Malware Analysis Report

2024-10-16 03:07

Sample ID 240608-psdgzsbf9v
Target 2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike
SHA256 7be60f99fb8a5f9fb7fdcdf4584d0bc5346f78ab8a3c677a9c5a58a54fd181d2
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

7be60f99fb8a5f9fb7fdcdf4584d0bc5346f78ab8a3c677a9c5a58a54fd181d2

Threat Level: Known bad

The file 2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

Xmrig family

XMRig Miner payload

Cobalt Strike reflective loader

Cobaltstrike family

Detects Reflective DLL injection artifacts

xmrig

Cobaltstrike

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 12:35

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 12:35

Reported

2024-06-08 12:37

Platform

win7-20240508-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\STUaixh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KRsnGIp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uRgHevw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EUrfsaN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VDWBkMO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Fmluany.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NrnwHxH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sWVGekw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JzvYWRr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\moSTRNV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jdeHpmv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\liQaZxj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oDNGDhl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HNyZcdp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MTuArke.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MTWXvxU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KopIdHg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SxhIUhG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VvEnrlj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MHazAVm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dWRxBRD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\KRsnGIp.exe
PID 2408 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\Fmluany.exe
PID 2408 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\HNyZcdp.exe
PID 2408 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\MHazAVm.exe
PID 2408 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\MTuArke.exe
PID 2408 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWVGekw.exe
PID 2408 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\dWRxBRD.exe
PID 2408 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\NrnwHxH.exe
PID 2408 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\EUrfsaN.exe
PID 2408 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\uRgHevw.exe
PID 2408 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\JzvYWRr.exe
PID 2408 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\moSTRNV.exe
PID 2408 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\MTWXvxU.exe
PID 2408 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\STUaixh.exe
PID 2408 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\jdeHpmv.exe
PID 2408 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\liQaZxj.exe
PID 2408 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\KopIdHg.exe
PID 2408 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\oDNGDhl.exe
PID 2408 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\SxhIUhG.exe
PID 2408 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\VDWBkMO.exe
PID 2408 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\VvEnrlj.exe

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\KRsnGIp.exe C:\Windows\System\KRsnGIp.exe
C:\Windows\System\Fmluany.exe C:\Windows\System\Fmluany.exe
C:\Windows\System\HNyZcdp.exe C:\Windows\System\HNyZcdp.exe
C:\Windows\System\MHazAVm.exe C:\Windows\System\MHazAVm.exe
C:\Windows\System\MTuArke.exe C:\Windows\System\MTuArke.exe
C:\Windows\System\sWVGekw.exe C:\Windows\System\sWVGekw.exe
C:\Windows\System\dWRxBRD.exe C:\Windows\System\dWRxBRD.exe
C:\Windows\System\NrnwHxH.exe C:\Windows\System\NrnwHxH.exe
C:\Windows\System\EUrfsaN.exe C:\Windows\System\EUrfsaN.exe
C:\Windows\System\uRgHevw.exe C:\Windows\System\uRgHevw.exe
C:\Windows\System\JzvYWRr.exe C:\Windows\System\JzvYWRr.exe
C:\Windows\System\moSTRNV.exe C:\Windows\System\moSTRNV.exe
C:\Windows\System\MTWXvxU.exe C:\Windows\System\MTWXvxU.exe
C:\Windows\System\STUaixh.exe C:\Windows\System\STUaixh.exe
C:\Windows\System\jdeHpmv.exe C:\Windows\System\jdeHpmv.exe
C:\Windows\System\liQaZxj.exe C:\Windows\System\liQaZxj.exe
C:\Windows\System\KopIdHg.exe C:\Windows\System\KopIdHg.exe
C:\Windows\System\oDNGDhl.exe C:\Windows\System\oDNGDhl.exe
C:\Windows\System\SxhIUhG.exe C:\Windows\System\SxhIUhG.exe
C:\Windows\System\VDWBkMO.exe C:\Windows\System\VDWBkMO.exe
C:\Windows\System\VvEnrlj.exe C:\Windows\System\VvEnrlj.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

