Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/08/2024, 10:51

Behavioral task: behavioral1
Sample: e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe
Resource: win7-20240705-en
General
Target: e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe
Size: 5.2MB
MD5: 6c5862dd6742b207080c3bf04987ed32
SHA1: 28cefb613aac4959f44677a2348391cae9e89e6b
SHA256: e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1
SHA512: 9582818d8a419bb34e979980b259fdbbd9c92c1c42f695fc3e490080d14fbe7822304d7a0c196a4fedd03541ee874bfe5d3dd0dafdb39d50410da17cf7e901e0
SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lx:RWWBibf56utgpPFotBER/mQ32lUt
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
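The http_header1 and http_header2 values above are the beacon's Malleable C2 transform programs for the http-get and http-post client blocks, and the value labelled state_machine is a DER-encoded SubjectPublicKeyInfo (its prefix MIGfMA0GCSqGSIb3DQEBAQUA is the rsaEncryption AlgorithmIdentifier). The following is an added example, not code from the tria.ge report or from Cobalt Strike itself: it decodes those three fields, copied verbatim from this page, into profile syntax and reports the RSA key size. The step opcode table follows the beacon configuration format as documented by public open-source config parsers; the build-selector names (metadata, id, output) come from the Malleable C2 language; the function names are this example's own.

```python
"""Decode the Cobalt Strike beacon config fields shown above (added example)."""
import base64
import struct

# Transform-step opcodes as stored in the beacon config (big-endian 32-bit),
# named after the Malleable C2 statements they correspond to.
STEP_NAMES = {
    1: "APPEND", 2: "PREPEND", 3: "BASE64", 4: "PRINT", 5: "PARAMETER",
    6: "HEADER", 7: "BUILD", 8: "NETBIOS", 9: "_PARAMETER", 10: "_HEADER",
    11: "NETBIOSU", 12: "URI_APPEND", 13: "BASE64URL", 14: "STRREP",
    15: "MASK", 16: "HOSTHEADER",
}
STRING_STEPS = {1, 2, 5, 6, 9, 10, 16}        # operand is a length-prefixed string
TERMINATORS = {"HEADER", "PARAMETER", "PRINT", "URI_APPEND"}  # close a build block

# Values copied verbatim from the extracted config above.
HTTP_GET_B64 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_POST_B64 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="
STATE_MACHINE_B64 = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="


def decode_transform(blob_b64):
    """Walk the transform program and return [(step_name, operand), ...]."""
    data = base64.b64decode(blob_b64)
    pos, steps = 0, []
    while pos + 4 <= len(data):
        (op,) = struct.unpack_from(">I", data, pos)
        pos += 4
        if op == 0:                      # terminator; the rest of the setting is zero padding
            break
        name = STEP_NAMES.get(op, f"UNKNOWN_{op}")
        if op in STRING_STEPS:           # 4-byte length, then the string
            (n,) = struct.unpack_from(">I", data, pos)
            pos += 4
            steps.append((name, data[pos:pos + n].decode("latin-1")))
            pos += n
        elif op == 7:                    # BUILD carries a 4-byte selector
            (which,) = struct.unpack_from(">I", data, pos)
            pos += 4
            steps.append((name, which))
        else:                            # base64, print, netbios, ... take no operand
            steps.append((name, None))
    return steps


def to_profile(block, steps):
    """Render decoded steps as the client { } body of a Malleable C2 profile.
    In http-get, build selector 0 is 'metadata'; in http-post, 0 is 'id' and
    1 is 'output'.  Steps not used by this beacon (strrep, mask, ...) are
    rendered by name only."""
    build_names = {"http-get": {0: "metadata"}, "http-post": {0: "id", 1: "output"}}
    lines, in_build = [], False
    for name, arg in steps:
        keyword = name.lower().replace("_", "-")
        if name == "BUILD":
            if in_build:
                lines.append("    }")
            lines.append(f"    {build_names[block][arg]} {{")
            in_build = True
        elif name == "_HEADER":          # static "Key: Value" header outside a build block
            key, _, value = arg.partition(": ")
            lines.append(f'    header "{key}" "{value}";')
        elif name == "_PARAMETER":       # static "key=value" query parameter
            key, _, value = arg.partition("=")
            lines.append(f'    parameter "{key}" "{value}";')
        elif name in TERMINATORS:        # where the transformed data is placed
            operand = f' "{arg}"' if arg is not None else ""
            lines.append(f"        {keyword}{operand};")
            lines.append("    }")
            in_build = False
        elif arg is not None:            # append / prepend
            lines.append(f'        {keyword} "{arg}";')
        else:                            # base64, base64url, netbios, ...
            lines.append(f"        {keyword};")
    if in_build:
        lines.append("    }")
    return "\n".join(lines)


def _tlv(der, pos):
    """Minimal DER TLV reader: returns (tag, value_start, value_end)."""
    tag, n = der[pos], der[pos + 1]
    pos += 2
    if n & 0x80:                         # long-form length
        k = n & 0x7F
        n = int.from_bytes(der[pos:pos + k], "big")
        pos += k
    return tag, pos, pos + n


def rsa_public_key(spki_b64):
    """Return (modulus bit length, public exponent) from the SubjectPublicKeyInfo
    stored in the state_machine field."""
    der = base64.b64decode(spki_b64)
    _, p, _ = _tlv(der, 0)               # SubjectPublicKeyInfo SEQUENCE
    _, _, p = _tlv(der, p)               # AlgorithmIdentifier (rsaEncryption), skipped
    _, p, _ = _tlv(der, p)               # BIT STRING wrapping RSAPublicKey
    p += 1                               # unused-bits octet
    _, p, _ = _tlv(der, p)               # RSAPublicKey SEQUENCE
    _, ms, me = _tlv(der, p)             # INTEGER modulus
    _, es, ee = _tlv(der, me)            # INTEGER publicExponent
    n = int.from_bytes(der[ms:me], "big")
    e = int.from_bytes(der[es:ee], "big")
    return n.bit_length(), e


if __name__ == "__main__":
    print("http-get {\n" + to_profile("http-get", decode_transform(HTTP_GET_B64)) + "\n}")
    print("http-post {\n" + to_profile("http-post", decode_transform(HTTP_POST_B64)) + "\n}")
    print("RSA key: %d bits, e=%d" % rsa_public_key(STATE_MACHINE_B64))
```

The rendered http-get block is the Accept/Host headers, then metadata base64-encoded, wrapped in session-token=/skin=noskin;/csm-hit= cookie fragments and sent in a Cookie header; the http-post block carries the session id in the sn parameter and the base64 output in the body. Together with the uri and user_agent values above, that is the stock amazon.profile from the public Malleable C2 profile collection rather than a custom profile, which is itself a useful fingerprint; a watermark of 0 is what leaked or cracked kits commonly carry. The key is 1024-bit RSA with e=65537, the usual beacon key parameters, and is the value to pivot on when hunting for other beacons from the same team server.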
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
resource  yara_rule
behavioral2/files/0x00090000000234c0-4.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234cc-9.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234cb-20.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234cf-29.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d1-40.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d4-60.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d6-72.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d7-79.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d8-90.dat  cobalt_reflective_dll
behavioral2/files/0x000a0000000234c6-101.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234da-109.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234dc-115.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-118.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234db-113.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d9-92.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d5-83.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d3-74.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d2-69.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-52.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d0-51.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234cd-34.dat  cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

XMRig Miner payload (45 IoCs)
resource  yara_rule
behavioral2/memory/4964-125-0x00007FF690980000-0x00007FF690CD1000-memory.dmp  xmrig
behavioral2/memory/2392-127-0x00007FF79BA80000-0x00007FF79BDD1000-memory.dmp  xmrig
behavioral2/memory/4612-126-0x00007FF634860000-0x00007FF634BB1000-memory.dmp  xmrig
behavioral2/memory/1340-124-0x00007FF71CE20000-0x00007FF71D171000-memory.dmp  xmrig
behavioral2/memory/1432-121-0x00007FF6FD100000-0x00007FF6FD451000-memory.dmp  xmrig
behavioral2/memory/2344-117-0x00007FF62DBC0000-0x00007FF62DF11000-memory.dmp  xmrig
behavioral2/memory/1932-112-0x00007FF7D79E0000-0x00007FF7D7D31000-memory.dmp  xmrig
behavioral2/memory/3468-111-0x00007FF741890000-0x00007FF741BE1000-memory.dmp  xmrig
behavioral2/memory/2916-107-0x00007FF790C70000-0x00007FF790FC1000-memory.dmp  xmrig
behavioral2/memory/5072-128-0x00007FF650780000-0x00007FF650AD1000-memory.dmp  xmrig
behavioral2/memory/5072-129-0x00007FF650780000-0x00007FF650AD1000-memory.dmp  xmrig
behavioral2/memory/4556-131-0x00007FF7FD0B0000-0x00007FF7FD401000-memory.dmp  xmrig
behavioral2/memory/4112-130-0x00007FF7F3FB0000-0x00007FF7F4301000-memory.dmp  xmrig
behavioral2/memory/184-143-0x00007FF6EA000000-0x00007FF6EA351000-memory.dmp  xmrig
behavioral2/memory/2912-141-0x00007FF696A30000-0x00007FF696D81000-memory.dmp  xmrig
behavioral2/memory/4476-140-0x00007FF7B89F0000-0x00007FF7B8D41000-memory.dmp  xmrig
behavioral2/memory/2676-149-0x00007FF77E160000-0x00007FF77E4B1000-memory.dmp  xmrig
behavioral2/memory/4756-138-0x00007FF675370000-0x00007FF6756C1000-memory.dmp  xmrig
behavioral2/memory/320-136-0x00007FF72E0B0000-0x00007FF72E401000-memory.dmp  xmrig
behavioral2/memory/2464-139-0x00007FF74BEC0000-0x00007FF74C211000-memory.dmp  xmrig
behavioral2/memory/3696-137-0x00007FF79B330000-0x00007FF79B681000-memory.dmp  xmrig
behavioral2/memory/1916-135-0x00007FF7CAFC0000-0x00007FF7CB311000-memory.dmp  xmrig
behavioral2/memory/3940-134-0x00007FF628FB0000-0x00007FF629301000-memory.dmp  xmrig
behavioral2/memory/5072-153-0x00007FF650780000-0x00007FF650AD1000-memory.dmp  xmrig
behavioral2/memory/4112-209-0x00007FF7F3FB0000-0x00007FF7F4301000-memory.dmp  xmrig
behavioral2/memory/4556-211-0x00007FF7FD0B0000-0x00007FF7FD401000-memory.dmp  xmrig
behavioral2/memory/3940-213-0x00007FF628FB0000-0x00007FF629301000-memory.dmp  xmrig
behavioral2/memory/1916-215-0x00007FF7CAFC0000-0x00007FF7CB311000-memory.dmp  xmrig
behavioral2/memory/3696-228-0x00007FF79B330000-0x00007FF79B681000-memory.dmp  xmrig
behavioral2/memory/2916-236-0x00007FF790C70000-0x00007FF790FC1000-memory.dmp  xmrig
behavioral2/memory/2464-235-0x00007FF74BEC0000-0x00007FF74C211000-memory.dmp  xmrig
behavioral2/memory/4476-238-0x00007FF7B89F0000-0x00007FF7B8D41000-memory.dmp  xmrig
behavioral2/memory/320-233-0x00007FF72E0B0000-0x00007FF72E401000-memory.dmp  xmrig
behavioral2/memory/4756-231-0x00007FF675370000-0x00007FF6756C1000-memory.dmp  xmrig
behavioral2/memory/2912-251-0x00007FF696A30000-0x00007FF696D81000-memory.dmp  xmrig
behavioral2/memory/2344-252-0x00007FF62DBC0000-0x00007FF62DF11000-memory.dmp  xmrig
behavioral2/memory/1432-256-0x00007FF6FD100000-0x00007FF6FD451000-memory.dmp  xmrig
behavioral2/memory/1340-254-0x00007FF71CE20000-0x00007FF71D171000-memory.dmp  xmrig
behavioral2/memory/2392-258-0x00007FF79BA80000-0x00007FF79BDD1000-memory.dmp  xmrig
behavioral2/memory/4964-247-0x00007FF690980000-0x00007FF690CD1000-memory.dmp  xmrig
behavioral2/memory/3468-242-0x00007FF741890000-0x00007FF741BE1000-memory.dmp  xmrig
behavioral2/memory/1932-241-0x00007FF7D79E0000-0x00007FF7D7D31000-memory.dmp  xmrig
behavioral2/memory/184-249-0x00007FF6EA000000-0x00007FF6EA351000-memory.dmp  xmrig
behavioral2/memory/4612-245-0x00007FF634860000-0x00007FF634BB1000-memory.dmp  xmrig
behavioral2/memory/2676-260-0x00007FF77E160000-0x00007FF77E4B1000-memory.dmp  xmrig

Executes dropped EXE (21 IoCs)
pid  Process
4112  syGzeJX.exe
4556  cyQJUgl.exe
3940  PTTVOXo.exe
1916  PkoPHWu.exe
3696  VcAJkRz.exe
4756  jjXCTXi.exe
320  voROaav.exe
2464  GmevZhw.exe
4476  TZucjTU.exe
2912  nCmMzXw.exe
2916  vEYtLWr.exe
184  myCPWkZ.exe
4964  NUtHBNQ.exe
4612  BMtVVOj.exe
3468  jZfQyus.exe
1932  kqLKiMk.exe
2344  LonmFaS.exe
2676  FFIYHLw.exe
1432  onWtCAC.exe
1340  fSiLWIC.exe
2392  HXqaKKt.exe

UPX packed file (64 IoCs)
resource  yara_rule
behavioral2/memory/5072-0-0x00007FF650780000-0x00007FF650AD1000-memory.dmp  upx
behavioral2/files/0x00090000000234c0-4.dat  upx
behavioral2/files/0x00070000000234cc-9.dat  upx
behavioral2/memory/4112-10-0x00007FF7F3FB0000-0x00007FF7F4301000-memory.dmp  upx
behavioral2/files/0x00070000000234cb-20.dat  upx
behavioral2/files/0x00070000000234cf-29.dat  upx
behavioral2/files/0x00070000000234d1-40.dat  upx
behavioral2/files/0x00070000000234d4-60.dat  upx
behavioral2/files/0x00070000000234d6-72.dat  upx
behavioral2/files/0x00070000000234d7-79.dat  upx
behavioral2/files/0x00070000000234d8-90.dat  upx
behavioral2/files/0x000a0000000234c6-101.dat  upx
behavioral2/files/0x00070000000234da-109.dat  upx
behavioral2/files/0x00070000000234dc-115.dat  upx
behavioral2/memory/4964-125-0x00007FF690980000-0x00007FF690CD1000-memory.dmp  upx
behavioral2/memory/2392-127-0x00007FF79BA80000-0x00007FF79BDD1000-memory.dmp  upx
behavioral2/memory/4612-126-0x00007FF634860000-0x00007FF634BB1000-memory.dmp  upx
behavioral2/memory/1340-124-0x00007FF71CE20000-0x00007FF71D171000-memory.dmp  upx
behavioral2/memory/1432-121-0x00007FF6FD100000-0x00007FF6FD451000-memory.dmp  upx
behavioral2/memory/2676-120-0x00007FF77E160000-0x00007FF77E4B1000-memory.dmp  upx
behavioral2/files/0x00070000000234dd-118.dat  upx
behavioral2/memory/2344-117-0x00007FF62DBC0000-0x00007FF62DF11000-memory.dmp  upx
behavioral2/files/0x00070000000234db-113.dat  upx
behavioral2/memory/1932-112-0x00007FF7D79E0000-0x00007FF7D7D31000-memory.dmp  upx
behavioral2/memory/3468-111-0x00007FF741890000-0x00007FF741BE1000-memory.dmp  upx
behavioral2/memory/2916-107-0x00007FF790C70000-0x00007FF790FC1000-memory.dmp  upx
behavioral2/files/0x00070000000234d9-92.dat  upx
behavioral2/files/0x00070000000234d5-83.dat  upx
behavioral2/memory/2912-77-0x00007FF696A30000-0x00007FF696D81000-memory.dmp  upx
behavioral2/files/0x00070000000234d3-74.dat  upx
behavioral2/files/0x00070000000234d2-69.dat  upx
behavioral2/memory/184-68-0x00007FF6EA000000-0x00007FF6EA351000-memory.dmp  upx
behavioral2/memory/4476-57-0x00007FF7B89F0000-0x00007FF7B8D41000-memory.dmp  upx
behavioral2/memory/4756-55-0x00007FF675370000-0x00007FF6756C1000-memory.dmp  upx
behavioral2/files/0x00070000000234ce-52.dat  upx
behavioral2/files/0x00070000000234d0-51.dat  upx
behavioral2/memory/2464-48-0x00007FF74BEC0000-0x00007FF74C211000-memory.dmp  upx
behavioral2/memory/320-41-0x00007FF72E0B0000-0x00007FF72E401000-memory.dmp  upx
behavioral2/memory/3696-35-0x00007FF79B330000-0x00007FF79B681000-memory.dmp  upx
behavioral2/files/0x00070000000234cd-34.dat  upx
behavioral2/memory/1916-31-0x00007FF7CAFC0000-0x00007FF7CB311000-memory.dmp  upx
behavioral2/memory/3940-25-0x00007FF628FB0000-0x00007FF629301000-memory.dmp  upx
behavioral2/memory/4556-24-0x00007FF7FD0B0000-0x00007FF7FD401000-memory.dmp  upx
behavioral2/memory/5072-128-0x00007FF650780000-0x00007FF650AD1000-memory.dmp  upx
behavioral2/memory/5072-129-0x00007FF650780000-0x00007FF650AD1000-memory.dmp  upx
behavioral2/memory/4556-131-0x00007FF7FD0B0000-0x00007FF7FD401000-memory.dmp  upx
behavioral2/memory/4112-130-0x00007FF7F3FB0000-0x00007FF7F4301000-memory.dmp  upx
behavioral2/memory/184-143-0x00007FF6EA000000-0x00007FF6EA351000-memory.dmp  upx
behavioral2/memory/2912-141-0x00007FF696A30000-0x00007FF696D81000-memory.dmp  upx
behavioral2/memory/4476-140-0x00007FF7B89F0000-0x00007FF7B8D41000-memory.dmp  upx
behavioral2/memory/2676-149-0x00007FF77E160000-0x00007FF77E4B1000-memory.dmp  upx
behavioral2/memory/4756-138-0x00007FF675370000-0x00007FF6756C1000-memory.dmp  upx
behavioral2/memory/320-136-0x00007FF72E0B0000-0x00007FF72E401000-memory.dmp  upx
behavioral2/memory/2464-139-0x00007FF74BEC0000-0x00007FF74C211000-memory.dmp  upx
behavioral2/memory/3696-137-0x00007FF79B330000-0x00007FF79B681000-memory.dmp  upx
behavioral2/memory/1916-135-0x00007FF7CAFC0000-0x00007FF7CB311000-memory.dmp  upx
behavioral2/memory/3940-134-0x00007FF628FB0000-0x00007FF629301000-memory.dmp  upx
behavioral2/memory/5072-153-0x00007FF650780000-0x00007FF650AD1000-memory.dmp  upx
behavioral2/memory/4112-209-0x00007FF7F3FB0000-0x00007FF7F4301000-memory.dmp  upx
behavioral2/memory/4556-211-0x00007FF7FD0B0000-0x00007FF7FD401000-memory.dmp  upx
behavioral2/memory/3940-213-0x00007FF628FB0000-0x00007FF629301000-memory.dmp  upx
behavioral2/memory/1916-215-0x00007FF7CAFC0000-0x00007FF7CB311000-memory.dmp  upx
behavioral2/memory/3696-228-0x00007FF79B330000-0x00007FF79B681000-memory.dmp  upx
behavioral2/memory/2916-236-0x00007FF790C70000-0x00007FF790FC1000-memory.dmp  upx

Drops file in Windows directory (21 IoCs)
description  ioc  Process
Every row has description "File created" and Process e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe (the submitted sample, PID 5072).
File created  C:\Windows\System\cyQJUgl.exe
File created  C:\Windows\System\PTTVOXo.exe
File created  C:\Windows\System\vEYtLWr.exe
File created  C:\Windows\System\myCPWkZ.exe
File created  C:\Windows\System\fSiLWIC.exe
File created  C:\Windows\System\HXqaKKt.exe
File created  C:\Windows\System\PkoPHWu.exe
File created  C:\Windows\System\VcAJkRz.exe
File created  C:\Windows\System\jjXCTXi.exe
File created  C:\Windows\System\kqLKiMk.exe
File created  C:\Windows\System\LonmFaS.exe
File created  C:\Windows\System\FFIYHLw.exe
File created  C:\Windows\System\voROaav.exe
File created  C:\Windows\System\TZucjTU.exe
File created  C:\Windows\System\nCmMzXw.exe
File created  C:\Windows\System\NUtHBNQ.exe
File created  C:\Windows\System\onWtCAC.exe
File created  C:\Windows\System\syGzeJX.exe
File created  C:\Windows\System\GmevZhw.exe
File created  C:\Windows\System\BMtVVOj.exe
File created  C:\Windows\System\jZfQyus.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeLockMemoryPrivilege  5072  e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe
Token: SeLockMemoryPrivilege  5072  e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe

Suspicious use of WriteProcessMemory (42 IoCs)
description  pid  Process  procid_target
Every row has pid 5072 and Process e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe; each write is recorded twice.
PID 5072 wrote to memory of 4112  procid_target 85
PID 5072 wrote to memory of 4112  procid_target 85
PID 5072 wrote to memory of 4556  procid_target 86
PID 5072 wrote to memory of 4556  procid_target 86
PID 5072 wrote to memory of 3940  procid_target 87
PID 5072 wrote to memory of 3940  procid_target 87
PID 5072 wrote to memory of 1916  procid_target 88
PID 5072 wrote to memory of 1916  procid_target 88
PID 5072 wrote to memory of 320  procid_target 89
PID 5072 wrote to memory of 320  procid_target 89
PID 5072 wrote to memory of 3696  procid_target 90
PID 5072 wrote to memory of 3696  procid_target 90
PID 5072 wrote to memory of 4756  procid_target 91
PID 5072 wrote to memory of 4756  procid_target 91
PID 5072 wrote to memory of 2464  procid_target 92
PID 5072 wrote to memory of 2464  procid_target 92
PID 5072 wrote to memory of 4476  procid_target 93
PID 5072 wrote to memory of 4476  procid_target 93
PID 5072 wrote to memory of 2912  procid_target 94
PID 5072 wrote to memory of 2912  procid_target 94
PID 5072 wrote to memory of 2916  procid_target 95
PID 5072 wrote to memory of 2916  procid_target 95
PID 5072 wrote to memory of 184  procid_target 96
PID 5072 wrote to memory of 184  procid_target 96
PID 5072 wrote to memory of 4964  procid_target 97
PID 5072 wrote to memory of 4964  procid_target 97
PID 5072 wrote to memory of 4612  procid_target 98
PID 5072 wrote to memory of 4612  procid_target 98
PID 5072 wrote to memory of 3468  procid_target 99
PID 5072 wrote to memory of 3468  procid_target 99
PID 5072 wrote to memory of 1932  procid_target 100
PID 5072 wrote to memory of 1932  procid_target 100
PID 5072 wrote to memory of 2344  procid_target 101
PID 5072 wrote to memory of 2344  procid_target 101
PID 5072 wrote to memory of 2676  procid_target 102
PID 5072 wrote to memory of 2676  procid_target 102
PID 5072 wrote to memory of 1432  procid_target 103
PID 5072 wrote to memory of 1432  procid_target 103
PID 5072 wrote to memory of 1340  procid_target 104
PID 5072 wrote to memory of 1340  procid_target 104
PID 5072 wrote to memory of 2392  procid_target 105
PID 5072 wrote to memory of 2392  procid_target 105
Processes
C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe  (PID 5072)
  command line: "C:\Users\Admin\AppData\Local\Temp\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System\syGzeJX.exe  (PID 4112)
      command line: C:\Windows\System\syGzeJX.exe
      - Executes dropped EXE
    C:\Windows\System\cyQJUgl.exe  (PID 4556)
      command line: C:\Windows\System\cyQJUgl.exe
      - Executes dropped EXE
    C:\Windows\System\PTTVOXo.exe  (PID 3940)
      command line: C:\Windows\System\PTTVOXo.exe
      - Executes dropped EXE
    C:\Windows\System\PkoPHWu.exe  (PID 1916)
      command line: C:\Windows\System\PkoPHWu.exe
      - Executes dropped EXE
    C:\Windows\System\voROaav.exe  (PID 320)
      command line: C:\Windows\System\voROaav.exe
      - Executes dropped EXE
    C:\Windows\System\VcAJkRz.exe  (PID 3696)
      command line: C:\Windows\System\VcAJkRz.exe
      - Executes dropped EXE
    C:\Windows\System\jjXCTXi.exe  (PID 4756)
      command line: C:\Windows\System\jjXCTXi.exe
      - Executes dropped EXE
    C:\Windows\System\GmevZhw.exe  (PID 2464)
      command line: C:\Windows\System\GmevZhw.exe
      - Executes dropped EXE
    C:\Windows\System\TZucjTU.exe  (PID 4476)
      command line: C:\Windows\System\TZucjTU.exe
      - Executes dropped EXE
    C:\Windows\System\nCmMzXw.exe  (PID 2912)
      command line: C:\Windows\System\nCmMzXw.exe
      - Executes dropped EXE
    C:\Windows\System\vEYtLWr.exe  (PID 2916)
      command line: C:\Windows\System\vEYtLWr.exe
      - Executes dropped EXE
    C:\Windows\System\myCPWkZ.exe  (PID 184)
      command line: C:\Windows\System\myCPWkZ.exe
      - Executes dropped EXE
    C:\Windows\System\NUtHBNQ.exe  (PID 4964)
      command line: C:\Windows\System\NUtHBNQ.exe
      - Executes dropped EXE
    C:\Windows\System\BMtVVOj.exe  (PID 4612)
      command line: C:\Windows\System\BMtVVOj.exe
      - Executes dropped EXE
    C:\Windows\System\jZfQyus.exe  (PID 3468)
      command line: C:\Windows\System\jZfQyus.exe
      - Executes dropped EXE
    C:\Windows\System\kqLKiMk.exe  (PID 1932)
      command line: C:\Windows\System\kqLKiMk.exe
      - Executes dropped EXE
    C:\Windows\System\LonmFaS.exe  (PID 2344)
      command line: C:\Windows\System\LonmFaS.exe
      - Executes dropped EXE
    C:\Windows\System\FFIYHLw.exe  (PID 2676)
      command line: C:\Windows\System\FFIYHLw.exe
      - Executes dropped EXE
    C:\Windows\System\onWtCAC.exe  (PID 1432)
      command line: C:\Windows\System\onWtCAC.exe
      - Executes dropped EXE
    C:\Windows\System\fSiLWIC.exe  (PID 1340)
      command line: C:\Windows\System\fSiLWIC.exe
      - Executes dropped EXE
    C:\Windows\System\HXqaKKt.exe  (PID 2392)
      command line: C:\Windows\System\HXqaKKt.exe
      - Executes dropped EXE
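The tree above shows the pattern the individual signatures flag piecemeal: one parent writes 21 executables into C:\Windows\System\, starts each of them, and enables SeLockMemoryPrivilege (the "Lock pages in memory" right XMRig needs for large-page memory on Windows). A detection keyed on the parent, rather than on each child, catches this without knowing the random file names. The following is an added example, not code from the report or from tria.ge: the event stream is constructed to mirror the process tree and signature tables on this page, the record shapes are assumed (Sysmon-style FileCreate and ProcessCreate records plus a privilege-adjustment record), and explorer.exe starting notepad.exe is a constructed benign control.

```python
"""Drop-and-execute fan-out detection over constructed process events
(added example; not part of the tria.ge report)."""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1.exe")

# (pid, name) pairs taken from the "Executes dropped EXE" signature above.
CHILDREN = [
    (4112, "syGzeJX"), (4556, "cyQJUgl"), (3940, "PTTVOXo"), (1916, "PkoPHWu"),
    (3696, "VcAJkRz"), (4756, "jjXCTXi"), (320, "voROaav"), (2464, "GmevZhw"),
    (4476, "TZucjTU"), (2912, "nCmMzXw"), (2916, "vEYtLWr"), (184, "myCPWkZ"),
    (4964, "NUtHBNQ"), (4612, "BMtVVOj"), (3468, "jZfQyus"), (1932, "kqLKiMk"),
    (2344, "LonmFaS"), (2676, "FFIYHLw"), (1432, "onWtCAC"), (1340, "fSiLWIC"),
    (2392, "HXqaKKt"),
]

# New executables directly in C:\Windows\System\ (the legacy directory, not
# System32) are rare enough to key the rule on the path alone; the seven-letter
# mixed-case names are a secondary hint, not a requirement.
WINDOWS_SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\[^\\]+\.exe$", re.IGNORECASE)


def build_events():
    """Constructed event stream mirroring the report (field names are assumed)."""
    events = [{"type": "privilege_adjust", "pid": 5072, "image": SAMPLE,
               "privilege": "SeLockMemoryPrivilege"}]
    for pid, name in CHILDREN:
        path = rf"C:\Windows\System\{name}.exe"
        events.append({"type": "file_create", "pid": 5072, "image": SAMPLE, "target": path})
        events.append({"type": "process_create", "pid": pid, "ppid": 5072,
                       "image": path, "parent_image": SAMPLE})
    # Benign control: a normal parent starting a single stock binary.
    events.append({"type": "process_create", "pid": 7000, "ppid": 1234,
                   "image": r"C:\Windows\System32\notepad.exe",
                   "parent_image": r"C:\Windows\explorer.exe"})
    return events


def drop_and_execute_fanout(events, threshold=5):
    """Return {parent_pid: [child images]} for parents that both created and
    then started at least `threshold` distinct executables under
    C:\\Windows\\System\\.  Requiring create-then-execute by the same parent
    keeps an installer that only writes files, or a service that only starts
    existing ones, out of the result."""
    created = defaultdict(set)     # parent pid -> executables it wrote there
    executed = defaultdict(list)   # parent pid -> those it then started
    for ev in events:
        if ev["type"] == "file_create" and WINDOWS_SYSTEM_EXE.match(ev["target"]):
            created[ev["pid"]].add(ev["target"].lower())
        elif ev["type"] == "process_create" and ev["image"].lower() in created[ev["ppid"]]:
            executed[ev["ppid"]].append(ev["image"])
    return {ppid: imgs for ppid, imgs in executed.items()
            if len({i.lower() for i in imgs}) >= threshold}


def lock_memory_privilege_users(events, allowlist=()):
    """(pid, image) for every process enabling SeLockMemoryPrivilege whose image
    is not on the allowlist (database engines legitimately use large pages)."""
    allowed = {a.lower() for a in allowlist}
    return [(ev["pid"], ev["image"]) for ev in events
            if ev["type"] == "privilege_adjust"
            and ev["privilege"] == "SeLockMemoryPrivilege"
            and ev["image"].lower() not in allowed]


if __name__ == "__main__":
    evs = build_events()
    for ppid, imgs in drop_and_execute_fanout(evs).items():
        print(f"parent {ppid}: dropped and executed {len(imgs)} binaries, e.g. {imgs[0]}")
    for pid, image in lock_memory_privilege_users(evs):
        print(f"pid {pid} enabled SeLockMemoryPrivilege: {image}")
```

Run stand-alone it reports PID 5072 with all 21 children and the SeLockMemoryPrivilege use, and stays silent for the explorer.exe control. The threshold of five is a starting point: the WriteProcessMemory rows above are the parent touching each child at creation, so a real pipeline would also see 21 distinct targets from one writer, which is an equivalent signal if file-create telemetry is unavailable.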
Downloads

Filesize: 5.2MB
MD5: 4b211459992ab69688558f1cf3857ce5
SHA1: c977e5f547e087716d1730b0b7b9e98dac17cb3d
SHA256: 55cbac2cef77a5dbb273d84ab8034491cc9c728f5efe29a0cc2bb077f0516e1f
SHA512: 1827a027eb0b154d0302c621fde0806ea5a1035297a644e3feedb58eb0a072c6a5a023ea721e111b3cea2cc0b500d371b32a469a53fc978ad20cfc6f93ce093c

Filesize: 5.2MB
MD5: fe3b7f12b0aef90d675b57bdbeb4d501
SHA1: f6806d66a380b4124d5e23a24e1a81a254d40f3d
SHA256: c5a53f9113e50cbcb08fb69db66f0993c93e1440f2baaa2254aaf4456650fafa
SHA512: 8759345c812646644f160b3c3b0e4cfff01cb998a5efd4473968fa6e777f92978e5e443d37d1632324989bcc1b571f101bcd30f3477b363c68b04f1b4032f25c

Filesize: 5.2MB
MD5: bfaebe19879cd49e595d3b53d68e0064
SHA1: aa720f5106590802ac297aeca7a3aaa7215c077b
SHA256: cb76bc14b15941b8f6d044b4ceb0f97cf9c1f85354dfb210cba763f5085b2b9d
SHA512: 2e43e0daf491c81413bd5e04a0f7cf1dc8ec88ec2f90058b67e39e382ff96e3dbf8441fefa49a2becbc1f8e6874f892a335f807e1723015358bf9cb887686987

Filesize: 5.2MB
MD5: 54a61ddb5df63404226a4a6848eb92e1
SHA1: 85610db14d86e6cade7e78b4c985560e09bbf251
SHA256: b7781a5d2db922da9d03fa98133190d6929640bc497175803a00a22ab4ec927f
SHA512: 60ba2b301277d3afe313da31b31a30fe143377f948345a941396756438e2360a3f2b612b26b11a082cb791de829e7f1ec679591c1280c2405d371a8471689473

Filesize: 5.2MB
MD5: 787dba466af6da8d01d36c35607be92f
SHA1: 33494afecc642002eabbc0f424111b2c2656c726
SHA256: a2c52d820bd2ec0404bc4e8c9f6236e01f475f8b20f037a5e0b29297eea104f0
SHA512: 3e38d2a116c1f86877561d80f98c3917684193c50aa509306195af10b69044c63a6d05f98533f0852f5772212c3b38a3db8a4efb850894447ebc29ee8b7d39f9

Filesize: 5.2MB
MD5: d2875043b32e7b011ebeec2c373d59ce
SHA1: e492a48f9e4ba76639dd3955693056004b7e9619
SHA256: 8159f17f4e2999477f43ad5ac795be2539f1133063f5eb81fb5a0faf685ad3f7
SHA512: 9b9a193d58e5359eabd1e8ccccd769afa909b37d27a5798477d728ae0485f4635c9f026e90408b81a431d5884b156acc41e07140ff0f9dac0e83d108d3601d11

Filesize: 5.2MB
MD5: 0c952a955f80f81da2c54e8eb4cec37a
SHA1: f65706554411135c3a2f04d535fb16e65f8d449d
SHA256: 8c5d864fbf08460f45698d1ca01c98df2a0e475455bf04db5cb73b83006f07be
SHA512: a3022e2935941bbd7458084b94e3881c0104071f13826dd464ddf4b34468934bbe92a74621d5d4c140ddf3ab373ab322b4fc3f42baabaf149406948a34a00902

Filesize: 5.2MB
MD5: 24890541ae2a9fd034e3355d029d2081
SHA1: d05bc30c2c7c28d5283b8a77aaf7d174e8baa1d7
SHA256: e84bbb94b9bb99089a9521adee8dd75bee58a71d21f21197422ae6a0f7f83ab7
SHA512: 6023969a33d0a3bf24766d3c31541b27c0ba12e61e8ad593b9027264e40092011e2cac6e7621f2b1e85b5ae4f7beb2209333817268f528956c57a3c8e77df1c8

Filesize: 5.2MB
MD5: 9be6b54bc207c56abc68f4132b781756
SHA1: d4a6f24b9dc2f3303acbc36c870d8ce0111805db
SHA256: 173c79a4be2d3271f6264dbe396c552c41a11fe14a792bca63d8789221ffcffa
SHA512: 20987397a6d861ecc3003ba42c92587021ba8433ffe84f69d6fb03ac34df418b97dc6172569633fc37617097bb6a587dc1f1d6b149dbdf772404141edb2733e0

Filesize: 5.2MB
MD5: 4253c58ec62da2cdf8ac3afab89be42b
SHA1: fe9757268590a6718afdc3cde1b7d84942716fc2
SHA256: 3e8e8856f3708200bb8c0113a8336578fdff64b98828f7d288a97f3d10111d91
SHA512: b811db860dda6a9621ecbc21c8668373d9a971595ec3444f66f58044647cd6530b7b5603e55703c17e392a28891a9cfc1ae451b5897a2253404f69254768360e

Filesize: 5.2MB
MD5: 2bb2f3143a6af41659e8fed8be77b1a9
SHA1: 08a407ed1f8e22b792779eace13b13444d9da098
SHA256: 7a2f8b0fc287f8d3b6dde5694a2c5a0c69775f1063d23bea0f14f6c0a8158c41
SHA512: 693b74d7086e9bb28d6c7f9061a8351abae76bb86844802adfb5b833814350b6c9803d7d2724ebc513630435369de96cb5f0184931f9e3a5bc8df2f912029e9f

Filesize: 5.2MB
MD5: b2871d1432db2027f51b7305eb8eba30
SHA1: d9561a0c9bc37d7458660107ecc87b0063f3c74d
SHA256: 37d18f692fc5f911d9c6b56a4125f848c63e78abd848d1267d00a2553784bd50
SHA512: 75ebe87e914bb9bb2f160cd68f963c566ab6377241c288e20323b31b3ace095d530c2444909890763fe19ae9f50515c0975421f02b9244a631f619b303b781f4

Filesize: 5.2MB
MD5: 8007febfc9b4af57ea4ef33644a9a880
SHA1: 4da87b6827d209c1d0480c577b5f902961e2a8d4
SHA256: 483976cf592d4b6db8c12d08057e3dd40ccf93932721dc01f755482944fb5ef2
SHA512: 864a79b0a0f523bb883a90750e1f692e2a1b5c171e5d225f3bf81d069539181b732d89015ebab28685b449d586806302fc442323586047e0b96812d5d04663c9

Filesize: 5.2MB
MD5: 0579e8e3db7a68b72c34063d24d6365b
SHA1: 93d3d1f4f8b237c51808f7f834dedfbd597a6294
SHA256: 498db4d5f07a247da4956b5b3ccf1f32484e0409c96e4a9c3b743ade185f6a41
SHA512: fb940755b7fe8ecf97b74a3a637702d0c0d951fbe7df688076b8af2255d3eb9bb4e3a723554b7367eee803ee275e5e13d7a71a58718d026327a519f92102473d

Filesize: 5.2MB
MD5: 3ad61adcfb43d0bc91f3fd6209a1e5d6
SHA1: 01ec34769c5d62f2f04c556290c7ff7618274b0f
SHA256: 8abe6c31df0f8fa60018d4fde8fa857354c570f785ab9ae0ddd8d59f42a1dab4
SHA512: 37a5ac79490371dc4c916153b1c641af6e74b0ab0fb952aea5265a60e2243df62d91d072d88d9f82dfa1866d15e9a2cc69e3b17638734e07dffd1d56a5f22909

Filesize: 5.2MB
MD5: 5322e71ef83de1999aa6a485e686778b
SHA1: f22bf425383d49d3b108ed831976eba3065bc13e
SHA256: f5b4bc13fe0a54d8574efefeb69dac0456182d9e12e077af99f189ab5390a1be
SHA512: 8889895ceb64328033a5e56f5917888a3623e096b84d362a5da934103765b07cfb0ccee782ead8cd4eb10de26a92cb57b25be77d83ddd86800fb62f52c76ad29

Filesize: 5.2MB
MD5: cf3033f0935d4fc5d226546a2e3a4293
SHA1: 6d6576f67662e5609ffbf30afaa581e3803912cd
SHA256: 2a040b6b0c1f8e9e548e5192e7eb2c909fa184580cde18b16991a59ad7c2a78d
SHA512: af46448d94c0867235a750d7b464830554f0e9455a0973cfdf080f04bfc1cf55d00e247609e6f1f695462b8fab71dfaa9047a923e4c47d95dc050c2824b8e114

Filesize: 5.2MB
MD5: 2538eca90d2699e0d7d901d0ca090cbf
SHA1: 90006b7fd625b73b5952ca77aa30bda444c937c6
SHA256: 0db0c60f79b8f256382b561a5c330de225d31f05505e4d9b76ee3189b7d8e753
SHA512: 17709c746cd8362d1597e46f18f951ef6dddf8d0eb85f3b39d1f81c973c24eef19e3ae9579fdc6bbdbc55c25cce8d033079e757f8ec6b9d0095b9c553350036b

Filesize: 5.2MB
MD5: d05e332c616ba3749f913d1e908df4e4
SHA1: c97f23d64fd9e897a97222cf998ec0706c151c74
SHA256: 86b8aed94b72a645b79193a4e0178e1a3e58cfaa4e73253313e9a1c0388f3711
SHA512: 70f4a47ce1fc8e7ca10c18be9c83b1e3442f26cdb1570397d8aadaa94e9922841e255022f2dac56970ebd9e11554f912b3fd4c9b2569358068bf6977344cb744

Filesize: 5.2MB
MD5: 72362f2e4570f8958083847b6018a7c1
SHA1: a858206575461a5a7e05f612402029a02e2325f5
SHA256: 58d6af6706a939dabd0b94398121459a40f1b6dbbf2c36c14d3538142d1bc643
SHA512: 8a2098e57701fc10949d1ab6ceb3c694364e4978e1cb908480a9a0b04311e27ab8c8f4dc5b73643a3fdfb884ca4909867ca041fe7f6581af4b5af828b83c7035

Filesize: 5.2MB
MD5: fce1cd158471c04438eb1998e1f723d6
SHA1: 36d44a4680745fc92f2ea4282593a9afcf7b21be
SHA256: 78e167936ffb2d2c18afb9431881dc3cb802f9a5d25575579ec7107af655fbf9
SHA512: cf098685c9a0f88d2852a087ad700f600bb2f581c1edcf5f551257450100b7d552087fe7762a204534bfdaf64f957c8125148ba6eb1ff5983d45ca98490dd124