Analysis Overview
SHA256
5b5b19bc9b27ed124722c514b9d3ec678f16dd3b4c8ef91a3037ec169827734a
Threat Level: Known bad
The file 2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
XMRig Miner payload
xmrig
Cobaltstrike
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Xmrig family
Cobaltstrike family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-10 01:35
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 01:32
Reported
2024-06-10 01:38
Platform
win7-20240419-en
Max time kernel
132s
Max time network
142s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\BGGcmNw.exe | N/A |
| N/A | N/A | C:\Windows\System\RGYTFWg.exe | N/A |
| N/A | N/A | C:\Windows\System\XftqwsA.exe | N/A |
| N/A | N/A | C:\Windows\System\UrvPwGA.exe | N/A |
| N/A | N/A | C:\Windows\System\sZSVjQw.exe | N/A |
| N/A | N/A | C:\Windows\System\CUULIXo.exe | N/A |
| N/A | N/A | C:\Windows\System\IvAvOmz.exe | N/A |
| N/A | N/A | C:\Windows\System\OoqeGHb.exe | N/A |
| N/A | N/A | C:\Windows\System\yiwCWYU.exe | N/A |
| N/A | N/A | C:\Windows\System\kIJOZzw.exe | N/A |
| N/A | N/A | C:\Windows\System\PQeRWuj.exe | N/A |
| N/A | N/A | C:\Windows\System\amatrNn.exe | N/A |
| N/A | N/A | C:\Windows\System\xctniYR.exe | N/A |
| N/A | N/A | C:\Windows\System\YcWEyCt.exe | N/A |
| N/A | N/A | C:\Windows\System\eyHqTAS.exe | N/A |
| N/A | N/A | C:\Windows\System\AUZorGX.exe | N/A |
| N/A | N/A | C:\Windows\System\KaHnOoV.exe | N/A |
| N/A | N/A | C:\Windows\System\TtMPiYE.exe | N/A |
| N/A | N/A | C:\Windows\System\uYsmkoD.exe | N/A |
| N/A | N/A | C:\Windows\System\BFtumeI.exe | N/A |
| N/A | N/A | C:\Windows\System\aLVAZfg.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\BGGcmNw.exe
C:\Windows\System\BGGcmNw.exe
C:\Windows\System\RGYTFWg.exe
C:\Windows\System\RGYTFWg.exe
C:\Windows\System\XftqwsA.exe
C:\Windows\System\XftqwsA.exe
C:\Windows\System\UrvPwGA.exe
C:\Windows\System\UrvPwGA.exe
C:\Windows\System\sZSVjQw.exe
C:\Windows\System\sZSVjQw.exe
C:\Windows\System\CUULIXo.exe
C:\Windows\System\CUULIXo.exe
C:\Windows\System\IvAvOmz.exe
C:\Windows\System\IvAvOmz.exe
C:\Windows\System\OoqeGHb.exe
C:\Windows\System\OoqeGHb.exe
C:\Windows\System\yiwCWYU.exe
C:\Windows\System\yiwCWYU.exe
C:\Windows\System\kIJOZzw.exe
C:\Windows\System\kIJOZzw.exe
C:\Windows\System\PQeRWuj.exe
C:\Windows\System\PQeRWuj.exe
C:\Windows\System\amatrNn.exe
C:\Windows\System\amatrNn.exe
C:\Windows\System\xctniYR.exe
C:\Windows\System\xctniYR.exe
C:\Windows\System\YcWEyCt.exe
C:\Windows\System\YcWEyCt.exe
C:\Windows\System\eyHqTAS.exe
C:\Windows\System\eyHqTAS.exe
C:\Windows\System\AUZorGX.exe
C:\Windows\System\AUZorGX.exe
C:\Windows\System\KaHnOoV.exe
C:\Windows\System\KaHnOoV.exe
C:\Windows\System\TtMPiYE.exe
C:\Windows\System\TtMPiYE.exe
C:\Windows\System\BFtumeI.exe
C:\Windows\System\BFtumeI.exe
C:\Windows\System\uYsmkoD.exe
C:\Windows\System\uYsmkoD.exe
C:\Windows\System\aLVAZfg.exe