SHA512 47676aece93abbe5dcadcf1ac69b0e11a48c239c22fdb4512632529a56ea1d8c63c870c74653aedeaa4430853dd12cea0b47e2f01e3dc14b284c68cec9b1f9d2

memory/2760-96-0x000000013F550000-0x000000013F8A4000-memory.dmp

C:\Windows\system\MTWXvxU.exe

MD5 c4cb3441c964c9bb75df30dd2c0dc975
SHA1 4eab1eae5c1bed3fb9f27883315a674b552fdb56
SHA256 f7ccc35689b0edf5bdcceab2f859144fd72b38294034376a143d5a1417b04f46
SHA512 b05e6e978091cbe94b32a776e0adedf54cf560fdfd2016a42088e44c39fc7c5553adf815c889b9b70e479d8539b3dbd1044624d6636a3e4d8875be0f50d4ed90

memory/2408-93-0x0000000002240000-0x0000000002594000-memory.dmp

memory/2668-91-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2408-141-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/2408-142-0x0000000002240000-0x0000000002594000-memory.dmp

memory/2408-143-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2408-144-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/3004-145-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2408-146-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/3024-147-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/2428-148-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/1400-149-0x000000013F400000-0x000000013F754000-memory.dmp

memory/2448-150-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2708-151-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2616-152-0x000000013F0F0000-0x000000013F444000-memory.dmp

memory/2668-153-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2760-155-0x000000013F550000-0x000000013F8A4000-memory.dmp

memory/2676-154-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/2532-156-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/2072-157-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/2560-158-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2864-159-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/3024-160-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/3004-161-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 12:35

Reported

2024-06-08 12:37

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\iBPEsBX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\boDrGcL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DfhVTAf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cCrvMKZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GxjuYsP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KcmjPDG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uZZEocw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aVeucWn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uOEKVxY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nHOZlzF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\knEXgQT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mAsOLFq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NBMSRjh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qxaEtnt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fyZsMzc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gTjxRMm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gpLKywA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\voAtsRI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OzxQnAY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eOOBFvE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CFFegge.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4468 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\NBMSRjh.exe
PID 4468 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\NBMSRjh.exe
PID 4468 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\aVeucWn.exe
PID 4468 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\aVeucWn.exe
PID 4468 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\qxaEtnt.exe
PID 4468 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\qxaEtnt.exe
PID 4468 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\uOEKVxY.exe
PID 4468 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\uOEKVxY.exe
PID 4468 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\cCrvMKZ.exe
PID 4468 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\cCrvMKZ.exe
PID 4468 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\voAtsRI.exe
PID 4468 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\voAtsRI.exe
PID 4468 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\nHOZlzF.exe
PID 4468 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\nHOZlzF.exe
PID 4468 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\fyZsMzc.exe
PID 4468 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\fyZsMzc.exe
PID 4468 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\GxjuYsP.exe
PID 4468 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\GxjuYsP.exe
PID 4468 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\OzxQnAY.exe
PID 4468 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\OzxQnAY.exe
PID 4468 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\gTjxRMm.exe
PID 4468 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\gTjxRMm.exe
PID 4468 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\eOOBFvE.exe
PID 4468 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\eOOBFvE.exe
PID 4468 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\KcmjPDG.exe
PID 4468 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\KcmjPDG.exe
PID 4468 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZZEocw.exe
PID 4468 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZZEocw.exe
PID 4468 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\iBPEsBX.exe
PID 4468 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\iBPEsBX.exe
PID 4468 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\CFFegge.exe
PID 4468 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\CFFegge.exe
PID 4468 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\boDrGcL.exe
PID 4468 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\boDrGcL.exe
PID 4468 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\mAsOLFq.exe
PID 4468 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\mAsOLFq.exe
PID 4468 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\DfhVTAf.exe
PID 4468 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\DfhVTAf.exe
PID 4468 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\knEXgQT.exe
PID 4468 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\knEXgQT.exe
PID 4468 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\gpLKywA.exe
PID 4468 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe C:\Windows\System\gpLKywA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\NBMSRjh.exe

