Malware Analysis Report

2025-01-22 19:53

Sample ID 240601-szg1jagc78
Target 2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike
SHA256 6c346143928bb8d6ebdab335cdc17403286288887c222dc5d8f6987f1dc749b9
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6c346143928bb8d6ebdab335cdc17403286288887c222dc5d8f6987f1dc749b9

Threat Level: Known bad

The file 2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

Cobaltstrike family

Xmrig family

UPX dump on OEP (original entry point)

xmrig

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

Cobaltstrike

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 15:33

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 15:33

Reported

2024-06-01 15:36

Platform

win7-20240221-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 rows, all fields N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 rows, all fields N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(62 rows, all fields N/A)

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows, all fields N/A)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
(21 identical rows)

UPX packed file

upx
Description Indicator Process Target
(62 rows, all fields N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ANcSoLJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\icMsxmH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xvJFBlk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VyTKblV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kHqoUcw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SXIJfli.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IEoHnfJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Wnepmcv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KsOFudn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xiGMMxf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZmRjiiN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kzXnPGa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QPIVwhm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\onEAcHk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iScmToK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BdKDirX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GYtJzyb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QBQFcSp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DbnwdaH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wSFrBth.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TxjnLdg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each row below is recorded 3 times in the original table)
PID 1688 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\onEAcHk.exe
PID 1688 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\wSFrBth.exe
PID 1688 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\iScmToK.exe
PID 1688 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\xiGMMxf.exe
PID 1688 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZmRjiiN.exe
PID 1688 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\IEoHnfJ.exe
PID 1688 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\kzXnPGa.exe
PID 1688 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\Wnepmcv.exe
PID 1688 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\ANcSoLJ.exe
PID 1688 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\icMsxmH.exe
PID 1688 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\xvJFBlk.exe
PID 1688 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\QPIVwhm.exe
PID 1688 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\GYtJzyb.exe
PID 1688 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\VyTKblV.exe
PID 1688 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\kHqoUcw.exe
PID 1688 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\SXIJfli.exe
PID 1688 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\QBQFcSp.exe
PID 1688 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\BdKDirX.exe
PID 1688 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\TxjnLdg.exe
PID 1688 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\KsOFudn.exe
PID 1688 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\DbnwdaH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\onEAcHk.exe

C:\Windows\System\onEAcHk.exe

C:\Windows\System\wSFrBth.exe

C:\Windows\System\wSFrBth.exe

C:\Windows\System\iScmToK.exe

C:\Windows\System\iScmToK.exe

C:\Windows\System\xiGMMxf.exe

C:\Windows\System\xiGMMxf.exe

C:\Windows\System\ZmRjiiN.exe

C:\Windows\System\ZmRjiiN.exe

C:\Windows\System\IEoHnfJ.exe

C:\Windows\System\IEoHnfJ.exe

C:\Windows\System\kzXnPGa.exe

C:\Windows\System\kzXnPGa.exe

C:\Windows\System\Wnepmcv.exe

C:\Windows\System\Wnepmcv.exe

C:\Windows\System\ANcSoLJ.exe

C:\Windows\System\ANcSoLJ.exe

C:\Windows\System\icMsxmH.exe

C:\Windows\System\icMsxmH.exe

C:\Windows\System\xvJFBlk.exe

C:\Windows\System\xvJFBlk.exe

C:\Windows\System\QPIVwhm.exe

C:\Windows\System\QPIVwhm.exe

C:\Windows\System\GYtJzyb.exe

C:\Windows\System\GYtJzyb.exe

C:\Windows\System\VyTKblV.exe

C:\Windows\System\VyTKblV.exe

C:\Windows\System\kHqoUcw.exe

C:\Windows\System\kHqoUcw.exe

C:\Windows\System\SXIJfli.exe

C:\Windows\System\SXIJfli.exe

C:\Windows\System\QBQFcSp.exe

C:\Windows\System\QBQFcSp.exe

C:\Windows\System\BdKDirX.exe

C:\Windows\System\BdKDirX.exe

C:\Windows\System\TxjnLdg.exe

C:\Windows\System\TxjnLdg.exe

C:\Windows\System\KsOFudn.exe

C:\Windows\System\KsOFudn.exe

C:\Windows\System\DbnwdaH.exe

C:\Windows\System\DbnwdaH.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(6 identical rows; no domain recorded)

Files

memory/1688-0-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/1688-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\onEAcHk.exe

MD5 dd39fcd84f00a94dd9704873b0f63fbc
SHA1 39d791719af7d5efa55e390f3ae80f7e0201793b
SHA256 25384896cfb7468ac609cbe7c89e8ba9681432a0a00d0aab18c5814a7a686afa
SHA512 f23c06cd1b77ced5a267232c78d8beabcf48d997f2871b6017436ba4759c929504483dfe6e05eb1902cd549b0d9768046e35fbee7d2133a3a0cb65b56835e794

memory/1688-6-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2948-8-0x000000013FF70000-0x00000001402C4000-memory.dmp