C:\Windows\System\aLVAZfg.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2952-0-0x000000013FE10000-0x0000000140164000-memory.dmp
C:\Windows\system\BGGcmNw.exe
| MD5 | 39dd9a091374393fe2ae20e4a576d4d3 |
| SHA1 | df178a0d49aacd3b53bbeece54f74f4ad3c2e318 |
| SHA256 | cfaa56d0571c6b53cbccc9dd9e332f731ef5be45ce586506379694d1043cff68 |
| SHA512 | acf6762062831b8a125aac91ae6f4062934e6764b4954e05e8bc0307cee6cb52a64413f14efe520f0827edaf22442bc47b59c351cc2b82224ae1bbc3b15404a4 |
memory/2952-17-0x000000013F960000-0x000000013FCB4000-memory.dmp
C:\Windows\system\UrvPwGA.exe
| MD5 | ded20fb731680b57de94ecd097b1b15e |
| SHA1 | e0ae701119a0800d52f5f6e6225e387773a822be |
| SHA256 | c17c45f6ccd3a6b6d2c67c53fd10a2b075e235fef455f06a41584bf21fdeb272 |
| SHA512 | a22e9adaac63a8a31c4157794ecce0ad2fbfb7582441e099433e90779f36d63187a3ad8d525eb495dd64c4042b51de410ee710120527e8f23547351481857a55 |
C:\Windows\system\sZSVjQw.exe
| MD5 | 3841d3131bdc70a1cf74942213460680 |
| SHA1 | e066ede4ce1cfdb2ea8111ae73f718eb8b157bd9 |
| SHA256 | b4d269eec56539100336c47edcf07ade25ee028ddd2f468b5ccafc2495eaa0a4 |
| SHA512 | 77b6c9843e542c6ef34515300b738e90e6b505a929acee13a482482161e043ddee1028dddba920c8c9ca07a42160a603ae89b3ec75270ab6e028949695a5b7fe |
memory/2608-53-0x000000013F410000-0x000000013F764000-memory.dmp
memory/2428-59-0x000000013F040000-0x000000013F394000-memory.dmp
C:\Windows\system\PQeRWuj.exe
| MD5 | 484f9bd860840f7d2331986e4199e3d2 |
| SHA1 | eb5448cac8a274aecd2e2e996f7a8c535ce8dfe2 |
| SHA256 | d792f6a1d133eaf0c847fb75869638ea7611e35c703fc655348b58642f5eef41 |
| SHA512 | 30de83fe0665fd35b3e5b2ef1bcd329c5b3c3cda1a0fab51d4301e97e4af95f143875fb670b8aa6d25ab7572333b6c08ac07f838a0611a2110ce3153537d12d2 |
C:\Windows\system\YcWEyCt.exe
| MD5 | b12f50740eef66714200750b921dca91 |
| SHA1 | 8373966e5ed792f21420a1f96bf3bbb6923ce01a |
| SHA256 | 719552d5e050d5b6103aeabc2599e37e66f0dc2dc083f0cf409b7b43085c6d59 |
| SHA512 | 7a4e91a3c8d86a2c7d2864f022b2bc699138cd2829346c866cd8c934865e794d9cf66725904fe7973648c3a72b48057f93b8dc315697f02e4e9bbb78689e94d8 |
memory/2952-95-0x000000013FA70000-0x000000013FDC4000-memory.dmp
\Windows\system\aLVAZfg.exe
| MD5 | 93939ce4f0f7aa941ab87b1e2295318a |
| SHA1 | a870e3b604e35465cd5814870217da02f6c1f70a |
| SHA256 | 011e7b1cabb94ad42048925a48c699815c20a038e862ca2f1b43b5352a726642 |
| SHA512 | 33b61a5d8e2daf5ddc75ea2fd527f1b0b2334b4d9a5cc819dd4bd1220af540dab8189f0960a82e20fe7307136c2f829424f56117fb23c7260bd9d130b3cc8006 |
C:\Windows\system\aLVAZfg.exe
| MD5 | 917f08214ec64cdb82fcdb5f69fd86e6 |
| SHA1 | 4f81ba3dc7b31dac080b9fecca1306682ff61ba0 |
| SHA256 | 1d9dacef7ba4eb8be0086c81e945030e4ff40f033c3dee3082f3eb505ccaa17d |
| SHA512 | de22953d77d770c06ce2e7971f51cda1f131f78a6f8ed3c8a9aad8faba50758dab1da1c4b6c3b881936734a596ccb57187c805c1d72e7280ffd30e5369de0c79 |
\Windows\system\BFtumeI.exe
| MD5 | 0964a3ad683f4555a66bf7b4d2e6028c |
| SHA1 | 1db6475c6e1bb01337600c115c0d53081649c406 |
