Malware Analysis Report

2025-01-22 19:35

Sample ID 240601-npc7dacb37
Target 2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike
SHA256 e4f988fdf8637baab71e1683c014b562621ac00fa2937f5191efdce75bd64e88
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

e4f988fdf8637baab71e1683c014b562621ac00fa2937f5191efdce75bd64e88

Threat Level: Known bad

The file 2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

Xmrig family

Cobaltstrike

Cobaltstrike family

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

xmrig

Detects Reflective DLL injection artifacts

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 11:33

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 11:33

Reported

2024-06-01 11:36

Platform

win7-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (60 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (60 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (60 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lWpkXRD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZsDVzSW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MQswEaz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dxczxgU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VEJreFr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mQZhNYc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BIdwhEN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yymadwV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KJaUvEC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EZdKDFy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ibMrzkG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PnapYMm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xBwsGRc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\naWCDXm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dZRkryR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gYojtXr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HznnjwF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IyCqDRV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JLFYQep.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YSjOGwK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iBqfApq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\dZRkryR.exe (3 identical rows)
PID 2220 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\lWpkXRD.exe (3 identical rows)
PID 2220 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZsDVzSW.exe (3 identical rows)
PID 2220 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\yymadwV.exe (3 identical rows)
PID 2220 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\gYojtXr.exe (3 identical rows)
PID 2220 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\HznnjwF.exe (3 identical rows)
PID 2220 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IyCqDRV.exe (3 identical rows)
PID 2220 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLFYQep.exe (3 identical rows)
PID 2220 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\xBwsGRc.exe (3 identical rows)
PID 2220 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\KJaUvEC.exe (3 identical rows)
PID 2220 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\MQswEaz.exe (3 identical rows)
PID 2220 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\YSjOGwK.exe (3 identical rows)
PID 2220 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\iBqfApq.exe (3 identical rows)
PID 2220 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\EZdKDFy.exe (3 identical rows)
PID 2220 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ibMrzkG.exe (3 identical rows)
PID 2220 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\PnapYMm.exe (3 identical rows)
PID 2220 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\dxczxgU.exe (3 identical rows)
PID 2220 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\naWCDXm.exe (3 identical rows)
PID 2220 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\mQZhNYc.exe (3 identical rows)
PID 2220 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\BIdwhEN.exe (3 identical rows)
PID 2220 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\VEJreFr.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\dZRkryR.exe

C:\Windows\System\dZRkryR.exe

C:\Windows\System\lWpkXRD.exe

C:\Windows\System\lWpkXRD.exe

C:\Windows\System\ZsDVzSW.exe

C:\Windows\System\ZsDVzSW.exe

C:\Windows\System\yymadwV.exe

C:\Windows\System\yymadwV.exe

C:\Windows\System\gYojtXr.exe

C:\Windows\System\gYojtXr.exe

C:\Windows\System\HznnjwF.exe

C:\Windows\System\HznnjwF.exe

C:\Windows\System\IyCqDRV.exe

C:\Windows\System\IyCqDRV.exe

C:\Windows\System\JLFYQep.exe

C:\Windows\System\JLFYQep.exe

C:\Windows\System\xBwsGRc.exe

C:\Windows\System\xBwsGRc.exe

C:\Windows\System\KJaUvEC.exe

C:\Windows\System\KJaUvEC.exe

C:\Windows\System\MQswEaz.exe

C:\Windows\System\MQswEaz.exe

C:\Windows\System\YSjOGwK.exe

C:\Windows\System\YSjOGwK.exe

C:\Windows\System\iBqfApq.exe

C:\Windows\System\iBqfApq.exe

C:\Windows\System\EZdKDFy.exe

C:\Windows\System\EZdKDFy.exe

C:\Windows\System\ibMrzkG.exe

C:\Windows\System\ibMrzkG.exe

C:\Windows\System\PnapYMm.exe

C:\Windows\System\PnapYMm.exe

C:\Windows\System\dxczxgU.exe

C:\Windows\System\dxczxgU.exe

C:\Windows\System\naWCDXm.exe

C:\Windows\System\naWCDXm.exe

C:\Windows\System\mQZhNYc.exe

C:\Windows\System\mQZhNYc.exe

C:\Windows\System\BIdwhEN.exe

C:\Windows\System\BIdwhEN.exe

C:\Windows\System\VEJreFr.exe

C:\Windows\System\VEJreFr.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 identical rows)

Files

memory/2220-1-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2220-0-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\dZRkryR.exe

MD5 093b6e6796849592667075b182a71df4
SHA1 4144e19c29d95977db5c14bc13a84d28bcfc1d5d
SHA256 4beed4ec93300b9efdd1a82d2c47206169726bffbd7aa25f0ac3184d1194fcef
SHA512 249579cb600ec772f4f0c5d30fb382ec734fa02d4d22c05e21a5fac7b3d6ec32efef22dcb11be6f56253518ce29784e3acb7d264991fac30da721fdcb6fac8a6

memory/1044-9-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2220-7-0x000000013FD30000-0x0000000140084000-memory.dmp

\Windows\system\lWpkXRD.exe

MD5 8290a538025cac3659219f713f5febdf
SHA1 e20d7af1fe4c1be4a967aae99a6ffb2067e3c5c6
SHA256 cab179f52042de83b625c055b696fe9985ad30e924b9322d9259bcf0d0ca0427
SHA512 982360a482386148415cbc20b12e6c0c8c245737abe227d4b5257bfff88abcf0ada16e72c532a382ac39ec2846de98751fd7c98d6faf0cac5dbba5ad309d2a87

memory/2300-16-0x000000013F390000-0x000000013F6E4000-memory.dmp

C:\Windows\system\ZsDVzSW.exe

MD5 4f4c2347184810c274f00660f440f5f5
SHA1 3807d89f3cfd45cf20e6941a82ba4a355fd97bcd
SHA256 4651719e2cf8527ce1b2b628cedb8c779290516b74d6ec3bd6fd6e1439b7c7f9
SHA512 a6da63f7dd4099d16210c9b97ea07eaa7fabd855cfbe4a1cee675b4706561dec25984f750912c1e71a87a4432a5aa0a326ab1607901483e892a0cfc72ddf938e

memory/2220-15-0x00000000023C0000-0x0000000002714000-memory.dmp

C:\Windows\system\yymadwV.exe

MD5 fd02b0339a8534d94e5ab81a90fc680b
SHA1 e4bc4d4a392df3a48ca8d2b08fcc7ee6423f07d5
SHA256 8dc1b486515edf611d06b33a319382ba9d28f166a03327a3242f341bd0cd2c43
SHA512 ad4534c5af07fc8a775ff1bc46179a558ea1bd9fe7b0b6ca30c891be56f0b721a8db2c40f958a5f0440a2b886ca97c76bbee7f0dbde3d8cc006ef18029e22ddf

memory/2220-28-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2644-29-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2376-23-0x000000013FEA0000-0x00000001401F4000-memory.dmp

C:\Windows\system\xBwsGRc.exe

MD5 bc09a6fc1fc1cbaee341b4641c65853f
SHA1 d330205c4705238717251d401a73a96f424886fc
SHA256 617fee0895a7d29a959e450a359c6b6db369fae7fc3d95cca45a6ee0a12fa172
SHA512 af389eb75eda949e8d17df98a0d14e5b1215151aa627e416c5b309fd84d5ab0b07759538638cd01b500136455fb99d9c5b064c95d49667f32c0c0df4e190fbc2

memory/2564-62-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/2528-68-0x000000013F2D0000-0x000000013F624000-memory.dmp

C:\Windows\system\EZdKDFy.exe

MD5 c97c20c18f3312d3952c9c51198cc579
SHA1 fe675f0e4570ac441326850ab1c83d4df5d788ac
SHA256 d940039ddff667dc857cd1d25b56cd7a643527d2c565ce1e772bad12a7bb0a91
SHA512 ce669475bd621dd291b6d78f614d084af817aa047ac4b16a67a060f4e60b0282e4eb35048d6c9f13b923912b5f8f15a65dfdbe321c46becb9b1ee094fc1046e8

C:\Windows\system\naWCDXm.exe

MD5 1990363a5ae1ccd8e26e44d6bab8eccc
SHA1 52df02dd84393a81f8b7001da8a3fa3476eadb9a
SHA256 3a54d58b6bcc7d053eca615f34ce9c800aa159371ed46a1328da29cf6886eead
SHA512 cd445760df43d813fb42c608036c5e0e476555d3eff672acb350a3db289a7461f82cf7cb532ac9509f4144575db566c5a4d3734a674f4be372f121333b1f6617

\Windows\system\VEJreFr.exe

MD5 2a57bbaeb6eee601dd7e02e4b5f93404
SHA1 ca666f4e4fa5157c61c2732dd0893262d4ee7fce
SHA256 047800c79b9cef27c066ebb7357eb7652f9e7b1b7b10a0e4617659b813166baa
SHA512 6845089183879fb97a7cd1615cf22b79056eebafc8ee1a37237ce1aac39105039f38e2205dc5d7c4a5ab033db491d452257f862759ac99f4246f9054acdd30c4

C:\Windows\system\mQZhNYc.exe

MD5 3905bb3ec66fa43ad493a29490bf449d
SHA1 02f51db0e925b474a89c518a9fdc63687df2958c
SHA256 9eb93e8e5002ce81cd6bb04c1e95f203471eb4b688205ece3710f0dbe9bf1d3f
SHA512 f8658acf436394bfd72ba5a824715608d99284c02a930fda22dc1a6382b5ea6403c1789890d529681fe01d2afbbb865987bfa60fef24b9a178c2885562c24e43

C:\Windows\system\BIdwhEN.exe

MD5 af2327e35d5232ec006d85558f4d99ef
SHA1 2f5b6950caabbf1b55bef78d3b9e43e17f0b0127
SHA256 5342209ba8397902a89543148bd390d1136752d39942a97106dbd3de76ebdfab
SHA512 9da5f05222841d409fa3f41ad9da9e17e52c555a6aba0eaaabeea627b022a5fe6d16817890ca6428a3393ff8136eceed7985a6ff24d8e37db5767d0373ccfb23

C:\Windows\system\dxczxgU.exe

MD5 9b713da160f2a676d29f2cdeb50e42e7
SHA1 3763c3af527eb8e329d21e6730db1d43a83aee04
SHA256 2595f0b0c6c9a6ab493d238f65f0c0a190cbfd07263f8b110fb933850e41c6ae
SHA512 44057ea145addcc6dcb236656066bb05c40f8987f37b6d376d7dfa12b40362c85825e18a6613f7c9486626571c95a0b47ce810aacb93f1eab2b2408618bf1b1a

C:\Windows\system\PnapYMm.exe

MD5 dc76774e226a7c25d35da688711fb304
SHA1 d4de70152e50f8f0e4cbcd7acb0fe1603535f36d
SHA256 8941271521aafcf517847ede0afe841fd04073d3af1e090d76bc9bbd59cd6ec7
SHA512 bf0adff6d718a0a553fb4bd48566b975e1a7002ff53caf0538c4a3b509120a64c4ea7c297c2bc776a1f09d1d6e3a22d8334df0572294a4266927bc2584666998

memory/2220-92-0x00000000023C0000-0x0000000002714000-memory.dmp

C:\Windows\system\ibMrzkG.exe

MD5 e6a090008bcf16417318a749db9ed789
SHA1 b30190f787a4fedcf003bb6e6c47cfa85ba4d4c8
SHA256 b6a5b3e2099b144c39acbb9a300f3fdfaed38977da58b791a85b34d0dea9e94a
SHA512 729515b4d5ebba314f8d79b55de2c059fc63e44350c4167475ac9f9826d6d7f8588016c12c9a69e64ce09a16e49197f762879468aeb3ccb40fd3001af44a3fd0

memory/740-87-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2100-81-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2220-86-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2220-80-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2644-79-0x000000013F300000-0x000000013F654000-memory.dmp

C:\Windows\system\iBqfApq.exe

MD5 831a6b93f2921d222ab9bf3eb6b977c9
SHA1 96a7a8c4edf6c8dbf9dbcf18393f469fe1251047
SHA256 256067710c0ac7d13cbde06b03bfa02de80ffecb4a6ef0c41d6158376f98c855
SHA512 7d7f71a215fc073df43b9216108f1c0d79ba4e3ed5fda0a9d629cc6e44f158494f47d429678b1618e08da711842574be7c133feb2096df063e19593a34531e3d

memory/2680-74-0x000000013FD50000-0x00000001400A4000-memory.dmp

C:\Windows\system\YSjOGwK.exe

MD5 11742b782ff2b60c7e5618f8d3572a99
SHA1 a3f7d2fa031712df38cd347852e4dd65a8fce9a5
SHA256 d616678a398722984c113a4286dd60948a300c615583a58903bd21b232683c3c
SHA512 be36cba0794cfd5899e11bf6ba782b6147870c1c51e96c3fa39600ddbc9e11e36d46f2904afadb6cc321399ae3e88609ba116674997a0fb2487ba76384711b5a

memory/2220-70-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2076-134-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/1044-67-0x000000013FD30000-0x0000000140084000-memory.dmp

C:\Windows\system\MQswEaz.exe

MD5 d4200c46458296f35f0a329a2c9ed471
SHA1 6dc286436027910770b38659365b3d15351aacd3
SHA256 d15075853f819adb5bfc356a93075d4e18195cbe82cc259b03702bd03e7d516e
SHA512 0115f7e28550f35cc89ac6ae123e28caadefdb8119d34af250ecdcdd3587b9ae7145b4ba22fd6a2cf0975ec83842510e6ea7925932006ffdf7c63c22e86876b9

memory/2220-61-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2804-56-0x000000013F070000-0x000000013F3C4000-memory.dmp

C:\Windows\system\KJaUvEC.exe

MD5 aa0406a5e09dd7d3b674c3a6530c0b27
SHA1 611f18c1777f6f93366a3f1bbb482b611ec6e0c9
SHA256 090a6f4b5291b3a261a586abb3fcb2d0b56b0a1b705c85a66671957da45e1605
SHA512 f949ba2f66c0b7714bfb2f5f929bda475699820279905405e6f72c5460b824e43dfe405981b2fbe9646fd795deee23087718b67506abf9c58df04e4e09368dec

memory/2076-51-0x000000013F8E0000-0x000000013FC34000-memory.dmp

C:\Windows\system\JLFYQep.exe

MD5 3cde96cc1b5d5f2f604fbbff680ba52f
SHA1 c31b0565a8eb03b029980a4889a49d10e75b572d
SHA256 2de11cd9318c4f92961627c2c7e69e13fca81d9ca9669cb17ccfb2e364990957
SHA512 94ac4f4d90e0a39e6bef3d47ba6f223d8eab2621e12cb0b02fa0f97c7b6ba57ff5a24be4811e1557025b018a9bebe44328d925ceafbc2dedd1443d74bd410f95

memory/2672-46-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2220-45-0x00000000023C0000-0x0000000002714000-memory.dmp

C:\Windows\system\IyCqDRV.exe

MD5 0c6fd0d792d55cf1950aa6a69fa0617f
SHA1 fcc4ba7b734039d8a8f5a40280a60ca78234ede5
SHA256 4e800900a51829b19aafcb251bbcd2e23e963135ae7a865054d757a0b3377447
SHA512 136aa66ef01f6fb1e35ce25c73daaede2f5a4575172ecf75d0cca6d0db1f9c88fa14057ec80a20269f07916d9beb2bc109104495e03ba1ac3c00f15efc9dce4a

memory/2804-135-0x000000013F070000-0x000000013F3C4000-memory.dmp

memory/2664-40-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/2708-35-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2220-34-0x00000000023C0000-0x0000000002714000-memory.dmp

C:\Windows\system\HznnjwF.exe

MD5 9bec93ed3581c27a14bc711d3c722a56
SHA1 7b753d9069295129a6c5ddfb0f85e525d542a9f6
SHA256 47b7513cbc2786dc5f8e45248b7abb412e0bf573f1ee3e9b0e2a106243eaf9ad
SHA512 f597de56567f3d64bc3e629d26154084b8830a0a05a3928cd27258b7d0f82d50403e62e73964b8d150a6471842b99350c8f21916f638978ce634e7566e875ccf

C:\Windows\system\gYojtXr.exe

MD5 2967a3ad29ca4d4ab05c2afce959c151
SHA1 884d12c194ee0585c12423c0c9e9408011263e1c
SHA256 9b6da1cf944200bf21890d3482a9c27e077a2a7dc06af39fd193cb7edf8f5a6d
SHA512 d889d8a7173cb4d9d5528231cb86bbc635efab8840929c8c04ff84017a0f33bcea0dbae5026f144c8206891473e6ea5906154bdf861b1eef2193caee24585cfb

memory/2220-22-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2564-136-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/2528-137-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/2220-138-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2680-139-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2220-140-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2100-141-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2220-142-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/740-143-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/1044-144-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2300-145-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2376-146-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2680-147-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2564-149-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/2100-157-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2528-156-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/2804-155-0x000000013F070000-0x000000013F3C4000-memory.dmp

memory/2672-154-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2708-153-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2644-152-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2664-151-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/2076-150-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/740-148-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 11:33

Reported

2024-06-01 11:36

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches, every field recorded as N/A (the sandbox logged the hit but no description, indicator, process or target)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches, every field recorded as N/A (the sandbox logged the hit but no description, indicator, process or target)

UPX dump on OEP (original entry point)

Description Indicator Process Target
64 matches, every field recorded as N/A (the sandbox logged the hit but no description, indicator, process or target)

XMRig Miner payload

miner
Description Indicator Process Target
64 matches, every field recorded as N/A (the sandbox logged the hit but no description, indicator, process or target)

UPX packed file

upx
Description Indicator Process Target
64 matches, every field recorded as N/A (the sandbox logged the hit but no description, indicator, process or target)

Drops file in Windows directory

C:\Windows\System (not System32) is a legacy directory that normally holds no executables anyone runs; 21 new .exe files with random seven-letter names written there by one process is a strong hunting indicator. Writing there needs elevated rights, which this detonation evidently had (the sample ran from the Admin profile and every write succeeded).

Description Indicator Process Target
File created C:\Windows\System\XSbnaFj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\flsEawX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\srZdlbh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vSXCwIW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QYZGCJL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NiiZceg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TawXTDe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UMwKnpn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iKBtNNI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AroTPPi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YgaeyFS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KHwZxWf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iTYJTUy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rbNfZnc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yGtvSIA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uhjQSqo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EwEmeIp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jmNucrC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Socrbjh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BWgWbJY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hqvGnfs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

SeLockMemoryPrivilege lets a process back allocations with large pages. XMRig enables it so RandomX can use huge pages, and ordinary user applications rarely request it; database engines such as SQL Server ("lock pages in memory") legitimately do, so the hit carries the most weight together with the dropped-file and miner signatures above.

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Each child receives exactly two writes from PID 1940 right after it is created, which is consistent with ordinary process start-up as the sandbox records it rather than injection into an already running process. What matters in this table is the relationship it documents: the sample is the parent of all 21 freshly dropped executables in C:\Windows\System.

Description Indicator Process Target
PID 1940 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\jmNucrC.exe
PID 1940 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\jmNucrC.exe
PID 1940 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\Socrbjh.exe
PID 1940 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\Socrbjh.exe
PID 1940 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\rbNfZnc.exe
PID 1940 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\rbNfZnc.exe
PID 1940 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\yGtvSIA.exe
PID 1940 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\yGtvSIA.exe
PID 1940 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\NiiZceg.exe
PID 1940 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\NiiZceg.exe
PID 1940 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\TawXTDe.exe
PID 1940 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\TawXTDe.exe
PID 1940 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\UMwKnpn.exe
PID 1940 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\UMwKnpn.exe
PID 1940 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\uhjQSqo.exe
PID 1940 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\uhjQSqo.exe
PID 1940 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\BWgWbJY.exe
PID 1940 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\BWgWbJY.exe
PID 1940 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\iKBtNNI.exe
PID 1940 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\iKBtNNI.exe
PID 1940 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\EwEmeIp.exe
PID 1940 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\EwEmeIp.exe
PID 1940 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\XSbnaFj.exe
PID 1940 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\XSbnaFj.exe
PID 1940 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\vSXCwIW.exe
PID 1940 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\vSXCwIW.exe
PID 1940 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AroTPPi.exe
PID 1940 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AroTPPi.exe
PID 1940 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\YgaeyFS.exe
PID 1940 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\YgaeyFS.exe
PID 1940 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\hqvGnfs.exe
PID 1940 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\hqvGnfs.exe
PID 1940 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\KHwZxWf.exe
PID 1940 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\KHwZxWf.exe
PID 1940 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\iTYJTUy.exe
PID 1940 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\iTYJTUy.exe
PID 1940 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\QYZGCJL.exe
PID 1940 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\QYZGCJL.exe
PID 1940 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\flsEawX.exe
PID 1940 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\flsEawX.exe
PID 1940 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\srZdlbh.exe
PID 1940 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe C:\Windows\System\srZdlbh.exe
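The two tables above describe one pattern: a single parent (PID 1940) writes 21 random seven-letter executables into C:\Windows\System and starts each one. The following Python is an added example and not part of the sandbox report or of any vendor tooling; it runs a detection for that pattern over process-creation records constructed here in a Sysmon Event ID 1 style. The child PIDs and image names are the ones the report lists; the timestamps, the parent's own PPID, and the two benign records are assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
SYSTEM_DIR = "C:\\Windows\\System\\"          # the legacy directory, not System32
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
LINE = re.compile(r"^(?P<ts>\S+) ppid=(?P<ppid>\d+) pid=(?P<pid>\d+) image=(?P<image>.+)$")

# Constructed process-creation records. The 21 child PIDs and names come from the
# report above; parent PID 1940 is the sample. Timestamps (2 s apart), the parent's
# PPID 4284 and the svchost.exe record are assumed for the example.
T0 = datetime(2024, 6, 1, 11, 33, 0)
SAMPLE_PATH = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
               "2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe")
SVCHOST = "C:\\Windows\\System32\\svchost.exe"
CHILDREN = [
    (3796, "jmNucrC"), (1736, "Socrbjh"), (2736, "rbNfZnc"), (3016, "yGtvSIA"),
    (4516, "NiiZceg"), (436, "TawXTDe"), (3620, "UMwKnpn"), (5016, "uhjQSqo"),
    (1444, "BWgWbJY"), (2776, "iKBtNNI"), (748, "EwEmeIp"), (2768, "XSbnaFj"),
    (4720, "vSXCwIW"), (4852, "AroTPPi"), (4628, "YgaeyFS"), (3376, "hqvGnfs"),
    (3656, "KHwZxWf"), (4784, "iTYJTUy"), (4436, "QYZGCJL"), (3968, "flsEawX"),
    (2796, "srZdlbh"),
]
SAMPLE_LOG = "\n".join(
    [f"{T0.strftime(FMT)} ppid=4284 pid=1940 image={SAMPLE_PATH}",
     f"{T0.strftime(FMT)} ppid=900 pid=1220 image={SVCHOST}"]
    + [f"{(T0 + timedelta(seconds=2 * i + 1)).strftime(FMT)} ppid=1940 pid={pid} "
       f"image={SYSTEM_DIR}{name}.exe" for i, (pid, name) in enumerate(CHILDREN)]
)


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    ppid: int
    pid: int
    image: str


def parse_events(text):
    """Parse the constructed record format; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            events.append(ProcEvent(datetime.strptime(m["ts"], FMT),
                                    int(m["ppid"]), int(m["pid"]), m["image"]))
    return events


def looks_like_random_drop(image):
    """True for <SYSTEM_DIR><seven letters>.exe, the naming this sample uses."""
    if not image.lower().startswith(SYSTEM_DIR.lower()):
        return False
    return RANDOM_NAME.match(image[image.rfind("\\") + 1:]) is not None


def detect_drop_and_spawn(events, min_children=5, window_seconds=60):
    """Return {ppid: [child events]} for every parent that starts at least
    `min_children` random-named executables from SYSTEM_DIR within the window."""
    window = timedelta(seconds=window_seconds)
    by_parent = defaultdict(list)
    for ev in events:
        if looks_like_random_drop(ev.image):
            by_parent[ev.ppid].append(ev)
    hits = {}
    for ppid, kids in by_parent.items():
        kids.sort(key=lambda e: e.ts)
        start = 0                                    # sliding window over start times
        for end in range(len(kids)):
            while kids[end].ts - kids[start].ts > window:
                start += 1
            if end - start + 1 >= min_children:
                hits[ppid] = kids                    # once tripped, report every child
                break
    return hits


if __name__ == "__main__":
    for ppid, kids in detect_drop_and_spawn(parse_events(SAMPLE_LOG)).items():
        print(f"parent {ppid} started {len(kids)} random-named executables from {SYSTEM_DIR}")
```

The window and threshold are the knobs to tune: this sample trips the rule with any window over a few seconds, while a legitimate installer rarely writes random-named executables to C:\Windows\System at all, so the path and naming checks do most of the work.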

Processes

PIDs are taken from the WriteProcessMemory entries and memory-dump names of this run. Every child was started by PID 1940, and each child's command line is its own path.

PID 1940  C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe
          "C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe"
  PID 3796  C:\Windows\System\jmNucrC.exe
  PID 1736  C:\Windows\System\Socrbjh.exe
  PID 2736  C:\Windows\System\rbNfZnc.exe
  PID 3016  C:\Windows\System\yGtvSIA.exe
  PID 4516  C:\Windows\System\NiiZceg.exe
  PID 436   C:\Windows\System\TawXTDe.exe
  PID 3620  C:\Windows\System\UMwKnpn.exe
  PID 5016  C:\Windows\System\uhjQSqo.exe
  PID 1444  C:\Windows\System\BWgWbJY.exe
  PID 2776  C:\Windows\System\iKBtNNI.exe
  PID 748   C:\Windows\System\EwEmeIp.exe
  PID 2768  C:\Windows\System\XSbnaFj.exe
  PID 4720  C:\Windows\System\vSXCwIW.exe
  PID 4852  C:\Windows\System\AroTPPi.exe
  PID 4628  C:\Windows\System\YgaeyFS.exe
  PID 3376  C:\Windows\System\hqvGnfs.exe
  PID 3656  C:\Windows\System\KHwZxWf.exe
  PID 4784  C:\Windows\System\iTYJTUy.exe
  PID 4436  C:\Windows\System\QYZGCJL.exe
  PID 3968  C:\Windows\System\flsEawX.exe
  PID 2796  C:\Windows\System\srZdlbh.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 (none) tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 (none) tcp
DE 3.120.209.58:8080 (none) tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 (none) tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 (none) tcp
DE 3.120.209.58:8080 (none) tcp

The Domain column holds reverse (PTR) lookup names, not names the sample resolved: 232.168.11.51.in-addr.arpa asks for the name of 51.11.168.232, and so on, and the table does not attribute the lookups to a process. The only direct connection is TCP to 3.120.209.58:8080 (DE), recorded six times inside the 148 s network window; the report captures no protocol or payload for it.
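The Domain column above mostly holds `*.in-addr.arpa` names, i.e. PTR queries sent to 8.8.8.8, while the one direct destination (3.120.209.58:8080) has no domain at all. The following Python is an added example, not part of the report, that parses rows in this table's layout (the rows are embedded as a constructed string so it runs offline), turns each reverse name back into the address it asks about, and separates DNS noise from direct connections. The row format and the `private_targets` check are the editor's, not the sandbox's.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# The rows of the Network table above, embedded as a constructed string.
NETWORK_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

# Country, dst:port, optional domain, protocol. The domain group is absent for
# rows like the DE ones, so it is optional.
ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<dst>\S+):(?P<port>\d+)\s+"
                 r"(?:(?P<name>\S+)\s+)?(?P<proto>tcp|udp)$")


@dataclass(frozen=True)
class Flow:
    country: str
    dst: str
    port: int
    name: Optional[str]      # None when the Domain column is empty
    proto: str


def parse_rows(text):
    flows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            flows.append(Flow(m["cc"], m["dst"], int(m["port"]), m["name"], m["proto"]))
    return flows


def ptr_target(name):
    """Address an IPv4 reverse name asks about (4.3.2.1.in-addr.arpa -> 1.2.3.4), else None."""
    suffix = ".in-addr.arpa"
    if not name or not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:             # classless or partial reverse zones are not decoded
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ValueError:
        return None


def triage(flows):
    """Sort flows into decoded reverse lookups, forward lookups and direct connections."""
    out = {"ptr": [], "forward": [], "direct": Counter()}
    for f in flows:
        if f.port == 53 and f.name:
            target = ptr_target(f.name)
            if target is not None:
                out["ptr"].append(target)
            else:
                out["forward"].append(f.name)
        else:
            out["direct"][(f.dst, f.port, f.proto, f.country)] += 1
    return out


def private_targets(result):
    """Reverse lookups of RFC 1918 space would point at the detonation LAN, not the internet."""
    return [str(a) for a in result["ptr"] if a.is_private]


if __name__ == "__main__":
    res = triage(parse_rows(NETWORK_TABLE))
    print("reverse lookups for:", ", ".join(str(a) for a in res["ptr"]))
    for (dst, port, proto, cc), n in res["direct"].items():
        print(f"direct: {proto} {dst}:{port} ({cc}) x{n}")
```

Decoding the PTR names makes the split obvious: ten lookups for public addresses with no forward resolution at all, and a single repeated TCP destination on a non-standard port, which is the line to pivot on in firewall or proxy logs.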

Files

memory/1940-0-0x00007FF6CF620000-0x00007FF6CF974000-memory.dmp

memory/1940-1-0x000001EFF3ED0000-0x000001EFF3EE0000-memory.dmp

C:\Windows\System\jmNucrC.exe

MD5 4f3aec2b086422cddea9269d32127aae
SHA1 c67a61bd482424541be42c18910ccfc575d95815
SHA256 423b46068b31098061d73fa9928ad38c53893974c2b333aaa2934c40a82df822
SHA512 62c444daf5de154c6eff7c3af28bae9ec9ab569c6af08b5b51e53fbc2fd93b39a6814137cbdd98d147e84e78d72586f1bfe0ff9f142e6331de04def3abce01b5

memory/3796-9-0x00007FF68F120000-0x00007FF68F474000-memory.dmp

C:\Windows\System\Socrbjh.exe

MD5 fc3e2ec74b6d13bba4f021bbe729b505
SHA1 539b043b027eb7cf08f47b991924abb73d535249
SHA256 af0cfc8cb1a0a880fd39a6a7b9210dd967be8c9772f1373f8cb6cc893ca43781
SHA512 40515e96f7f0b2443c5922d0984b7c3208dd600d04a2e5f715f5c052692b7cdfbff31448223d967b67981205e8ce1b2395efc4986d68bfad998f4a89b7224f5d

C:\Windows\System\rbNfZnc.exe

MD5 8f62ce3a9dec1f9849d9dad730f6fd94
SHA1 ff9a6d6d780bcb3a5549a5378eb9739704b524a8
SHA256 6b98a497452e4bd82121a34d1b118831ff622a8c14866b64afa7edffeb5c081d
SHA512 731b5420520e1ff2af8ccc9a8881b296d4ced13cd95aae10c770194e77884c8b12b5c0c1ee3da37232a47ff3f17c4a6a6e78819862f731e10132cb6d741db5af

memory/1736-14-0x00007FF787530000-0x00007FF787884000-memory.dmp

C:\Windows\System\yGtvSIA.exe

MD5 9f95f66878c9260dcd65b36008054172
SHA1 f5b031121f4c1d045182fcc701afc001a886fd31
SHA256 16f6ab48ee5085693b6f960d4fc1550ea9b705da45f6309affa6d3d92b54ee23
SHA512 92807e2bb18841c19ec4602fb1cc05c132c79803107f1ad3ba47c09e14c7773731646af23e5dd9dd6227c968484600460fbe762d11475b3531f43c0763446287

memory/2736-21-0x00007FF791AF0000-0x00007FF791E44000-memory.dmp

memory/3016-26-0x00007FF737D60000-0x00007FF7380B4000-memory.dmp

C:\Windows\System\NiiZceg.exe

MD5 ebdc1fd5168380d76a9db65966dbabbd
SHA1 ba9f18ec45507c61ac1fcb295c52a41f5c26ae85
SHA256 8d9e8040c6e12f2631aef6c413c338e8d725b2faaf691389f589ac1bf045a39b
SHA512 dfc056848da858b55a9df9751f81a6cd163db4bd6ed27375f310e8d6b1963abec951dbbbf40543ec061f6d09460d254ef6dff133fe4bb413c84a0ac92aaf6150

C:\Windows\System\TawXTDe.exe

MD5 b05271006b1b5178fd39e55f47ff4b3b
SHA1 12c6a550164a184ae131b1dbc952e7c0dd836429
SHA256 6a2218aa3926a8a625f3c569e954c52f3e1a78f1c4002951002e81802afaf690
SHA512 db6c0834310e34961f7d622faf3985e2833bca40921b6133e06c005adc3850ee94cb087ab3abc4024b680ffe0d7de50847e1cde1878c6c0112e19420ef2bbfce

memory/4516-36-0x00007FF6A9820000-0x00007FF6A9B74000-memory.dmp

C:\Windows\System\UMwKnpn.exe

MD5 aeb39fe36a150f9992b7bdb249d2cfee
SHA1 ff55af3d62fb27408e7087b78c4d3caf94afd2a9
SHA256 a56da95dce672d60e7db7120c0b34b96ab0200b05c79f9ed0ad2a31ad5d426aa
SHA512 a11791923bebc8666857bc2c592ceac1abcd763afd5db83b55b7b0606bab1b29375737a8bf62c30ebc79e75aa2edb3492e7908c42589f0df116372a7a8bcc60b

memory/436-42-0x00007FF6E5340000-0x00007FF6E5694000-memory.dmp

memory/3620-49-0x00007FF693D70000-0x00007FF6940C4000-memory.dmp

C:\Windows\System\BWgWbJY.exe

MD5 829dd416cb1f55e5158d934b7505c7b8
SHA1 a5d0afca948b902895e44597546175acc17df365
SHA256 f923943f3215955aa9e4b807ecf4823a507fe6c5250cc2e309f7b7605ada4de7
SHA512 2cc78c689d4334016fe4fa4be7d095b8de6bbeaf9c4c63bf55352915971911a83eefc6bee37b888265875d8184bbbed35b61e01561ec5d3035bedcfec90993d2

C:\Windows\System\iKBtNNI.exe

MD5 dc1c38b84240872f143be89cefd4170f
SHA1 356abe82e9da6a49ec7621263f8da576d6249b6a
SHA256 a3e559226d79a32b9050f24ac5b4bbec471abacf619a0fe27a4482680d537ad0
SHA512 469dca32e5781daa09f098e7e49fa70c021e4b8eeb5c283aa75c375cc2e9e9b060a41db2480e33225d72a9f92d66c831530df90035bff3f7ba884d709a20ec1c

C:\Windows\System\EwEmeIp.exe

MD5 edc87f1b3c29965562e1257373828005
SHA1 f82f025638324f9a79c13742315f2f991a501b51
SHA256 f0dccc7968bf4227e3aed8a626389a63a0155b225a85ad27637c28833c32e4f3
SHA512 9abdab2b29977fd82f78246f167a324c34b86a0aea8f927bb40c883ab4df110b9db00b01592aed0d38ef036d6457b914418cbded012b8039b86cf7d1f844a68c

C:\Windows\System\XSbnaFj.exe

MD5 ab07e8301a454018ed745a6b702c7711
SHA1 e3baeab8ea96eee1a1009908b0e67ceec5c55794
SHA256 68619af4ee0ec7e41ca1c35c43cb81d99854c4a2634ab21cf1066fda9bf548d4
SHA512 9b1675cc887ef2d67080f4279232783a94ccc49547aba19017fb8a1ed2ad1cc63a20dd99a038b86ae9dee5ffd694fc7b37b680720b3f2b7849ab2cf6aa3794ac

C:\Windows\System\AroTPPi.exe

MD5 d01532153e666a222cc6f5ce1f218e7f
SHA1 f7ad9ef78121e3d7548a1fabe0c836d11016c94c
SHA256 f713128d09e5890120da1489b6b8b6eeaa5c255103e79af247c81c7504c0c981
SHA512 36a70808895a90dc516f730498623ea72652153fcd7ae9aff18d49697ecc335823eb3e2bc06769e8fce4a8e57609717828c17f195efaf768a73c3bf0c9ac4544

C:\Windows\System\KHwZxWf.exe

MD5 8cc16c89ad9d53990658b03111bf52e4
SHA1 8b9b5e0c11f73ba5ef18a93dd58d4f8186132dde
SHA256 a5ed9468a28509fd1cb51aeb4690105d76a6106fceeb873417d89ba3a35da653
SHA512 9f0620482e0111b28e7b4f229f5a75b0aea90de446ddf1e20a298fc9c7382abc5218adace35e5ff5c19a41b34dbb0433f5bfb3815860f4f93f854149f4967ab8

C:\Windows\System\YgaeyFS.exe

MD5 87e2ecee179d9967a99be0f39ac3d939
SHA1 82b00e03be30898a0689d81e03110109e355b5fa
SHA256 f67f8cc3b61c677398e78b36076221c4a2e13dd2d39eb94254c791c89166f129
SHA512 1e03f103e48aaec9f596072466e2ef6f0142c4b3a7a84ef95d5f6beb2ab68a5a221d3e3140fb4565c37e2c8aa88d970366ee7266d1909a9335ea59f8e6d36c4c

memory/3376-98-0x00007FF74C940000-0x00007FF74CC94000-memory.dmp

C:\Windows\System\hqvGnfs.exe

MD5 7ae42621229a2db447fc876fb43b03d4
SHA1 b9ad14e608cf9bc64ab9cbba16c4f6acc24953f2
SHA256 1e3cf75ab5929aef587b0d459a1eff6930980f2db64f62f51334ff31ec75ec78
SHA512 fb2c8cd84ad06ab27e14bc3886e07a10636a60ffd627662ea4040e32ed0334f79e0627c79626cf5206fc30d92dfc14764452eec7b3a733a3aa60c910631a4836

memory/4720-93-0x00007FF6D3290000-0x00007FF6D35E4000-memory.dmp

C:\Windows\System\vSXCwIW.exe

MD5 b09792614e0f37482deca88c7bb3a90c
SHA1 d64c83795ff2cf19b53e2174990f337e37bee895
SHA256 b0ae1eb9df65051c6119392dca5787be71475b2a053aa1496cda54a747194d28
SHA512 e67d1580bffefd25dfa4e21b00506caa0f40102e0b04a785dcb27a3edd00755a4268accd1a06a083881d3c5a36494ea0a71443078fdeaa31d7aa526a0221125b

memory/4628-89-0x00007FF7F24B0000-0x00007FF7F2804000-memory.dmp

memory/4852-85-0x00007FF7FDD80000-0x00007FF7FE0D4000-memory.dmp

memory/2768-84-0x00007FF79F930000-0x00007FF79FC84000-memory.dmp

memory/748-78-0x00007FF74ADD0000-0x00007FF74B124000-memory.dmp

memory/2776-65-0x00007FF680D20000-0x00007FF681074000-memory.dmp

memory/1940-64-0x00007FF6CF620000-0x00007FF6CF974000-memory.dmp

memory/1444-57-0x00007FF744010000-0x00007FF744364000-memory.dmp

memory/5016-55-0x00007FF6D1CD0000-0x00007FF6D2024000-memory.dmp

C:\Windows\System\uhjQSqo.exe

MD5 97fb13b92bebc9b9289c6d72f0be53bc
SHA1 e4e66a28075defff3a530bfb10e2c5643d8e1949
SHA256 81e0d93247c4453eec3233935194fcfe950a89f4e31949526cb86adeb5b5c126
SHA512 a53a7debdc31abeb613b427ea79b87eef210f170d7fb4c87d2823cca32fa031c358681a6a7a4edd7e271927ff7388f11a195a283ef1bc9c51dc6ba8d2da5bcd9

memory/3656-104-0x00007FF751030000-0x00007FF751384000-memory.dmp

memory/4784-112-0x00007FF7EFE60000-0x00007FF7F01B4000-memory.dmp

C:\Windows\System\iTYJTUy.exe

MD5 b3506b2bbf3075ee27782de9e419bc5e
SHA1 334383d839068e855d9b0eebbe932c7e1d15995b
SHA256 16e308d40fb9572a0b35e5f687537b2f13d5738d4e6f205970ab992ca7d259b9
SHA512 8498a5baaf4a18bcf436d251493af257f39decff159ba5f34fb5318023080c047894c7977e634b79b0a0381f8e13c31907f67397ab13be1a365720598728c343

C:\Windows\System\QYZGCJL.exe

MD5 915206c2d481da371f18f4c7d5c2328c
SHA1 dfdfbaa7a53b7790c80aeaec1b8ef1c930c30106
SHA256 736bf491e5656dc38e2894fbc20fc80fd39d448358f5a41a2bfef992f935310c
SHA512 9bbe218ddef5a71412bde9125cece7ec6e0e340396e4a2932209eef3d81cc09231ea4f0a0fed99feb8920c8c95d40d7db5450cafa972347b4a9e90aa795a3081

memory/4436-114-0x00007FF671740000-0x00007FF671A94000-memory.dmp

memory/436-113-0x00007FF6E5340000-0x00007FF6E5694000-memory.dmp

C:\Windows\System\flsEawX.exe

MD5 f6e31270ac7ed7c7ae70a118c4f43562
SHA1 3e1da8a89ad9678f1c8dd3e535752eeaecbff8f2
SHA256 ad19e4c79c17af395be9dfd397b13159b98e07a41d44d8040441a099913ee16b
SHA512 4476b29de001cb0335973e0de8925901c1447a412172e17c47528ccf654b80cb5c381d7d0699ba57b3068e390f94a653cc9703169d5c4b4dc1177da83f19b3a9

C:\Windows\System\srZdlbh.exe

MD5 7c832af2279652acdb624c3a084eea27
SHA1 d74ad6c48ea1ff5703cd87d4cde3a4cb6056d395
SHA256 1f82390cd01618c499061196f7e20cb29eafdc3effe2faa6dc79735c6790a60a
SHA512 e8318aaed9cefcc1acd3b7d15b52a8e3407beda21255cd68b94e4566b42d626d5d28bd4f8a24adc9b87cd03b9740cc755f6025df074ab8229ba569a2d5617a2e

memory/3968-125-0x00007FF7ECF50000-0x00007FF7ED2A4000-memory.dmp

memory/2796-129-0x00007FF6643F0000-0x00007FF664744000-memory.dmp

memory/2768-130-0x00007FF79F930000-0x00007FF79FC84000-memory.dmp

memory/4628-131-0x00007FF7F24B0000-0x00007FF7F2804000-memory.dmp

memory/4852-132-0x00007FF7FDD80000-0x00007FF7FE0D4000-memory.dmp

memory/4720-133-0x00007FF6D3290000-0x00007FF6D35E4000-memory.dmp

memory/3376-134-0x00007FF74C940000-0x00007FF74CC94000-memory.dmp

memory/4784-135-0x00007FF7EFE60000-0x00007FF7F01B4000-memory.dmp

memory/4436-136-0x00007FF671740000-0x00007FF671A94000-memory.dmp

memory/3796-137-0x00007FF68F120000-0x00007FF68F474000-memory.dmp

memory/1736-138-0x00007FF787530000-0x00007FF787884000-memory.dmp

memory/2736-139-0x00007FF791AF0000-0x00007FF791E44000-memory.dmp

memory/3016-140-0x00007FF737D60000-0x00007FF7380B4000-memory.dmp

memory/4516-141-0x00007FF6A9820000-0x00007FF6A9B74000-memory.dmp

memory/436-142-0x00007FF6E5340000-0x00007FF6E5694000-memory.dmp

memory/3620-143-0x00007FF693D70000-0x00007FF6940C4000-memory.dmp

memory/5016-144-0x00007FF6D1CD0000-0x00007FF6D2024000-memory.dmp

memory/1444-145-0x00007FF744010000-0x00007FF744364000-memory.dmp

memory/2776-146-0x00007FF680D20000-0x00007FF681074000-memory.dmp

memory/748-147-0x00007FF74ADD0000-0x00007FF74B124000-memory.dmp

memory/2768-148-0x00007FF79F930000-0x00007FF79FC84000-memory.dmp

memory/4852-149-0x00007FF7FDD80000-0x00007FF7FE0D4000-memory.dmp

memory/3376-150-0x00007FF74C940000-0x00007FF74CC94000-memory.dmp

memory/4720-151-0x00007FF6D3290000-0x00007FF6D35E4000-memory.dmp

memory/3656-152-0x00007FF751030000-0x00007FF751384000-memory.dmp

memory/4628-153-0x00007FF7F24B0000-0x00007FF7F2804000-memory.dmp

memory/4784-154-0x00007FF7EFE60000-0x00007FF7F01B4000-memory.dmp

memory/4436-155-0x00007FF671740000-0x00007FF671A94000-memory.dmp

memory/3968-156-0x00007FF7ECF50000-0x00007FF7ED2A4000-memory.dmp

memory/2796-157-0x00007FF6643F0000-0x00007FF664744000-memory.dmp
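Every `memory/<pid>-<n>-<start>-<end>-memory.dmp` entry above names one region the sandbox dumped, and each dropped file is followed by its hashes. The following Python is an added example, not part of the report or of the sandbox's own tooling, that parses a constructed excerpt of this Files section (dump names and two hash blocks copied from above), computes region sizes, groups them by PID, validates that every copied hash has the digit count its algorithm requires, and collects the SHA256 values as indicators. Run over this section it shows that the parent and every child have an image-sized region of exactly 0x354000 bytes while their on-disk hashes all differ; reading that as re-generated copies of one executable is the editor's inference, not a statement the report makes.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt of the Files section above: eleven dump names and two
# dropped files with their hashes, copied from the report. Blank lines are kept
# because the report uses them as separators.
FILES_EXCERPT = r"""
memory/1940-0-0x00007FF6CF620000-0x00007FF6CF974000-memory.dmp

memory/1940-1-0x000001EFF3ED0000-0x000001EFF3EE0000-memory.dmp

C:\Windows\System\jmNucrC.exe

MD5 4f3aec2b086422cddea9269d32127aae
SHA1 c67a61bd482424541be42c18910ccfc575d95815
SHA256 423b46068b31098061d73fa9928ad38c53893974c2b333aaa2934c40a82df822

memory/3796-9-0x00007FF68F120000-0x00007FF68F474000-memory.dmp

C:\Windows\System\Socrbjh.exe

MD5 fc3e2ec74b6d13bba4f021bbe729b505
SHA1 539b043b027eb7cf08f47b991924abb73d535249
SHA256 af0cfc8cb1a0a880fd39a6a7b9210dd967be8c9772f1373f8cb6cc893ca43781

memory/1736-14-0x00007FF787530000-0x00007FF787884000-memory.dmp
memory/2736-21-0x00007FF791AF0000-0x00007FF791E44000-memory.dmp
memory/3016-26-0x00007FF737D60000-0x00007FF7380B4000-memory.dmp
memory/4516-36-0x00007FF6A9820000-0x00007FF6A9B74000-memory.dmp
memory/436-42-0x00007FF6E5340000-0x00007FF6E5694000-memory.dmp
memory/3620-49-0x00007FF693D70000-0x00007FF6940C4000-memory.dmp
memory/1940-64-0x00007FF6CF620000-0x00007FF6CF974000-memory.dmp
memory/436-113-0x00007FF6E5340000-0x00007FF6E5694000-memory.dmp
"""

DUMP = re.compile(r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                  r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512)\s+(?P<hex>[0-9a-fA-F]+)$")
PATH = re.compile(r"^[A-Za-z]:\\")
HEX_DIGITS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass(frozen=True)
class Region:
    pid: int
    idx: int
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start


def parse_files_section(text):
    """Return (regions, hashes): dump regions in order, and {path: {algo: hex}}.
    A hash whose digit count does not fit its algorithm (a truncated copy) raises."""
    regions, hashes, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP.match(line)
        if m:
            regions.append(Region(int(m["pid"]), int(m["idx"]),
                                  int(m["start"], 16), int(m["end"], 16)))
            continue
        if PATH.match(line):
            current = line
            hashes.setdefault(current, {})
            continue
        m = HASH.match(line)
        if m and current is not None:
            if len(m["hex"]) != HEX_DIGITS[m["algo"]]:
                raise ValueError(f"{m['algo']} for {current}: {len(m['hex'])} hex digits, "
                                 f"expected {HEX_DIGITS[m['algo']]}")
            hashes[current][m["algo"]] = m["hex"].lower()
    return regions, hashes


def regions_by_pid(regions):
    """Distinct (start, end) regions per PID; repeated dumps of one region collapse."""
    out = defaultdict(dict)
    for r in regions:
        out[r.pid][(r.start, r.end)] = r.size
    return dict(out)


def pids_with_region_of_size(regions, size):
    return sorted({r.pid for r in regions if r.size == size})


def sha256_iocs(hashes):
    return sorted(h["SHA256"] for h in hashes.values() if "SHA256" in h)


if __name__ == "__main__":
    regions, hashes = parse_files_section(FILES_EXCERPT)
    for pid, regs in sorted(regions_by_pid(regions).items()):
        print(pid, [hex(s) for s in regs.values()])
    print("SHA256 IOCs:", sha256_iocs(hashes))
```

The 0x10000 region is the parent's second dump (1940-1, a small non-image allocation); every other region, in the parent and in each child, is 0x354000 bytes. Feeding the full Files section through `parse_files_section` gives the block list for both detonations and catches any hash that was mangled while being copied.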