiP.exe

C:\Windows\System\KcDSOiP.exe

C:\Windows\System\gvvUQVy.exe

C:\Windows\System\gvvUQVy.exe

C:\Windows\System\ykbJimy.exe

C:\Windows\System\ykbJimy.exe

C:\Windows\System\VDdWFHB.exe

C:\Windows\System\VDdWFHB.exe

C:\Windows\System\qUmItfs.exe

C:\Windows\System\qUmItfs.exe

C:\Windows\System\FQosnjc.exe

C:\Windows\System\FQosnjc.exe

C:\Windows\System\oeLsNog.exe

C:\Windows\System\oeLsNog.exe

C:\Windows\System\zmVlLEo.exe

C:\Windows\System\zmVlLEo.exe

C:\Windows\System\PKnkIjk.exe

C:\Windows\System\PKnkIjk.exe

C:\Windows\System\cDlNYVt.exe

C:\Windows\System\cDlNYVt.exe

C:\Windows\System\WdEIEhz.exe

C:\Windows\System\WdEIEhz.exe

C:\Windows\System\WFIzFet.exe

C:\Windows\System\WFIzFet.exe

C:\Windows\System\tiKQgZu.exe

C:\Windows\System\tiKQgZu.exe

C:\Windows\System\VPbHtce.exe

C:\Windows\System\VPbHtce.exe

C:\Windows\System\JvmozBk.exe

C:\Windows\System\JvmozBk.exe

C:\Windows\System\uWaloaR.exe

C:\Windows\System\uWaloaR.exe

C:\Windows\System\gLZrYvN.exe

C:\Windows\System\gLZrYvN.exe

C:\Windows\System\sCfgwVG.exe

C:\Windows\System\sCfgwVG.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 52.111.229.48:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files