| SHA256 | 6c884441906bfcdb51fa9f15c41c049ee26d08c7e84732f52a14024cfa2ceb0e |
| SHA512 | 245019c4eea298b96d2e308bc646e4c8e5126fb1301c127f3e8c84bcbf4f3bfcdf4db49509b4289a7c20753229c201999690e711a882f5df4b263f7f43cfc530 |
\Windows\system\uYsmkoD.exe
| MD5 | cf1dfa3398fc7a5a3e4aa28a33021420 |
| SHA1 | 92ec7e1793049f05d8929127974c688764686f20 |
| SHA256 | 7641ca4766ae524c827c88f2ee88ac772b0e00345b34712c04fd3e150364b4d4 |
| SHA512 | a5e45e07e58dc3572cbc5d0ceafd19b3958197e95a20fae2b322066d7372fd3f608cbda4e832e690e9485a6db352f2dedacbdcd1bea9412fa871bbfb05f4fe6b |
memory/2952-109-0x000000013F3D0000-0x000000013F724000-memory.dmp
C:\Windows\system\AUZorGX.exe
| MD5 | 89006a968517b0cbdbc39b74d463a904 |
| SHA1 | 1cbd461bc44d7b6c2637f8e0c4fac5c863af7236 |
| SHA256 | 8ba14bdc980f9d349e23cbcc79daca3b25552743c407ef3d0ac0562ad535af55 |
| SHA512 | 4e04a919347393a7ffee502348bf8f78a3a58cb1eda670a149f7534c733f4a5dfe41b9b820c8e978b97ecb4cf5040858584b77d0158512ee9cd537ffc62f37a4 |
memory/2388-103-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2776-101-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2952-98-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2952-97-0x00000000024B0000-0x0000000002804000-memory.dmp
memory/2952-90-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2840-89-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2952-88-0x00000000024B0000-0x0000000002804000-memory.dmp
memory/2952-86-0x000000013F410000-0x000000013F764000-memory.dmp
\Windows\system\YcWEyCt.exe
| MD5 | f9bb666c375bafe5bb759561167fb359 |
| SHA1 | 8db0504bfc2103d6012f3daba3c9c3b53485f363 |
| SHA256 | 3cb3ce6b25098e8f80c56c963d9195fc1c3535964d63e5973f7c37284dcb50c6 |
| SHA512 | 448c21a8ecb9cbdc1ac62a52f9c18e59b95ad9c895fdbd3e281dcc94d2026ea104c48d56ae789eb7ac1da59c5d78594ff22d85baa63f338d432285e3f512a734 |
memory/2696-81-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/1776-80-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2432-77-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2520-72-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2616-66-0x000000013FA70000-0x000000013FDC4000-memory.dmp
C:\Windows\system\kIJOZzw.exe
| MD5 | 88fd740fd0feab261c49fc6e0da4433c |
| SHA1 | fad8f91148f0311257ff5a3ff1cb12d17b64dd1d |
| SHA256 | 151c1e209db6d9f881b9b5746a1c76a55c2a35c02a3f843f2ba8902bfd352101 |
| SHA512 | 94a7a242d12b72d818d17251f4ef64bc7e04934aee79fec3086aebfd3ec7ed5ac8e5c93489c2dfc6b50a01f9c925430d2d5e968bddb2ca274e573b6385642efd |
memory/2120-55-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2916-47-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2284-34-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2952-41-0x000000013F360000-0x000000013F6B4000-memory.dmp
C:\Windows\system\IvAvOmz.exe
| MD5 | 70ff90aa4744113bd0310fc0d9642696 |
| SHA1 | 4f02a897376e5e156044a81d440bc1b6f5e73eda |
| SHA256 | 850f0bbecc3dc6f48578257267b2dfc4dd032dd358202c0f6ec3920e2118bcf5 |
