Analysis
max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-09-2024 23:42

Behavioral task: behavioral1
Sample: 25082005ab0826ca73b9d6f25848c59c.exe
Resource: win7-20240903-en
General
Target: 25082005ab0826ca73b9d6f25848c59c.exe
Size: 5.9MB
MD5: 25082005ab0826ca73b9d6f25848c59c
SHA1: 6f3a706fa2b5d0f1ef92c0983bf55d1bf858a87f
SHA256: 2c7fce881db51f926faf0c75548799b33a779fc2b53619af019a853f953a86a4
SHA512: def5537dd2819757258d9c30e76eb88ae49c7088b6934502713c63cef01d05ca30f5dd5f33cfae10bd50d61f9b44b34145ab99b71bdd26b0e3dec4b631c0ad52
SSDEEP: 98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUb:T+856utgpPF8u/7b
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures

Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

XMRig Miner payload 64 IoCs

Executes dropped EXE 21 IoCs
pid   Process
396   oBVPisz.exe
2516  UAmNpvh.exe
3536  xgKhsuH.exe
2520  pSvPKQk.exe
440   ZkIdTXz.exe
4772  WpevRII.exe
3436  OtSwqVw.exe
2556  noHvaGV.exe
700   mkfqxNd.exe
212   JocZGnT.exe
4228  awUbBQf.exe
4664  rzyFJUt.exe
2920  uUOLPGf.exe
740   jSPkAjG.exe
4232  alOHYjg.exe
3972  flzNFjn.exe
3200  gGWqYrr.exe
1640  SesEaCr.exe
4788  OFTXeeY.exe
2096  TImtMYD.exe
2504  kpKwDyo.exe

Drops file in Windows directory 21 IoCs
description   ioc                              Process
File created  C:\Windows\System\rzyFJUt.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\jSPkAjG.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\flzNFjn.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\OFTXeeY.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\TImtMYD.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\ZkIdTXz.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\awUbBQf.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\alOHYjg.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\SesEaCr.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\kpKwDyo.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\oBVPisz.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\pSvPKQk.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\mkfqxNd.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\uUOLPGf.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\JocZGnT.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\gGWqYrr.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\UAmNpvh.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\xgKhsuH.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\WpevRII.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\OtSwqVw.exe    25082005ab0826ca73b9d6f25848c59c.exe
File created  C:\Windows\System\noHvaGV.exe    25082005ab0826ca73b9d6f25848c59c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description                   pid   Process
Token: SeLockMemoryPrivilege  3012  25082005ab0826ca73b9d6f25848c59c.exe
Token: SeLockMemoryPrivilege  3012  25082005ab0826ca73b9d6f25848c59c.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes
- C:\Users\Admin\AppData\Local\Temp\25082005ab0826ca73b9d6f25848c59c.exe (PID:3012)
  "C:\Users\Admin\AppData\Local\Temp\25082005ab0826ca73b9d6f25848c59c.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System\oBVPisz.exe (PID:396)
    - Executes dropped EXE
  - C:\Windows\System\UAmNpvh.exe (PID:2516)
    - Executes dropped EXE
  - C:\Windows\System\xgKhsuH.exe (PID:3536)
    - Executes dropped EXE
  - C:\Windows\System\pSvPKQk.exe (PID:2520)
    - Executes dropped EXE
  - C:\Windows\System\ZkIdTXz.exe (PID:440)
    - Executes dropped EXE
  - C:\Windows\System\WpevRII.exe (PID:4772)
    - Executes dropped EXE
  - C:\Windows\System\OtSwqVw.exe (PID:3436)
    - Executes dropped EXE
  - C:\Windows\System\noHvaGV.exe (PID:2556)
    - Executes dropped EXE
  - C:\Windows\System\mkfqxNd.exe (PID:700)
    - Executes dropped EXE
  - C:\Windows\System\JocZGnT.exe (PID:212)
    - Executes dropped EXE
  - C:\Windows\System\awUbBQf.exe (PID:4228)
    - Executes dropped EXE
  - C:\Windows\System\rzyFJUt.exe (PID:4664)
    - Executes dropped EXE
  - C:\Windows\System\uUOLPGf.exe (PID:2920)
    - Executes dropped EXE
  - C:\Windows\System\jSPkAjG.exe (PID:740)
    - Executes dropped EXE
  - C:\Windows\System\alOHYjg.exe (PID:4232)
    - Executes dropped EXE
  - C:\Windows\System\flzNFjn.exe (PID:3972)
    - Executes dropped EXE
  - C:\Windows\System\gGWqYrr.exe (PID:3200)
    - Executes dropped EXE
  - C:\Windows\System\SesEaCr.exe (PID:1640)
    - Executes dropped EXE
  - C:\Windows\System\OFTXeeY.exe (PID:4788)
    - Executes dropped EXE
  - C:\Windows\System\TImtMYD.exe (PID:2096)
    - Executes dropped EXE
  - C:\Windows\System\kpKwDyo.exe (PID:2504)
    - Executes dropped EXE
Downloads