C:\Windows\System\NBMSRjh.exe

C:\Windows\System\aVeucWn.exe

C:\Windows\System\aVeucWn.exe

C:\Windows\System\qxaEtnt.exe

C:\Windows\System\qxaEtnt.exe

C:\Windows\System\uOEKVxY.exe

C:\Windows\System\uOEKVxY.exe

C:\Windows\System\cCrvMKZ.exe

C:\Windows\System\cCrvMKZ.exe

C:\Windows\System\voAtsRI.exe

C:\Windows\System\voAtsRI.exe

C:\Windows\System\nHOZlzF.exe

C:\Windows\System\nHOZlzF.exe

C:\Windows\System\fyZsMzc.exe

C:\Windows\System\fyZsMzc.exe

C:\Windows\System\GxjuYsP.exe

C:\Windows\System\GxjuYsP.exe

C:\Windows\System\OzxQnAY.exe

C:\Windows\System\OzxQnAY.exe

C:\Windows\System\gTjxRMm.exe

C:\Windows\System\gTjxRMm.exe

C:\Windows\System\eOOBFvE.exe

C:\Windows\System\eOOBFvE.exe

C:\Windows\System\KcmjPDG.exe

C:\Windows\System\KcmjPDG.exe

C:\Windows\System\uZZEocw.exe

C:\Windows\System\uZZEocw.exe

C:\Windows\System\iBPEsBX.exe

C:\Windows\System\iBPEsBX.exe

C:\Windows\System\CFFegge.exe

C:\Windows\System\CFFegge.exe

C:\Windows\System\boDrGcL.exe

C:\Windows\System\boDrGcL.exe

C:\Windows\System\mAsOLFq.exe

C:\Windows\System\mAsOLFq.exe

C:\Windows\System\DfhVTAf.exe

C:\Windows\System\DfhVTAf.exe

C:\Windows\System\knEXgQT.exe

C:\Windows\System\knEXgQT.exe

C:\Windows\System\gpLKywA.exe

C:\Windows\System\gpLKywA.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4468-0-0x00007FF76D350000-0x00007FF76D6A4000-memory.dmp

memory/4468-1-0x00000238F10F0000-0x00000238F1100000-memory.dmp

C:\Windows\System\NBMSRjh.exe

MD5 1ff441287eb9a0d5ff2a43c7731f2b2a
SHA1 7ea00b097dbebea4a4f45b994b2c7dac650026f5
SHA256 c93a80ece2e55a2d673b6adceb62849fb29e0429d260e53a58eb43f84c371ad4
SHA512 e2f9d615a87d7574e2a0231c462631199a539a80d5847a32efcc49f081ce72d0c7edb52d2d59b95ed848e28da9c23a8bf1d8783b9a4a3e910cd4e5ad76bdc689

C:\Windows\System\qxaEtnt.exe

MD5 7b3a940cdf7718914c2182fad9f89a6f
SHA1 41747781cb4651dfa332a0bdac4eccefc0d81fa8
SHA256 b6546a614632c5125fc613b2804bf2db6c7ff153702ea560c58baf65b2637b6d
SHA512 a0a559685e8d3abb70f5feca6d1c54983cdd08766cdbec81f917ff0e1f22826ef1cda8cb1068b5262fff0e0f1366167b7e76c9b18ff7c2ca1d9a33db6370d9e1

C:\Windows\System\aVeucWn.exe

MD5 d4fe4ba1603bbaad528e7925f94e64f3
SHA1 1252a18efebe362cf99effb97c99076216c68831
SHA256 e91a726214de099875823a31b94ea635ba4d050d6fc63420f6f5e89330c2b079
SHA512 8bce6052737843db39d70504678fd569e1600e0f57180f86784dfe514a6e4e58f8d7b92e3def2ac1586479e671656896aac820aed390811d61f719566d02cbcd