| SHA512 | bdc7f055358d137daf4d2e1f7011457331106547b4eec4e5f4ff35dd9f5890da8611a6c345a9ae884d95e4260252b884173921b0ceaa07cb5d1698fa0594012f |
memory/2952-22-0x000000013F540000-0x000000013F894000-memory.dmp
\Windows\system\UrvPwGA.exe
| MD5 | 57c3995ca3c4628d92183ba8539d0091 |
| SHA1 | ad516b609d389143043ab0756c497e020432614b |
| SHA256 | f1791b274e114fce44ac82b6c6e1b3082050ab862f68b0f7bd404aaf81dff570 |
| SHA512 | d92d685ec3382897516d36ff55d494dee48ce659c7baf57a9dfe10febdcf5a8e998f9b872c6f2e6843610174c95135c0f44d23d07ce80074e70a39af3fd01b9d |
memory/2584-19-0x000000013F960000-0x000000013FCB4000-memory.dmp
C:\Windows\system\XftqwsA.exe
| MD5 | 3dd3dcd306f0efc9bbfa800cbd31ae40 |
| SHA1 | d052cb1858658159c0105a89f05e8ea0bb515259 |
| SHA256 | 7c369ff01d831de8701c05e89e10baafecae898266eb16442fd298ec3ac4b304 |
| SHA512 | 59ad00f536a0bf367e7ffc9ae8487c3c876b694bdbdc9cbc067ae6fe30b5ea1fb628f6dff517baa30ac39f6a2825197d0473cb1892c86bc9e668a42a7b74d6a3 |
\Windows\system\XftqwsA.exe
| MD5 | 8501e1b3ec042e7e35c8a420be40052e |
| SHA1 | 9387a8c36b178a4031ee833ba9d467062f0b27bf |
| SHA256 | 586fd82b12dec2e295dad7b24bce29753bf165ba24b0179a447f67e307ffac12 |
| SHA512 | 2feaf4546e56b98718cbacd9b99cd23d02716607d121943151d374b64f8005f9acb6bb2fb4a0e77cd659eeb064ad22db5e63fb4907d0763d44622f3bc9887ac1 |
C:\Windows\system\XftqwsA.exe
| MD5 | 333f3ff58619cd555118abbe0cf30095 |
| SHA1 | 3b5cf06e2cfdb03b6427d5e3cb860051a3d4e3fa |
| SHA256 | 0b49bbb568888605d8fea396434b0bda1b81b9725de32bb5223ed8a1830dee2f |
| SHA512 | af3b7f6a9079e0106cd7ff3ce699f5acc9e96602f8d93757e1d7008395d4ff277c484aff3304ccc36311b7845a2c4029e299b6711d6491e994dabaed3dc23413 |
\Windows\system\RGYTFWg.exe
| MD5 | ac8bc860b5a7212c112d44b35b0dda82 |
| SHA1 | 08ba22910be31dd3241b2fbabdc05694b3432d91 |
| SHA256 | 878936601faa0a628fa09e6778b4b310d70625681a81796ecc989d20f6b5a0db |
| SHA512 | 48c6c914fcbac673d99937455bf4481601445bda9fbb07b57a14dbefab9bb18f59f9a795ffc8c7b93010077e1fc4d6745583ff416b15f3761841064b83925e78 |
\Windows\system\BGGcmNw.exe
| MD5 | a8f0fa13e61bbd3f9e95e42e0a23b16b |
| SHA1 | d6500a11c562575dbe32a10db497e559d9021ec4 |
| SHA256 | 560257467b5a2af9de18ba9c8ceb15720b25e5eaccf341a869496e4022b7056a |
| SHA512 | 44c43576455afc371d94b87e0707c3f996d897d31464d8ec0a43091cc4ced76674280d6127e181eae43286481e2984a50d635c9cf39f1f68b58b8d28ddcd5ba2 |
memory/2952-1-0x00000000002F0000-0x0000000000300000-memory.dmp
memory/2952-131-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2952-132-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2432-135-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2520-134-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2616-133-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2952-136-0x00000000024B0000-0x0000000002804000-memory.dmp
