Malware Analysis Report

2024-10-16 03:07

Sample ID 240608-ptasgsce94
Target 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike
SHA256 ac50e7ca93e199e177e6471425847e4ebc9a25214c96896985a726ec9493db22
Tags: cobaltstrike xmrig 0 backdoor miner trojan upx
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

ac50e7ca93e199e177e6471425847e4ebc9a25214c96896985a726ec9493db22

Threat Level: Known bad

The file 2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobalt Strike reflective loader

Cobaltstrike family

Cobaltstrike

UPX dump on OEP (original entry point)

XMRig Miner payload

Xmrig family

xmrig

Detects Reflective DLL injection artifacts

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 12:36

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 12:36

Reported

2024-06-08 12:39

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ANHofLM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nPMUIIh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GWQHzhT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\INKZVkb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FprZOuL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PjnmIzj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ockHrkR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\feXqrgt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CYXzbAc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xJrTfZK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uoqkODq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XrAyDHM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OTEuVUz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vLkwPoc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NsTndpb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kxMwVhj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vmyXzRf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rZrJwOZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TZNBWyH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LosdpiY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uiGiUxh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1020 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\LosdpiY.exe
PID 1020 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\LosdpiY.exe
PID 1020 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\vmyXzRf.exe
PID 1020 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\vmyXzRf.exe
PID 1020 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\rZrJwOZ.exe
PID 1020 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\rZrJwOZ.exe
PID 1020 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\OTEuVUz.exe
PID 1020 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\OTEuVUz.exe
PID 1020 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\PjnmIzj.exe
PID 1020 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\PjnmIzj.exe
PID 1020 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\vLkwPoc.exe
PID 1020 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\vLkwPoc.exe
PID 1020 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\feXqrgt.exe
PID 1020 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\feXqrgt.exe
PID 1020 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\CYXzbAc.exe
PID 1020 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\CYXzbAc.exe
PID 1020 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ockHrkR.exe
PID 1020 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ockHrkR.exe
PID 1020 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\uiGiUxh.exe
PID 1020 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\uiGiUxh.exe
PID 1020 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xJrTfZK.exe
PID 1020 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xJrTfZK.exe
PID 1020 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ANHofLM.exe
PID 1020 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ANHofLM.exe
PID 1020 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\nPMUIIh.exe
PID 1020 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\nPMUIIh.exe
PID 1020 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\TZNBWyH.exe
PID 1020 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\TZNBWyH.exe
PID 1020 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\GWQHzhT.exe
PID 1020 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\GWQHzhT.exe
PID 1020 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\NsTndpb.exe
PID 1020 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\NsTndpb.exe
PID 1020 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\uoqkODq.exe
PID 1020 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\uoqkODq.exe
PID 1020 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\kxMwVhj.exe
PID 1020 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\kxMwVhj.exe
PID 1020 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\XrAyDHM.exe
PID 1020 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\XrAyDHM.exe
PID 1020 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\INKZVkb.exe
PID 1020 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\INKZVkb.exe
PID 1020 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\FprZOuL.exe
PID 1020 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\FprZOuL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\LosdpiY.exe

C:\Windows\System\LosdpiY.exe

C:\Windows\System\vmyXzRf.exe

C:\Windows\System\vmyXzRf.exe

C:\Windows\System\rZrJwOZ.exe

C:\Windows\System\rZrJwOZ.exe

C:\Windows\System\OTEuVUz.exe

C:\Windows\System\OTEuVUz.exe

C:\Windows\System\PjnmIzj.exe

C:\Windows\System\PjnmIzj.exe

C:\Windows\System\vLkwPoc.exe

C:\Windows\System\vLkwPoc.exe

C:\Windows\System\feXqrgt.exe

C:\Windows\System\feXqrgt.exe

C:\Windows\System\CYXzbAc.exe

C:\Windows\System\CYXzbAc.exe

C:\Windows\System\ockHrkR.exe

C:\Windows\System\ockHrkR.exe

C:\Windows\System\uiGiUxh.exe

C:\Windows\System\uiGiUxh.exe

C:\Windows\System\xJrTfZK.exe

C:\Windows\System\xJrTfZK.exe

C:\Windows\System\ANHofLM.exe

C:\Windows\System\ANHofLM.exe

C:\Windows\System\nPMUIIh.exe

C:\Windows\System\nPMUIIh.exe

C:\Windows\System\TZNBWyH.exe

C:\Windows\System\TZNBWyH.exe

C:\Windows\System\GWQHzhT.exe

C:\Windows\System\GWQHzhT.exe

C:\Windows\System\NsTndpb.exe

C:\Windows\System\NsTndpb.exe

C:\Windows\System\uoqkODq.exe

C:\Windows\System\uoqkODq.exe

C:\Windows\System\kxMwVhj.exe

C:\Windows\System\kxMwVhj.exe

C:\Windows\System\XrAyDHM.exe

C:\Windows\System\XrAyDHM.exe

C:\Windows\System\INKZVkb.exe

C:\Windows\System\INKZVkb.exe

C:\Windows\System\FprZOuL.exe

C:\Windows\System\FprZOuL.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 201.201.50.20.in-addr.arpa udp

Files

C:\Windows\System\LosdpiY.exe

C:\Windows\System\vmyXzRf.exe

C:\Windows\System\vLkwPoc.exe

C:\Windows\System\CYXzbAc.exe

C:\Windows\System\uiGiUxh.exe

C:\Windows\System\xJrTfZK.exe

C:\Windows\System\ockHrkR.exe

C:\Windows\System\feXqrgt.exe

C:\Windows\System\PjnmIzj.exe

C:\Windows\System\rZrJwOZ.exe

C:\Windows\System\OTEuVUz.exe

C:\Windows\System\ANHofLM.exe

C:\Windows\System\nPMUIIh.exe

C:\Windows\System\TZNBWyH.exe

C:\Windows\System\GWQHzhT.exe

C:\Windows\System\NsTndpb.exe

C:\Windows\System\uoqkODq.exe

C:\Windows\System\kxMwVhj.exe

C:\Windows\System\XrAyDHM.exe

C:\Windows\System\FprZOuL.exe

C:\Windows\System\INKZVkb.exe


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 12:36

Reported

2024-06-08 12:39

Platform

win7-20240221-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
21 events, all from the same process

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\vmyXzRf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OTEuVUz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vLkwPoc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CYXzbAc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kxMwVhj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FprZOuL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GWQHzhT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XrAyDHM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NsTndpb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uoqkODq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LosdpiY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rZrJwOZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PjnmIzj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\feXqrgt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ockHrkR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ANHofLM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uiGiUxh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xJrTfZK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nPMUIIh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TZNBWyH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\INKZVkb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 3044 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\LosdpiY.exe
PID 1984 wrote to memory of 2912 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\vmyXzRf.exe
PID 1984 wrote to memory of 2588 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\rZrJwOZ.exe
PID 1984 wrote to memory of 2620 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\OTEuVUz.exe
PID 1984 wrote to memory of 2516 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\PjnmIzj.exe
PID 1984 wrote to memory of 2584 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\vLkwPoc.exe
PID 1984 wrote to memory of 2524 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\feXqrgt.exe
PID 1984 wrote to memory of 2348 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\CYXzbAc.exe
PID 1984 wrote to memory of 2428 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ockHrkR.exe
PID 1984 wrote to memory of 2820 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\uiGiUxh.exe
PID 1984 wrote to memory of 640 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xJrTfZK.exe
PID 1984 wrote to memory of 1356 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ANHofLM.exe
PID 1984 wrote to memory of 2664 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\nPMUIIh.exe
PID 1984 wrote to memory of 2692 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\TZNBWyH.exe
PID 1984 wrote to memory of 1608 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\GWQHzhT.exe
PID 1984 wrote to memory of 1748 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\NsTndpb.exe
PID 1984 wrote to memory of 108 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\uoqkODq.exe
PID 1984 wrote to memory of 2132 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\kxMwVhj.exe
PID 1984 wrote to memory of 1588 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\XrAyDHM.exe
PID 1984 wrote to memory of 2640 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\INKZVkb.exe
PID 1984 wrote to memory of 2452 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe C:\Windows\System\FprZOuL.exe
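The "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables above together describe the sample's drop-and-execute loop: one process writes 21 executables into C:\Windows\System and then writes into the memory of 21 newly created children, one per dropped file. The script below is an added example, not part of the sandbox report or of any tool it names; it re-parses those rows in the report's own text layout and correlates them into a single summary (one writer PID, 21 seven-letter mixed-case names, every drop executed). One caveat the signature name does not convey: the sandbox flags any cross-process write, including the process-parameter block that CreateProcess itself writes into a child, so a uniform count of three events per child does not by itself distinguish ordinary spawning from code injection; what was written is recorded by the memory dumps in the Files section, not by this table. The SeLockMemoryPrivilege request in the preceding table is the more characteristic miner indicator, since XMRig asks for that privilege to enable large pages for its hashing memory. The row regexes, field names and the seven-letter filename pattern are this example's assumptions about the report format.

```python
import re
from collections import Counter

# Parent process path exactly as it appears in this report.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe")

# (child PID, dropped file name) pairs taken from the WriteProcessMemory table above.
SPAWNS = [(3044, "LosdpiY"), (2912, "vmyXzRf"), (2588, "rZrJwOZ"), (2620, "OTEuVUz"),
          (2516, "PjnmIzj"), (2584, "vLkwPoc"), (2524, "feXqrgt"), (2348, "CYXzbAc"),
          (2428, "ockHrkR"), (2820, "uiGiUxh"), (640, "xJrTfZK"), (1356, "ANHofLM"),
          (2664, "nPMUIIh"), (2692, "TZNBWyH"), (1608, "GWQHzhT"), (1748, "NsTndpb"),
          (108, "uoqkODq"), (2132, "kxMwVhj"), (1588, "XrAyDHM"), (2640, "INKZVkb"),
          (2452, "FprZOuL")]

# Constructed sample: the two signature tables rebuilt row for row in the report's
# layout (one "File created" row per drop, three write events per child).
DROP_ROWS = "\n".join(
    f"File created C:\\Windows\\System\\{name}.exe {PARENT} N/A" for _, name in SPAWNS)
WPM_ROWS = "\n".join(
    f"PID 1984 wrote to memory of {pid} N/A {PARENT} C:\\Windows\\System\\{name}.exe"
    for pid, name in SPAWNS for _ in range(3))

# Assumed row formats (Description Indicator Process Target, space separated, no spaces in paths).
DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) (?P<target>\S+)$")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<proc>\S+) (?P<target>\S+)$")
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")  # seven mixed-case letters plus .exe


def parse_drops(rows):
    """Return {dropped_path: dropping_process} from 'Drops file in Windows directory' rows."""
    out = {}
    for line in rows.splitlines():
        m = DROP_RE.match(line)
        if m:
            out[m["path"]] = m["proc"]
    return out


def parse_writes(rows):
    """Return {(src_pid, dst_pid, target_image): event_count} from WriteProcessMemory rows."""
    counts = Counter()
    for line in rows.splitlines():
        m = WPM_RE.match(line)
        if m:
            counts[(int(m["src"]), int(m["dst"]), m["target"])] += 1
    return counts


def summarize(drop_rows, wpm_rows):
    """Correlate drops with the children written to and describe the drop-and-execute pattern."""
    drops = parse_drops(drop_rows)
    writes = parse_writes(wpm_rows)
    children = {}
    for (src, dst, target), n in writes.items():
        child = children.setdefault(dst, {"parent": src, "image": target, "writes": 0})
        child["writes"] += n
    in_windows_system = [p for p in drops if p.lower().startswith("c:\\windows\\system\\")]
    random_named = [p for p in drops if RANDOM_NAME_RE.match(p.rsplit("\\", 1)[-1])]
    executed_drops = [c["image"] for c in children.values() if c["image"] in drops]
    return {
        "dropped": len(drops),
        "dropped_in_windows_system": len(in_windows_system),
        "dropped_random_named": len(random_named),
        "children": len(children),
        "writer_pids": sorted({c["parent"] for c in children.values()}),
        "executed_drops": len(executed_drops),
        # Distinct per-child write counts; a single small value for every child
        # means the table shows one uniform spawn pattern, not targeted injection bursts.
        "writes_per_child": sorted({c["writes"] for c in children.values()}),
    }


if __name__ == "__main__":
    for key, value in summarize(DROP_ROWS, WPM_ROWS).items():
        print(f"{key}: {value}")
```

Feed the same two tables from another report into parse_drops and parse_writes to compare detonations; the summary is what a triage analyst would paste into a ticket instead of the 84 raw rows.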

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9e022ed75a8f2fa53f6c988e98fe6ad1_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\LosdpiY.exe

C:\Windows\System\LosdpiY.exe

C:\Windows\System\vmyXzRf.exe

C:\Windows\System\vmyXzRf.exe

C:\Windows\System\rZrJwOZ.exe

C:\Windows\System\rZrJwOZ.exe

C:\Windows\System\OTEuVUz.exe

C:\Windows\System\OTEuVUz.exe

C:\Windows\System\PjnmIzj.exe

C:\Windows\System\PjnmIzj.exe

C:\Windows\System\vLkwPoc.exe

C:\Windows\System\vLkwPoc.exe

C:\Windows\System\feXqrgt.exe

C:\Windows\System\feXqrgt.exe

C:\Windows\System\CYXzbAc.exe

C:\Windows\System\CYXzbAc.exe

C:\Windows\System\ockHrkR.exe

C:\Windows\System\ockHrkR.exe

C:\Windows\System\uiGiUxh.exe

C:\Windows\System\uiGiUxh.exe

C:\Windows\System\xJrTfZK.exe

C:\Windows\System\xJrTfZK.exe

C:\Windows\System\ANHofLM.exe

C:\Windows\System\ANHofLM.exe

C:\Windows\System\nPMUIIh.exe

C:\Windows\System\nPMUIIh.exe

C:\Windows\System\TZNBWyH.exe

C:\Windows\System\TZNBWyH.exe

C:\Windows\System\GWQHzhT.exe

C:\Windows\System\GWQHzhT.exe

C:\Windows\System\NsTndpb.exe

C:\Windows\System\NsTndpb.exe

C:\Windows\System\uoqkODq.exe

C:\Windows\System\uoqkODq.exe

C:\Windows\System\kxMwVhj.exe

C:\Windows\System\kxMwVhj.exe

C:\Windows\System\XrAyDHM.exe

C:\Windows\System\XrAyDHM.exe

C:\Windows\System\INKZVkb.exe

C:\Windows\System\INKZVkb.exe

C:\Windows\System\FprZOuL.exe

C:\Windows\System\FprZOuL.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 connections)

Files

memory/1984-0-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/1984-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\vmyXzRf.exe

MD5 9c5d32c4afc1843e52b82ebb7e9649e1
SHA1 47fcde724542a6c741ea1efcba5661220b6f0883
SHA256 eef194d431eb488b5ef87ae1228c290ad61b4a44b76ed0f98790cd14400014d6
SHA512 1fb9d100536ff158fd560cb794f1fe1187acb61e3fb01baa2dcd723cee5ab0ef9b5f83b4897a8566350a5eb80ba13950905e42b825a91fe7b97e294420d091ce

C:\Windows\system\OTEuVUz.exe

MD5 93601547a84534600b3005f8985281a5
SHA1 3acd3c8cf38e0614fd4c69579e1bcf8f4522b8db
SHA256 e6d879a078fb7608f948817667060f20c1d4c0155f343cd98ae6d02dd34acda4
SHA512 75963bf81952a33478ef6f6fa39057e0f6da644c3a235bd426f8a16953381d0691ce5f27e09aa11c4fd86252a314c93d98b2b3a1f1365e7b714f28607d4ceadf

C:\Windows\system\PjnmIzj.exe

MD5 32466adffb1861a1c881bdc9c4dccb24
SHA1 634d0e69e9502ee2d60a1a0df2128780d5b4ec33
SHA256 ad6687e517016abff65051e8a000d39586de101c1860199a39a96c1a76b42406
SHA512 48477f85b7583ce04d4a597caa8fd86ede4be2c98ccae431f5a943e154b270eb52a48fae8ad909237dd25e3303503b67ecfd09fbe54b5a65177101e2fbe3346e

C:\Windows\system\vLkwPoc.exe

MD5 85c2fe618f37eb8c0cc26c9154dacc96
SHA1 f63dc625b904d4957620c3007544eb241889eca3
SHA256 eaa064bd4f46f781f706f72f4d027294c4eddb9cab80cf4e48203e6ca8992466
SHA512 a7a59831841d42c7627136a08c42b97776ae2e64b0479975cffde387132bc04b01ec108861c8a9ed2cde8507ba21d1fa4fd91b114443e350dec8accffd4cb111

memory/2620-36-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2912-25-0x000000013F270000-0x000000013F5C4000-memory.dmp

C:\Windows\system\feXqrgt.exe

MD5 719013a90d2522d6ad78aa918b0531ba
SHA1 0007555e2e199cc5ea75dfe08992979486a09400
SHA256 6c9b05d1e12e2ebfc4cc81d6638100f4d0c15a5445cda3f637f0138b121c1917
SHA512 d4a4248f150481db28892ce64f90b92dfe548a6b2ec4e2f2b92c88701c3b9ed232ecf1dea06452c0244889474c9f702c844932e1c9cd4695063e74103ffc2555

memory/2348-56-0x000000013F670000-0x000000013F9C4000-memory.dmp

C:\Windows\system\ockHrkR.exe

MD5 e2b0d46ecc1b6526fa3897e098ff087e
SHA1 f95d71d3510b8115cc2fb1daf289e796d38582a3
SHA256 21bc417b4d29781b0cb421595f360571bbc0b3964ec1343d98f9c36035b22001
SHA512 6fe7448fe051cdffaec1ed37acede9de191b70b9da103ea23a31d33bc9bee0f07f5128b269e0aba036588e08a77766f615f70b83a9cf72c9e53062d0f7a5ee81

memory/2820-72-0x000000013F6F0000-0x000000013FA44000-memory.dmp

memory/640-79-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/2516-98-0x000000013F1C0000-0x000000013F514000-memory.dmp

C:\Windows\system\GWQHzhT.exe

MD5 83ebeb2c7ddee8c6b46597c6cd4df1fc
SHA1 345e338dbcabcf31fd23d51abd81a838bd7a6a14
SHA256 d4dfe76cb67512257720bc257cef10d435fadd23bd6e0472084305d2675138b2
SHA512 0a7e7ebc7334972725b5852b628414ea2c236e598fe59dcc2bda881a64195472153043483f36270bb6a58927865e28bc0994294855bd7151071b6b0e7fe9d6a7

C:\Windows\system\INKZVkb.exe

MD5 3081eb1f5fa8d417003a3d839bcf1f7f
SHA1 7d46fd4e1296e1ad234e2bac225903b5fa2d4506
SHA256 1de95474feb63fbc5cfaadf591307fd0eee9cde0ae673b693a3ea6f60bae9e71
SHA512 7d84e6b9c49bfd09006089eb63bca84d9999dd8e91ac930afd3dbb955f0b19c461c02ef320b918a1180cbe5aa202b64666ec273a96ad563ed3392cc723ab9ea6

C:\Windows\system\XrAyDHM.exe

MD5 95aa19f6dbdf29e2f55f139ce18cdfca
SHA1 2769ac0b4adaff43efdbcc2c6f53f034bbd0a2d1
SHA256 6fc53f3a64bbe634348cf83d5b431e04c131ac10c86643b7c723fa442ed826c9
SHA512 a9debd3c32019da7f553bcfd600bff666ac7d24d42cf7ae419abec5514da45a669aa05ddde0743995c6632ace7fd0e885a41592abbbe4bf5c0a065ad1fbfe98b

\Windows\system\FprZOuL.exe

MD5 e0362e3daa9efbeea66ca6a3c8234186
SHA1 42631daa95f24113db2b8a045857679e8b923397
SHA256 8f0bbf8ef3dd57d070a103d18247374d09c75640fb06f2a30308a667c6fe3eaf
SHA512 a6ecf93b81a5da63060eaeab44d7a7af922cf009ea7408bb9b72a00cebdac4c8a5a1a29f50f03fd77c0868e8c66dde4513d21b765c659cdcab095517b6dd085b

C:\Windows\system\kxMwVhj.exe

MD5 a973bd1746a972b361368f4bde6b6dca
SHA1 f64a3847b02d53594f2a664e3b2e1d22663ff4d5
SHA256 d8c6b3116b1dfbabc790304ae2000eff1d74ec658b9f0c26338cd757768bb919
SHA512 a0713774bc5f6afe8cdb6749d796bb02d4043b27791e956cf61286c54145c427ac3a3ee284feee53ee86d02dfd1913459ea335d1fb99a082f8df42af93aedcb9

C:\Windows\system\uoqkODq.exe

MD5 cffff41f4fd9442c233323e29a5e38f3
SHA1 dc464c418e1ffed6e83d036651882852d417d046
SHA256 3cb687c81d6a6af806fa887069a862f3ddb9637024beb35e4ebeb838881c45eb
SHA512 313810560aa3da4e478ff53b25c46b81a79077d1ce89cb2f6a14041e600a6bd490b75cc0687e524551a59d6a450bf3f4351438bd1898afd3853e17cf8b4b8c76

C:\Windows\system\NsTndpb.exe

MD5 6d36d68da44d9c2d3f0c5f716e8cd6f9
SHA1 22f58ffc8fa540630ba4293ca27abbf4c6627198
SHA256 ccab98ca5391dd5318f3e67f1158c5eea07d8d1ea1a174e65607e142db4ac20d
SHA512 0c72e698142cced620d312f2c95116f2f80f8c6b95f2064314869affd4f27cd24425dcd3861b82bcb7cca7ea24c20c60827139cfde5d07a100e4efff94dc0ea2

memory/1984-107-0x0000000002440000-0x0000000002794000-memory.dmp

memory/2692-100-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/2584-99-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/2664-93-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/1984-92-0x000000013F050000-0x000000013F3A4000-memory.dmp

C:\Windows\system\nPMUIIh.exe

MD5 6af5ce0049c5a0226b3d792cc6653354
SHA1 cfb0d8133dfd0f938aa7f16e860f467f989e81b0
SHA256 5e82da46d4ba995c6a79111579d809400d0655e3c08f0286835564ce82487a17
SHA512 14b29b6101bc9a6a3c4c1d36d45d3d799b43799fb35254bf10178d65c647ecc0ba39ef5c6aee3b6afba6d55b8f36a0ec803c5b315193c377e7d47bcf430b1999

C:\Windows\system\TZNBWyH.exe

MD5 eb090510d87cda9f5a1579175d8c80b9
SHA1 ea6ad65017d223b5e030d6ab8c777b997378f0ea
SHA256 8f08027c2b7f6137a444fae9ae20ebd8088c086a67febeb9da30aeecaba0ddc3
SHA512 860dc651e18c4a8b743f609b7414c562bf7cdcf2da5a986b37a3ea7176737b16065f345d7f0361668a6f89933927122840f9eb3f7fe167173e777c860745fcc0

memory/1984-95-0x0000000002440000-0x0000000002794000-memory.dmp

memory/1984-78-0x0000000002440000-0x0000000002794000-memory.dmp

memory/2912-77-0x000000013F270000-0x000000013F5C4000-memory.dmp

C:\Windows\system\xJrTfZK.exe

MD5 dac460e7570b4e722974a9e9528580b0
SHA1 13d9a0c59ef87874120d9591f7c1583390cbc807
SHA256 b79747208bd7d2ce13d244b83446b5f52bc76bc1fe2ec0ee80fa1c4307931c18
SHA512 015f5a38666b8cd897aa3ec5157860e4d40a08618219b61a0796634ec48e4641b7dc642ff6340234973bbe438f3cf355b939bd86be84ddc318f7ea623fef0002

memory/1356-84-0x000000013FC40000-0x000000013FF94000-memory.dmp

C:\Windows\system\ANHofLM.exe

MD5 764a81c5dc9a890dfbf1dca4dc603729
SHA1 5022f5f67a089f6c0fd9ffd0816e3f412f71f80b
SHA256 53d942ea337fef3d832c2cf10915323fee4ce5bdbb0e4ddfb93733a542294349
SHA512 396fd14a6afb1fd4767238e6903abbd9e002abc45eb2c12d4b6345a24e86a19f6b263e86b9d446cb6bda55d88c5bbb2611242a44ae7d6768bbff4818f7d53a9c

memory/1984-71-0x000000013F270000-0x000000013F5C4000-memory.dmp

C:\Windows\system\uiGiUxh.exe

MD5 8c531b0dcd171ffc991f2e2312f51d2e
SHA1 89f73bd4b3a19a155d825edec277aefa2de336ee
SHA256 ef37e14cdd80db96b4a4fdba3fc1b5d6b2697d2f625b3e0678a2cf62f389fd75
SHA512 b6d9fc197c4b38acd5751380f2452ce77bbfb9fa8e58fe34833ca9468195502658e48344ab19cc9d0d2e214185e9eeb5fb7886ee1f4a49798da87b1173ea37a8

memory/2428-65-0x000000013F660000-0x000000013F9B4000-memory.dmp

memory/1984-64-0x000000013F100000-0x000000013F454000-memory.dmp

memory/1984-63-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2524-51-0x000000013F570000-0x000000013F8C4000-memory.dmp

C:\Windows\system\CYXzbAc.exe

MD5 dc0a94eaf1bca21ffb15febc1f15ef55
SHA1 fc4d6c637075d64e386489ce99c052f38e01eb59
SHA256 c3b609e2f24b547f24d9ceceeeb78d4b968180a9e5db097f669bbba4ea0b55af
SHA512 c4f5bb7817fcbb94484621de05cce06c972a530a45f2ea96f7f683cbd4cdc0468bc8ced9ca0b231b2d77d7b77b6b2f798aa4fd4f155da20919d91e20eae91d85

memory/1984-47-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/1984-24-0x0000000002440000-0x0000000002794000-memory.dmp

memory/1984-20-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2584-42-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/2516-41-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2588-34-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/1984-30-0x0000000002440000-0x0000000002794000-memory.dmp

C:\Windows\system\rZrJwOZ.exe

MD5 ff5e3f1f47ed732e045ec4845aa67984
SHA1 a87ef7421b17b26b50c98e1c1c14a35b1e03a127
SHA256 ba65667d5bb0c3c619c3cebf8fdda08e915513db94da09997aff91a2eb99fa7e
SHA512 e54cfc6286fb7b703e718113db05a7cc72a3749eca9f9026df1a4afbb1dac0c690dae1010fadf6e5ccc919e0c798a2073ecc94fd2ac0540d1aa6a9e2467d786b

memory/1984-28-0x000000013F340000-0x000000013F694000-memory.dmp

memory/1984-27-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/3044-15-0x000000013F100000-0x000000013F454000-memory.dmp

memory/1984-11-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2348-138-0x000000013F670000-0x000000013F9C4000-memory.dmp

C:\Windows\system\LosdpiY.exe

MD5 4269671564194ae52627ee0884990d8b
SHA1 56dde78423e7b6b41fc7eb8589341d1013ae006d
SHA256 2cf747115782882e6e42a9bb97a714d04766c6b8b5a7b76a766c71ba588f2e27
SHA512 33cf6bf4528bbfc4c5901b99fcf9fe5b0447c82bd856f592ea4fbeeefd7e75a5c13887dbb3ea69da5df3bf9a021d3293f4618f4416c2c91cdfa4b92e78a31d44

memory/1984-139-0x000000013F6F0000-0x000000013FA44000-memory.dmp

memory/1984-140-0x0000000002440000-0x0000000002794000-memory.dmp

memory/640-141-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/1356-142-0x000000013FC40000-0x000000013FF94000-memory.dmp

memory/2692-143-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/3044-144-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2588-145-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2912-146-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2620-147-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2516-148-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2584-149-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/2524-150-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2348-151-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/2428-152-0x000000013F660000-0x000000013F9B4000-memory.dmp

memory/2820-153-0x000000013F6F0000-0x000000013FA44000-memory.dmp

memory/640-155-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/1356-154-0x000000013FC40000-0x000000013FF94000-memory.dmp

memory/2664-156-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2692-157-0x000000013F930000-0x000000013FC84000-memory.dmp
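The Files list above mixes two kinds of entry: dropped executables, each followed by MD5, SHA1, SHA256 and SHA512, and memory dumps named memory/<pid>-<sequence>-<start>-<end>-memory.dmp. The script below is an added example, not from the report or the sandbox vendor; it parses a subset of those entries copied verbatim (blank separator lines omitted), builds a hash set for blocklisting or SIEM lookups, and derives each dumped region's size from its address range. Two things the raw list does not make obvious: every region dumped from a child is 0x354000 bytes, the parent (PID 1984) maps a second region of exactly that size at 0x2440000, and several of the parent's own dumps (for example 1984-11 and 1984-20) sit at the same base addresses as the children's image regions, which is where to look at what was written into each child rather than at the write-event count. The hash regexes, the path heuristic and the directory-scan helper are assumptions of this example, not sandbox features.

```python
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample: a subset of the Files entries above, copied in the report's own
# layout (a dropped path followed by its hashes; dumps as memory/<pid>-<seq>-<start>-<end>-memory.dmp).
FILES_SECTION = r"""
memory/1984-0-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/1984-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\vmyXzRf.exe
MD5 9c5d32c4afc1843e52b82ebb7e9649e1
SHA1 47fcde724542a6c741ea1efcba5661220b6f0883
SHA256 eef194d431eb488b5ef87ae1228c290ad61b4a44b76ed0f98790cd14400014d6
SHA512 1fb9d100536ff158fd560cb794f1fe1187acb61e3fb01baa2dcd723cee5ab0ef9b5f83b4897a8566350a5eb80ba13950905e42b825a91fe7b97e294420d091ce
C:\Windows\system\OTEuVUz.exe
MD5 93601547a84534600b3005f8985281a5
SHA1 3acd3c8cf38e0614fd4c69579e1bcf8f4522b8db
SHA256 e6d879a078fb7608f948817667060f20c1d4c0155f343cd98ae6d02dd34acda4
SHA512 75963bf81952a33478ef6f6fa39057e0f6da644c3a235bd426f8a16953381d0691ce5f27e09aa11c4fd86252a314c93d98b2b3a1f1365e7b714f28607d4ceadf
memory/2620-36-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2912-25-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/1984-107-0x0000000002440000-0x0000000002794000-memory.dmp
memory/1984-20-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/3044-15-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1984-11-0x000000013F100000-0x000000013F454000-memory.dmp
C:\Windows\system\LosdpiY.exe
MD5 4269671564194ae52627ee0884990d8b
SHA1 56dde78423e7b6b41fc7eb8589341d1013ae006d
SHA256 2cf747115782882e6e42a9bb97a714d04766c6b8b5a7b76a766c71ba588f2e27
SHA512 33cf6bf4528bbfc4c5901b99fcf9fe5b0447c82bd856f592ea4fbeeefd7e75a5c13887dbb3ea69da5df3bf9a021d3293f4618f4416c2c91cdfa4b92e78a31d44
"""

DUMP_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512) (?P<hex>[0-9A-Fa-f]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # reject truncated hashes


def parse_files(text):
    """Split a Files section into ({path: {algo: hex}}, [dump dicts with computed size])."""
    drops, dumps, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := DUMP_RE.match(line):
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "start": start, "end": end, "size": end - start})
        elif m := HASH_RE.match(line):
            algo, hx = m["algo"], m["hex"].lower()
            if current is not None and len(hx) == HEX_LEN[algo]:
                drops[current][algo.lower()] = hx
        else:
            current = line  # any other line is a dropped-file path; following hashes belong to it
            drops.setdefault(current, {})
    return drops, dumps


def hash_set(drops, algo="sha256"):
    """All hashes of one algorithm, ready for a blocklist or SIEM lookup."""
    return {h[algo] for h in drops.values() if algo in h}


def region_sizes(dumps):
    """{size: [(pid, seq), ...]} so identically sized regions stand out."""
    by_size = defaultdict(list)
    for d in dumps:
        by_size[d["size"]].append((d["pid"], d["seq"]))
    return dict(by_size)


def shared_bases(dumps):
    """{start: sorted PIDs} for base addresses dumped from more than one process."""
    by_base = defaultdict(set)
    for d in dumps:
        by_base[d["start"]].add(d["pid"])
    return {b: sorted(p) for b, p in by_base.items() if len(p) > 1}


def scan_directory(root, sha256s):
    """Hunting helper (assumption, not a sandbox feature): files under root whose SHA-256 is in the set."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and hashlib.sha256(p.read_bytes()).hexdigest() in sha256s:
            hits.append(p)
    return hits


if __name__ == "__main__":
    drops, dumps = parse_files(FILES_SECTION)
    print(f"{len(drops)} dropped files, {len(hash_set(drops))} SHA-256 IOCs")
    for size, regions in sorted(region_sizes(dumps).items()):
        print(f"region size 0x{size:X}: {regions}")
    for base, pids in sorted(shared_bases(dumps).items()):
        print(f"base 0x{base:X} dumped from PIDs {pids}")
```

Point scan_directory at C:\Windows\System on a suspect host to check for these exact copies; because every copy in this report carries different hashes, treat a miss as inconclusive and fall back to the name pattern and the 0x354000-byte image size from region_sizes.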