C:\Windows\System\cCrvMKZ.exe

MD5 9b52db840dd6ca9ff5544b1383273402
SHA1 d84f44c93a00f9fa6e13092d232ea320903f5ed6
SHA256 ba6688ac5cb31d8d7c77a8fab1342fba2978a69a34a525159a750e6ba2ec967a
SHA512 40a6d48275f5e8d032ba1a3d7ba2788b18b14f2ab6fbe856c92b6dd35181ce62f9a944029aa77da8f742d0cc5303bdbee1b066e8dc727ca590ef92f38c48dcd9

C:\Windows\System\uOEKVxY.exe

MD5 64213e35cdd5d4132660117ee6cfde95
SHA1 1417b8253824001e69455d3742989de3783013dc
SHA256 bb3051aaf547269d591b69783c589c225d47b847c57700af9c712db787354c55
SHA512 35f0b48a78b69c1d6ab6ea92466056cfc73d9603fbe58778365086330a7692912e082df54e87537064f65e5ce223b91493f487ede42547b1872ae76f20453b42

memory/4916-24-0x00007FF6E64C0000-0x00007FF6E6814000-memory.dmp

memory/1984-18-0x00007FF615DC0000-0x00007FF616114000-memory.dmp

memory/5092-10-0x00007FF6D72E0000-0x00007FF6D7634000-memory.dmp

memory/4416-25-0x00007FF65B050000-0x00007FF65B3A4000-memory.dmp

C:\Windows\System\voAtsRI.exe

MD5 e3c7608364f80d93004eff0ded9cc926
SHA1 bff3e5e9d38d1c38317adee3bd522da6ee5786ec
SHA256 5901dc136c4a191f6cc020963ca319d0be3cef647c35339fe2b180b261b66c03
SHA512 58dbc621f7e270e4d2b332cd57930a66caa72f75fc80590175277909e909e52dd6e3cfc09a9e3af27e3970e96362dacb7463c2cfb00f8340cc173d060c3d3cef

C:\Windows\System\nHOZlzF.exe

MD5 94e2617bd6985d8aa3c98dbcef075e41
SHA1 2f7d7a23eecf92f738679a92a70c4e0d5218a3b6
SHA256 fe421496c56e976ff786cb0eb5b0235bec9ba104ba5122c5cdb420875d70d8d1
SHA512 c3ab82bbb04b6597f72752bf0bba9f08477ae66d56996a98c148ad799a65c6961acde951086c37370cfecd583a8dd0479f62194fbb083b97e0b449ae05157393

C:\Windows\System\GxjuYsP.exe

MD5 a8175b0ecfe2610686224df53e2b026f
SHA1 84451c4bed55e0352e37387dd4f9f15836d30d4a
SHA256 cdeb69ceb1528461f1f6ec657df5f58e4fcad77adaa95434bf3de3d737a56643
SHA512 5d7433e3b19ebdc77f1f767bad67b259de53a049df8923394af1dde97b442a9d35d80a8f480d2de7fab6d9c86637fc1270c7e69102128eec290707723c114bee

C:\Windows\System\OzxQnAY.exe

MD5 53fa329820b873a982f27f22f2291634
SHA1 893884a3fb51c8d9d6680301d57dfe32e55ff87f
SHA256 0c47da51da633b3d9b96b00b4381954fb8e7fdad368be15bd11b3fae96b7bcf1
SHA512 5bb5b18ac513af419d19b5652cdc485e7e2a1acbb05b2bf3dc29bcf625557a2df7481732a2fe935af10a0cc67a99b5ea6f4b49a0416a20528a8224437b6bcd64