memory/2952-137-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2952-138-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2284-141-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2428-147-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2840-146-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2616-148-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2388-151-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2776-152-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2432-150-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2520-149-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2120-145-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2608-144-0x000000013F410000-0x000000013F764000-memory.dmp
memory/2916-143-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2696-142-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/1776-140-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2584-139-0x000000013F960000-0x000000013FCB4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 01:32
Reported
2024-06-10 01:39
Platform
win10v2004-20240508-en
Max time kernel
132s
Max time network
149s
Command Line
Signatures
Cobaltstrike
xmrig
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vQYeGHm.exe | N/A |
| N/A | N/A | C:\Windows\System\MAlzjIi.exe | N/A |
| N/A | N/A | C:\Windows\System\MLGIwzI.exe | N/A |
| N/A | N/A | C:\Windows\System\RVMmNuu.exe | N/A |
| N/A | N/A | C:\Windows\System\ajEuOWN.exe | N/A |
| N/A | N/A | C:\Windows\System\GzgFcJL.exe | N/A |
| N/A | N/A | C:\Windows\System\jpwKzJk.exe | N/A |
| N/A | N/A | C:\Windows\System\XYPxxyL.exe | N/A |
| N/A | N/A | C:\Windows\System\DiPfdMX.exe | N/A |
| N/A | N/A | C:\Windows\System\yxSKhOk.exe | N/A |
| N/A | N/A | C:\Windows\System\fGKMcgI.exe | N/A |
| N/A | N/A | C:\Windows\System\BQKjLtb.exe | N/A |
| N/A | N/A | C:\Windows\System\ThrEkNQ.exe | N/A |
| N/A | N/A | C:\Windows\System\nnDKvGj.exe | N/A |
| N/A | N/A | C:\Windows\System\rdflAQx.exe | N/A |
| N/A | N/A | C:\Windows\System\ejfKdAW.exe | N/A |
| N/A | N/A | C:\Windows\System\bIXFoyG.exe | N/A |
| N/A | N/A | C:\Windows\System\ELvlIcL.exe | N/A |
| N/A | N/A | C:\Windows\System\ZLXQyoc.exe | N/A |
| N/A | N/A | C:\Windows\System\hBGgHyD.exe | N/A |
| N/A | N/A | C:\Windows\System\WhSOpFn.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_0f5ac4798ee10c590a7c4336292361c2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\vQYeGHm.exe
C:\Windows\System\vQYeGHm.exe
C:\Windows\System\MAlzjIi.exe
C:\Windows\System\MAlzjIi.exe
C:\Windows\System\MLGIwzI.exe
C:\Windows\System\MLGIwzI.exe
C:\Windows\System\RVMmNuu.exe
C:\Windows\System\RVMmNuu.exe
C:\Windows\System\ajEuOWN.exe
C:\Windows\System\ajEuOWN.exe
C:\Windows\System\GzgFcJL.exe
C:\Windows\System\GzgFcJL.exe
C:\Windows\System\jpwKzJk.exe
C:\Windows\System\jpwKzJk.exe
C:\Windows\System\XYPxxyL.exe
C:\Windows\System\XYPxxyL.exe
C:\Windows\System\DiPfdMX.exe
C:\Windows\System\DiPfdMX.exe
C:\Windows\System\yxSKhOk.exe
C:\Windows\System\yxSKhOk.exe
C:\Windows\System\fGKMcgI.exe
C:\Windows\System\fGKMcgI.exe
