Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05/10/2024, 05:49
Behavioral task: behavioral1
Sample: 22b53d790e1437a30f75afa62876d9f208ce6c76430a582df7fa0c222d74e00dN.exe
Resource: win7-20240903-en
General
Target: 22b53d790e1437a30f75afa62876d9f208ce6c76430a582df7fa0c222d74e00dN.exe
Size: 5.2MB
MD5: 095aee431395a47fe1cdcf4684f9d4a0
SHA1: 86c2c02698b427388e9c775f721df855dff5402d
SHA256: 22b53d790e1437a30f75afa62876d9f208ce6c76430a582df7fa0c222d74e00d
SHA512: 68b33b36d841a9df666e693d7a4219ec1e0da51fed2a58a19775ca5dd8bd2071f56f7f8ce270a14cd7afaa7cfaf2bfd84378420f274cea30e0edba28aa3b27a5
SSDEEP: 49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l+:RWWBibj56utgpPFotBER/mQ32lUK
Malware Config
Extracted
cobaltstrike
0
C2:
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host:
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
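The http_header1 and http_header2 values above are the beacon's client-side HTTP transform programs, and state_machine is the team server's RSA public key (a DER SubjectPublicKeyInfo, zero-padded to a fixed size); all three are stored base64-encoded. The script below is an added example, not part of the report and not taken from any public extractor: it decodes the three values copied from this page (trailing zero padding trimmed) back into the Malleable C2 steps they encode and reports the key size, exponent and SHA-256 of the key. Only the opcodes this sample actually uses were checked by hand against the blobs; the remaining entries in the opcode table follow public beacon-config parsers and are an assumption here. The decoded steps (Accept and Host headers, metadata base64-encoded and wrapped in session-token=, skin=noskin; and csm-hit= inside a Cookie header, POST output base64-encoded into the body) match the Amazon example profile shipped with Cobalt Strike, which is why www.amazon.com appears in the Host header while the real C2 hosts are ns7, ns8 and ns9.softline.top.

```python
"""Decode the Cobalt Strike config blobs from this report (added example)."""
import base64
import hashlib
import struct

# Copied from the report's http_header1 / http_header2 / state_machine values,
# with the trailing zero padding trimmed.
HTTP_HEADER1 = (
    "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAAC"
    "AAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFC"
    "QjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAA"
)
HTTP_HEADER2 = (
    "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQt"
    "V2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAA"
    "ABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0"
    "cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="
)
STATE_MACHINE = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+M"
    "jNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6"
    "hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQAB"
)

# Transform opcodes: a big-endian uint32 tag followed by that many
# length-prefixed string arguments. 1-7, 9 and 10 were checked by hand against
# the two blobs above; the rest follow public beacon-config parsers (assumed,
# not exercised by this sample).
OPCODES = {
    1: ("append", 1), 2: ("prepend", 1), 3: ("base64", 0), 4: ("print", 0),
    5: ("parameter", 1), 6: ("header", 1), 8: ("netbios", 0),
    9: ("literal-parameter", 1), 10: ("literal-header", 1), 11: ("netbiosu", 0),
    12: ("uri-append", 0), 13: ("base64url", 0), 14: ("strrep", 2), 15: ("mask", 0),
}


def decode_transform(blob_b64, post=False):
    """Return the transform program as a list of (step, *args) tuples."""
    data = base64.b64decode(blob_b64)
    steps, pos = [], 0
    while pos + 4 <= len(data):
        (op,) = struct.unpack_from(">I", data, pos)
        pos += 4
        if op == 0:                      # terminator; the rest is zero padding
            break
        if op == 7:                      # build N: which data the next steps act on
            (which,) = struct.unpack_from(">I", data, pos)
            pos += 4
            names = ("id", "output") if post else ("metadata",)
            steps.append(("build", names[which] if which < len(names) else "data%d" % which))
            continue
        name, nargs = OPCODES.get(op, ("unknown-%d" % op, 0))
        args = []
        for _ in range(nargs):
            (length,) = struct.unpack_from(">I", data, pos)
            pos += 4
            args.append(data[pos:pos + length].decode("latin-1"))
            pos += length
        steps.append((name, *args))
    return steps


def render(steps, block):
    """Lay the steps out the way they read in a Malleable C2 profile block."""
    lines, inner = [block + " {"], False
    for name, *args in steps:
        if name == "build":
            lines.append("    %s {" % args[0])
            inner = True
            continue
        text = " ".join([name.replace("literal-", "")] + ['"%s"' % a for a in args]) + ";"
        lines.append(("        " if inner else "    ") + text)
        if inner and name in ("header", "parameter", "print", "uri-append"):
            lines.append("    }")        # these steps say where the data goes
            inner = False
    lines.append("}")
    return "\n".join(lines)


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key_info(spki_b64):
    """Key size, exponent and SHA-256 of the DER SubjectPublicKeyInfo in state_machine."""
    raw = base64.b64decode(spki_b64)
    _, spki, end = _tlv(raw, 0)          # outer SEQUENCE
    _, _alg, pos = _tlv(spki, 0)         # AlgorithmIdentifier (rsaEncryption, NULL)
    _, bits, _ = _tlv(spki, pos)         # BIT STRING; first byte is the unused-bits count
    _, rsakey, _ = _tlv(bits[1:], 0)     # RSAPublicKey SEQUENCE { n, e }
    _, n, pos = _tlv(rsakey, 0)
    _, e, _ = _tlv(rsakey, pos)
    return {
        "bits": int.from_bytes(n, "big").bit_length(),
        "e": int.from_bytes(e, "big"),
        "spki_sha256": hashlib.sha256(raw[:end]).hexdigest(),
    }


if __name__ == "__main__":
    print(render(decode_transform(HTTP_HEADER1), "http-get client"))
    print(render(decode_transform(HTTP_HEADER2, post=True), "http-post client"))
    print(rsa_public_key_info(STATE_MACHINE))
```

The SHA-256 of the SubjectPublicKeyInfo is the value worth keeping: every beacon built by the same team server carries the same public key, so the hash links samples with different C2 hostnames to one operator kit and can be matched against published lists of leaked or cracked keys.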
Signatures

Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource  yara_rule
behavioral1/files/0x0007000000012116-6.dat  cobalt_reflective_dll
behavioral1/files/0x0008000000016d06-12.dat  cobalt_reflective_dll
behavioral1/files/0x0008000000016d21-19.dat  cobalt_reflective_dll
behavioral1/files/0x0008000000016d0e-9.dat  cobalt_reflective_dll
behavioral1/files/0x0007000000016d3a-38.dat  cobalt_reflective_dll
behavioral1/files/0x0007000000016d42-45.dat  cobalt_reflective_dll
behavioral1/files/0x00060000000186ea-66.dat  cobalt_reflective_dll
behavioral1/files/0x00050000000186fd-75.dat  cobalt_reflective_dll
behavioral1/files/0x000500000001873d-85.dat  cobalt_reflective_dll
behavioral1/files/0x00050000000187a5-100.dat  cobalt_reflective_dll
behavioral1/files/0x0006000000019023-105.dat  cobalt_reflective_dll
behavioral1/files/0x0005000000019282-120.dat  cobalt_reflective_dll
behavioral1/files/0x0005000000019261-115.dat  cobalt_reflective_dll
behavioral1/files/0x000500000001925e-110.dat  cobalt_reflective_dll
behavioral1/files/0x000500000001878f-95.dat  cobalt_reflective_dll
behavioral1/files/0x0005000000018784-90.dat  cobalt_reflective_dll
behavioral1/files/0x0005000000018728-80.dat  cobalt_reflective_dll
behavioral1/files/0x00050000000186ee-70.dat  cobalt_reflective_dll
behavioral1/files/0x0008000000016d5e-59.dat  cobalt_reflective_dll
behavioral1/files/0x0009000000016d4a-53.dat  cobalt_reflective_dll
behavioral1/files/0x0007000000016d31-27.dat  cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

XMRig Miner payload 39 IoCs
resource  yara_rule
behavioral1/memory/2552-25-0x000000013FF00000-0x0000000140251000-memory.dmp  xmrig
behavioral1/memory/1592-33-0x000000013F230000-0x000000013F581000-memory.dmp  xmrig
behavioral1/memory/2924-35-0x000000013FF20000-0x0000000140271000-memory.dmp  xmrig
behavioral1/memory/1792-34-0x000000013FF00000-0x0000000140251000-memory.dmp  xmrig
behavioral1/memory/2580-32-0x000000013FC30000-0x000000013FF81000-memory.dmp  xmrig
behavioral1/memory/1792-62-0x000000013F220000-0x000000013F571000-memory.dmp  xmrig
behavioral1/memory/2640-128-0x000000013F6D0000-0x000000013FA21000-memory.dmp  xmrig
behavioral1/memory/2804-126-0x000000013F410000-0x000000013F761000-memory.dmp  xmrig
behavioral1/memory/2700-129-0x000000013F1D0000-0x000000013F521000-memory.dmp  xmrig
behavioral1/memory/3004-131-0x000000013FC70000-0x000000013FFC1000-memory.dmp  xmrig
behavioral1/memory/2484-133-0x000000013FF00000-0x0000000140251000-memory.dmp  xmrig
behavioral1/memory/2828-134-0x000000013F430000-0x000000013F781000-memory.dmp  xmrig
behavioral1/memory/1792-135-0x000000013F220000-0x000000013F571000-memory.dmp  xmrig
behavioral1/memory/2676-145-0x000000013F310000-0x000000013F661000-memory.dmp  xmrig
behavioral1/memory/2932-151-0x000000013FE30000-0x0000000140181000-memory.dmp  xmrig
behavioral1/memory/3048-152-0x000000013F0B0000-0x000000013F401000-memory.dmp  xmrig
behavioral1/memory/2876-150-0x000000013FA80000-0x000000013FDD1000-memory.dmp  xmrig
behavioral1/memory/2796-144-0x000000013F0D0000-0x000000013F421000-memory.dmp  xmrig
behavioral1/memory/2492-143-0x000000013FFA0000-0x00000001402F1000-memory.dmp  xmrig
behavioral1/memory/2860-142-0x000000013F240000-0x000000013F591000-memory.dmp  xmrig
behavioral1/memory/2976-155-0x000000013F100000-0x000000013F451000-memory.dmp  xmrig
behavioral1/memory/2028-156-0x000000013FE00000-0x0000000140151000-memory.dmp  xmrig
behavioral1/memory/3052-154-0x000000013F6B0000-0x000000013FA01000-memory.dmp  xmrig
behavioral1/memory/2992-153-0x000000013F540000-0x000000013F891000-memory.dmp  xmrig
behavioral1/memory/1792-157-0x000000013F220000-0x000000013F571000-memory.dmp  xmrig
behavioral1/memory/2580-215-0x000000013FC30000-0x000000013FF81000-memory.dmp  xmrig
behavioral1/memory/1592-219-0x000000013F230000-0x000000013F581000-memory.dmp  xmrig
behavioral1/memory/2552-218-0x000000013FF00000-0x0000000140251000-memory.dmp  xmrig
behavioral1/memory/2484-221-0x000000013FF00000-0x0000000140251000-memory.dmp  xmrig
behavioral1/memory/2924-223-0x000000013FF20000-0x0000000140271000-memory.dmp  xmrig
behavioral1/memory/2828-225-0x000000013F430000-0x000000013F781000-memory.dmp  xmrig
behavioral1/memory/2860-227-0x000000013F240000-0x000000013F591000-memory.dmp  xmrig
behavioral1/memory/2796-229-0x000000013F0D0000-0x000000013F421000-memory.dmp  xmrig
behavioral1/memory/2804-231-0x000000013F410000-0x000000013F761000-memory.dmp  xmrig
behavioral1/memory/2640-233-0x000000013F6D0000-0x000000013FA21000-memory.dmp  xmrig
behavioral1/memory/2700-244-0x000000013F1D0000-0x000000013F521000-memory.dmp  xmrig
behavioral1/memory/3004-246-0x000000013FC70000-0x000000013FFC1000-memory.dmp  xmrig
behavioral1/memory/2492-255-0x000000013FFA0000-0x00000001402F1000-memory.dmp  xmrig
behavioral1/memory/2676-257-0x000000013F310000-0x000000013F661000-memory.dmp  xmrig
Executes dropped EXE 21 IoCs
pid   Process
2580  gpBOqXj.exe
1592  aYvaiKh.exe
2552  JKEhyJY.exe
2924  vSCnqtv.exe
2484  BoEpWTb.exe
2828  YGdtWil.exe
2860  KddNTjs.exe
2492  QyuWqBR.exe
2796  swDguHx.exe
2676  AboIans.exe
2804  ttyYCcg.exe
2640  zuUeqfR.exe
2700  gaNujPE.exe
3004  gmXmDYe.exe
2876  eELeceJ.exe
2932  OrqZmyV.exe
3048  yCGybIk.exe
2992  ShSqpdC.exe
3052  RgDqTPS.exe
2976  UjSaZnd.exe
2028  sHvBzim.exe

Loads dropped DLL 21 IoCs
pid   Process
1792  22b53d790e1437a30f75afa62876d9f208ce6c76430a582df7fa0c222d74e00dN.exe  (all 21 events come from this one process)
UPX packed file 64 IoCs
resource  yara_rule
behavioral1/memory/1792-0-0x000000013F220000-0x000000013F571000-memory.dmp  upx
behavioral1/files/0x0007000000012116-6.dat  upx
behavioral1/files/0x0008000000016d06-12.dat  upx
behavioral1/files/0x0008000000016d21-19.dat  upx
behavioral1/files/0x0008000000016d0e-9.dat  upx
behavioral1/memory/2552-25-0x000000013FF00000-0x0000000140251000-memory.dmp  upx
behavioral1/memory/1592-33-0x000000013F230000-0x000000013F581000-memory.dmp  upx
behavioral1/memory/2924-35-0x000000013FF20000-0x0000000140271000-memory.dmp  upx
behavioral1/memory/2580-32-0x000000013FC30000-0x000000013FF81000-memory.dmp  upx
behavioral1/files/0x0007000000016d3a-38.dat  upx
behavioral1/files/0x0007000000016d42-45.dat  upx
behavioral1/memory/2860-49-0x000000013F240000-0x000000013F591000-memory.dmp  upx
behavioral1/memory/2828-41-0x000000013F430000-0x000000013F781000-memory.dmp  upx
behavioral1/memory/2484-31-0x000000013FF00000-0x0000000140251000-memory.dmp  upx
behavioral1/memory/1792-62-0x000000013F220000-0x000000013F571000-memory.dmp  upx
behavioral1/files/0x00060000000186ea-66.dat  upx
behavioral1/files/0x00050000000186fd-75.dat  upx
behavioral1/files/0x000500000001873d-85.dat  upx
behavioral1/files/0x00050000000187a5-100.dat  upx
behavioral1/files/0x0006000000019023-105.dat  upx
behavioral1/files/0x0005000000019282-120.dat  upx
behavioral1/files/0x0005000000019261-115.dat  upx
behavioral1/files/0x000500000001925e-110.dat  upx
behavioral1/files/0x000500000001878f-95.dat  upx
behavioral1/files/0x0005000000018784-90.dat  upx
behavioral1/files/0x0005000000018728-80.dat  upx
behavioral1/files/0x00050000000186ee-70.dat  upx
behavioral1/memory/2492-55-0x000000013FFA0000-0x00000001402F1000-memory.dmp  upx
behavioral1/memory/2796-61-0x000000013F0D0000-0x000000013F421000-memory.dmp  upx
behavioral1/files/0x0008000000016d5e-59.dat  upx
behavioral1/files/0x0009000000016d4a-53.dat  upx
behavioral1/files/0x0007000000016d31-27.dat  upx
behavioral1/memory/2640-128-0x000000013F6D0000-0x000000013FA21000-memory.dmp  upx
behavioral1/memory/2676-122-0x000000013F310000-0x000000013F661000-memory.dmp  upx
behavioral1/memory/2804-126-0x000000013F410000-0x000000013F761000-memory.dmp  upx
behavioral1/memory/2700-129-0x000000013F1D0000-0x000000013F521000-memory.dmp  upx
behavioral1/memory/3004-131-0x000000013FC70000-0x000000013FFC1000-memory.dmp  upx
behavioral1/memory/2484-133-0x000000013FF00000-0x0000000140251000-memory.dmp  upx
behavioral1/memory/2828-134-0x000000013F430000-0x000000013F781000-memory.dmp  upx
behavioral1/memory/1792-135-0x000000013F220000-0x000000013F571000-memory.dmp  upx
behavioral1/memory/2676-145-0x000000013F310000-0x000000013F661000-memory.dmp  upx
behavioral1/memory/2932-151-0x000000013FE30000-0x0000000140181000-memory.dmp  upx
behavioral1/memory/3048-152-0x000000013F0B0000-0x000000013F401000-memory.dmp  upx
behavioral1/memory/2876-150-0x000000013FA80000-0x000000013FDD1000-memory.dmp  upx
behavioral1/memory/2796-144-0x000000013F0D0000-0x000000013F421000-memory.dmp  upx
behavioral1/memory/2492-143-0x000000013FFA0000-0x00000001402F1000-memory.dmp  upx
behavioral1/memory/2860-142-0x000000013F240000-0x000000013F591000-memory.dmp  upx
behavioral1/memory/2976-155-0x000000013F100000-0x000000013F451000-memory.dmp  upx
behavioral1/memory/2028-156-0x000000013FE00000-0x0000000140151000-memory.dmp  upx
behavioral1/memory/3052-154-0x000000013F6B0000-0x000000013FA01000-memory.dmp  upx
behavioral1/memory/2992-153-0x000000013F540000-0x000000013F891000-memory.dmp  upx
behavioral1/memory/1792-157-0x000000013F220000-0x000000013F571000-memory.dmp  upx
behavioral1/memory/2580-215-0x000000013FC30000-0x000000013FF81000-memory.dmp  upx
behavioral1/memory/1592-219-0x000000013F230000-0x000000013F581000-memory.dmp  upx
behavioral1/memory/2552-218-0x000000013FF00000-0x0000000140251000-memory.dmp  upx
behavioral1/memory/2484-221-0x000000013FF00000-0x0000000140251000-memory.dmp  upx
behavioral1/memory/2924-223-0x000000013FF20000-0x0000000140271000-memory.dmp  upx
behavioral1/memory/2828-225-0x000000013F430000-0x000000013F781000-memory.dmp  upx
behavioral1/memory/2860-227-0x000000013F240000-0x000000013F591000-memory.dmp  upx
behavioral1/memory/2796-229-0x000000013F0D0000-0x000000013F421000-memory.dmp  upx
behavioral1/memory/2804-231-0x000000013F410000-0x000000013F761000-memory.dmp  upx
behavioral1/memory/2640-233-0x000000013F6D0000-0x000000013FA21000-memory.dmp  upx
behavioral1/memory/2700-244-0x000000013F1D0000-0x000000013F521000-memory.dmp  upx
behavioral1/memory/3004-246-0x000000013FC70000-0x000000013FFC1000-memory.dmp  upx
Drops file in Windows directory 21 IoCs
Process for every entry: 22b53d790e1437a30f75afa62876d9f208ce6c76430a582df7fa0c222d74e00dN.exe
description   ioc
File created  C:\Windows\System\aYvaiKh.exe
File created  C:\Windows\System\KddNTjs.exe
File created  C:\Windows\System\QyuWqBR.exe
File created  C:\Windows\System\ttyYCcg.exe
File created  C:\Windows\System\zuUeqfR.exe
File created  C:\Windows\System\OrqZmyV.exe
File created  C:\Windows\System\ShSqpdC.exe
File created  C:\Windows\System\sHvBzim.exe
File created  C:\Windows\System\AboIans.exe
File created  C:\Windows\System\eELeceJ.exe
File created  C:\Windows\System\RgDqTPS.exe
File created  C:\Windows\System\gpBOqXj.exe
File created  C:\Windows\System\vSCnqtv.exe
File created  C:\Windows\System\BoEpWTb.exe
File created  C:\Windows\System\UjSaZnd.exe
File created  C:\Windows\System\JKEhyJY.exe
File created  C:\Windows\System\YGdtWil.exe
File created  C:\Windows\System\swDguHx.exe
File created  C:\Windows\System\gaNujPE.exe
File created  C:\Windows\System\gmXmDYe.exe
File created  C:\Windows\System\yCGybIk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description                   pid   Process
Token: SeLockMemoryPrivilege  1792  22b53d790e1437a30f75afa62876d9f208ce6c76430a582df7fa0c222d74e00dN.exe  (2 events)
Suspicious use of WriteProcessMemory 63 IoCs
Source for every entry: PID 1792, 22b53d790e1437a30f75afa62876d9f208ce6c76430a582df7fa0c222d74e00dN.exe; each target was written to 3 times.
description                          procid_target
PID 1792 wrote to memory of 2580     31
PID 1792 wrote to memory of 1592     32
PID 1792 wrote to memory of 2552     33
PID 1792 wrote to memory of 2924     34
PID 1792 wrote to memory of 2484     35
PID 1792 wrote to memory of 2828     36
PID 1792 wrote to memory of 2860     37
PID 1792 wrote to memory of 2492     38
PID 1792 wrote to memory of 2796     39
PID 1792 wrote to memory of 2676     40
PID 1792 wrote to memory of 2804     41
PID 1792 wrote to memory of 2640     42
PID 1792 wrote to memory of 2700     43
PID 1792 wrote to memory of 3004     44
PID 1792 wrote to memory of 2876     45
PID 1792 wrote to memory of 2932     46
PID 1792 wrote to memory of 3048     47
PID 1792 wrote to memory of 2992     48
PID 1792 wrote to memory of 3052     49
PID 1792 wrote to memory of 2976     50
PID 1792 wrote to memory of 2028     51
Processes
C:\Users\Admin\AppData\Local\Temp\22b53d790e1437a30f75afa62876d9f208ce6c76430a582df7fa0c222d74e00dN.exe  "C:\Users\Admin\AppData\Local\Temp\22b53d790e1437a30f75afa62876d9f208ce6c76430a582df7fa0c222d74e00dN.exe"  PID 1792
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
    C:\Windows\System\gpBOqXj.exe  PID 2580
    - Executes dropped EXE
    C:\Windows\System\aYvaiKh.exe  PID 1592
    - Executes dropped EXE
    C:\Windows\System\JKEhyJY.exe  PID 2552
    - Executes dropped EXE
    C:\Windows\System\vSCnqtv.exe  PID 2924
    - Executes dropped EXE
    C:\Windows\System\BoEpWTb.exe  PID 2484
    - Executes dropped EXE
    C:\Windows\System\YGdtWil.exe  PID 2828
    - Executes dropped EXE
    C:\Windows\System\KddNTjs.exe  PID 2860
    - Executes dropped EXE
    C:\Windows\System\QyuWqBR.exe  PID 2492
    - Executes dropped EXE
    C:\Windows\System\swDguHx.exe  PID 2796
    - Executes dropped EXE
    C:\Windows\System\AboIans.exe  PID 2676
    - Executes dropped EXE
    C:\Windows\System\ttyYCcg.exe  PID 2804
    - Executes dropped EXE
    C:\Windows\System\zuUeqfR.exe  PID 2640
    - Executes dropped EXE
    C:\Windows\System\gaNujPE.exe  PID 2700
    - Executes dropped EXE
    C:\Windows\System\gmXmDYe.exe  PID 3004
    - Executes dropped EXE
    C:\Windows\System\eELeceJ.exe  PID 2876
    - Executes dropped EXE
    C:\Windows\System\OrqZmyV.exe  PID 2932
    - Executes dropped EXE
    C:\Windows\System\yCGybIk.exe  PID 3048
    - Executes dropped EXE
    C:\Windows\System\ShSqpdC.exe  PID 2992
    - Executes dropped EXE
    C:\Windows\System\RgDqTPS.exe  PID 3052
    - Executes dropped EXE
    C:\Windows\System\UjSaZnd.exe  PID 2976
    - Executes dropped EXE
    C:\Windows\System\sHvBzim.ex  PID 2028
    - Executes dropped EXE
Downloads
Filesize: 5.2MB
MD5: f63cfeba17b8c63b357e3cfdc7f59b29
SHA1: 161cd7a6a58910c2471786a7b72815d79d051ca9
SHA256: 4a5e8855e64b60ea59f6a8fa13c595cc2b84492d912c5ae4371a667021d12341
SHA512: 69f6c55548e26b0b3a7eaa7ba7b8905b37478f9016ae6ee410b3565a508f7ae92136bc36c9659e0ecceedf555f59407618919cd93856cf1a20f905c693a8bba0

Filesize: 5.2MB
MD5: 476fe75aeb864631e7408ddd5063bfc8
SHA1: 7f0192b0d5ac9aeea7f1a6d84b05fa931e83130d
SHA256: 799afea6518d95012e73fc188102b6b3c9f1b6446b00dafd92479dc0c659811a
SHA512: 8f52ba0322902b8fae7c9524f18fb9a6b973b788757b49a39e264cb5c736800ef4d52792ae7989a30d8f45a8c8adebadd2dedc3f0fa3dfbe9de4271d62ea42b9

Filesize: 5.2MB
MD5: 2da4eb69e678f7e10a04004fc9dc64c5
SHA1: c1da2fee44423e8d76cf8e4f3da78d1f39662a06
SHA256: 23e928c8a6661dacb9a541d1d3f11b8bec5f80d6273bc95de14c1682311bf0b3
SHA512: 6a051278193f72e96910db79e6e818dcc7ff9057eda4eac589a26bd6770db729e8e7c031072ad01a950e478b3786dbe4ba9fb648769f5478ea47da17dcd70081

Filesize: 5.2MB
MD5: b20ddd22a4e7e3dd1f1d54f6042ddbe3
SHA1: 01d037ff341cbd5c93b68a7a14e16972a5b1831c
SHA256: e4c3de575ba672b8a64f1db17832a74e84eafa58441964ddfa27e4cfdff7f2b2
SHA512: ee14d7ae16948cf7a3397fda5428a06b903cb880262106926e2f1ed1270cc5c9e062b1e5f6cf075c315a0565dd571dffce46f3a88d21ca7ae080716bcaa948e6

Filesize: 5.2MB
MD5: 2642f851ae47037533590ac0cf12e6d7
SHA1: 7b42269880769258a0c73816d6f13c78165d8218
SHA256: cbb12b48e4f4d0349c09c9766d5f19a7fd2fba8d6662883882b7ff74a1668efd
SHA512: 953f8b68e622d4e4bf4a1ce228083dfe91aa2974deab4eb80d9153f68b83679cfe93183c1145f0321bbceb5757d8e0a078af5ddef53dcf711ca3103f6a88eabd

Filesize: 5.2MB
MD5: 5637c45321c17a8a10ad9cf1a9a8a9f8
SHA1: 8eff520db51efba737dc10e8a1cb109191215d01
SHA256: eb800e65d1a162279a61ff0dde2e06c8697e71af8f05c35a267d06ad62f084ac
SHA512: 829ebbd5aa8e5adf9dfa154fb9b289ebabfa7b3149eee5ff939270e7d42b02ea2b8298b0e93ba31ee4cb0e770cd74753756bf3c32001b4209931ae7639d88620

Filesize: 5.2MB
MD5: 53495e3970324f0d0bb5d41ab8e6bc7c
SHA1: 30ea23a6ff86d6f9c0b6a8b7920c861c387cb52c
SHA256: aca65932dbc42e7b931e3ade1e176e639d6de22c891da5cd31ae569138c1bc5b
SHA512: dd381381756c6bd9943fe4670ac2d09169317707c64310e0a18069d09334be7ea8ef902635af0ade9bd0401c985c7efe2bca79a6dc5b6655c834bd77437db51c

Filesize: 5.2MB
MD5: b14238f96ee93d5a8adc73bf65691518
SHA1: 3a3524cc06e92c5f06105344c9adc2cdbd4b8d66
SHA256: 508bd2f0194eed6913729b64dfeb8248e67c7f780a5f7fed4c1fc65c9d196fce
SHA512: 16031ff8d0d76830fa467e560eadac54a1ea438502830d9a93acb55dea2441774971fcf730c20c7ae6b83141b1598ed8291015ac68f412dfb239a2e8a5fe5687

Filesize: 5.2MB
MD5: 1d5c0e8443e2c030481169772ff53930
SHA1: 8441dca1df0f49b81780ab74ba54fc6b63945535
SHA256: 7a833bd3231c577c389588a46920ef4cde1db996bdd98ab526794395baeefa64
SHA512: 1a99d277aa73de9c9c4d793544eff802dbdcfd22f29680757a7967916f444f8dd26e996ee33ac7d7688c6d76f5bea9ba94452fcfd34458cd0180c9c398eb9168

Filesize: 5.2MB
MD5: 50686e46b3e5af71ef40527a00a6466e
SHA1: 6d39fd6a47a987bbe360496cceb17d9997e370e4
SHA256: ea19fc3f32afc39a98fd976c2cb63d445047f7c3b91b144b24e3af29840da9a5
SHA512: 54271138b1f7fe7c5a031208acb36c665ffd89a57ab2c944cf6a50c22943d79c662bf7adced43dbc56aa2bd30395d352041aefb83aadd3d817bbee2ed5a20338

Filesize: 5.2MB
MD5: 17f6ff1b594ae83619c031b698e2525d
SHA1: 3ba7a409a980b653a60eb2448579e0ca57760bc0
SHA256: 87f70ce1c7062f8d9bd7a6259e50b4c207967a19cf8ab47e36cd75cdc956b1d9
SHA512: b5984a0c0b62cdb6359d7cf0359fe863c1b5b37a1a2fedab59244f4d9cb909c815269d6c2614bda0a1d5fe14ca3df7086a20dfa09de39ac386ddd97859a3cb7d

Filesize: 5.2MB
MD5: 44d53dba15b2f5512e4369d534475dd8
SHA1: 3663dd70586a3b2f0982930ffe82bb14ba398f97
SHA256: cbdf9fdcb4cf4b4a4280526e4be648cdc209fa2838c78dac12e30a2fd211660a
SHA512: bfd2e1e1f1a3a26bc20a99a8f22373b39eab9f2b58e3c00ef83250d8e4877ddd3ec961b6d841036c09001a43432dbd580de02cc539c729b5db99f49be5c62b4c

Filesize: 5.2MB
MD5: b5df41979c06c595cde7642406dd2c2c
SHA1: e6377fe137d961bdc406d02843de74ec6521a1b0
SHA256: e240fdeafb1003dc5bfa2b8134af1c3fe58d3c2a556fb14c7c47507a8cddd7c4
SHA512: 22d5d3f97ff689dd16771dd7901439eef0b1184cbdcbf3244ae4ec7e7bd530a6a98508e402af68ec5af54a79687aed58c46c01f0b0ac4c77d5cbecbd3b155169

Filesize: 5.2MB
MD5: aa13a340be1d72a42a2ad79bcfcb6866
SHA1: ef29ec09b3ed7af9fc8661566edb27bb909a8631
SHA256: 5a5622683d3eb417c690fa4b6a4e73d9ec7dca0e1416b37684b90357254fa21e
SHA512: e18712c396fdd75954dd652ef07937dcbd9bdc18cd6bc24f5c2eb9e0bf7e000efa18b81b2618c0c5549cd739d3d2484fc6d24895b9c15a302417d70407bd00e7

Filesize: 5.2MB
MD5: c2587712b448402cc6b2b24a2c1fc992
SHA1: e074d198cbdd938ee7c1616616e36b77f891f17c
SHA256: a671aaf5e307ad0b3b0f94748af9fcc8b1760699402b7b12b57a726646cfba2a
SHA512: d247e62b601c4b463a603bf2262b1dd48619d52d55a3108e4723346632c335d03f02a398332d71c79f6cd3cb5b174bc1e45adce06b644ae1af0d7a8116196eb9

Filesize: 5.2MB
MD5: 9d3c0e34ea0e461ac03724e1f3ea2288
SHA1: 776b8ed431956d519b756043da2fce67b34f72ee
SHA256: 26077616af50c09dabd7f64faf57c635496d425ce3aaef0b8fd06eb3346ae3b2
SHA512: 3dd58d83611a0be4b6e01c7ab13e61aa4ba076a0aca9d3d12e27153058130a4c6280ab5c90ad6ffd0f0c2bc6373df29127aad1a6b7fa474897395ef4bc679a5d

Filesize: 5.2MB
MD5: a1bda6f70ed9fb38ad80aaad33df43cc
SHA1: 9d894679c4020ce585476b17784312f1a57ed237
SHA256: d3e3878ad0cf914469367e0e5f81b381f6371290d1a555691445f8b111e108f2
SHA512: 385a391892a9fb00afb9d1da09922b47681aea86f2b9913e057cc2d44c218e902abc1cd71bc417244e2b4941782a6bb1100cca0fb3e25c6fd7c48b479e2060f5

Filesize: 5.2MB
MD5: a0857046d87ab40b75fa7508a2306621
SHA1: 5418c5ef2ecb0e475bc7d26582ac65e1525e34f4
SHA256: eca6cef656483c511477d427d55c19c8aaee88bdd596914a7a0bb5c03b25fcf9
SHA512: 7ac6880538e27a48adc3a580c85d4b7be1092248c86e86de90ad83467f9ff6c8335a57c4375e898805663459e8d6cb616412bf687e38e7fdf68f0b34c841c9f8

Filesize: 5.2MB
MD5: 00cd45d24da1fe29c4fa724ca915ac5f
SHA1: ef7686f415e9866cabc7244bf4e5a8f54246cfda
SHA256: 80ed674b9f2154c7117757175e1eca7000383e3bcd2aacdbb889afc0bd558372
SHA512: f367034180574c138688a7c32fdc12484a8f966d5569992e6691baa9314bf0da0f33905c4817f1326ea02ca9edead67c7776bca752bef7b3dedcef16009c5366

Filesize: 5.2MB
MD5: 8dd4f8711fb50c7e0c275a88ed58eaf4
SHA1: 07dad11c997ff7ced440925ea4ba87599949173f
SHA256: 2e2fb78ebfb1d4e27322155d50ce9607216fc6adab7d8c939f6227aebe0c3f75
SHA512: f63e310ac61c468fb66c8be969edd96bd36430c35d9bd2be092ed51a0013edfe20f655820a283b547993135b87c4332d874098f5262ac97dd7fac668fbecc462

Filesize: 5.2MB
MD5: 3fe0e1322a101923911870a43ef9132a
SHA1: 5a73b67d8f53b924aad79632b838a57f842ead90
SHA256: 87a54266a1b4408eab4b978279df348dc3171682e9737159347229449c969aed
SHA512: 97fb48eaea4cbfa7737b024a75a24dd90f50e706f31c79c39146e6059fb785d0f00f2965caafbf2f4a3ea3b699e2647699d4e7d11a558f49807e169c055c32bf