Malware Analysis Report

2024-10-16 03:07

Sample ID 240608-nxnyvabc91
Target 2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike
SHA256 4105b92740cadfe5fd32b5ec6a3e60657866dbdeb37e435b4e1131fe39e0ef77
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4105b92740cadfe5fd32b5ec6a3e60657866dbdeb37e435b4e1131fe39e0ef77

Threat Level: Known bad

The file 2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

Cobaltstrike

xmrig

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobaltstrike family

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 11:46

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 11:46

Reported

2024-06-08 11:49

Platform

win7-20240508-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

All 21 entries share Description "File created", Process C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe and Target N/A; the Indicator column lists the created files:

C:\Windows\System\QpnDeVx.exe
C:\Windows\System\UyfBiBv.exe
C:\Windows\System\xlqrnOm.exe
C:\Windows\System\YALPepz.exe
C:\Windows\System\ENKqZwX.exe
C:\Windows\System\pTlqmPv.exe
C:\Windows\System\TEdRDLP.exe
C:\Windows\System\HKpZmvG.exe
C:\Windows\System\qguPOBv.exe
C:\Windows\System\YDPMtEU.exe
C:\Windows\System\QJYtFxs.exe
C:\Windows\System\EQkMxPM.exe
C:\Windows\System\xYPvAcd.exe
C:\Windows\System\fEJhSwf.exe
C:\Windows\System\HllWRzS.exe
C:\Windows\System\uTDnJmr.exe
C:\Windows\System\DdzpJxE.exe
C:\Windows\System\XhbnuLS.exe
C:\Windows\System\nEmgDWy.exe
C:\Windows\System\kucIuBg.exe
C:\Windows\System\kmgJXkx.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

All entries share Process C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe (PID 2952) and Indicator N/A; each write was logged three times in the original table and is listed once here.

Description Target
PID 2952 wrote to memory of 2476 C:\Windows\System\nEmgDWy.exe
PID 2952 wrote to memory of 2128 C:\Windows\System\YALPepz.exe
PID 2952 wrote to memory of 2372 C:\Windows\System\HKpZmvG.exe
PID 2952 wrote to memory of 2632 C:\Windows\System\ENKqZwX.exe
PID 2952 wrote to memory of 2096 C:\Windows\System\xYPvAcd.exe
PID 2952 wrote to memory of 2788 C:\Windows\System\fEJhSwf.exe
PID 2952 wrote to memory of 2784 C:\Windows\System\pTlqmPv.exe
PID 2952 wrote to memory of 2688 C:\Windows\System\kucIuBg.exe
PID 2952 wrote to memory of 2536 C:\Windows\System\kmgJXkx.exe
PID 2952 wrote to memory of 1360 C:\Windows\System\QpnDeVx.exe
PID 2952 wrote to memory of 1688 C:\Windows\System\qguPOBv.exe
PID 2952 wrote to memory of 2832 C:\Windows\System\YDPMtEU.exe
PID 2952 wrote to memory of 2880 C:\Windows\System\TEdRDLP.exe
PID 2952 wrote to memory of 2708 C:\Windows\System\HllWRzS.exe
PID 2952 wrote to memory of 2936 C:\Windows\System\uTDnJmr.exe
PID 2952 wrote to memory of 3064 C:\Windows\System\QJYtFxs.exe
PID 2952 wrote to memory of 288 C:\Windows\System\UyfBiBv.exe
PID 2952 wrote to memory of 1740 C:\Windows\System\EQkMxPM.exe
PID 2952 wrote to memory of 1952 C:\Windows\System\DdzpJxE.exe
PID 2952 wrote to memory of 2824 C:\Windows\System\XhbnuLS.exe
PID 2952 wrote to memory of 2840 C:\Windows\System\xlqrnOm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe"

Dropped executables, each started with its own image path as the command line:

C:\Windows\System\nEmgDWy.exe
C:\Windows\System\YALPepz.exe
C:\Windows\System\HKpZmvG.exe
C:\Windows\System\ENKqZwX.exe
C:\Windows\System\xYPvAcd.exe
C:\Windows\System\fEJhSwf.exe
C:\Windows\System\pTlqmPv.exe
C:\Windows\System\kucIuBg.exe
C:\Windows\System\kmgJXkx.exe
C:\Windows\System\QpnDeVx.exe
C:\Windows\System\qguPOBv.exe
C:\Windows\System\YDPMtEU.exe
C:\Windows\System\TEdRDLP.exe
C:\Windows\System\HllWRzS.exe
C:\Windows\System\uTDnJmr.exe
C:\Windows\System\QJYtFxs.exe
C:\Windows\System\UyfBiBv.exe
C:\Windows\System\EQkMxPM.exe
C:\Windows\System\DdzpJxE.exe
C:\Windows\System\XhbnuLS.exe
C:\Windows\System\xlqrnOm.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2952-135-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2536-136-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2952-137-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/2832-138-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/2952-139-0x0000000002200000-0x0000000002554000-memory.dmp

memory/2708-140-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/3064-141-0x000000013F110000-0x000000013F464000-memory.dmp

memory/2476-142-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/2128-143-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/2632-144-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2372-145-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2096-146-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2788-147-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/2784-148-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2688-149-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2536-150-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/1360-151-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/2832-152-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/2708-153-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/3064-154-0x000000013F110000-0x000000013F464000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 11:46

Reported

2024-06-08 11:49

Platform

win10v2004-20240426-en

Max time kernel

137s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 entries, all without recorded detail)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 entries, all without recorded detail)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 entries, all without recorded detail)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 entries, all without recorded detail)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 entries, all without recorded detail)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\BCrvnEU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AhYCWmN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EwEfmJC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qNBJbIq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GQmUNEY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hkrPyqm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UYFdvcb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WRyIoOf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gHYwkcs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YUJxzWn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BIzbhrF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uZizoXj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\diJlrja.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vrNcwdD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kfSJuDL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iMHEwjl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YvGlNNl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sXRaHPD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NSyPjId.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZmzjUQN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MNaTPAC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege is the privilege Windows requires before VirtualAlloc will honour MEM_LARGE_PAGES. Outside database engines and hypervisors almost nothing enables it, while XMRig enables it to back its mining memory with large pages, so this request from the dropper corroborates the XMRig Miner payload signature above.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3388 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZizoXj.exe
PID 3388 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZizoXj.exe
PID 3388 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\NSyPjId.exe
PID 3388 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\NSyPjId.exe
PID 3388 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZmzjUQN.exe
PID 3388 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZmzjUQN.exe
PID 3388 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\MNaTPAC.exe
PID 3388 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\MNaTPAC.exe
PID 3388 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\diJlrja.exe
PID 3388 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\diJlrja.exe
PID 3388 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\kfSJuDL.exe
PID 3388 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\kfSJuDL.exe
PID 3388 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\AhYCWmN.exe
PID 3388 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\AhYCWmN.exe
PID 3388 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\WRyIoOf.exe
PID 3388 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\WRyIoOf.exe
PID 3388 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\gHYwkcs.exe
PID 3388 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\gHYwkcs.exe
PID 3388 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\vrNcwdD.exe
PID 3388 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\vrNcwdD.exe
PID 3388 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\iMHEwjl.exe
PID 3388 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\iMHEwjl.exe
PID 3388 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\YvGlNNl.exe
PID 3388 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\YvGlNNl.exe
PID 3388 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\YUJxzWn.exe
PID 3388 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\YUJxzWn.exe
PID 3388 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\EwEfmJC.exe
PID 3388 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\EwEfmJC.exe
PID 3388 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\sXRaHPD.exe
PID 3388 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\sXRaHPD.exe
PID 3388 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\qNBJbIq.exe
PID 3388 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\qNBJbIq.exe
PID 3388 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\BIzbhrF.exe
PID 3388 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\BIzbhrF.exe
PID 3388 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\GQmUNEY.exe
PID 3388 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\GQmUNEY.exe
PID 3388 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\hkrPyqm.exe
PID 3388 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\hkrPyqm.exe
PID 3388 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\BCrvnEU.exe
PID 3388 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\BCrvnEU.exe
PID 3388 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\UYFdvcb.exe
PID 3388 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe C:\Windows\System\UYFdvcb.exe
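Read together, the three tables above (executables dropped into C:\Windows\System, the SeLockMemoryPrivilege request, and one parent PID writing into every child it starts) describe a single drop-and-spawn loop. The following is an added example, not part of the sandbox report: it parses a subset of those rows, copied verbatim, into the facts an analyst pivots on (what was dropped by whom, the parent-to-child PID map, which privileges were requested) and applies one rule over them. The function names and the child-count threshold are this example's own choices.

```python
"""Triage of the behavioral2 event rows for this sample.

Added example, not part of the sandbox report. It parses the three row shapes
the report prints ("File created ...", "Token: ...", "PID x wrote to memory of
y ...") and derives what an analyst pivots on: which process dropped what, the
parent-to-child PID map, and whether the drop-then-spawn loop coincides with a
SeLockMemoryPrivilege request (the privilege large-page allocation needs, and
the one XMRig asks for). Sample rows are copied from the report; function names
and the child-count threshold are this example's own choices.
"""
import re
from collections import defaultdict

PARENT = r"C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe"

# Constructed subset of the report's rows (six of the 21 drops/children).
SAMPLE_ROWS = [
    rf"File created C:\Windows\System\uZizoXj.exe {PARENT} N/A",
    rf"File created C:\Windows\System\NSyPjId.exe {PARENT} N/A",
    rf"File created C:\Windows\System\ZmzjUQN.exe {PARENT} N/A",
    rf"File created C:\Windows\System\MNaTPAC.exe {PARENT} N/A",
    rf"File created C:\Windows\System\diJlrja.exe {PARENT} N/A",
    rf"File created C:\Windows\System\kfSJuDL.exe {PARENT} N/A",
    rf"Token: SeLockMemoryPrivilege N/A {PARENT} N/A",
    rf"Token: SeLockMemoryPrivilege N/A {PARENT} N/A",
    rf"PID 3388 wrote to memory of 1496 N/A {PARENT} C:\Windows\System\uZizoXj.exe",
    rf"PID 3388 wrote to memory of 1496 N/A {PARENT} C:\Windows\System\uZizoXj.exe",
    rf"PID 3388 wrote to memory of 4932 N/A {PARENT} C:\Windows\System\NSyPjId.exe",
    rf"PID 3388 wrote to memory of 4892 N/A {PARENT} C:\Windows\System\ZmzjUQN.exe",
    rf"PID 3388 wrote to memory of 4028 N/A {PARENT} C:\Windows\System\MNaTPAC.exe",
    rf"PID 3388 wrote to memory of 3704 N/A {PARENT} C:\Windows\System\diJlrja.exe",
    rf"PID 3388 wrote to memory of 4124 N/A {PARENT} C:\Windows\System\kfSJuDL.exe",
    "N/A N/A N/A N/A",  # empty signature rows are ignored
]

FILE_RE = re.compile(r"^File created (\S+) (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\w+) (\S+) (\S+) (\S+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")


def parse_rows(rows):
    """Collect dropped paths, privilege requests and parent->child writes."""
    facts = {"dropped": {}, "privileges": set(), "writes": defaultdict(dict)}
    for row in rows:
        if m := FILE_RE.match(row):
            path, proc, _target = m.groups()
            facts["dropped"][path.lower()] = proc
        elif m := TOKEN_RE.match(row):
            priv, _indicator, proc, _target = m.groups()
            facts["privileges"].add((priv, proc))
        elif m := WPM_RE.match(row):
            parent, child, _indicator, _proc, target = m.groups()
            # the report prints each write twice; keying on PID dedupes it
            facts["writes"][int(parent)][int(child)] = target.lower()
    return facts


def assess(facts, min_children=5):
    """Flag one parent spawning >= min_children of its own drops from
    \\Windows\\System while also enabling SeLockMemoryPrivilege."""
    spawned = {t for kids in facts["writes"].values() for t in kids.values()}
    spawned_drops = spawned & set(facts["dropped"])
    in_windows_system = all(t.startswith("c:\\windows\\system\\") for t in spawned_drops)
    lock_memory = any(p == "SeLockMemoryPrivilege" for p, _ in facts["privileges"])
    verdict = {
        "spawned_dropped_count": len(spawned_drops),
        "all_in_windows_system": in_windows_system,
        "se_lock_memory": lock_memory,
    }
    verdict["flag"] = len(spawned_drops) >= min_children and in_windows_system and lock_memory
    return verdict


if __name__ == "__main__":
    print(assess(parse_rows(SAMPLE_ROWS)))
```

The rule keys on behaviour rather than on the random seven-letter file names, which change per drop; the on-disk hashes listed under Files change with them, so a hash blocklist built from this one run would miss the next.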

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\uZizoXj.exe

C:\Windows\System\uZizoXj.exe

C:\Windows\System\NSyPjId.exe

C:\Windows\System\NSyPjId.exe

C:\Windows\System\ZmzjUQN.exe

C:\Windows\System\ZmzjUQN.exe

C:\Windows\System\MNaTPAC.exe

C:\Windows\System\MNaTPAC.exe

C:\Windows\System\diJlrja.exe

C:\Windows\System\diJlrja.exe

C:\Windows\System\kfSJuDL.exe

C:\Windows\System\kfSJuDL.exe

C:\Windows\System\AhYCWmN.exe

C:\Windows\System\AhYCWmN.exe

C:\Windows\System\WRyIoOf.exe

C:\Windows\System\WRyIoOf.exe

C:\Windows\System\gHYwkcs.exe

C:\Windows\System\gHYwkcs.exe

C:\Windows\System\vrNcwdD.exe

C:\Windows\System\vrNcwdD.exe

C:\Windows\System\iMHEwjl.exe

C:\Windows\System\iMHEwjl.exe

C:\Windows\System\YvGlNNl.exe

C:\Windows\System\YvGlNNl.exe

C:\Windows\System\YUJxzWn.exe

C:\Windows\System\YUJxzWn.exe

C:\Windows\System\EwEfmJC.exe

C:\Windows\System\EwEfmJC.exe

C:\Windows\System\sXRaHPD.exe

C:\Windows\System\sXRaHPD.exe

C:\Windows\System\qNBJbIq.exe

C:\Windows\System\qNBJbIq.exe

C:\Windows\System\BIzbhrF.exe

C:\Windows\System\BIzbhrF.exe

C:\Windows\System\GQmUNEY.exe

C:\Windows\System\GQmUNEY.exe

C:\Windows\System\hkrPyqm.exe

C:\Windows\System\hkrPyqm.exe

C:\Windows\System\BCrvnEU.exe

C:\Windows\System\BCrvnEU.exe

C:\Windows\System\UYFdvcb.exe

C:\Windows\System\UYFdvcb.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

The six TCP connections to 3.120.209.58:8080 are the only non-DNS egress in this run; the report attaches no domain, payload or protocol detail to them, so the endpoint is a candidate beacon address to be confirmed from packet data rather than a labelled C2. The remaining rows are PTR (in-addr.arpa) lookups through 8.8.8.8 for addresses (for example 52.185.211.133 and 93.184.221.240) that the sample is never recorded connecting to, so they should not be lifted as indicators on their own.
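The table mixes two kinds of rows, reverse lookups sent to the resolver and direct TCP connections, and mechanical indicator extraction tends to lift the reversed in-addr.arpa names as if they were contacted hosts. The following is an added example, not part of the report: it parses the rows as the page prints them (in both shapes seen here, with and without the Domain column), turns each PTR name back into the address it refers to, and separates addresses the sample actually connected to from addresses that were only looked up. Function names are this example's own.

```python
"""Split the behavioral2 Network table into resolver PTR noise and real egress.

Added example, not part of the report. The rows are copied from the table
above in the two shapes it prints them (four columns, or three when no domain
was recorded). Function names are this example's own.
"""
from collections import Counter

NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
""".strip().splitlines()

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """'133.211.185.52.in-addr.arpa' -> '52.185.211.133'; None for anything else."""
    if not name or not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def parse_row(row):
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:  # the report omitted the Domain column
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {row!r}")
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port),
            "domain": None if domain == "N/A" else domain, "proto": proto}


def triage(rows):
    """Return direct connections, PTR-queried addresses, and the PTR-only set."""
    direct, ptr = Counter(), Counter()
    resolvers = set()
    for r in map(parse_row, rows):
        queried = ptr_to_ip(r["domain"])
        if r["port"] == 53 and queried:
            ptr[queried] += 1
            resolvers.add(r["ip"])
        else:
            direct[(r["ip"], r["port"], r["proto"])] += 1
    contacted = {ip for ip, _, _ in direct} | resolvers
    # Addresses that were only looked up in reverse, never connected to, are
    # not evidence of sample activity on their own.
    ptr_only = {ip for ip in ptr if ip not in contacted}
    return {"direct": dict(direct), "ptr": dict(ptr), "ptr_only": ptr_only}


if __name__ == "__main__":
    print(triage(NETWORK_ROWS))
```

On this table the only direct egress is the one Frankfurt-geolocated endpoint on 8080, hit six times, while all nine reversed PTR targets fall into the PTR-only set; that split is what separates a candidate beacon address from resolver chatter.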

Files

memory/3388-0-0x00007FF7819C0000-0x00007FF781D14000-memory.dmp

memory/3388-1-0x000002756FC30000-0x000002756FC40000-memory.dmp

C:\Windows\System\uZizoXj.exe

MD5 9d1b1cc261b7601f29ef59a92cfef3af
SHA1 d81b4b29a8ad7ba137e76af52098da25bf997e42
SHA256 c23a7277be36c6dd2f09109fee4af1c2532065471b9b2afbf33c9d1d82a638a3
SHA512 d72d53c27ef503491055322ee3301537aae95835f21c3b9d4fe829281a7ebe37e3c46593d1b0dd95021483c0bb127cb9f6ad1fd3321978ff5bc21f1f31d6f468

C:\Windows\System\NSyPjId.exe

MD5 a37c2967a7d2ce3bd1ac8e08f56bbe0b
SHA1 8e9737443f55fa4ca778b748058c15d4ceb2f903
SHA256 c5e301901fef459a3e38e9d11926aa3820ff0373c6a2eeb6b1db58891f4913da
SHA512 1da0d21b95e89e19f2f951a1d9fa0101f7e40753441feab20c544966301425e8257ec10ecf1ac5ceed59c5bdb6fa6c2383197d9cdb8d2c5dcc6ed400331dc7c8

C:\Windows\System\ZmzjUQN.exe

MD5 0fbabe34efec1dee9567e5add3ca394b
SHA1 e128b339bf3dc1307130234f88f04d4923505b41
SHA256 1babbde42790bee296b5cca26223e33777ccaf33f5a4ce8adba903e79180807a
SHA512 1c65ccd047e9c334f88615e2c3ebe3d8e2f5c3212f4789d357b6b9197e9fac61a4d5def27b3abf0939587a003359da55ecfc0104b52371f8d3947635704e2892

memory/4932-13-0x00007FF6EEAB0000-0x00007FF6EEE04000-memory.dmp

memory/4892-20-0x00007FF6A4900000-0x00007FF6A4C54000-memory.dmp

memory/1496-7-0x00007FF6F5240000-0x00007FF6F5594000-memory.dmp

C:\Windows\System\MNaTPAC.exe

MD5 af0f8cb1db8f64a1476a5667117f3853
SHA1 73009e133dc891d38ebbd6ed843d3b8097c302f7
SHA256 388863ed3dcc6e44691f1fa4d42d8986f3b44ea80e36cc2a1ef9d6a053acc489
SHA512 14c415a48b693fef47ff5067f7e3e9353517ffe08d73fe4eaab3277345eaa6ae131051a7e6667d976c57a1587702eb6dbaeb568a71a2a6773c09bbebc645f04c

memory/4028-26-0x00007FF70A260000-0x00007FF70A5B4000-memory.dmp

C:\Windows\System\diJlrja.exe

MD5 93509993b22e50b4caab0729a043be35
SHA1 cd017009ebd86e30711e9eed452c3463f5efde13
SHA256 513c27e93d5e500710789935f3c491373730467df22e27385eeeca0fb2e3a03e
SHA512 0fffd5e128ab78adc62c8eed224e0f5a27308dcaec132c9f1b5098fb476a30170d9f8d336933932c9fec40325f3b6f7d389adb8d82daff3cc2bf782f8e3dbd15

memory/3704-32-0x00007FF6B7180000-0x00007FF6B74D4000-memory.dmp

C:\Windows\System\kfSJuDL.exe

MD5 460039d22a6d9c490abd1f309743385a
SHA1 57d6ecaee8eeed4f2bc026bcd167053130c882cb
SHA256 29822257afbd85dddec4c90aaad056350b71fea490d15c342b0cbb4528cffd31
SHA512 d28609c1510db8d20f430d2e8f9d914ad46b454d43350a12a3c105678d1c9ce5351c4c55145799b7241448ba968d49cdc34ef771ee7d14f9fc4612a7188d7ccb

C:\Windows\System\AhYCWmN.exe

MD5 862e900c1b25636012ad2f78bdd3f4b2
SHA1 15e1b8fd3eeec0cdb4fca8b845302c7b75c2ea0b
SHA256 b90ac0b33cb787199292aa4a9d32dee3e58ce7fb533811ed2531311abc4939c7
SHA512 844c640e8118f33c64aa16a0acecedb53861542aa35fbcc1ae2eaab0656b947e4e187d55442913d0867875ccdeafc4ee092223d61f6936e31358d84e9c742210

C:\Windows\System\WRyIoOf.exe

MD5 afca3b8f3ac6b70a3848bae1d30fe686
SHA1 3ef1156a5b4e4538c921e5d49cbfa1375831dc8d
SHA256 deb173df6f9b3d9349f960d8aa12b382753fd83e7366e1a638fb796947cdf2b9
SHA512 483bb08378548f42d3951567a49ef3170b1706713db60b660276eefdeae7de5c95c906f58c99ade10f62b1e9b98d92ce0608bd3edee65216743b59ea9b4d42a9

memory/3448-48-0x00007FF7415A0000-0x00007FF7418F4000-memory.dmp

memory/2612-44-0x00007FF640020000-0x00007FF640374000-memory.dmp

memory/4124-38-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp

C:\Windows\System\gHYwkcs.exe

MD5 3240607bf7051aa5a8fcd8496f9c0edc
SHA1 7ddae819ee5952518dac95819ccbb5fedb94da1b
SHA256 37ab1e475277750d1eff958c0fa745cb674a605e12d9fd2c7c19c514a42080e8
SHA512 36ce0af50fca08012fb6210ea9e6fb6f3072dd75a9d0d81d1b082192d8f636fbddca88daaab084e12b01aa8eb9cf273e7c0ae8e23c6699826e75d6da1666d5ed

memory/4876-56-0x00007FF7D47C0000-0x00007FF7D4B14000-memory.dmp

C:\Windows\System\vrNcwdD.exe

MD5 f84823b82906de4ca097edf2bd56411a
SHA1 4d4784d62973c34de96b0c1ff998821006efea3f
SHA256 44bccf162fa5ec2f4eac833d5a46d6bc2dd6821f85e15762f92e5235952e6579
SHA512 9a9505d1ce5fac35eb357be36ade91d64d92ec16d00c9f6c4c4e7b7a1d979872054d382c29fbe767957ae66706b86c630f589f2b8740d13130526cd77842f397

C:\Windows\System\YvGlNNl.exe

MD5 0d11dcc71760da48c47bca361144d845
SHA1 b15a9bb5d1bba9cc578c2fe7e2aba06af3b17423
SHA256 52cef66977bf2a272350698c94837999a27788731f802a3b1f298812110eecff
SHA512 9a7d59adbf4cd8364e7d5759b840c2fb01de0fa9d769c4ebc1068dd02a76fa5d7283e0459812d2ff6d05432a3be4bb2ee7da8dc9b7013bce23f89363c79f259a

C:\Windows\System\iMHEwjl.exe

MD5 cfec44d5ee31cf5c97cefbe85689ae6a
SHA1 ee71c812ec515d8fda43215d1188fc89c94ac891
SHA256 78160966092484ba9f79b29989b5fa34a0a8e447f569293a08ec499da802bd28
SHA512 bc56437be1639ee9c4eb1d4cd941f5dce08a8392a84f3d002391d0eedf5bc00bcf3ccb073d3c529cb25bec6e6b72cea9e6f1a461c7dea209cc2369644fc87cc6

memory/3992-68-0x00007FF6697A0000-0x00007FF669AF4000-memory.dmp

memory/1496-67-0x00007FF6F5240000-0x00007FF6F5594000-memory.dmp

memory/3388-62-0x00007FF7819C0000-0x00007FF781D14000-memory.dmp

memory/5040-77-0x00007FF64F4B0000-0x00007FF64F804000-memory.dmp

C:\Windows\System\YUJxzWn.exe

MD5 332e01084ef898d0ccb067f8ac432b03
SHA1 542e0f649f215fbc8765411fd095f0d8d0ed6988
SHA256 6418f46b400c850322f62fb8224a07a175944ee4e301a022a79e8dbf3040b363
SHA512 981d7e55192fc4e59d803a86d7571c092bdc1c7aba1a1b06aaffaf2d9f0755f6a46d71622dcf040d1c8032c3effe07c7fdad247f176ecddd0ae1c68ed1f1e5ec

memory/4932-76-0x00007FF6EEAB0000-0x00007FF6EEE04000-memory.dmp

memory/2864-63-0x00007FF632AB0000-0x00007FF632E04000-memory.dmp

memory/4388-82-0x00007FF6F4B50000-0x00007FF6F4EA4000-memory.dmp

C:\Windows\System\qNBJbIq.exe

MD5 b170053a4e16cfef96cc526361357739
SHA1 2e7cc3ffb9c0634a4e6532cc00cfaf8a29b5f07a
SHA256 c77b791f653352022be8a578ca31ea37bfe54f4d483d8cd1df8b92ddd9b345f9
SHA512 79ed8431eb5955ebf2bb593c8c8527a4f03972f3eb00d91de7b15abbe77f38ce742dd295406a072a30549a3488a9bf1eab6f9cced04d905832aa42237aeb1c5d

C:\Windows\System\BIzbhrF.exe

MD5 d79bd3df55034f117054e5a1579e6bba
SHA1 7069e44868fe664f10fb971e0f7f3aa6046d66ec
SHA256 f61a3bd365a723c05605ffd422a82efdf9a35a7715b4b43d1cb60e908cf22db8
SHA512 99c113cdec8d63503853b29d438ceedc361ff5c7b781aa86985d89ef19bdab59443e5400c2d5779f47cd76ce8a776572e9f68f68d0e6caf3046adda2504b110e

memory/3828-104-0x00007FF712F20000-0x00007FF713274000-memory.dmp

memory/4136-100-0x00007FF6730E0000-0x00007FF673434000-memory.dmp

C:\Windows\System\sXRaHPD.exe

MD5 b529c52c19e12f4e35cc12a4d5d456b9
SHA1 b4e1242dfa6833ce68ba9c5950476db329db85bf
SHA256 1206d382af42db2b287ac5ffd040c538dd4ee01abcc39e84c3953447da852594
SHA512 befd024869a3cde24e6b99759686614e3b3469a8432cf1e81300493438f2408b41d4fbe28c2982528211d56d340ddd350e53d9a874e4a5577ea70517f5d4bf3f

C:\Windows\System\hkrPyqm.exe

MD5 520b0cfc122abf5f624572205764b011
SHA1 f60fd9ce2084c23801d962ffc70732b1870367ae
SHA256 28649351f0a114b1d999ccb7b7d5924e0a0c7780349f7b09682c5a8c34c0dcb4
SHA512 f293e44361e23f77b256e90ecdfe2f53459f5efe1e51e86c4dc990a76ab3c0a9c57dae23038e8bfcdd821738253f00bb1713d688019936bebf5790920acae96a

C:\Windows\System\BCrvnEU.exe

MD5 253023b8ee22aee07c6a1da63033f034
SHA1 6471d6d1cba8f498fb76e9f4f5ebd926c77c68c0
SHA256 0f7bcb05651d652e21144d28225396b7cda8146ccac7f43910bc5b363f10c2e6
SHA512 2e67b6687a26458f25494cb0e2318040cdb7932b65c22fe7ba4683360b226b4bb235caa7fc5d177893bb0ad95aa2dc7e065ccdd57f793dffec818561fe9b0267

memory/4060-121-0x00007FF679840000-0x00007FF679B94000-memory.dmp

C:\Windows\System\UYFdvcb.exe

MD5 b602318434e96a3ab281cb4492d18afd
SHA1 a025ebef5696e7c4e7cbd5f9d58b22ed08cb3ad8
SHA256 6f8df4e28cffd02b38f83100dec72d26cce27765b297f9f83e04cc8ce266ddee
SHA512 4ac7390c12bea8c9050165917cddebd7376dcfc8836d9ea1a56dd7e25fab5b60a7a0c1f708bfb011767317a40c229a76ea3ccd3ad71a90955aad0b4761b7f05a

memory/3448-131-0x00007FF7415A0000-0x00007FF7418F4000-memory.dmp

memory/2128-128-0x00007FF7B82A0000-0x00007FF7B85F4000-memory.dmp

memory/1404-127-0x00007FF66F590000-0x00007FF66F8E4000-memory.dmp

memory/2612-126-0x00007FF640020000-0x00007FF640374000-memory.dmp

memory/4052-124-0x00007FF620AF0000-0x00007FF620E44000-memory.dmp

memory/3804-123-0x00007FF71B5D0000-0x00007FF71B924000-memory.dmp

memory/4124-119-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp

C:\Windows\System\GQmUNEY.exe

MD5 1910449748cc316d3ab047730477b85c
SHA1 99fedeee40a0c0cf7b4caaa5c25c7999dedefa0c
SHA256 c32d37f4eee64afa4c9cb33f8272d838024fb799485cc01aed47b1804f93b860
SHA512 09be8a0597633a9d30ac35899ed01072c8e42695ecf614cea8c9e410b086f621d537cc2eb8c9593871ca5af21a2fc046d8c9368a8eeea73e30e0931cfcb03c3e

memory/2212-88-0x00007FF613A00000-0x00007FF613D54000-memory.dmp

C:\Windows\System\EwEfmJC.exe

MD5 1e60a0fab43313e8121fb8925585a6c7
SHA1 5880c4da16333a1508a4fc7d8a7958869ace5b27
SHA256 17e9fe3b03e045d46045d8bc451d91915628eda24326ec2e68165544eaaf17e2
SHA512 97c443c409a381339624a978d29854d5ad96cc1fdd5364365929aee0f376fddbf74446df62061322870e4b407ecf39efcdd75b861485e5456ff908616aaf402b

memory/4876-134-0x00007FF7D47C0000-0x00007FF7D4B14000-memory.dmp

memory/3992-135-0x00007FF6697A0000-0x00007FF669AF4000-memory.dmp

memory/2212-136-0x00007FF613A00000-0x00007FF613D54000-memory.dmp

memory/1404-137-0x00007FF66F590000-0x00007FF66F8E4000-memory.dmp

memory/2128-138-0x00007FF7B82A0000-0x00007FF7B85F4000-memory.dmp

memory/1496-139-0x00007FF6F5240000-0x00007FF6F5594000-memory.dmp

memory/4932-140-0x00007FF6EEAB0000-0x00007FF6EEE04000-memory.dmp

memory/4892-141-0x00007FF6A4900000-0x00007FF6A4C54000-memory.dmp

memory/4028-142-0x00007FF70A260000-0x00007FF70A5B4000-memory.dmp

memory/3704-143-0x00007FF6B7180000-0x00007FF6B74D4000-memory.dmp

memory/4124-144-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp

memory/2612-145-0x00007FF640020000-0x00007FF640374000-memory.dmp

memory/3448-146-0x00007FF7415A0000-0x00007FF7418F4000-memory.dmp

memory/4876-147-0x00007FF7D47C0000-0x00007FF7D4B14000-memory.dmp

memory/2864-148-0x00007FF632AB0000-0x00007FF632E04000-memory.dmp

memory/5040-149-0x00007FF64F4B0000-0x00007FF64F804000-memory.dmp

memory/3992-150-0x00007FF6697A0000-0x00007FF669AF4000-memory.dmp

memory/4388-151-0x00007FF6F4B50000-0x00007FF6F4EA4000-memory.dmp

memory/2212-152-0x00007FF613A00000-0x00007FF613D54000-memory.dmp

memory/4136-153-0x00007FF6730E0000-0x00007FF673434000-memory.dmp

memory/3828-154-0x00007FF712F20000-0x00007FF713274000-memory.dmp

memory/3804-155-0x00007FF71B5D0000-0x00007FF71B924000-memory.dmp

memory/4052-156-0x00007FF620AF0000-0x00007FF620E44000-memory.dmp

memory/4060-157-0x00007FF679840000-0x00007FF679B94000-memory.dmp

memory/1404-158-0x00007FF66F590000-0x00007FF66F8E4000-memory.dmp

memory/2128-159-0x00007FF7B82A0000-0x00007FF7B85F4000-memory.dmp
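Every image region listed for this run, the parent's and each of the 21 children's, spans 0x354000 bytes (3,489,792); the behavioral1 dumps further up show the same size at sub-4 GiB bases, and the only differently sized region is the parent's 64 KiB 3388-1 dump. The dropped files nonetheless carry different hashes, so the size match, not the hash, is what ties the children to one payload. The following is an added example, not part of the report: it parses a constructed subset of the dump names (behavioral2 plus one behavioral1 entry for contrast) and groups regions by size so that this kind of recurrence is surfaced rather than read off by hand. Function names and the PID threshold are this example's own.

```python
"""Fingerprint the dumped memory regions by size.

Added example, not part of the report. Names are a constructed subset of the
Files listings (behavioral2 plus one behavioral1 dump for contrast); function
names and the min_pids threshold are this example's own.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

DUMP_NAMES = [
    "memory/3388-0-0x00007FF7819C0000-0x00007FF781D14000-memory.dmp",   # parent image
    "memory/3388-1-0x000002756FC30000-0x000002756FC40000-memory.dmp",   # 64 KiB non-image region
    "memory/4932-13-0x00007FF6EEAB0000-0x00007FF6EEE04000-memory.dmp",
    "memory/4892-20-0x00007FF6A4900000-0x00007FF6A4C54000-memory.dmp",
    "memory/1496-7-0x00007FF6F5240000-0x00007FF6F5594000-memory.dmp",
    "memory/1496-67-0x00007FF6F5240000-0x00007FF6F5594000-memory.dmp",  # same region, later snapshot
    "memory/4028-26-0x00007FF70A260000-0x00007FF70A5B4000-memory.dmp",
    "memory/3064-110-0x000000013F110000-0x000000013F464000-memory.dmp", # behavioral1 VM, lower base
]


def parse_dump(name):
    """Split 'memory/<pid>-<seq>-<start>-<end>-memory.dmp' into its fields."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def regions_by_size(names):
    """size -> {pid: {start, ...}}; the same region dumped twice counts once."""
    out = defaultdict(lambda: defaultdict(set))
    for d in map(parse_dump, names):
        out[d["size"]][d["pid"]].add(d["start"])
    return out


def shared_image_size(names, min_pids=3):
    """The region size seen in the most distinct PIDs, if at least min_pids share it."""
    by_size = regions_by_size(names)
    size, pids = max(by_size.items(), key=lambda kv: len(kv[1]))
    return size if len(pids) >= min_pids else None


if __name__ == "__main__":
    for size, pids in sorted(regions_by_size(DUMP_NAMES).items()):
        print(f"0x{size:X} bytes in PIDs {sorted(pids)}")
    print("shared image size:", hex(shared_image_size(DUMP_NAMES)))
```

Grouping by size rather than by base address is deliberate: on the win10v2004 platform of this run the bases are ASLR-randomised per process (0x7FF6 and 0x7FF7 prefixes), so only the extent is stable across the children.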