C:\Windows\System\BQKjLtb.exe
C:\Windows\System\BQKjLtb.exe
C:\Windows\System\ThrEkNQ.exe
C:\Windows\System\ThrEkNQ.exe
C:\Windows\System\nnDKvGj.exe
C:\Windows\System\nnDKvGj.exe
C:\Windows\System\rdflAQx.exe
C:\Windows\System\rdflAQx.exe
C:\Windows\System\ejfKdAW.exe
C:\Windows\System\ejfKdAW.exe
C:\Windows\System\bIXFoyG.exe
C:\Windows\System\bIXFoyG.exe
C:\Windows\System\ELvlIcL.exe
C:\Windows\System\ELvlIcL.exe
C:\Windows\System\ZLXQyoc.exe
C:\Windows\System\ZLXQyoc.exe
C:\Windows\System\hBGgHyD.exe
C:\Windows\System\hBGgHyD.exe
C:\Windows\System\WhSOpFn.exe
C:\Windows\System\WhSOpFn.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1408-0-0x00007FF7F62B0000-0x00007FF7F6604000-memory.dmp
memory/1408-1-0x0000025A288C0000-0x0000025A288D0000-memory.dmp
C:\Windows\System\vQYeGHm.exe
| MD5 | 73a986c9493930f4cd8a8093981caf97 |
| SHA1 | d56e4ec277c46c1f501f0380990a8cb52fc97921 |
| SHA256 | 79658989fc6265b27479193101b06b4d07a3afc14a90cac7cd0c2fd5a470fdb1 |
| SHA512 | df908858efce8052aba32afa73708ab41a555ed2fb2054faebcbf306cccde59229ad974697075f78113c385920705044fa084d6313ac5116bfcc6a59748d37e7 |
C:\Windows\System\MAlzjIi.exe
| MD5 | 460a560d9343614b4f5d3d4dba3f4ee8 |
| SHA1 | b7e4e11f7bd5df3f2363cf6c1fa4d5ae53e0122e |
| SHA256 | fd744e6808c52535a94243828181a8d013638b8f8817cf398b9172e0ee7b110d |
| SHA512 | 1f115a8993e51d1f37533d08960597baad579468fd9fc33ed73870d8dbecffbacf74c482d28ec7d6893e63aba21811f0abf2dfee545d005b933bc73799ad2c80 |
C:\Windows\System\ajEuOWN.exe
| MD5 | cf1dfa3398fc7a5a3e4aa28a33021420 |
| SHA1 | 92ec7e1793049f05d8929127974c688764686f20 |
| SHA256 | 7641ca4766ae524c827c88f2ee88ac772b0e00345b34712c04fd3e150364b4d4 |
| SHA512 | a5e45e07e58dc3572cbc5d0ceafd19b3958197e95a20fae2b322066d7372fd3f608cbda4e832e690e9485a6db352f2dedacbdcd1bea9412fa871bbfb05f4fe6b |
C:\Windows\System\GzgFcJL.exe
| MD5 | 586c9547493a88de16fd09ad19df758b |
| SHA1 | 8a50178682c692f204a45b7798c63d3f6375432b |
| SHA256 | 991f4d210c6e659974dd43deb7cc93077b9ed3c337c5951172529c0bae179e02 |
| SHA512 | 63d13596bcc59b486c85cd55cf9779d952b67ccbfc54495f389035c1d68fd043ac79c180dc1fc0d479811fe4e468b78c5250d0acdb5b23ce7e1ec600b69b0629 |
memory/4048-38-0x00007FF6FFC30000-0x00007FF6FFF84000-memory.dmp
C:\Windows\System\XYPxxyL.exe
| MD5 | 9b577ffff6c1f5ffff7f64441d883431 |
| SHA1 | 10ba0bbbec3c90794664c7d383f12f8e5eb6c74b |
| SHA256 | 91f3e82906a538100a99ed926f9fc65724c6b25f34a3a65f82125b966c8582db |
| SHA512 | f8bb3727a9f20749433ece4d83348bcfd5e5e28efa7ccba238d5a6d724481df6d5f37b94f4ffcea847376be6b1b47a9ca7c6e243f6823afe20547eef85d0ed8f |
C:\Windows\System\yxSKhOk.exe
| MD5 | b12f50740eef66714200750b921dca91 |
| SHA1 | 8373966e5ed792f21420a1f96bf3bbb6923ce01a |
| SHA256 | 719552d5e050d5b6103aeabc2599e37e66f0dc2dc083f0cf409b7b43085c6d59 |
| SHA512 | 7a4e91a3c8d86a2c7d2864f022b2bc699138cd2829346c866cd8c934865e794d9cf66725904fe7973648c3a72b48057f93b8dc315697f02e4e9bbb78689e94d8 |