C:\Windows\system\iScmToK.exe

MD5 80d72d8d47d131914baed404eed64dd0
SHA1 40b731d4ddae41ae05186fe039a32bde1d5759f5
SHA256 6bf3cef1d9cebeced2db7242c6336b30e4dddbf3d84440b1cb9c311db52ddf45
SHA512 190b3cf650c278c4e449e42b3f6fdad82a419361077e9ae511f0a9d5a5058aeef67a42a2c5c2fb0b87f6524bc1debdb9ceedd73d396669ee6fcdc3584e9b9d6d

memory/1688-14-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/2480-22-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/1688-23-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/2440-18-0x000000013FCF0000-0x0000000140044000-memory.dmp

C:\Windows\system\wSFrBth.exe

MD5 391daf65b7e246f9d8192c6d8d653253
SHA1 9024fc0b114e517e794f79e060e3ecdcb6d82d57
SHA256 c759efbcdc61b502d7536a04dad9d5da477d6088b5e1e5f17ca57d1fd9a4cd34
SHA512 4257c968910455999414d23ffa40f4d1df76535e62da055b7e1e2e6b099dfb0a2052b49a94c6864bfdaa6fa7a66cfedc4704f5df10025de23fe8df6010366a0f

C:\Windows\system\xiGMMxf.exe

MD5 759e94d90d40834817349b47cfc2f83f
SHA1 6364442e7cb86fc7055680ebe5de71bbcba4694e
SHA256 60900e7393af57dc3ba482236f58b70bc349e038fa88482e5a43200f32018712
SHA512 4d83df23cb26828ee6c5e509ebb620d95fcf2c0791d89acd11c1ef3cc93dbb4588dd8c24d635bb7b80fac3031b50513c820ee975404ac2d90e05a63b72d97146

memory/1688-28-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2508-30-0x000000013F8B0000-0x000000013FC04000-memory.dmp

C:\Windows\system\IEoHnfJ.exe

MD5 8799396249ec1432a566183204e5e823
SHA1 5181c4490c2a1186a1862fde3efb3c27ff38de3e
SHA256 64876f22c2c6b0e4ce68baa79458d9361148dca8fd44ff2fcd54ed7defbe7ad1
SHA512 246b7d8c42aa80e0f8245dd0346eeb7a7aa3edffe551f328271b776e5281b363ea9894f4e4020a068482afbf9e81a2e40be2dcda25e9697219370e6db3202d75

memory/1688-42-0x000000013FEF0000-0x0000000140244000-memory.dmp

\Windows\system\ZmRjiiN.exe

MD5 71448f818beb5e5d1e4014a117fc7a79
SHA1 5c649242d9513472fd9bf5e518e6ffb88c8b1819
SHA256 3054dc2a02773d41776838297bd64e06bb0d51a4e3a1d22ca08310efaf55585f
SHA512 de46a471fc9dc39664921599db8e8239bf0815fc4eb6b5c3e716dc40901bb62eb93376d69ecd0b48ba558ac8142004f615d424f308de5ce2d06d55871299c75f

memory/2704-43-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2540-41-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

\Windows\system\kzXnPGa.exe

MD5 0e776831ce6dc89e987a5f31d1a1f77a
SHA1 e522ffcc0c59099e3e852572c8538e032a0f3aff
SHA256 187a5d2a4ed77cb3e1166022919df75a4fe6ba8573b332d82069a48b01121013
SHA512 fb5b659ea8bc37c60044543c673e55b89688662a20eb9b5ed0cbebe8b8483bd5d3ef4039a52c0364e4822373a13e3f1c531f555a678ed9ff2295b55ec4a52c45

memory/1688-47-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2376-49-0x000000013F720000-0x000000013FA74000-memory.dmp

C:\Windows\system\Wnepmcv.exe

MD5 e56176411bc2ac2778e0f61808c08cf2
SHA1 5be3f75998408ec6b2a503cc933a3ef7ad701840
SHA256 5ee03d3283053e56327bf0574e5a175c6b89dcef0cb71ac231ec913b5f08995e
SHA512 0777e7d31a91ef07b3be812836501ecef35f538dccb5d3001985976c6f5535936c117f9a04e80692855c930f867705b081a7c67a6866ba5bcfe574ee2bfb05e9

memory/1688-53-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/2464-56-0x000000013FD10000-0x0000000140064000-memory.dmp