C:\Windows\System\gTjxRMm.exe

MD5 486667971ecb2f1ec311ac7ff44da69e
SHA1 f037952ebf661253107fba37536b58bc12957e67
SHA256 0ce95ec8cdded05f455ac0a7dc8185882df605877fc341b46cacd70aff77db9f
SHA512 b4ebb52086d1bb3127fb6766e4c24bd325ee99da67ec0e819193575332ca10dcad7ca641cc6e0549d2bc5a6e4f40c2f0a8897df775f9366f0cb3412f28d691bc

memory/4048-66-0x00007FF7FC630000-0x00007FF7FC984000-memory.dmp

memory/4444-65-0x00007FF6E4C40000-0x00007FF6E4F94000-memory.dmp

memory/3304-56-0x00007FF7EC4D0000-0x00007FF7EC824000-memory.dmp

C:\Windows\System\fyZsMzc.exe

MD5 55c77d2ca94d931cc2aa321dcbc02672
SHA1 4b343ccc8e7fa1c7cc5abac923fafed585204f92
SHA256 1c4c9bb348e16b428a62ab4df80c10a22e69043c2c8ca9b59a262bba3c559eb2
SHA512 0b3eb1517ac29e18bbefee958bf25fde56f32a3af1b13a4febb0cf0e6d26b241acf7ad4b61c467ba63474f4bc99c71ec1b7c4396851061c30521b49e8083d5dc

memory/4676-51-0x00007FF694B00000-0x00007FF694E54000-memory.dmp

memory/2180-45-0x00007FF6896B0000-0x00007FF689A04000-memory.dmp

memory/3348-37-0x00007FF62D350000-0x00007FF62D6A4000-memory.dmp

memory/1820-26-0x00007FF63D6D0000-0x00007FF63DA24000-memory.dmp

C:\Windows\System\KcmjPDG.exe

MD5 7ecbbb9dd8c60ba345a68fce801baa18
SHA1 756cbabc4c8faaf22a1404fbd1c2fed81e4bcb3f
SHA256 b074278fa53ce1a1d38885c8d025246356baeb4186903fc1e3c8f4f602f1fb23
SHA512 39c77d6617cb70a2d0d4b61af0200814358f001fc4b660edacefce9d2bad75cf4b83e49c9bc0d5993ecd4abf4080a4c2a7d3ce92738a71db15d354d71d34aa58

C:\Windows\System\eOOBFvE.exe

MD5 7e01900ae8f87bcc09f0bb027c32fcf6
SHA1 2acc28afc0d64d1a74042c5ecd1aa34a27db2e1f
SHA256 9473a1ea55d26acf7eafa24893049b605dad6a01d7e0a621a8bd31dbab76905b
SHA512 68d97cf83efcfb567621e0d3344d8dbaac337d2b5dc0c540fb2d8c74c5f56f72aae7c5402dd137a3a480e1f262e2fd46dd81739b1ef9c91d53b7860a64312dc1

C:\Windows\System\uZZEocw.exe

MD5 18395fa6ac0c829d9804f40e2b29dfb1
SHA1 c8aa9d9e73bab7dde28bd445762693375c961107
SHA256 8b70eba480214c564fe4382a1262939bae57018726214420792a4fb8920c0950
SHA512 9ae25e6798ae742cac8776582f5c1995ac088c0ca7aed7a51c2f482a425242aba61239db2f7122ade1617898f2b17fefd156b8d2c863ae1b35823c92fcbc7bd6

C:\Windows\System\iBPEsBX.exe

MD5 70d872c1a00d66ab7e94e09b2fd2bab0
SHA1 8d892b68753029956975543f581b45486be5dddd
SHA256 e5ab8620524a5866b161473448ce904d19dca10f555c3573391e259a8968c844
SHA512 31dcddd49eb27cd7b71152c74a00dc795d2f347df86ee9fc26d6691cefeb047b636e5e07b0ee07e0f0eeee0c8fbd4489a1b6be48ffb92c51742d487a2d83c302