memory/3640-73-0x00007FF798D90000-0x00007FF7990E4000-memory.dmp
memory/4932-108-0x00007FF6C60C0000-0x00007FF6C6414000-memory.dmp
memory/2308-117-0x00007FF7B4010000-0x00007FF7B4364000-memory.dmp
C:\Windows\System\WhSOpFn.exe
| MD5 | 3841d3131bdc70a1cf74942213460680 |
| SHA1 | e066ede4ce1cfdb2ea8111ae73f718eb8b157bd9 |
| SHA256 | b4d269eec56539100336c47edcf07ade25ee028ddd2f468b5ccafc2495eaa0a4 |
| SHA512 | 77b6c9843e542c6ef34515300b738e90e6b505a929acee13a482482161e043ddee1028dddba920c8c9ca07a42160a603ae89b3ec75270ab6e028949695a5b7fe |
memory/5012-131-0x00007FF659580000-0x00007FF6598D4000-memory.dmp
memory/4228-133-0x00007FF6661E0000-0x00007FF666534000-memory.dmp
memory/3828-132-0x00007FF7E5790000-0x00007FF7E5AE4000-memory.dmp
memory/5068-127-0x00007FF6C1000000-0x00007FF6C1354000-memory.dmp
memory/4680-115-0x00007FF6DA430000-0x00007FF6DA784000-memory.dmp
C:\Windows\System\ELvlIcL.exe
| MD5 | 8501e1b3ec042e7e35c8a420be40052e |
| SHA1 | 9387a8c36b178a4031ee833ba9d467062f0b27bf |
| SHA256 | 586fd82b12dec2e295dad7b24bce29753bf165ba24b0179a447f67e307ffac12 |
| SHA512 | 2feaf4546e56b98718cbacd9b99cd23d02716607d121943151d374b64f8005f9acb6bb2fb4a0e77cd659eeb064ad22db5e63fb4907d0763d44622f3bc9887ac1 |
memory/3480-111-0x00007FF7C3AE0000-0x00007FF7C3E34000-memory.dmp
C:\Windows\System\bIXFoyG.exe
| MD5 | 0e2fd2a522d2418bc7dbaf689ef76673 |
| SHA1 | 5f1c27d705b7b859dfc3a6c555a6c8b3ab244763 |
| SHA256 | 40742f91cd985eb524bd3891d1dd35d24592ad177108d69ed9cd6d4b18b99360 |
| SHA512 | 64301bc0310c56dee53197109af15147dcdc7fc2e4ce1b977cb7e6dcd2f13af6e165bd17c6af06ed25d21fbd4c9cf4f3e78ae062fc175d24eb2fa93590a4ee28 |
memory/1564-100-0x00007FF6CC570000-0x00007FF6CC8C4000-memory.dmp
memory/4028-97-0x00007FF643140000-0x00007FF643494000-memory.dmp
memory/4796-90-0x00007FF6D7D00000-0x00007FF6D8054000-memory.dmp
memory/3372-86-0x00007FF619CD0000-0x00007FF61A024000-memory.dmp
C:\Windows\System\nnDKvGj.exe
| MD5 | 0b4145c2cc110331e4da5e560102704d |
| SHA1 | c566b9a6ceb44b7f1c214b316c08f6bec9d9b2b1 |
| SHA256 | 45685ced1acb15c50a2e82577fa387cda30481d8f7a525239c32c5f5bf6e48b4 |
| SHA512 | abf913119d63f487a6aab21c7aef0828fd1abea0d0c9a3b66bf2a375882b42bf9f76fd9b59dbd74e92020f35616ebd4ca75dc1ea4b5b55a7e8ed17cc28d58dc6 |
memory/4244-81-0x00007FF603320000-0x00007FF603674000-memory.dmp
memory/4600-80-0x00007FF70F8D0000-0x00007FF70FC24000-memory.dmp
C:\Windows\System\ThrEkNQ.exe
| MD5 | a1df3420cf46306b933f609aa091bde6 |
| SHA1 | 03ce76e9fe6f2cdeb3378102ed49d48485ec7843 |
| SHA256 | bcae40deb504422275dc41ae536981fa1c76529cec89792a5d25e945abde44e6 |
| SHA512 | 3e324e98cff88b9150fadb48b306851323411ebcf6295fe7b9fbe18ab5bc686dfb423f26e2dbc80e5e8b763023d53f53f102d1a25698637c3423030b33d31eb2 |
C:\Windows\System\fGKMcgI.exe
| MD5 | bbf23c91072b235dccbb03719d0f1c51 |
| SHA1 | cc1894496de64a877d577c6d924f720bc062b1c4 |
| SHA256 | f2b14f12a3322e4999332550f1eeb7bf5516e56163046f53ef3f2aeaf0704a68 |
