Malware Analysis Report

2024-10-16 03:10

Sample ID 240609-ta4nnscb3x
Target 2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike
SHA256 41c13b1f50c3f339f302ebe3d44ec01dde56b4ce95730f1b6992aa25e616ca40
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

41c13b1f50c3f339f302ebe3d44ec01dde56b4ce95730f1b6992aa25e616ca40

Threat Level: Known bad

The file 2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

Xmrig family

xmrig

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobaltstrike family

Cobaltstrike

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 15:52

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 15:52

Reported

2024-06-09 15:55

Platform

win7-20240508-en

Max time kernel

137s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\qouaAeE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QiILWhM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dORBaEY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dLsfdKO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hLkcpiM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xpgTDll.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eGTLXts.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OPGGvqH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ulxezRu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sUfzTZf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YraLmst.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iTJKLjH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EneNKbd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yCDeRtO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gprOgTA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TSeAxSb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IYydmjq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TdjuLCy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qRHbzHl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mCpuqNl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oCcQSJL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\yCDeRtO.exe
PID 1688 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\xpgTDll.exe
PID 1688 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\qRHbzHl.exe
PID 1688 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\mCpuqNl.exe
PID 1688 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGTLXts.exe
PID 1688 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\OPGGvqH.exe
PID 1688 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\gprOgTA.exe
PID 1688 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\oCcQSJL.exe
PID 1688 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\ulxezRu.exe
PID 1688 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\qouaAeE.exe
PID 1688 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\IYydmjq.exe
PID 1688 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\QiILWhM.exe
PID 1688 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\TSeAxSb.exe
PID 1688 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\iTJKLjH.exe
PID 1688 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\sUfzTZf.exe
PID 1688 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\EneNKbd.exe
PID 1688 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\dORBaEY.exe
PID 1688 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\dLsfdKO.exe
PID 1688 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\TdjuLCy.exe
PID 1688 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\YraLmst.exe
PID 1688 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\hLkcpiM.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\yCDeRtO.exe

C:\Windows\System\yCDeRtO.exe

C:\Windows\System\xpgTDll.exe

C:\Windows\System\xpgTDll.exe

C:\Windows\System\qRHbzHl.exe

C:\Windows\System\qRHbzHl.exe

C:\Windows\System\mCpuqNl.exe

C:\Windows\System\mCpuqNl.exe

C:\Windows\System\eGTLXts.exe

C:\Windows\System\eGTLXts.exe

C:\Windows\System\OPGGvqH.exe

C:\Windows\System\OPGGvqH.exe

C:\Windows\System\gprOgTA.exe

C:\Windows\System\gprOgTA.exe

C:\Windows\System\oCcQSJL.exe

C:\Windows\System\oCcQSJL.exe

C:\Windows\System\ulxezRu.exe

C:\Windows\System\ulxezRu.exe

C:\Windows\System\qouaAeE.exe

C:\Windows\System\qouaAeE.exe

C:\Windows\System\IYydmjq.exe

C:\Windows\System\IYydmjq.exe

C:\Windows\System\QiILWhM.exe

C:\Windows\System\QiILWhM.exe

C:\Windows\System\TSeAxSb.exe

C:\Windows\System\TSeAxSb.exe

C:\Windows\System\iTJKLjH.exe

C:\Windows\System\iTJKLjH.exe

C:\Windows\System\sUfzTZf.exe

C:\Windows\System\sUfzTZf.exe

C:\Windows\System\EneNKbd.exe

C:\Windows\System\EneNKbd.exe

C:\Windows\System\dORBaEY.exe

C:\Windows\System\dORBaEY.exe

C:\Windows\System\dLsfdKO.exe

C:\Windows\System\dLsfdKO.exe

C:\Windows\System\TdjuLCy.exe

C:\Windows\System\TdjuLCy.exe

C:\Windows\System\YraLmst.exe

C:\Windows\System\YraLmst.exe

C:\Windows\System\hLkcpiM.exe

C:\Windows\System\hLkcpiM.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/1688-0-0x000000013F5D0000-0x000000013F924000-memory.dmp

memory/1688-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\yCDeRtO.exe

MD5 f05c3e3579eaefab1efeedc9b56e08cc
SHA1 9722c2551205a9040e752215c8c4f4b35a67a652
SHA256 48a310b91492729e1aa25bb78da6e81147c1ca2dec22949f76ede2bfea3e02a1
SHA512 181f7d4f81d4beac3834111291a4c4eacbf7df83655424f5b83866e2a825f34f3f03556293148468361016c3d495d755f1a319c2aecc98f29ad03ea1d50644ff

C:\Windows\system\qRHbzHl.exe

MD5 f0a4c6e3d02d05c4f764a78fbd82aa9b
SHA1 92adf3865d6b86116a1ebb8b8327931e4c5b33b4
SHA256 b1f59402f49f3ba7daa448d327f48990d43e66460e331479b9c2c264a09e0190
SHA512 6eac23032800098027cd23cabe8ca0f30cb9949a94bba43abc6859d95f91199d701752742cf8ceabd7967329d9d34d15738d8754e16325f211a421dbb69726dc

memory/2616-21-0x000000013FBD0000-0x000000013FF24000-memory.dmp

\Windows\system\eGTLXts.exe

MD5 53fb838e431b817a5ac918f6c8fb3632
SHA1 9700d777726e234cd3641aecf51f373c10b1e3e9
SHA256 a2fe99a4b2b27eaa629e57402cf56262ba0a4ceee3de502b5a144de4ee4f898d
SHA512 bfbbfb8315871dd23e3c96487e87bf5216fe1a6813938ab38bfc3129ddb50ec932a8c5e8754152fb9f969d3af01c53781684e041f063bfc268431f52a30f70b9

memory/1688-26-0x000000013FBD0000-0x000000013FF24000-memory.dmp

C:\Windows\system\mCpuqNl.exe

MD5 b8cb0f6fdd4385e04865b122d56b8847
SHA1 cf4b5f3f2ac56dfd8083cebd6d7502e88907f03a
SHA256 022e7579b63e40c7fb997d4d2f1e95cd724a568163dbc1fc615377c18225afdb
SHA512 d16a6d3333548fee61e1b454abcd9fdf873298caee0552b4e6ced10c10e083b9ccad04bb5a12bdc7150ebf0e2426a20439722048e73de74fdf5a3a9e07c930dc

\Windows\system\mCpuqNl.exe

MD5 007fbbe519b8a25a7d9c8d86f81af200
SHA1 8caca67be52577a657bbe9605f093b41b609d78f
SHA256 21af0194a7fa89968abeb429bac5fe8152a1f0a83cfb9f2f7580d122e4fd4c8c
SHA512 136201c3a5243b8bfcf80147a2d03a74b0b99a35be184a1835b47808dd31503e129c3d4fbfb7e72d99422c12965af7e18c25d3d07c113b12434d0d8d6e181e57

memory/1688-22-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/1872-20-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2028-18-0x000000013F320000-0x000000013F674000-memory.dmp

memory/1688-12-0x0000000002330000-0x0000000002684000-memory.dmp

memory/2668-33-0x000000013F740000-0x000000013FA94000-memory.dmp

C:\Windows\system\OPGGvqH.exe

MD5 41f546b7f0e3fdac4d9524b9a81587fe
SHA1 02c93d56fb62f53204631b89eddbc2493cb4e37d
SHA256 0777c0e4a780b2cf2a026c2e10e682bac19682a068b7886642811bb734b3980c
SHA512 9062de0244ebc5d7923ad9d7db7de51bb0597fa83a3b3f6e00859c31edb9e8dfe0a005fbd787120283f9b2aeca632e5ac66ef596ea346d494e3887fcf7d7712a

memory/1688-42-0x0000000002330000-0x0000000002684000-memory.dmp

memory/1688-40-0x0000000002330000-0x0000000002684000-memory.dmp

\Windows\system\gprOgTA.exe

MD5 19ba58b6626e9ce42f5e0a324b6ade73
SHA1 ca8da14dabb6a03dc48841971144dc583d18e404
SHA256 c5694061f5fa41b2cee55606b3551c29850e74f4c644c1e9ca270f95ce4329d0
SHA512 18ac3e3352f974068022d0fbde1f8174e16e69e5382a723e389442dd89d7fdb20aa7e741f0f415b26756781c412d29f6fb525ffdc7a37d2b0e8650521b17ad5e

memory/2652-44-0x000000013F7E0000-0x000000013FB34000-memory.dmp

memory/1688-43-0x0000000002330000-0x0000000002684000-memory.dmp

memory/2748-38-0x000000013F760000-0x000000013FAB4000-memory.dmp

C:\Windows\system\xpgTDll.exe

MD5 f265580d3e7271569b1ba835520cd149
SHA1 68db4fae3d7b4863c9c72e9023beb87581fe2a59
SHA256 50da8cceb6b91d5bfca105a8c0609b2609128c1f179ee16bc32094c086c9a666
SHA512 b91cd932804facb8c4340f2278af32df1801dd6bef8dd1aeb43f1c084ad977717ade42129e3e88a1f9058d9b6af6bd363ae4add9b59b7f7a623ba7395bc8faba

C:\Windows\system\oCcQSJL.exe

MD5 e86c90187ad4a57cf1b3a5c9358ad123
SHA1 ee532b9ab56ab80d28dc6f4c1bd167d267975c4d
SHA256 f5113e894512931289068231c90ad17522619495a62243f03fe4a8d6ddc4bb5c
SHA512 cab337b1841ce5c7548426a9982dbb7e8c7b413512375c38efb9119b05a490702e201516eab286bfb7d9a57369d5e32e3f8f2155a1c12db36312ae89f664b8df

memory/2636-56-0x000000013FF70000-0x00000001402C4000-memory.dmp

C:\Windows\system\qouaAeE.exe

MD5 edec9e573ff6af17f405c7f89ece9c75
SHA1 4894e6a78deb59ef9378ece87e7a1b3acf611ad1
SHA256 0438abd88b5f30f621dee9fb6599ee158fcffac3d3efe2670de18bd8abc6e690
SHA512 aee4cfe2e258aebf95df1626e1760b8c91e31782cfbeab2c3883a439f961b064eb8d95b4086ecb2c56dc66320b18eb388061a4a219e202199ce67e5bbc7b604e

memory/2948-69-0x000000013FBB0000-0x000000013FF04000-memory.dmp

\Windows\system\IYydmjq.exe

MD5 eb9aecb34dda9d0ef47b4083674b2156
SHA1 00492bccc45c5ee019fdffbf849f77aacb1608f1
SHA256 785f822bc38a64ee15bf63852491b87eb091a7fe14a632f44273e40489ca6a99
SHA512 d0376560921d291dc01e877a1158ed38655b9725279ac89f409342ff98cf31d93b8fb4dfcb600f14808c2672aab6c260c54ae140f77655a86982976aeb818ff1

memory/1252-78-0x000000013F640000-0x000000013F994000-memory.dmp

memory/1688-77-0x0000000002330000-0x0000000002684000-memory.dmp

memory/1688-76-0x000000013F5D0000-0x000000013F924000-memory.dmp

C:\Windows\system\QiILWhM.exe

MD5 f75564539a83b376903c5ecfa5901e06
SHA1 860909f2131254f5457375c9de8cb6e8e7533a93
SHA256 a25c9e54e4ac4fb130d0aaa541a8a5b2dedfb1d619c1e147022de971b177da82
SHA512 d714b2231a9eda4a9f476c29532e558ef6354d4c3b2a94db233eac1109e70cc17fff62ea890eb23a55dae53b722fad41b241ad0f437f20912c6925b0f568206c

memory/2668-85-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2412-88-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/1688-87-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2748-86-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/1688-84-0x000000013FBD0000-0x000000013FF24000-memory.dmp

\Windows\system\QiILWhM.exe

MD5 08335df7103abc2469c627c6ab490b75
SHA1 663318a93774d93d6095a04cf5494b48eb7d64be
SHA256 58df3e0732ea3099d265f1cebcc12671ec8cd599b805e002740e15fb8f518f08
SHA512 8f7208f2a7c23589362de25aa76773ad075a6272ad2246f1bcd66d82f26b8b4ae6a99af20bcf359a45f35c2492e458ab92be86502fcd38ae1b4f2c4222058ff7

memory/2540-61-0x000000013F500000-0x000000013F854000-memory.dmp

memory/1688-68-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/1688-55-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2760-49-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/1688-111-0x000000013F020000-0x000000013F374000-memory.dmp

C:\Windows\system\sUfzTZf.exe

MD5 c90d608fd7c1070c4f3c8638c6d954be
SHA1 159205bfd06d6c8f031165fa57addb113562e8d7
SHA256 73e92f22a97bc74dc99692ac6accfc66c1ab29220bfa97f7b49d66991fc6801f
SHA512 3f48b113ae7193dd4271ab3d33f4c6fd28d0d34cbcc851818e6c509eab0a9a64239893a8bf6c5de26b5a3c93229fdc6e6fe5f1be64e6a73b6dbb37e1f7b7e138

\Windows\system\dORBaEY.exe

MD5 0efe2132089d67be19e319bd8ab99dcc
SHA1 99764cb9f025284f205d1b7bdd84340af4a9e736
SHA256 344357a886efa1dfd12e31852ad53c80234701fba86d3c04cabf7c80bcc5eea4
SHA512 d3f35db5f79cb21aa9eed92136d5194226e61d85ce5ce3a43c7de01f8ca5a3a1f843a3b9bfc1a9ad45571fc73d9f11f63855d195b720149c10eaae943330fd2c

memory/2708-104-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/1508-100-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

C:\Windows\system\iTJKLjH.exe

MD5 5e2fd070ce2d434f6b165e8ddbea2852
SHA1 0bc86e5f6bd589cdbf40e8c2a5467c2e1874e0aa
SHA256 b45751a385242bdf1e09aaa03f8a342a23dceff7d17d43ecb42330eaa494af6b
SHA512 2c85b93d297501ea5aa15c7ce4eea1113477cc3a906400328069cc1ad1c379c05b2eea314bb7001feb6b9a998618a7d56c6b688bed8f3886e730ec88f1de0d32

memory/1688-110-0x000000013FD10000-0x0000000140064000-memory.dmp

C:\Windows\system\EneNKbd.exe

MD5 e3596ba790245ff6536ce113764f2a0e
SHA1 258b30eb9817179eed053ecb59efcde544ebb787
SHA256 b4e2e4a941414489e78eff1755014e7e68ade8bb2b056d581c865122496361c6
SHA512 798106118b0872624521ecda29e50a4883eff782aefe2a4f1cd4af1b85173c79d484748950dbc5f1e617e5b3cee8aaf392391eff7f0e39301e8efe3893d73546

memory/1688-97-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

\Windows\system\TSeAxSb.exe

MD5 847ab44b35baa66ae495daf4f0cc00a5
SHA1 1b672ccb0826201a9a455254ad06eae895c2fe9e
SHA256 6b529fc282b65328c7b037fa98c41299e48b3cc384486b794148e3183bacdbc6
SHA512 fde6bffbb7d14aae20dd39fe8b0bc8de03405e703835ce3846d0a3360da0418b0e8573ad559b3ec3f81bfcdc5e750406ca6eb13dc9d9e73678cc108bdc4bc821

C:\Windows\system\dLsfdKO.exe

MD5 7b72a9a33d81f808dffcb90db9d722de
SHA1 e620e4c24c5f6463144735081b9bf7cde1bdeeb0
SHA256 5c79b833c0ee69bb59477b5960b0482cb584f737679fea7ada893f7a4b8eb74c
SHA512 5f40bf86324f82c47b3e3e3e77779446b9a72ae4e44784cf116b7b3fcd03a0324f1d4a4b846e17cacf03adfe4d7eb3c93ea71ca3c8e667ac7d5839b9fcff3031

C:\Windows\system\hLkcpiM.exe

MD5 7577b6effbc6d17a5a97e756ac2ea7a8
SHA1 f14ea7f89401a2203377068fe6797f642acefd13
SHA256 1b43fef364d745dd7b93c5df9acdd60da10243b58663b7a4e5cf422a855c433f
SHA512 51145969e46d0821371b88992ae25d542ae62a647d80433891f6d02d97c1fb70431ec8c9dedabcb58047f1d32e00747c51d277513a0052d1698e1eba481ff9aa

\Windows\system\TdjuLCy.exe

MD5 8d646e924fd0d1b8f2b6032bf921c68b
SHA1 77143c80f89669f1e640229b6197871994aedd23
SHA256 e35136f6ac4e5d25610db8b767a0f545fd9fe553bb2b7afaf2ded18cac30d498
SHA512 ec7c5a3e370172a6cb8c08d4d14c7c9dfcb67c2875d66b2b75ccefa87b0e450630c685404597ccd6d097f7b105f7bdc76ee9b759b8cea8acda23d945bc5149c3

memory/2760-138-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/2636-139-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/1688-140-0x0000000002330000-0x0000000002684000-memory.dmp

memory/2540-141-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2948-142-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/1688-143-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2708-145-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/1688-144-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/1688-147-0x000000013F020000-0x000000013F374000-memory.dmp

memory/1688-146-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/1872-149-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2616-150-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2668-151-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2028-148-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2748-152-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2652-153-0x000000013F7E0000-0x000000013FB34000-memory.dmp

memory/2760-154-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/2540-155-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2636-156-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2948-157-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/1252-158-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2412-159-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/1508-160-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2708-161-0x000000013FD10000-0x0000000140064000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 15:52

Reported

2024-06-09 15:55

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(13 rows, every field N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(13 rows, every field N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(64 rows, every field N/A)

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows, every field N/A)

UPX packed file

upx
Description Indicator Process Target
(64 rows, every field N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QPtLyTH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mvaRACG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qEZVomD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JoxfLbi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uQKEcEU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mjJFoRX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KYUqiUX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MbxCvwh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KnTJhVz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ItmoEBA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eIyAzhW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rhGMgsd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DoGYQwU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YiReKQn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HCqdBzv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jKjfNVu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gixRZmW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qYFznZy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vMxbiNO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wOjUWRQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CWLDtzs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege is the privilege needed to allocate large pages. XMRig requests it to back its hashing scratchpad with large pages, and few other user-mode programs ask for it, so this row corroborates the miner tag independently of the payload signature.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4608 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\rhGMgsd.exe
PID 4608 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\rhGMgsd.exe
PID 4608 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\QPtLyTH.exe
PID 4608 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\QPtLyTH.exe
PID 4608 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\gixRZmW.exe
PID 4608 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\gixRZmW.exe
PID 4608 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\mvaRACG.exe
PID 4608 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\mvaRACG.exe
PID 4608 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\qEZVomD.exe
PID 4608 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\qEZVomD.exe
PID 4608 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\JoxfLbi.exe
PID 4608 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\JoxfLbi.exe
PID 4608 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\MbxCvwh.exe
PID 4608 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\MbxCvwh.exe
PID 4608 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\DoGYQwU.exe
PID 4608 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\DoGYQwU.exe
PID 4608 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\qYFznZy.exe
PID 4608 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\qYFznZy.exe
PID 4608 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\KnTJhVz.exe
PID 4608 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\KnTJhVz.exe
PID 4608 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\ItmoEBA.exe
PID 4608 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\ItmoEBA.exe
PID 4608 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\YiReKQn.exe
PID 4608 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\YiReKQn.exe
PID 4608 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\HCqdBzv.exe
PID 4608 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\HCqdBzv.exe
PID 4608 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\eIyAzhW.exe
PID 4608 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\eIyAzhW.exe
PID 4608 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\uQKEcEU.exe
PID 4608 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\uQKEcEU.exe
PID 4608 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\mjJFoRX.exe
PID 4608 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\mjJFoRX.exe
PID 4608 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\vMxbiNO.exe
PID 4608 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\vMxbiNO.exe
PID 4608 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\jKjfNVu.exe
PID 4608 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\jKjfNVu.exe
PID 4608 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\wOjUWRQ.exe
PID 4608 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\wOjUWRQ.exe
PID 4608 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\CWLDtzs.exe
PID 4608 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\CWLDtzs.exe
PID 4608 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\KYUqiUX.exe
PID 4608 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe C:\Windows\System\KYUqiUX.exe
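The two tables above read as one chain: the sample writes 21 randomly named executables into C:\Windows\System and then appears, for each of them, as the process writing into the new child's memory (two rows per child). The Python below is an added example, not part of the report or of any sandbox tooling; it parses a subset of those rows, copied from this page, into that drop-then-execute chain and flags the naming pattern. It assumes the plain-text "Description Indicator Process Target" row layout used here and that none of the paths contain spaces (true for every row above).

```python
import re

# The dropper's own path, copied from the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe")

# Constructed input: a subset of the rows from the two tables above, in the
# same "Description Indicator Process Target" layout.
DROP_ROWS = [
    r"File created C:\Windows\System\QPtLyTH.exe " + SAMPLE + " N/A",
    r"File created C:\Windows\System\rhGMgsd.exe " + SAMPLE + " N/A",
    r"File created C:\Windows\System\gixRZmW.exe " + SAMPLE + " N/A",
    r"File created C:\Windows\System\CWLDtzs.exe " + SAMPLE + " N/A",
]
WPM_ROWS = [
    "PID 4608 wrote to memory of 2796 N/A " + SAMPLE + r" C:\Windows\System\rhGMgsd.exe",
    "PID 4608 wrote to memory of 2796 N/A " + SAMPLE + r" C:\Windows\System\rhGMgsd.exe",
    "PID 4608 wrote to memory of 4912 N/A " + SAMPLE + r" C:\Windows\System\QPtLyTH.exe",
    "PID 4608 wrote to memory of 4912 N/A " + SAMPLE + r" C:\Windows\System\QPtLyTH.exe",
    "PID 4608 wrote to memory of 3636 N/A " + SAMPLE + r" C:\Windows\System\gixRZmW.exe",
    "PID 4608 wrote to memory of 3636 N/A " + SAMPLE + r" C:\Windows\System\gixRZmW.exe",
]

DROP_RE = re.compile(r"^File created (\S+) (\S+) (\S+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")
# Seven mixed-case letters directly under C:\Windows\System: the pattern every drop above follows.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_drops(rows):
    """Map each dropped path to the process that created it."""
    drops = {}
    for row in rows:
        m = DROP_RE.match(row)
        if m:
            target, creator, _ = m.groups()
            drops[target] = creator
    return drops


def parse_writes(rows):
    """Map each written-to child PID to (writer PID, child image, number of write rows)."""
    writes = {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        writer, child, _indicator, _process, target = m.groups()
        writer, child = int(writer), int(child)
        prev = writes.get(child)
        writes[child] = (writer, target, 1 if prev is None else prev[2] + 1)
    return writes


def dropped_and_executed(drops, writes):
    """Child PIDs whose image is a file the dropper itself created."""
    return {child: target for child, (_writer, target, _n) in writes.items() if target in drops}


def dropped_not_executed(drops, writes):
    """Dropped files that never appear as a write target (not launched within the run)."""
    launched = {target for _writer, target, _n in writes.values()}
    return sorted(set(drops) - launched)


def randomized_names(paths):
    """Paths that match the random seven-letter naming scheme."""
    return [p for p in paths if RANDOM_NAME_RE.match(p)]


if __name__ == "__main__":
    drops = parse_drops(DROP_ROWS)
    writes = parse_writes(WPM_ROWS)
    for child, target in dropped_and_executed(drops, writes).items():
        creator = drops[target].rsplit("\\", 1)[-1]
        print(f"PID {child}: {target} (dropped by {creator})")
    print("dropped but not launched:", dropped_not_executed(drops, writes))
    print("random-named drops:", len(randomized_names(drops)))
```

Run against the full tables, the correlation yields all 21 drops as launched children of PID 4608, each with exactly two write rows; a file that is dropped but never written to (CWLDtzs.exe in the subset above) is the kind of gap worth checking against the process list before calling a sample fully detonated.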

Processes

Image Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\rhGMgsd.exe C:\Windows\System\rhGMgsd.exe
C:\Windows\System\QPtLyTH.exe C:\Windows\System\QPtLyTH.exe
C:\Windows\System\gixRZmW.exe C:\Windows\System\gixRZmW.exe
C:\Windows\System\mvaRACG.exe C:\Windows\System\mvaRACG.exe
C:\Windows\System\qEZVomD.exe C:\Windows\System\qEZVomD.exe
C:\Windows\System\JoxfLbi.exe C:\Windows\System\JoxfLbi.exe
C:\Windows\System\MbxCvwh.exe C:\Windows\System\MbxCvwh.exe
C:\Windows\System\DoGYQwU.exe C:\Windows\System\DoGYQwU.exe
C:\Windows\System\qYFznZy.exe C:\Windows\System\qYFznZy.exe
C:\Windows\System\KnTJhVz.exe C:\Windows\System\KnTJhVz.exe
C:\Windows\System\ItmoEBA.exe C:\Windows\System\ItmoEBA.exe
C:\Windows\System\YiReKQn.exe C:\Windows\System\YiReKQn.exe
C:\Windows\System\HCqdBzv.exe C:\Windows\System\HCqdBzv.exe
C:\Windows\System\eIyAzhW.exe C:\Windows\System\eIyAzhW.exe
C:\Windows\System\uQKEcEU.exe C:\Windows\System\uQKEcEU.exe
C:\Windows\System\mjJFoRX.exe C:\Windows\System\mjJFoRX.exe
C:\Windows\System\vMxbiNO.exe C:\Windows\System\vMxbiNO.exe
C:\Windows\System\jKjfNVu.exe C:\Windows\System\jKjfNVu.exe
C:\Windows\System\wOjUWRQ.exe C:\Windows\System\wOjUWRQ.exe
C:\Windows\System\CWLDtzs.exe C:\Windows\System\CWLDtzs.exe
C:\Windows\System\KYUqiUX.exe C:\Windows\System\KYUqiUX.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

The UDP rows are all reverse (in-addr.arpa) lookups sent to 8.8.8.8; the only other traffic is the six TCP rows to 3.120.209.58:8080, with no domain attached. The report records the connection but not what was exchanged on it, so treat the address and port as a pivot for hunting rather than as a confirmed command-and-control endpoint.

Files

memory/4608-0-0x00007FF690C00000-0x00007FF690F54000-memory.dmp

memory/4608-1-0x000002AA85F40000-0x000002AA85F50000-memory.dmp

C:\Windows\System\rhGMgsd.exe

MD5 87475ad902de0e99f2619a314be51c9f
SHA1 64dd0568e587467b35cf984d2749b75223046d7d
SHA256 d7c8d76df5fa4fcc3e98d45b98d65b39e9eb60c1b75e6cbaeb6b6c0e2bfb9f54
SHA512 d13c2320cb6c080d016a1694310fc47a91a00a585688bbe2f1402f833b29ad2b576aff6597eebec5506974c2f18116ea4a970c43ccd8cd71df1eb1535b9d2501

memory/2796-8-0x00007FF799220000-0x00007FF799574000-memory.dmp

C:\Windows\System\QPtLyTH.exe

MD5 197176af98dd8937518663a18bfcf6e2
SHA1 895861a731ad5dc5f14eaafe08fdbb830a837f7a
SHA256 53c963f3dad7110e7628a42a4f995a9c988e7c3b59f79a12e85a394754469755
SHA512 c3e017cc2389c926df08572e1903314d6cc968f04faed609eccd9eeef577056aa931d4baa435796038f8acf615968f5ac6b76fc5e9405ccb29c34879f4000005

C:\Windows\System\gixRZmW.exe

MD5 25e0a244f32fad028b6f8cee4f7289e2
SHA1 4e1f98dff6e41a209d43a26034230717ec902742
SHA256 923fe26d05cc99d83ce9153be38c3f7aa8e7128b9ec27a115c7130560b5c1cd5
SHA512 4468556fc5a3686d26874bc840d11752f9e390b49d00e58d5f3afea89b9d8ebbafd1cfaed559dc4965401cc41133f83fbbf59334f0f2545954b34008e7cdd951

memory/4912-14-0x00007FF6B5480000-0x00007FF6B57D4000-memory.dmp

C:\Windows\System\mvaRACG.exe

MD5 f9a6671976f2eb670616b2c454f62912
SHA1 641883856ce8fa000fa735497de137803b6458ed
SHA256 26a2a8e393ecc374d51adb749dbef1ef2a8583e88cc28f685a06ffc736d1dfdc
SHA512 2cfb1b693e6472a0ac464b7a7e0635cbdba68f37eba431c84012d9d8ad04632b5c5fd6b320396e56cc774bd36ebb141994ab131fe403d4f6da4950234774f259

memory/3636-22-0x00007FF786B50000-0x00007FF786EA4000-memory.dmp

memory/1984-27-0x00007FF68E840000-0x00007FF68EB94000-memory.dmp

C:\Windows\System\qEZVomD.exe

MD5 a7ef7caf104d09ef8a9388f296880c3c
SHA1 5e1b0e7ebecb30cbd4e6ddbebf4101fc23595f3e
SHA256 44f7de4021e2026ce9819b3b44d2e1529c6e736d182c5dc691b66f6a8172abdb
SHA512 fed356230f16a9bd41f8d7d82b87f336d39f0a3d691a5cc70dde54e53abe5f54beac02c4facc15971adbca9bbd52110e108828dde2594bcd580a953a436440d4

C:\Windows\System\JoxfLbi.exe

MD5 22d607cb9c24bd7a46aec5a736724aa7
SHA1 619dff0f32fe51860c9b27ff1d1093665a2fc8b3
SHA256 c577ea3a3078284c8b6c6fac505a22a125a3da7607762c84391468eb333fcc7f
SHA512 676af6d233a04f6b235755478d3f30fc89ff22802ead6eee3905fc8b6d9cf4e88ce632edc7596244e3ccf6cda4291a508f23b88ab5eefeb45c717e6165b4e9e4

memory/2132-30-0x00007FF62DC40000-0x00007FF62DF94000-memory.dmp

C:\Windows\System\MbxCvwh.exe

MD5 7a9ee83296db6e1ea58bede6be4cc0ae
SHA1 90cd2515ad0e17216c7600e8cab3a353fa8ecc6f
SHA256 2f2256565f2e8bb27dd87a7b2790d270970405445af27009ad409b394560e174
SHA512 9c832b2ab22bc138b566ffb19d581bb827726b3e4be021e04de78b11d827c46850e54f1f602c8fb0a73bd71d9bcd65ff1f79d6ae526e10f9c72e60e237546583

memory/640-36-0x00007FF7B7660000-0x00007FF7B79B4000-memory.dmp

memory/1940-44-0x00007FF6D1760000-0x00007FF6D1AB4000-memory.dmp

C:\Windows\System\DoGYQwU.exe

MD5 6bf286b9f20408b51f61b35f7d8d56a3
SHA1 512c7b5c93b54301e31f7aa375460591a1231d34
SHA256 497ab3e70c99c59683f0f305140f19d4e0203143a1f39f0150609d75a7f63bd5
SHA512 5bebd1e2b1f2db65a3cb9bd3b227dc9d8fd385c0527742ee6d7f80f7cc99cdab6be07e4efcc3e4cb5d39d88e6c0b3507c72fdf6b134ae28901e4fa756c96d2ef

memory/1380-51-0x00007FF660100000-0x00007FF660454000-memory.dmp

C:\Windows\System\qYFznZy.exe

MD5 a4b4fd208732cfdfd172a43dd8f92e12
SHA1 ecc167afec791ae567429430b4b3b2d419d94263
SHA256 21cffe1b63a16e62fafb33bff95da164065d3f9ac7ece4c88977a9b4b68e53cc
SHA512 4ca04bd73735433193352d69242bc18c73ffe759f441dcd196e07999b10ccded598f8421220dd81016ac8354314936bf3fc6ec6097a2c92b60d521887fa5e4ce

C:\Windows\System\qYFznZy.exe

MD5 87c493a6b81be5902fc5875fa2aecb98
SHA1 c44601c11508ea710b6ae8245ac85c15be95866b
SHA256 318e626f8e62df9cb49323a5029878aeb2413985d792fae91b8f2a8ec630b505
SHA512 a1bda353e94f6fc19d86c9495a4e3f5b6139076fc038036bf380359c32c58a90d8e4c5d0407b6cbda1be3074c8c3e9da69d4d82253bc46d491e40493aa27d270

memory/2472-56-0x00007FF7A88D0000-0x00007FF7A8C24000-memory.dmp

memory/2420-69-0x00007FF6AD270000-0x00007FF6AD5C4000-memory.dmp

C:\Windows\System\YiReKQn.exe

MD5 08335df7103abc2469c627c6ab490b75
SHA1 663318a93774d93d6095a04cf5494b48eb7d64be
SHA256 58df3e0732ea3099d265f1cebcc12671ec8cd599b805e002740e15fb8f518f08
SHA512 8f7208f2a7c23589362de25aa76773ad075a6272ad2246f1bcd66d82f26b8b4ae6a99af20bcf359a45f35c2492e458ab92be86502fcd38ae1b4f2c4222058ff7

C:\Windows\System\YiReKQn.exe

MD5 bd78e538b4df43d0f413c82bce32c2fc
SHA1 2f03d24540cc14d701b461630c502121437b6f9e
SHA256 d7237ed1f488fc3dc5d925d8921100e1c9e0e6ba7aeea1f13cbc0d2542ca5acb
SHA512 901b6d5e826619fa0245d80cb786904a536cb27fd58edc5b4df618e4c83ec2bfc3adee2576e5a94ecb1b1760bd7de5ecd52513c83d3afe76c5c8a32127f03e24

memory/3040-73-0x00007FF612060000-0x00007FF6123B4000-memory.dmp

C:\Windows\System\ItmoEBA.exe

MD5 b471ccaa37742c86c61ebdd2499b82d5
SHA1 21cd2f3129a154f879c7d6e86c9bf9ed02261545
SHA256 738c3d2a60b74bd2a7507e1e2237709679c496849c3b536533117ffccde95fa3
SHA512 a8ae7999e196da99dd00e4be6efde21d9a750ae3507b13bd183451d36bb50aa242c183e0a8d718680ccbcd9bb33ebbea4fdbaf1fe6a830c02b9788a22aba22a5

memory/4488-63-0x00007FF65FE40000-0x00007FF660194000-memory.dmp

memory/4608-62-0x00007FF690C00000-0x00007FF690F54000-memory.dmp

C:\Windows\System\KnTJhVz.exe

MD5 9e455e7102bb84e783afe18c42b50505
SHA1 a54be3eb91d39f751babfe971835c1b15d411c95
SHA256 d75a63d72e14b094d475e79bade403a3dae13ca7b635f6b88530364317b9fb59
SHA512 42c3b6c1a6ca5054a75a7c30f5ab2bf883b419dd307e839f73e514faa5697104779df6aedb3cdaa603b4871de4f90996bdb9c6e6cb30c97138bd515f2fd3fff1

C:\Windows\System\KnTJhVz.exe

MD5 83eda0227bfdf9548f649e964affc14b
SHA1 d3c2152e494e8256c82bd97106ccb9bd81e6a05b
SHA256 20953582709f779d8a6bdc1b67d78f8ab91fe4901b96f4cb0e5b710f5c76ffbf
SHA512 fe457f45e9eabe660dd62a9f2753fde3e1f0cd31fe659ae583e0141c64598f9938b6eb32a04d6c486f39d33871a796a6b476db70476a4af83218cfdbda070a9c

C:\Windows\System\HCqdBzv.exe

MD5 72a24ffcf585f314bf31bb25abce05b5
SHA1 777a71e1b2e482764d7730bc0a2eb8b5d4971ba3
SHA256 4bb1824dcb07f00123c3c3dd13a344763ce8c30fc271cf43922e52666a71bafc
SHA512 a2e097cf09664f82b2fa0f51f896ad7b862db997ee1a00b4634dc9bf08bdb0e95cc4935ba6f0e642a1e331aa01bef1897377238495ce238ac8b216e117db830c

memory/2132-93-0x00007FF62DC40000-0x00007FF62DF94000-memory.dmp

memory/640-99-0x00007FF7B7660000-0x00007FF7B79B4000-memory.dmp

C:\Windows\System\mjJFoRX.exe

MD5 58057327a3ad0ac8d515a2b6b6bb4c8c
SHA1 1210833e3ff916f462f30c2d1a18101a07cc0be6
SHA256 cc5f87af5675ae74db6ffb8fbc490679396fae1243b4d0b5f2ed2c7ddfa65f9d
SHA512 c538792483adccaf3052ce0ec9839580f6b5fcc91776667a302efb27645a5eeb13697f3368bd7b70cf3077aa13de1f4e64b7c08bd1d32b37cf74ac8e72c14296

C:\Windows\System\jKjfNVu.exe

MD5 fce36e7a127a9c45d54e1b8d90fdd7dd
SHA1 8542d25e949a7392da2a93826107eaa40ecc4cc5
SHA256 b444293ba0ec99638690f826a0742a8768937b49529c8a6756d6366ed24a602f
SHA512 305798c3491a2a73389f1d7751402c6a23f5215075ba486c290c2f789dc31a38e03eddcf5f70014163a4339376b4bec87bf7595b275ac3d6efe0ee4cac2b7a79

C:\Windows\System\wOjUWRQ.exe

MD5 b8cb0f6fdd4385e04865b122d56b8847
SHA1 cf4b5f3f2ac56dfd8083cebd6d7502e88907f03a
SHA256 022e7579b63e40c7fb997d4d2f1e95cd724a568163dbc1fc615377c18225afdb
SHA512 d16a6d3333548fee61e1b454abcd9fdf873298caee0552b4e6ced10c10e083b9ccad04bb5a12bdc7150ebf0e2426a20439722048e73de74fdf5a3a9e07c930dc

C:\Windows\System\CWLDtzs.exe

MD5 129f3d64cbeca05a53ef528b3290734c
SHA1 71740da16ce0c6c904ccb37e278a6ad593c1a480
SHA256 8bff8690eaf4a5e3f573418a963622e185f8d501862caf038cd51f7fb5a2debe
SHA512 678c5888d6fd5cfe6ce1594083820c6bdb4991f848b7bf64517b2c7aae2761350709aee9fa7ba71fac788e0eaf0979bc249996e90211dac6917778ab1bc5ebbe

memory/4332-121-0x00007FF64DE60000-0x00007FF64E1B4000-memory.dmp

C:\Windows\System\wOjUWRQ.exe

MD5 f643883f259de01dd5329353aba9e3bc
SHA1 8a0c9acc560b2a903e1249b54de084c27f2f7330
SHA256 885d32479d3d931762c4646bd89041e2dc323a00afc74c5ce659e0439525e486
SHA512 4fbee57fc43773ceb767e4aa78bc2879a54950d29e94d06ab5acf504f8c6e1b3a52cc3f816f267cfbe746c86e79bc3431149abbf38cd824127a0e4b7532c9af9

memory/2156-113-0x00007FF73E4A0000-0x00007FF73E7F4000-memory.dmp

memory/2164-107-0x00007FF70C270000-0x00007FF70C5C4000-memory.dmp

memory/4076-104-0x00007FF70BD00000-0x00007FF70C054000-memory.dmp

C:\Windows\System\vMxbiNO.exe

MD5 0b7f76370362199fe11563e221d6b826
SHA1 43b9f8ccbd2066026fc2e9b45b99a59cc419c0d6
SHA256 c0ffb66d02f8e09cd92a0fd5ae1ab36d134547958f4356f989d98d1cd2541934
SHA512 8145dfc8736c3c25155856277c6af89da1b7b7d3306f4d7b41743d0ae6bc257a01dc4367eb8618e0542181fb1bebebea2f2c5300983cd807346c03dbb2f3022f

memory/5108-96-0x00007FF607730000-0x00007FF607A84000-memory.dmp

C:\Windows\System\mjJFoRX.exe

MD5 f75564539a83b376903c5ecfa5901e06
SHA1 860909f2131254f5457375c9de8cb6e8e7533a93
SHA256 a25c9e54e4ac4fb130d0aaa541a8a5b2dedfb1d619c1e147022de971b177da82
SHA512 d714b2231a9eda4a9f476c29532e558ef6354d4c3b2a94db233eac1109e70cc17fff62ea890eb23a55dae53b722fad41b241ad0f437f20912c6925b0f568206c

C:\Windows\System\uQKEcEU.exe

MD5 e5582ab7e7031da39f15ac28537b46e7
SHA1 b57ab29bc87adca1d5b4da78bf670588e56f713a
SHA256 5fd118f73dfda42f66717026359ba16aef0e9002f9fca31396b04751f9d7e57d
SHA512 3ce9781a48453cfe78fb84b497a606e3a6b078f7a7bcc21d8250dc3b9b2f8ad4e202d80f43a91086de444c537a5c1ca91fe331d41f536a9268af2053510ebd7f

memory/444-87-0x00007FF7DD5E0000-0x00007FF7DD934000-memory.dmp

memory/3508-81-0x00007FF7C68B0000-0x00007FF7C6C04000-memory.dmp

memory/1548-129-0x00007FF64D750000-0x00007FF64DAA4000-memory.dmp

memory/3288-130-0x00007FF7B8600000-0x00007FF7B8954000-memory.dmp

memory/3040-131-0x00007FF612060000-0x00007FF6123B4000-memory.dmp

memory/4076-132-0x00007FF70BD00000-0x00007FF70C054000-memory.dmp

memory/2156-133-0x00007FF73E4A0000-0x00007FF73E7F4000-memory.dmp

memory/1548-135-0x00007FF64D750000-0x00007FF64DAA4000-memory.dmp

memory/4332-134-0x00007FF64DE60000-0x00007FF64E1B4000-memory.dmp

memory/2796-136-0x00007FF799220000-0x00007FF799574000-memory.dmp

memory/4912-137-0x00007FF6B5480000-0x00007FF6B57D4000-memory.dmp

memory/3636-138-0x00007FF786B50000-0x00007FF786EA4000-memory.dmp

memory/1984-139-0x00007FF68E840000-0x00007FF68EB94000-memory.dmp

memory/2132-140-0x00007FF62DC40000-0x00007FF62DF94000-memory.dmp

memory/1940-142-0x00007FF6D1760000-0x00007FF6D1AB4000-memory.dmp

memory/640-141-0x00007FF7B7660000-0x00007FF7B79B4000-memory.dmp

memory/1380-143-0x00007FF660100000-0x00007FF660454000-memory.dmp

memory/2472-144-0x00007FF7A88D0000-0x00007FF7A8C24000-memory.dmp

memory/4488-145-0x00007FF65FE40000-0x00007FF660194000-memory.dmp

memory/2420-146-0x00007FF6AD270000-0x00007FF6AD5C4000-memory.dmp

memory/3040-147-0x00007FF612060000-0x00007FF6123B4000-memory.dmp

memory/3508-148-0x00007FF7C68B0000-0x00007FF7C6C04000-memory.dmp

memory/444-149-0x00007FF7DD5E0000-0x00007FF7DD934000-memory.dmp

memory/5108-150-0x00007FF607730000-0x00007FF607A84000-memory.dmp

memory/2164-151-0x00007FF70C270000-0x00007FF70C5C4000-memory.dmp

memory/4076-152-0x00007FF70BD00000-0x00007FF70C054000-memory.dmp

memory/2156-153-0x00007FF73E4A0000-0x00007FF73E7F4000-memory.dmp

memory/3288-156-0x00007FF7B8600000-0x00007FF7B8954000-memory.dmp

memory/4332-155-0x00007FF64DE60000-0x00007FF64E1B4000-memory.dmp

memory/1548-154-0x00007FF64D750000-0x00007FF64DAA4000-memory.dmp
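The drop names change on every run (compare the behavioral1 files above with behavioral2), so a hunt keyed on file names fails; the content hashes and the dumped region ranges are what carries across runs. Two facts in the Files sections show this: SHA256 58df3e0732ea3099d265f1cebcc12671ec8cd599b805e002740e15fb8f518f08 is listed both as \Windows\system\QiILWhM.exe in behavioral1 and as C:\Windows\System\YiReKQn.exe in behavioral2, and every process-image dump in this run is exactly 0x354000 bytes long (only memory/4608-1, a 64 KiB region, differs), consistent with one unpacked image behind all 21 drops. The Python below is an added example, not part of the report; it parses an excerpt of the Files entries copied from this page to surface both facts, and assumes the plain-text layout used here (a path line, followed by hash lines, with memory dump lines in between).

```python
import re
from collections import defaultdict, Counter

# Constructed input: an excerpt of the Files entries from both detonations on
# this page (SHA512 lines omitted for brevity; the parser accepts them too).
REPORT_EXCERPT = r"""
\Windows\system\QiILWhM.exe

MD5 08335df7103abc2469c627c6ab490b75
SHA1 663318a93774d93d6095a04cf5494b48eb7d64be
SHA256 58df3e0732ea3099d265f1cebcc12671ec8cd599b805e002740e15fb8f518f08

memory/1688-140-0x0000000002330000-0x0000000002684000-memory.dmp

memory/4608-0-0x00007FF690C00000-0x00007FF690F54000-memory.dmp

memory/4608-1-0x000002AA85F40000-0x000002AA85F50000-memory.dmp

C:\Windows\System\rhGMgsd.exe

MD5 87475ad902de0e99f2619a314be51c9f
SHA1 64dd0568e587467b35cf984d2749b75223046d7d
SHA256 d7c8d76df5fa4fcc3e98d45b98d65b39e9eb60c1b75e6cbaeb6b6c0e2bfb9f54

memory/2796-8-0x00007FF799220000-0x00007FF799574000-memory.dmp

C:\Windows\System\YiReKQn.exe

MD5 08335df7103abc2469c627c6ab490b75
SHA1 663318a93774d93d6095a04cf5494b48eb7d64be
SHA256 58df3e0732ea3099d265f1cebcc12671ec8cd599b805e002740e15fb8f518f08

C:\Windows\System\YiReKQn.exe

MD5 bd78e538b4df43d0f413c82bce32c2fc
SHA1 2f03d24540cc14d701b461630c502121437b6f9e
SHA256 d7237ed1f488fc3dc5d925d8921100e1c9e0e6ba7aeea1f13cbc0d2542ca5acb
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_files_section(text):
    """Split a Files section into file records (path + hashes) and memory-dump records."""
    files, dumps = [], []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, index, start, end = m.groups()
            dumps.append({"pid": int(pid), "index": int(index),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
            continue
        current = {"path": line}   # any other line opens a new file record
        files.append(current)
    return files, dumps


def shared_content(files):
    """SHA256 values seen under more than one path: one payload, several random names."""
    by_hash = defaultdict(list)
    for f in files:
        if "SHA256" in f:
            by_hash[f["SHA256"]].append(f["path"])
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def dump_size_histogram(dumps):
    """How many dumped regions there are of each size."""
    return Counter(d["end"] - d["start"] for d in dumps)


def pids_with_region_size(dumps, size):
    """PIDs that have a dumped region of exactly this size."""
    return {d["pid"] for d in dumps if d["end"] - d["start"] == size}


if __name__ == "__main__":
    files, dumps = parse_files_section(REPORT_EXCERPT)
    for sha256, paths in shared_content(files).items():
        print(sha256[:16], "->", paths)
    for size, n in dump_size_histogram(dumps).most_common():
        print(f"{n} region(s) of 0x{size:X} bytes in PIDs {sorted(pids_with_region_size(dumps, size))}")
```

Feeding the complete Files sections of both runs through the same parser is the quickest way to build a hash blocklist for the payload pool and to confirm that the in-memory image size is a stable property to carry into memory-scanning rules, while the on-disk names are not.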