Malware Analysis Report

2024-10-24 18:15

Sample ID 240606-q7xpvafa3y
Target 2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike
SHA256 2b2261edd39720358e5c9ab42bbd27af769ae3262824bdb0ed2c34fe651ec3fb
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b2261edd39720358e5c9ab42bbd27af769ae3262824bdb0ed2c34fe651ec3fb

Threat Level: Known bad

The file 2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

UPX dump on OEP (original entry point)

xmrig

Cobalt Strike reflective loader

Cobaltstrike

Detects Reflective DLL injection artifacts

Cobaltstrike family

Xmrig family

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 13:54

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 13:54

Reported

2024-06-06 13:57

Platform

win7-20240221-en

Max time kernel

136s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
(21 identical entries)

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wyrSFQl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jtClFWA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\feZNVKu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QzdIWEH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KXBoQoY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DOwtQMz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DrqeuYE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ovadjxs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qiVdGbk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aCNqHQl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vTiIGXk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XGCJuZP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mzpZzsa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gIESsnu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qTCvSgJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yfYffoa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YwbNGmw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ApEnsyj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sBiVzJL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ddspjdh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GNmFcxV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
(2 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\jtClFWA.exe
PID 1196 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\feZNVKu.exe
PID 1196 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\QzdIWEH.exe
PID 1196 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\KXBoQoY.exe
PID 1196 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\yfYffoa.exe
PID 1196 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\YwbNGmw.exe
PID 1196 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\vTiIGXk.exe
PID 1196 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ApEnsyj.exe
PID 1196 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\DOwtQMz.exe
PID 1196 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\XGCJuZP.exe
PID 1196 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\DrqeuYE.exe
PID 1196 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sBiVzJL.exe
PID 1196 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\mzpZzsa.exe
PID 1196 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\gIESsnu.exe
PID 1196 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ddspjdh.exe
PID 1196 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\wyrSFQl.exe
PID 1196 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ovadjxs.exe
PID 1196 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\GNmFcxV.exe
PID 1196 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\qiVdGbk.exe
PID 1196 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\aCNqHQl.exe
PID 1196 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\qTCvSgJ.exe
(3 identical entries per target process)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe"

Dropped executables run from C:\Windows\System (the command line of each is its bare image path):

C:\Windows\System\jtClFWA.exe
C:\Windows\System\feZNVKu.exe
C:\Windows\System\QzdIWEH.exe
C:\Windows\System\KXBoQoY.exe
C:\Windows\System\yfYffoa.exe
C:\Windows\System\YwbNGmw.exe
C:\Windows\System\vTiIGXk.exe
C:\Windows\System\ApEnsyj.exe
C:\Windows\System\DOwtQMz.exe
C:\Windows\System\XGCJuZP.exe
C:\Windows\System\DrqeuYE.exe
C:\Windows\System\sBiVzJL.exe
C:\Windows\System\mzpZzsa.exe
C:\Windows\System\gIESsnu.exe
C:\Windows\System\ddspjdh.exe
C:\Windows\System\wyrSFQl.exe
C:\Windows\System\ovadjxs.exe
C:\Windows\System\GNmFcxV.exe
C:\Windows\System\qiVdGbk.exe
C:\Windows\System\aCNqHQl.exe
C:\Windows\System\qTCvSgJ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp
(6 identical entries)

Files


memory/2536-137-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2552-138-0x000000013F0F0000-0x000000013F444000-memory.dmp

memory/2528-140-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2604-139-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2996-141-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2432-142-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/2772-143-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/2568-144-0x000000013F7C0000-0x000000013FB14000-memory.dmp

memory/2396-145-0x000000013F960000-0x000000013FCB4000-memory.dmp

memory/2444-146-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2904-147-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/2488-148-0x000000013FC30000-0x000000013FF84000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 13:54

Reported

2024-06-06 13:57

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical empty rows in the original table, collapsed to one)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical empty rows in the original table, collapsed to one)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 identical empty rows in the original table, collapsed to one)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical empty rows in the original table, collapsed to one)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical empty rows in the original table, collapsed to one)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ovadjxs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QzdIWEH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vTiIGXk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ApEnsyj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XGCJuZP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ddspjdh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KXBoQoY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yfYffoa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DrqeuYE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qTCvSgJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jtClFWA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\feZNVKu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YwbNGmw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sBiVzJL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gIESsnu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aCNqHQl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DOwtQMz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mzpZzsa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wyrSFQl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GNmFcxV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qiVdGbk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\jtClFWA.exe
PID 2064 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\jtClFWA.exe
PID 2064 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\feZNVKu.exe
PID 2064 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\feZNVKu.exe
PID 2064 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\QzdIWEH.exe
PID 2064 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\QzdIWEH.exe
PID 2064 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\KXBoQoY.exe
PID 2064 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\KXBoQoY.exe
PID 2064 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\yfYffoa.exe
PID 2064 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\yfYffoa.exe
PID 2064 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\YwbNGmw.exe
PID 2064 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\YwbNGmw.exe
PID 2064 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\vTiIGXk.exe
PID 2064 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\vTiIGXk.exe
PID 2064 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ApEnsyj.exe
PID 2064 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ApEnsyj.exe
PID 2064 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\DOwtQMz.exe
PID 2064 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\DOwtQMz.exe
PID 2064 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\XGCJuZP.exe
PID 2064 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\XGCJuZP.exe
PID 2064 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\DrqeuYE.exe
PID 2064 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\DrqeuYE.exe
PID 2064 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sBiVzJL.exe
PID 2064 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\sBiVzJL.exe
PID 2064 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\mzpZzsa.exe
PID 2064 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\mzpZzsa.exe
PID 2064 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\gIESsnu.exe
PID 2064 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\gIESsnu.exe
PID 2064 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ddspjdh.exe
PID 2064 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ddspjdh.exe
PID 2064 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\wyrSFQl.exe
PID 2064 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\wyrSFQl.exe
PID 2064 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ovadjxs.exe
PID 2064 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ovadjxs.exe
PID 2064 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\GNmFcxV.exe
PID 2064 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\GNmFcxV.exe
PID 2064 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\qiVdGbk.exe
PID 2064 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\qiVdGbk.exe
PID 2064 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\aCNqHQl.exe
PID 2064 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\aCNqHQl.exe
PID 2064 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\qTCvSgJ.exe
PID 2064 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe C:\Windows\System\qTCvSgJ.exe
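
The three tables above (Drops file in Windows directory, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory) are easier to reason about once they are joined: which process dropped which file, which dropped files the parent then wrote into, and which privilege the parent enabled. The script below is an added triage helper, not part of the sandbox report or of the sample; its input is a constructed subset of the rows shown above (with QzdIWEH.exe deliberately left without a matching write so the "created but never written" check has something to report), and the function and variable names are the author's own.

```python
"""Rebuild the dropper's file and process relationships from sandbox signature rows."""
import re
from collections import defaultdict

# Dropper path exactly as the report prints it in the Process column.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe")

# Constructed input: a subset of rows from the three signature tables above.
# The doubled WriteProcessMemory rows are kept because the report lists every
# write twice; QzdIWEH.exe is created here but never written to on purpose.
SAMPLE_ROWS = "\n".join([
    f"File created C:\\Windows\\System\\ovadjxs.exe {DROPPER} N/A",
    f"File created C:\\Windows\\System\\jtClFWA.exe {DROPPER} N/A",
    f"File created C:\\Windows\\System\\feZNVKu.exe {DROPPER} N/A",
    f"File created C:\\Windows\\System\\QzdIWEH.exe {DROPPER} N/A",
    f"Token: SeLockMemoryPrivilege N/A {DROPPER} N/A",
    f"Token: SeLockMemoryPrivilege N/A {DROPPER} N/A",
    f"PID 2064 wrote to memory of 4756 N/A {DROPPER} C:\\Windows\\System\\jtClFWA.exe",
    f"PID 2064 wrote to memory of 4756 N/A {DROPPER} C:\\Windows\\System\\jtClFWA.exe",
    f"PID 2064 wrote to memory of 1772 N/A {DROPPER} C:\\Windows\\System\\feZNVKu.exe",
    f"PID 2064 wrote to memory of 1772 N/A {DROPPER} C:\\Windows\\System\\feZNVKu.exe",
    f"PID 2064 wrote to memory of 4948 N/A {DROPPER} C:\\Windows\\System\\ovadjxs.exe",
])

FILE_RE = re.compile(r"^File created (\S+) (\S+) \S+$")
TOKEN_RE = re.compile(r"^Token: (\S+) \S+ (\S+) \S+$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def norm(path):
    # Windows paths are case-insensitive and the report itself mixes
    # "C:\Windows\System" and "C:\Windows\system", so compare lower-cased.
    return path.lower()


def parse_rows(text):
    created, writes, privs = {}, set(), defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            created[norm(m[1])] = norm(m[2])          # dropped file -> creating process
        elif m := WRITE_RE.match(line):               # the set de-duplicates doubled rows
            writes.add((int(m[1]), int(m[2]), norm(m[3]), norm(m[4])))
        elif m := TOKEN_RE.match(line):
            privs[norm(m[2])].add(m[1])
    return {"created": created, "writes": writes, "privs": dict(privs)}


def triage(text):
    ev = parse_rows(text)
    children = defaultdict(list)
    for ppid, cpid, _parent, target in sorted(ev["writes"]):
        children[ppid].append((cpid, target))
    written = {t for _, _, _, t in ev["writes"]}
    created = set(ev["created"])
    findings = []
    in_sysdir = [p for p in created if p.startswith("c:\\windows\\system\\")]
    if in_sysdir:
        findings.append(f"{len(in_sysdir)} executables dropped into C:\\Windows\\System")
    for proc, names in ev["privs"].items():
        if "SeLockMemoryPrivilege" in names:
            # XMRig enables this right so it can allocate large pages for its scratchpad.
            findings.append(f"SeLockMemoryPrivilege enabled by {proc}")
    for ppid, kids in children.items():
        findings.append(f"PID {ppid} wrote into {len(kids)} distinct child processes")
    return {
        "children": dict(children),
        "written_not_created": sorted(written - created),
        "created_not_written": sorted(created - written),
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_ROWS)["findings"]:
        print(line)
```

Run against the full tables rather than the subset, every one of the 21 dropped files is also a WriteProcessMemory target of PID 2064, so both difference lists come back empty; a non-empty "written_not_created" list would point at injection into a process the dropper did not itself create, which is the case worth a closer look.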

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\jtClFWA.exe

C:\Windows\System\jtClFWA.exe

C:\Windows\System\feZNVKu.exe

C:\Windows\System\feZNVKu.exe

C:\Windows\System\QzdIWEH.exe

C:\Windows\System\QzdIWEH.exe

C:\Windows\System\KXBoQoY.exe

C:\Windows\System\KXBoQoY.exe

C:\Windows\System\yfYffoa.exe

C:\Windows\System\yfYffoa.exe

C:\Windows\System\YwbNGmw.exe

C:\Windows\System\YwbNGmw.exe

C:\Windows\System\vTiIGXk.exe

C:\Windows\System\vTiIGXk.exe

C:\Windows\System\ApEnsyj.exe

C:\Windows\System\ApEnsyj.exe

C:\Windows\System\DOwtQMz.exe

C:\Windows\System\DOwtQMz.exe

C:\Windows\System\XGCJuZP.exe

C:\Windows\System\XGCJuZP.exe

C:\Windows\System\DrqeuYE.exe

C:\Windows\System\DrqeuYE.exe

C:\Windows\System\sBiVzJL.exe

C:\Windows\System\sBiVzJL.exe

C:\Windows\System\mzpZzsa.exe

C:\Windows\System\mzpZzsa.exe

C:\Windows\System\gIESsnu.exe

C:\Windows\System\gIESsnu.exe

C:\Windows\System\ddspjdh.exe

C:\Windows\System\ddspjdh.exe

C:\Windows\System\wyrSFQl.exe

C:\Windows\System\wyrSFQl.exe

C:\Windows\System\ovadjxs.exe

C:\Windows\System\ovadjxs.exe

C:\Windows\System\GNmFcxV.exe

C:\Windows\System\GNmFcxV.exe

C:\Windows\System\qiVdGbk.exe

C:\Windows\System\qiVdGbk.exe

C:\Windows\System\aCNqHQl.exe

C:\Windows\System\aCNqHQl.exe

C:\Windows\System\qTCvSgJ.exe

C:\Windows\System\qTCvSgJ.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
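
Most rows in the network table are PTR lookups against 8.8.8.8, and the one destination that is not DNS is contacted six times over TCP. The script below is an added example, not part of the report, that separates the two: it parses the table, counts non-DNS endpoints, and decodes each in-addr.arpa name back into the address the host was asking about. Its input is the table above reproduced as text (rows with an empty Domain cell are given without it; a "-" placeholder is accepted too), and the function names are the author's own.

```python
"""Separate the non-DNS endpoint from PTR-lookup noise in a sandbox network table."""
import re
from collections import Counter

# Constructed input: the behavioral2 Network table above, one row per line.
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

# country, ip:port, optional domain, proto
ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")


def ptr_to_ip(name):
    """Turn a reverse-lookup name back into the queried address:
    '97.17.167.52.in-addr.arpa' -> '52.167.17.97'. Returns None for anything else."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def parse_network(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed network row: {line!r}")
        rows.append({"country": m[1], "ip": m[2], "port": int(m[3]),
                     "domain": m[4], "proto": m[5]})
    return rows


def is_dns(row):
    return row["proto"] == "udp" and row["port"] == 53


def summarize(text):
    rows = parse_network(text)
    endpoints = Counter((r["ip"], r["port"], r["proto"]) for r in rows if not is_dns(r))
    queried = sorted(ip for ip in (ptr_to_ip(r["domain"]) for r in rows if is_dns(r)) if ip)
    return {
        "endpoints": endpoints,            # non-DNS destinations with connection counts
        "reverse_lookups": queried,        # addresses the host requested PTR records for
        "top_endpoint": endpoints.most_common(1)[0] if endpoints else None,
    }


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    print("non-DNS endpoints:", dict(s["endpoints"]))
    print("PTR lookups for:", ", ".join(s["reverse_lookups"]))
```

The decoded PTR targets are context rather than indicators: reverse lookups of this kind are routinely generated by the guest OS itself during a detonation, and the report does not attribute them to the sample. The repeated TCP connection to the single non-DNS endpoint is the row to pivot on, and the report gives only its country code, address and port, nothing about what was sent.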

Files

memory/2064-0-0x00007FF627CB0000-0x00007FF628004000-memory.dmp

memory/2064-1-0x000001CD00ED0000-0x000001CD00EE0000-memory.dmp

C:\Windows\System\jtClFWA.exe

MD5 ac3b160f0e93fedc84234555f7d65e10
SHA1 31a1a6b1b1618de05679296d2da1bc7bd50c7dd3
SHA256 58a9a73d02ef5a4185fb0f6a7ab0c1a755b4691a66e575cd62df30ec8fa78921
SHA512 5c14ef0bad2239d656c697bacf77a1cc9a02c4bd791f7d5e34eb8a547bc1f27fd0e9a5a4a2c52ecf651412ebed3d79d34b20e4cfd96b8eea1e3a8108aed452f9

C:\Windows\System\feZNVKu.exe

MD5 342143ad763fa7f7727f0ce8ff099146
SHA1 5c5f78539e92aed862ececb6ee83705ce567ae34
SHA256 556e6a2feae89ec70a802df952209181bd12903562e384249020158236bc34b6
SHA512 581e158ec96eb6c408d8ae8d75f052596f1132e27d8cb502059fbe7784115771621710fa78bd65902e878f4cd45e4e7c6e10bdb55ec9356ba56cf46a4127935e

C:\Windows\System\QzdIWEH.exe

MD5 ae9c360936df8b961b0266d9dc08a3ed
SHA1 f51e7e792a1460472b321399405f0c4534c1f8ac
SHA256 448fe072d8e2ea27c76d0f1c50177fbb5a183fee865573751265c74a9fbf62ad
SHA512 0af0d01ace737068cf7be4e738b1ab50e87ffc386af6a7d30b02a1ac6f786a4cf9c64567729f684f7fb6cf72ce5fd7164a2b663951fb169a30156ba83051b222

memory/4688-21-0x00007FF7FCF20000-0x00007FF7FD274000-memory.dmp

C:\Windows\System\KXBoQoY.exe

MD5 bd67652ddec5a987850dff0b27e58e23
SHA1 f9837b0c911f1e6b45912a2701986cf896045d22
SHA256 b97b7befbc81d1093ff1b874b165a2a412a6b6804448bb53a3308f5c4e6a9476
SHA512 625886b8643a3f1b0cbad09e14f3e015a21a3ed1b913564577edf37a8f643eee9aed88c09bb119fa86aeafa93e819f3713b6c2349ea7197cf69e7d6205961004

memory/1436-22-0x00007FF7DDE00000-0x00007FF7DE154000-memory.dmp

memory/1772-16-0x00007FF70A7F0000-0x00007FF70AB44000-memory.dmp

memory/4756-7-0x00007FF7E35B0000-0x00007FF7E3904000-memory.dmp

C:\Windows\System\yfYffoa.exe

MD5 6199a73d9d554fa82363c928e9925ef6
SHA1 6c86738eddbf95d1135e53d45c7eca9424b98543
SHA256 0f5482a84c09f30578e0d3c5d098d7cd1600b301e66f58440f4a99f99d62852e
SHA512 9fa40f052b0d565fedf0f2afdec3b6fa21b1655cdfc88d4ca99fd7c202006273754919e6621278e52806e4aa725dbd84e4ca68a16035123a08ad68c4fd7cad57

memory/5008-31-0x00007FF72A4F0000-0x00007FF72A844000-memory.dmp

C:\Windows\System\YwbNGmw.exe

MD5 49dadf434c66b060acf5edc4e01dc822
SHA1 9c426da465215930bb4bf8560e87efe0f84d34a1
SHA256 1761d81f968302bd95cd5783414627cf5430767de1c975310911213327136284
SHA512 36b5cd2da378bd3266937904ad4eb3a0cf5670272e84cf4095d448e2a211d5765849959070ae99ccec6e3345587c55fb38e4865a40870834aaa5167ea4df019d

C:\Windows\System\vTiIGXk.exe

MD5 ef496d45eff454fbecbf3312cb734061
SHA1 2fe602769afcc0535519ec9c269947264d28da48
SHA256 a2fa54fda4124db0db2771d7cc36c739ca4d9a83dbcc5a3096519674b4952c4e
SHA512 c12194701263b5b65054c243b3a401b864cb0eb085b302443651e7c48299894efca25ff6f251be5b199ad50d9ee073b3a96c56599bbd182bd258e473de245770

C:\Windows\System\ApEnsyj.exe

MD5 9608eb1a1e2a43113c6b8e152a5e09cf
SHA1 340dfb7f7708b5dc0e7419b2b06d22101a2dbfc8
SHA256 4f389e0fc78d10ed0c5a1ec5bd1e5360a54f55ba7335921f5208c924b41b5499
SHA512 e154165cd20df80eba0877bbb65be5e182f96939d5b513ea9477342d0b379ce088cd7ac0fbe272ebf21ebc18fa8715b9d04f121be54f9e2a229b30cd600a4fde

C:\Windows\System\DOwtQMz.exe

MD5 361b6218a3eea3ef7865c8ea90cad96f
SHA1 14d471249c1efb6aeb682e44c03c46724d8ca452
SHA256 bcfdc46da6dbc8dc06d543036e4033f00ae691fbae6cafe69ed4cf49365c89b8
SHA512 d42f839d1e9aa337ac4fa0c2e76bac2833e34f4c9eb324eae40d7c629e4b70fea4973c78520a68210794ed0458b399dc3e968fbec734b6639ee737dd975e00dc

C:\Windows\System\XGCJuZP.exe

MD5 244344f25ac3ca30192426157f95a13c
SHA1 19677cb6665c2e6d7e6d80156a76953b29a4bedb
SHA256 bc8cea31a23e3a318d89e92fae78da0a0f70eeec01afd3697b1557b514d0644f
SHA512 784f85383b83c94eca174b81938077dca13e8075f98dbd2c820c42491ecd8abf92b0ae9927ffd0adf1a0bc90484b386e4576c084189928fed81f0e49d2481c3e

memory/4104-56-0x00007FF6D66B0000-0x00007FF6D6A04000-memory.dmp

memory/4548-53-0x00007FF6CB130000-0x00007FF6CB484000-memory.dmp

memory/4256-50-0x00007FF6A5440000-0x00007FF6A5794000-memory.dmp

memory/3552-40-0x00007FF7ADA60000-0x00007FF7ADDB4000-memory.dmp

memory/1736-61-0x00007FF6C9850000-0x00007FF6C9BA4000-memory.dmp

C:\Windows\System\DrqeuYE.exe

MD5 94523ecf655c8ae8c8f92dc54a4b649b
SHA1 60f2c1fff8c38f20f6d5e8dddfe734b5f2c2c752
SHA256 0dd524784910a9c4fc57f68f94ab24715c845902babf703f078b8165f2fe98ba
SHA512 ddba88ed1014b78e3c97500705645beeb7b5447d8d02c6c52baf0693b828193e11f6bf4b10a692cbb2dd431a34d26fe1f9ace2c0a1170d55d79feedd38be7c2b

C:\Windows\System\mzpZzsa.exe

MD5 71831d1cefa7112155d1ae6824c9df9d
SHA1 15163968c6f1c60bf5af8150b40660420f5f0795
SHA256 3890db041dd5be703f2a3af80145d083fd70515e9492dcb8da5bd14248b77c59
SHA512 0692baa44b32c8fb1d7160e75fd24b1f3b4cbf75ae62de15c57b97159019615599eeeeb75f3403b421b39f57675395f4873097162daa08e3f616437538e57e80

C:\Windows\System\gIESsnu.exe

MD5 2b153ddd62f386554b1b9261991eb639
SHA1 627d95d6b281f4ab944bb8592925c06a14074d07
SHA256 75ad8f2b0d2d168a67e7b5eddb5f9c08e222eb74af7060c87913f81c9d57deac
SHA512 8f667a73c689427c57a042de408a7b740c67ad876228d9ccdc77997c3ae02f77e2c1edcaec8ec3e405d63e72b0dee2e03d3733b08ab956d3ffa845e0aa56e1a0

memory/1880-88-0x00007FF644300000-0x00007FF644654000-memory.dmp

memory/1436-93-0x00007FF7DDE00000-0x00007FF7DE154000-memory.dmp

C:\Windows\System\ovadjxs.exe

MD5 64f9d1c3277576de1fe9214fd53e314e
SHA1 ea6ca9ad6ad828bec4cafc452ebfcd83df4656ea
SHA256 11185e0120f42a8a8d0c732779f92d95afeb41a6bdff2812a136b4be681401a4
SHA512 c3bf7bc569555dc52815a1b683cf528d60e721a73e53cb225a2ab79dd9a5b49a29a1b978f9ec8697465a2c5b6e1f214702bf99ff014cb7995661f9e190494170

memory/4948-105-0x00007FF7FC840000-0x00007FF7FCB94000-memory.dmp

C:\Windows\System\GNmFcxV.exe

MD5 0bca5ddf2d6465205fa8f203fad764a5
SHA1 2ab4ecc0e3277715029f45eb7cceac1ddbb0e854
SHA256 868c6a3afa74aeb4edadd00fd12afa3c44a80730c92c7429de632285bfc42275
SHA512 54924d644ced1c6e2ecae674c6f2ff878ab69fba5a4effce0c5816783a42e75612a871f3a74667386b535ccc5751cfb81e68bee007087ba72466000717098b97

C:\Windows\System\aCNqHQl.exe

MD5 7597555d7c5385ebd0c89f3e69a57c59
SHA1 7c504dac46bc12cb1a0058cb33eb8be9155092a3
SHA256 b23e1ca5d06945cd9ae5a3df1639db0b432d6eb093b686fc17d1c611b006df03
SHA512 c952abe001d70d2a9f8812db038185259d4e261553167a6508d9b8a20e5958d6672dade8a7fdd6abaa7225e587d8019be89fc60d39dc27cebef410f1fc466b8c

memory/3064-128-0x00007FF6DC750000-0x00007FF6DCAA4000-memory.dmp

memory/2504-131-0x00007FF6739B0000-0x00007FF673D04000-memory.dmp

memory/2140-134-0x00007FF64F770000-0x00007FF64FAC4000-memory.dmp

C:\Windows\System\qTCvSgJ.exe

MD5 173a4831d15c4d837a81e6d5b0187940
SHA1 0e9b6353f89d8a5aab582edb2c64232d13cef9f8
SHA256 2383acc8252cbed3b3bdfcddab6aa612a42bb6ca70a18037bf42a58c1114641e
SHA512 2adc51e129db20b4d9327391e2a69cab0c278e4d9f623d93ab43f8193b6598660c70906874a3723426c2d0e03344e3b353dd5e127bb19b924fc1eca604eacd9b

C:\Windows\System\qiVdGbk.exe

MD5 ab059148e4a8469808bd1910e7ccddb3
SHA1 285d001442e8fac1c782f9cc934a7a0c8e79a6f5
SHA256 fefdeed1e9c0f7bb98e0717c293b8cac9cb6218ec2df14ffa97854f3390c4da5
SHA512 70ce847564b9b47417931d0cf3ebc1a06f280c532c2ea69711516045e49a01cda17a13de721cd1a2f2b6853979af3f289d87b4e8863ac01935771b026fbdd6e3

memory/3212-124-0x00007FF676670000-0x00007FF6769C4000-memory.dmp

memory/4548-123-0x00007FF6CB130000-0x00007FF6CB484000-memory.dmp

C:\Windows\System\wyrSFQl.exe

MD5 403f6138b6928dae4ccc8b71857da99f
SHA1 b5ffd46d8baf78b695ff386002596370f0522091
SHA256 be701643e5d823742008395e3b93a3fef45fe0bcea12384bb4d79ba5686dc87d
SHA512 100cfcef32d2f07108b5de680f212214fc0e0c59e5712c35b6e5121faa3495b0b136b313145d75952e805cb883a1f95b49f280cac44fdf63ba0b59e425f0ee21

memory/3552-108-0x00007FF7ADA60000-0x00007FF7ADDB4000-memory.dmp

memory/5008-104-0x00007FF72A4F0000-0x00007FF72A844000-memory.dmp

memory/4624-101-0x00007FF781970000-0x00007FF781CC4000-memory.dmp

memory/3208-99-0x00007FF761640000-0x00007FF761994000-memory.dmp

C:\Windows\System\ddspjdh.exe

MD5 0c7acf0eca61a14cf355d1bfa4b7b6f8
SHA1 3f7d6f67c00650421a1c2dc9d58b88078fb6c192
SHA256 68efc12372b6d9c8873d3344b0c79643023aa1ff5ca940cb23f520a21164a023
SHA512 785b6ea371806f7e5ce0e9291bacdb585b566076498da588cf1f4a1f8e23833fbb9250850175e8c216fb879087045db07cd361be3e0aed70c3f344eb9ee20af6

memory/1612-91-0x00007FF615260000-0x00007FF6155B4000-memory.dmp

memory/4020-82-0x00007FF682A40000-0x00007FF682D94000-memory.dmp

memory/4688-81-0x00007FF7FCF20000-0x00007FF7FD274000-memory.dmp

C:\Windows\System\sBiVzJL.exe

MD5 010fb2677f24dbd66cde4e0d76bb31e7
SHA1 b993e1859ef552e7259d149bea350e5374a7a23c
SHA256 6c3934719acfc91135448c999897e84ae586d074ce457c832066fa67cf54492f
SHA512 efa0f1fd62aab94d82e246a14ef1fa5fb528c0e7f4332bae11c10be2010c86b4c89b3f8d45f1888da052a68f2ca03b65e693e1df2d422f10090d683009c7abeb

memory/4756-74-0x00007FF7E35B0000-0x00007FF7E3904000-memory.dmp

memory/1996-72-0x00007FF6F92F0000-0x00007FF6F9644000-memory.dmp

memory/2064-66-0x00007FF627CB0000-0x00007FF628004000-memory.dmp

memory/1996-135-0x00007FF6F92F0000-0x00007FF6F9644000-memory.dmp

memory/1612-136-0x00007FF615260000-0x00007FF6155B4000-memory.dmp

memory/3208-137-0x00007FF761640000-0x00007FF761994000-memory.dmp

memory/4624-138-0x00007FF781970000-0x00007FF781CC4000-memory.dmp

memory/4948-139-0x00007FF7FC840000-0x00007FF7FCB94000-memory.dmp

memory/3064-140-0x00007FF6DC750000-0x00007FF6DCAA4000-memory.dmp

memory/2504-141-0x00007FF6739B0000-0x00007FF673D04000-memory.dmp

memory/2140-142-0x00007FF64F770000-0x00007FF64FAC4000-memory.dmp

memory/4756-143-0x00007FF7E35B0000-0x00007FF7E3904000-memory.dmp

memory/1772-144-0x00007FF70A7F0000-0x00007FF70AB44000-memory.dmp

memory/4688-145-0x00007FF7FCF20000-0x00007FF7FD274000-memory.dmp

memory/1436-146-0x00007FF7DDE00000-0x00007FF7DE154000-memory.dmp

memory/5008-147-0x00007FF72A4F0000-0x00007FF72A844000-memory.dmp

memory/3552-148-0x00007FF7ADA60000-0x00007FF7ADDB4000-memory.dmp

memory/4256-149-0x00007FF6A5440000-0x00007FF6A5794000-memory.dmp

memory/4104-150-0x00007FF6D66B0000-0x00007FF6D6A04000-memory.dmp

memory/4548-151-0x00007FF6CB130000-0x00007FF6CB484000-memory.dmp

memory/1736-152-0x00007FF6C9850000-0x00007FF6C9BA4000-memory.dmp

memory/4020-153-0x00007FF682A40000-0x00007FF682D94000-memory.dmp

memory/1996-154-0x00007FF6F92F0000-0x00007FF6F9644000-memory.dmp

memory/1880-155-0x00007FF644300000-0x00007FF644654000-memory.dmp

memory/1612-156-0x00007FF615260000-0x00007FF6155B4000-memory.dmp

memory/3208-157-0x00007FF761640000-0x00007FF761994000-memory.dmp

memory/4948-158-0x00007FF7FC840000-0x00007FF7FCB94000-memory.dmp

memory/4624-159-0x00007FF781970000-0x00007FF781CC4000-memory.dmp

memory/3212-160-0x00007FF676670000-0x00007FF6769C4000-memory.dmp

memory/2504-161-0x00007FF6739B0000-0x00007FF673D04000-memory.dmp

memory/3064-162-0x00007FF6DC750000-0x00007FF6DCAA4000-memory.dmp

memory/2140-163-0x00007FF64F770000-0x00007FF64FAC4000-memory.dmp
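
The Files sections of behavioral1 and behavioral2 list the same dropped names with the same hashes (compare wyrSFQl.exe and DOwtQMz.exe in both runs), and every per-process image dump spans the same 0x354000 bytes. The script below is an added example, not part of the report, that consolidates such listings into one hash per unique payload, rejects entries whose hash strings are not the expected hex length (a quick way to catch extraction truncation before the hashes go into a blocklist), and groups the memory-dump names by mapped size. Its input is a constructed excerpt of the entries above; the function names are the author's own.

```python
"""Consolidate dropped-file hashes and memory-dump sizes from sandbox Files sections."""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ENTRY_RE = re.compile(
    r"^(\S+\.exe)\n\nMD5 ([0-9a-fA-F]+)\nSHA1 ([0-9a-fA-F]+)\n"
    r"SHA256 ([0-9a-fA-F]+)\nSHA512 ([0-9a-fA-F]+)$", re.M)
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$", re.M)

# Constructed input: four file entries and four dump names copied from the Files
# sections above; wyrSFQl.exe and DOwtQMz.exe appear once per detonation.
SAMPLE = r"""
C:\Windows\system\wyrSFQl.exe

MD5 403f6138b6928dae4ccc8b71857da99f
SHA1 b5ffd46d8baf78b695ff386002596370f0522091
SHA256 be701643e5d823742008395e3b93a3fef45fe0bcea12384bb4d79ba5686dc87d
SHA512 100cfcef32d2f07108b5de680f212214fc0e0c59e5712c35b6e5121faa3495b0b136b313145d75952e805cb883a1f95b49f280cac44fdf63ba0b59e425f0ee21

memory/2528-118-0x000000013F720000-0x000000013FA74000-memory.dmp

C:\Windows\system\DOwtQMz.exe

MD5 361b6218a3eea3ef7865c8ea90cad96f
SHA1 14d471249c1efb6aeb682e44c03c46724d8ca452
SHA256 bcfdc46da6dbc8dc06d543036e4033f00ae691fbae6cafe69ed4cf49365c89b8
SHA512 d42f839d1e9aa337ac4fa0c2e76bac2833e34f4c9eb324eae40d7c629e4b70fea4973c78520a68210794ed0458b399dc3e968fbec734b6639ee737dd975e00dc

memory/2064-0-0x00007FF627CB0000-0x00007FF628004000-memory.dmp

memory/2064-1-0x000001CD00ED0000-0x000001CD00EE0000-memory.dmp

C:\Windows\System\wyrSFQl.exe

MD5 403f6138b6928dae4ccc8b71857da99f
SHA1 b5ffd46d8baf78b695ff386002596370f0522091
SHA256 be701643e5d823742008395e3b93a3fef45fe0bcea12384bb4d79ba5686dc87d
SHA512 100cfcef32d2f07108b5de680f212214fc0e0c59e5712c35b6e5121faa3495b0b136b313145d75952e805cb883a1f95b49f280cac44fdf63ba0b59e425f0ee21

C:\Windows\System\DOwtQMz.exe

MD5 361b6218a3eea3ef7865c8ea90cad96f
SHA1 14d471249c1efb6aeb682e44c03c46724d8ca452
SHA256 bcfdc46da6dbc8dc06d543036e4033f00ae691fbae6cafe69ed4cf49365c89b8
SHA512 d42f839d1e9aa337ac4fa0c2e76bac2833e34f4c9eb324eae40d7c629e4b70fea4973c78520a68210794ed0458b399dc3e968fbec734b6639ee737dd975e00dc

memory/4624-101-0x00007FF781970000-0x00007FF781CC4000-memory.dmp
"""


def parse_entries(text):
    """One dict per file entry; raise if any hash is not the length its algorithm produces."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        e = {"path": m[1], "MD5": m[2].lower(), "SHA1": m[3].lower(),
             "SHA256": m[4].lower(), "SHA512": m[5].lower()}
        for algo, n in HASH_LEN.items():
            if len(e[algo]) != n:
                raise ValueError(f"{e['path']}: {algo} has {len(e[algo])} hex digits, expected {n}")
        entries.append(e)
    return entries


def consolidate(entries):
    """Group by SHA256 so each unique payload is listed once with every name it was seen under."""
    groups = defaultdict(lambda: {"names": set(), "seen": 0})
    for e in entries:
        g = groups[e["SHA256"]]
        g["names"].add(e["path"].rsplit("\\", 1)[-1].lower())   # file name, case-folded
        g["seen"] += 1
    return dict(groups)


def dump_sizes(text):
    """Map mapped-region size -> set of PIDs whose dumps have that size."""
    sizes = defaultdict(set)
    for m in DUMP_RE.finditer(text):
        sizes[int(m[3], 16) - int(m[2], 16)].add(int(m[1]))
    return dict(sizes)


if __name__ == "__main__":
    for sha256, g in consolidate(parse_entries(SAMPLE)).items():
        print(f"{sha256}  {', '.join(sorted(g['names']))}  (seen {g['seen']}x)")
    for size, pids in sorted(dump_sizes(SAMPLE).items()):
        print(f"0x{size:X} bytes: PIDs {sorted(pids)}")
```

Two hashes that recur unchanged across independent detonations mean the dropped files are carried inside the sample rather than generated at run time, so the SHA256 values are stable enough to block on; the identically sized image dumps say the same thing about the in-memory payloads, though the report does not state what each dump contains.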