| SHA512 | 2d4c36aa5b1abb32c021916d658051e6c37b0399e5b756d786d221806a8e81a3fc61b8802989413cc0d9cd8af4a3f29fd73f375ace04515a21c8f6e3dfd0473f |
memory/4228-67-0x00007FF6661E0000-0x00007FF666534000-memory.dmp
memory/2124-63-0x00007FF6D37E0000-0x00007FF6D3B34000-memory.dmp
memory/1408-62-0x00007FF7F62B0000-0x00007FF7F6604000-memory.dmp
memory/2308-56-0x00007FF7B4010000-0x00007FF7B4364000-memory.dmp
memory/3480-50-0x00007FF7C3AE0000-0x00007FF7C3E34000-memory.dmp
C:\Windows\System\XYPxxyL.exe
| MD5 | 6f79929539cf65dcb1e405ed0a538ec1 |
| SHA1 | 46963681601be609a978fb70a544460fdecbb830 |
| SHA256 | 8292e8db4cea39d46d950b64cc55f87ab625ecdebcbe27f469743b8d918b78e8 |
| SHA512 | e991eb3fcf3d9e8bf2f4b7d6bc5ccb92f66bf173e56c3693b2cbd12083aeda0fcdb439b0c82e3da3f8abfa3d37b16394bcf458c3b338809e1ffa376eff9aa3d0 |
memory/2424-44-0x00007FF716990000-0x00007FF716CE4000-memory.dmp
memory/2884-32-0x00007FF722040000-0x00007FF722394000-memory.dmp
memory/3640-134-0x00007FF798D90000-0x00007FF7990E4000-memory.dmp
memory/3372-26-0x00007FF619CD0000-0x00007FF61A024000-memory.dmp
memory/4600-20-0x00007FF70F8D0000-0x00007FF70FC24000-memory.dmp
memory/1368-14-0x00007FF7992D0000-0x00007FF799624000-memory.dmp
memory/4660-8-0x00007FF714E00000-0x00007FF715154000-memory.dmp
memory/4244-135-0x00007FF603320000-0x00007FF603674000-memory.dmp
memory/4796-136-0x00007FF6D7D00000-0x00007FF6D8054000-memory.dmp
memory/1564-137-0x00007FF6CC570000-0x00007FF6CC8C4000-memory.dmp
memory/4680-138-0x00007FF6DA430000-0x00007FF6DA784000-memory.dmp
memory/5068-139-0x00007FF6C1000000-0x00007FF6C1354000-memory.dmp
memory/4660-140-0x00007FF714E00000-0x00007FF715154000-memory.dmp
memory/1368-141-0x00007FF7992D0000-0x00007FF799624000-memory.dmp
memory/4600-142-0x00007FF70F8D0000-0x00007FF70FC24000-memory.dmp
memory/3372-143-0x00007FF619CD0000-0x00007FF61A024000-memory.dmp
memory/2884-144-0x00007FF722040000-0x00007FF722394000-memory.dmp
memory/4048-145-0x00007FF6FFC30000-0x00007FF6FFF84000-memory.dmp
memory/2424-146-0x00007FF716990000-0x00007FF716CE4000-memory.dmp
memory/3480-147-0x00007FF7C3AE0000-0x00007FF7C3E34000-memory.dmp
memory/2308-148-0x00007FF7B4010000-0x00007FF7B4364000-memory.dmp
memory/2124-149-0x00007FF6D37E0000-0x00007FF6D3B34000-memory.dmp
memory/4244-152-0x00007FF603320000-0x00007FF603674000-memory.dmp
memory/4796-153-0x00007FF6D7D00000-0x00007FF6D8054000-memory.dmp
memory/4028-154-0x00007FF643140000-0x00007FF643494000-memory.dmp
memory/4932-156-0x00007FF6C60C0000-0x00007FF6C6414000-memory.dmp
memory/1564-155-0x00007FF6CC570000-0x00007FF6CC8C4000-memory.dmp
memory/4680-158-0x00007FF6DA430000-0x00007FF6DA784000-memory.dmp
memory/3828-160-0x00007FF7E5790000-0x00007FF7E5AE4000-memory.dmp
memory/5012-159-0x00007FF659580000-0x00007FF6598D4000-memory.dmp
memory/5068-157-0x00007FF6C1000000-0x00007FF6C1354000-memory.dmp
memory/3640-151-0x00007FF798D90000-0x00007FF7990E4000-memory.dmp
memory/4228-150-0x00007FF6661E0000-0x00007FF666534000-memory.dmp