memory/1416-92-0x00007FF77ECA0000-0x00007FF77EFF4000-memory.dmp

memory/5092-91-0x00007FF6D72E0000-0x00007FF6D7634000-memory.dmp

memory/4132-85-0x00007FF7E69C0000-0x00007FF7E6D14000-memory.dmp

memory/4496-84-0x00007FF7E5F50000-0x00007FF7E62A4000-memory.dmp

memory/4468-80-0x00007FF76D350000-0x00007FF76D6A4000-memory.dmp

memory/4036-74-0x00007FF6A8DA0000-0x00007FF6A90F4000-memory.dmp

C:\Windows\System\CFFegge.exe

MD5 46162c023818fa715e1abc268481ba9b
SHA1 5d50d87c7088d93fe1750271ee6515fe4bc02817
SHA256 08f2935a00924faf97bb6737cc4ce088b58ad4dc0d71aecefc80d06edf25f577
SHA512 98f418ad8c4e8ff7d4dcea96f792e63426a41fa6a6e8366a8dae4dc161518f552f368affbadd0cb1192861b165bc614f96b1791decf69ae010f20f7d319ee5a9

memory/1984-100-0x00007FF615DC0000-0x00007FF616114000-memory.dmp

C:\Windows\System\boDrGcL.exe

MD5 15506d619841c35fa3fb0a1f45da6662
SHA1 63753273a0d0949b721cd49ae103c59161206b5b
SHA256 f8edde7665374b761dc1a952a6166fdd61c7408b92fe1f50e2a579c2c46a7b68
SHA512 21bd1c369598861cf3462d15e6bf5405a38ecafcb4d7991e38ef1103d342de2763a8365a645c5b49d97e8cf23fd09c3dc496a195a7f531c029c45d01909ba722

memory/4364-103-0x00007FF72F530000-0x00007FF72F884000-memory.dmp

memory/4916-105-0x00007FF6E64C0000-0x00007FF6E6814000-memory.dmp

C:\Windows\System\mAsOLFq.exe

MD5 4480f8d7ba5c9a9e8540e8283b902544
SHA1 df5fa3491157612c7d43aeeef708acbac7fb876e
SHA256 00813502be40dc34e7297443e288d65aecae17322e9788790a4878a9d78cc654
SHA512 50b15f0bde17bcf8e50c7aff5ac02df8f97cc3e4ed4499cec0a2257b41df6bb768833f09eda152c583aceaf4debe7d1aa7a5f20fd19fadc58db6c1ec86511f2a

C:\Windows\System\DfhVTAf.exe

MD5 cd1e3b7eb33224885c1c92802cb03aa3
SHA1 a58a00528d98582dcc971daa1b0f51eca419c0bc
SHA256 55915564a8727542ff4de128b733421d1fa7123edd60968c7984592e30814de8
SHA512 4082f2f95e4d9410d4077236d40c990ebc248a4ec09e07771bc50b372f5ab150b16cb79bbe9bfb0eca45986c5c11642d56efe74f99eb3ef1efd0593fd2772f0d

memory/4948-126-0x00007FF60FAA0000-0x00007FF60FDF4000-memory.dmp

memory/4676-128-0x00007FF694B00000-0x00007FF694E54000-memory.dmp

C:\Windows\System\knEXgQT.exe

MD5 8ad5811a58ef68820df8c0a743143161
SHA1 6947ecfbed9ef67fb91e1ee211e4aad1dc6186bc
SHA256 75e077350517db8e5ccc1fc194e27ee70c46ad19cc56fb19efc53d751c99a485
SHA512 39b004daa4905ca0627247866b40c6a7fec04c1756a343882ad7f84cbf3b95d0ef5c9b4e60d853b3e58cb3ea1871e0f10ed524a6dfa13838650df81e131ea7c6