\Windows\system\icMsxmH.exe

MD5 dc8065041351e1cbd8ba65d2140efb78
SHA1 7f6f530b9c3d135fb7ac71c8015547719268434b
SHA256 53122be4bfb6403d5439f67565c9d452d8b88b5f37cb4cb4e9b41fda2ea7a684
SHA512 7e36b01776c5e4f07e83874da37c1c2e80323d4742019baf746d95597bb911e30395af724466226f27708949aa9f9109e65ce3479f3d191019f6adc4b7a11cb9

memory/2440-71-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/2948-70-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2368-69-0x000000013F450000-0x000000013F7A4000-memory.dmp

C:\Windows\system\xvJFBlk.exe

MD5 ec269f46cd75138ea33fb6d339379e47
SHA1 fe0137d6b3e00f3085da5941c09212cf5477c8bc
SHA256 af8b573d67b0d80d30241d763d74559d7640592e2e104085d0040208a7488178
SHA512 fd2adb3604546874f463b2b0bce84dfe1b3fbe095f818196eacb0a5dac09ddf92012abfac0d9c8227a9738dbfd14d923fff1f1357646f3aed39c447a0d82f642

memory/2784-79-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/1688-86-0x000000013F9F0000-0x000000013FD44000-memory.dmp

memory/1476-87-0x000000013F9F0000-0x000000013FD44000-memory.dmp

C:\Windows\system\VyTKblV.exe

MD5 2fe4347f7fa0a954252cae9900434dbc
SHA1 83bd7c4bcaec3cbae44d8ca5d5f0362359764d4e
SHA256 3589eacfe6300863707de308dabb8c4d807e30a7bee46337b7ff6e068addceb1
SHA512 1506a82a78e183f79cac6739fb8021f9c9380f201e6c6260be3f08d9f9b85671645a34f32fca2d8848cf7bfb4f33ea19fcfccb806c12a1b25385696a3bba2998

memory/536-94-0x000000013F040000-0x000000013F394000-memory.dmp

memory/1508-100-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/1688-99-0x0000000002380000-0x00000000026D4000-memory.dmp

C:\Windows\system\BdKDirX.exe

MD5 bb9d653524726c1b550616e6fd5d87dc
SHA1 bb13a12e8c0cf93b4760526c574346dbcbe121a3
SHA256 93fcb30cfd27deb13359ceb51b05a06895d505444bad87f7f2a6240537482199
SHA512 86d4d3aba560379fe7b4da9cfaf3ede69cbef82e12bd2d82c8e0d79662f2ba0c102334d8cd5cd4bed171055457503713b509142817e8a05a46920e33c97f502c

C:\Windows\system\TxjnLdg.exe

MD5 b024d50b1d48f844571ef9b3ae661011
SHA1 3c80e306eff8e76db78aed1bcbbef76ad9ce8803
SHA256 4c7bf1e4c827381ceccdab005c91cb60f60e3fe2dc50482aa538c2c006767dea
SHA512 7383bbc5a4318dfc35d80daad644c6c3e03302b7f59b7885bb6f45101954600c17b572b0b1210cb4fd238496fd4c912c85d28a874e675256666b68cc1b1aa525

\Windows\system\DbnwdaH.exe

MD5 a19ff3e61e4032b70d6ea245a20de0ff
SHA1 e495e872eec6229c20297f24facc5e24af4512ef
SHA256 2444af42f45feb5f2cc3f48f67ae56f8c242d452c94d2de9db23a782c843c100
SHA512 c7278ca181d868684209ca5beeaefed293de8c2d7816116f6eb501c4b51d6f90f9a1e5581fd870d77362695bbeb15ffc4ee5a418a24ce751fa981b9911402897

C:\Windows\system\KsOFudn.exe

C:\Windows\system\QBQFcSp.exe

C:\Windows\system\SXIJfli.exe

C:\Windows\system\kHqoUcw.exe

C:\Windows\system\GYtJzyb.exe

C:\Windows\system\QPIVwhm.exe

C:\Windows\system\ANcSoLJ.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 15:33