memory/3260-129-0x00007FF651E10000-0x00007FF652164000-memory.dmp

memory/2180-127-0x00007FF6896B0000-0x00007FF689A04000-memory.dmp

memory/552-114-0x00007FF6A0020000-0x00007FF6A0374000-memory.dmp

memory/1580-113-0x00007FF72D340000-0x00007FF72D694000-memory.dmp

memory/3348-110-0x00007FF62D350000-0x00007FF62D6A4000-memory.dmp

memory/1820-109-0x00007FF63D6D0000-0x00007FF63DA24000-memory.dmp

memory/4416-106-0x00007FF65B050000-0x00007FF65B3A4000-memory.dmp

C:\Windows\System\gpLKywA.exe

MD5 64251ae772b619fa47a2919a51383761
SHA1 269449424cc6fed745f0a6435707bcff8a2befeb
SHA256 572a770717275cd27cb50736aea1746c100c4ee9161d3455e3404b1cacf4a643
SHA512 01939b1555abf44c6620858faa5a617e0b42d8ebdb70cfa5afbf407e17a00afcb1f64cc2b417ebc1e5523a43939618bba2922bd7a9380a731bcbeb16a1273b32

memory/392-136-0x00007FF6F9BA0000-0x00007FF6F9EF4000-memory.dmp

memory/3304-137-0x00007FF7EC4D0000-0x00007FF7EC824000-memory.dmp

memory/4048-138-0x00007FF7FC630000-0x00007FF7FC984000-memory.dmp

memory/4496-139-0x00007FF7E5F50000-0x00007FF7E62A4000-memory.dmp

memory/4036-140-0x00007FF6A8DA0000-0x00007FF6A90F4000-memory.dmp

memory/4132-141-0x00007FF7E69C0000-0x00007FF7E6D14000-memory.dmp

memory/1580-142-0x00007FF72D340000-0x00007FF72D694000-memory.dmp

memory/552-143-0x00007FF6A0020000-0x00007FF6A0374000-memory.dmp

memory/4948-144-0x00007FF60FAA0000-0x00007FF60FDF4000-memory.dmp

memory/392-145-0x00007FF6F9BA0000-0x00007FF6F9EF4000-memory.dmp

memory/5092-146-0x00007FF6D72E0000-0x00007FF6D7634000-memory.dmp

memory/1984-147-0x00007FF615DC0000-0x00007FF616114000-memory.dmp

memory/4916-148-0x00007FF6E64C0000-0x00007FF6E6814000-memory.dmp

memory/4416-149-0x00007FF65B050000-0x00007FF65B3A4000-memory.dmp

memory/1820-150-0x00007FF63D6D0000-0x00007FF63DA24000-memory.dmp

memory/3348-151-0x00007FF62D350000-0x00007FF62D6A4000-memory.dmp

memory/2180-152-0x00007FF6896B0000-0x00007FF689A04000-memory.dmp

memory/4676-153-0x00007FF694B00000-0x00007FF694E54000-memory.dmp

memory/4444-155-0x00007FF6E4C40000-0x00007FF6E4F94000-memory.dmp

memory/3304-154-0x00007FF7EC4D0000-0x00007FF7EC824000-memory.dmp

memory/4048-156-0x00007FF7FC630000-0x00007FF7FC984000-memory.dmp

memory/4036-157-0x00007FF6A8DA0000-0x00007FF6A90F4000-memory.dmp

memory/1416-158-0x00007FF77ECA0000-0x00007FF77EFF4000-memory.dmp

memory/4496-159-0x00007FF7E5F50000-0x00007FF7E62A4000-memory.dmp

memory/4132-160-0x00007FF7E69C0000-0x00007FF7E6D14000-memory.dmp

memory/4364-161-0x00007FF72F530000-0x00007FF72F884000-memory.dmp

memory/1580-162-0x00007FF72D340000-0x00007FF72D694000-memory.dmp

memory/3260-163-0x00007FF651E10000-0x00007FF652164000-memory.dmp

memory/552-164-0x00007FF6A0020000-0x00007FF6A0374000-memory.dmp

memory/4948-165-0x00007FF60FAA0000-0x00007FF60FDF4000-memory.dmp

memory/392-166-0x00007FF6F9BA0000-0x00007FF6F9EF4000-memory.dmp