Reported

2024-06-01 15:36

Platform

win10v2004-20240426-en

Max time kernel

137s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\HoVwlnn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ptrQNTs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yEKnbJH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oroRfuX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZxdhkaF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aiICmOd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tpXWOHg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fPgfufm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GbGvMOr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RtehfYk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hBqkqfj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YdjrDle.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FaWIcQp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gvsBttc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KimlEJS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iYFJGaJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sPkMotd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vCALUvX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yzIByfT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Orlkqhk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vuteDVw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1432 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\YdjrDle.exe
PID 1432 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\YdjrDle.exe
PID 1432 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\Orlkqhk.exe
PID 1432 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\Orlkqhk.exe
PID 1432 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\fPgfufm.exe
PID 1432 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\fPgfufm.exe
PID 1432 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\GbGvMOr.exe
PID 1432 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\GbGvMOr.exe
PID 1432 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\oroRfuX.exe
PID 1432 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\oroRfuX.exe
PID 1432 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\ptrQNTs.exe
PID 1432 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\ptrQNTs.exe
PID 1432 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\vuteDVw.exe
PID 1432 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\vuteDVw.exe
PID 1432 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\gvsBttc.exe
PID 1432 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\gvsBttc.exe
PID 1432 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\yEKnbJH.exe
PID 1432 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\yEKnbJH.exe
PID 1432 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\KimlEJS.exe
PID 1432 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\KimlEJS.exe
PID 1432 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\iYFJGaJ.exe
PID 1432 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\iYFJGaJ.exe
PID 1432 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZxdhkaF.exe
PID 1432 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZxdhkaF.exe
PID 1432 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\aiICmOd.exe
PID 1432 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\aiICmOd.exe
PID 1432 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\sPkMotd.exe
PID 1432 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\sPkMotd.exe
PID 1432 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\FaWIcQp.exe
PID 1432 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\FaWIcQp.exe
PID 1432 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\RtehfYk.exe
PID 1432 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\RtehfYk.exe
PID 1432 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\tpXWOHg.exe
PID 1432 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\tpXWOHg.exe
PID 1432 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\HoVwlnn.exe
PID 1432 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\HoVwlnn.exe
PID 1432 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\hBqkqfj.exe
PID 1432 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\hBqkqfj.exe
PID 1432 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\vCALUvX.exe
PID 1432 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\vCALUvX.exe
PID 1432 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\yzIByfT.exe
PID 1432 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe C:\Windows\System\yzIByfT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_498bcb6cb6975fc8e9d7a8056bde0769_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\YdjrDle.exe

C:\Windows\System\YdjrDle.exe

C:\Windows\System\Orlkqhk.exe

C:\Windows\System\Orlkqhk.exe

C:\Windows\System\fPgfufm.exe

C:\Windows\System\fPgfufm.exe

C:\Windows\System\GbGvMOr.exe

C:\Windows\System\GbGvMOr.exe

C:\Windows\System\oroRfuX.exe

C:\Windows\System\oroRfuX.exe

C:\Windows\System\ptrQNTs.exe

C:\Windows\System\ptrQNTs.exe

C:\Windows\System\vuteDVw.exe

C:\Windows\System\vuteDVw.exe

C:\Windows\System\gvsBttc.exe

C:\Windows\System\gvsBttc.exe

C:\Windows\System\yEKnbJH.exe

C:\Windows\System\yEKnbJH.exe

C:\Windows\System\KimlEJS.exe

C:\Windows\System\KimlEJS.exe

C:\Windows\System\iYFJGaJ.exe

C:\Windows\System\iYFJGaJ.exe

C:\Windows\System\ZxdhkaF.exe

C:\Windows\System\ZxdhkaF.exe

C:\Windows\System\aiICmOd.exe

C:\Windows\System\aiICmOd.exe

C:\Windows\System\sPkMotd.exe

C:\Windows\System\sPkMotd.exe

C:\Windows\System\FaWIcQp.exe

C:\Windows\System\FaWIcQp.exe

C:\Windows\System\RtehfYk.exe

C:\Windows\System\RtehfYk.exe

C:\Windows\System\tpXWOHg.exe

C:\Windows\System\tpXWOHg.exe

C:\Windows\System\HoVwlnn.exe

C:\Windows\System\HoVwlnn.exe

C:\Windows\System\hBqkqfj.exe

C:\Windows\System\hBqkqfj.exe

C:\Windows\System\vCALUvX.exe

C:\Windows\System\vCALUvX.exe

C:\Windows\System\yzIByfT.exe

C:\Windows\System\yzIByfT.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp

Files

C:\Windows\System\YdjrDle.exe

C:\Windows\System\Orlkqhk.exe

C:\Windows\System\fPgfufm.exe

C:\Windows\System\GbGvMOr.exe

C:\Windows\System\oroRfuX.exe

C:\Windows\System\ptrQNTs.exe

C:\Windows\System\vuteDVw.exe

C:\Windows\System\gvsBttc.exe

C:\Windows\System\yEKnbJH.exe

C:\Windows\System\KimlEJS.exe

C:\Windows\System\iYFJGaJ.exe

C:\Windows\System\aiICmOd.exe

C:\Windows\System\ZxdhkaF.exe

C:\Windows\System\sPkMotd.exe

C:\Windows\System\FaWIcQp.exe

C:\Windows\System\RtehfYk.exe

C:\Windows\System\tpXWOHg.exe

C:\Windows\System\HoVwlnn.exe

C:\Windows\System\hBqkqfj.exe

C:\Windows\System\vCALUvX.exe

C:\Windows\System\yzIByfT.exe
