Analysis
max time kernel: 110s
max time network: 114s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 13:56
Behavioral task: behavioral1
Sample: 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
Resource: win7-20240903-en
General
Target: 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
Size: 5.2MB
MD5: a62aadd95b5c7b7dc274d81dd746fde0
SHA1: 43c9838be06d26639a799ff84dd81091680307d2
SHA256: 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8c
SHA512: c0388964ec9800a8aa06e526d46ab4b6bbea9e08bd6552c56b39e8cf1688820598fcdaa82df5f5c4765a53e36810b4df88b189f3ef3870389a955926333cf24d
SSDEEP: 49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ls:RWWBibd56utgpPFotBER/mQ32lUg
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
resource  yara_rule
behavioral2/files/0x000c000000023b81-4.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c6c-11.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c6d-10.dat  cobalt_reflective_dll
behavioral2/files/0x0008000000023c69-20.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c70-34.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c71-43.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c72-46.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c76-67.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c77-72.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c79-87.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c78-85.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c75-70.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c74-63.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c73-58.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c6f-28.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c7a-107.dat  cobalt_reflective_dll
behavioral2/files/0x0002000000022ab5-123.dat  cobalt_reflective_dll
behavioral2/files/0x000e000000023b33-131.dat  cobalt_reflective_dll
behavioral2/files/0x0002000000022ab7-137.dat  cobalt_reflective_dll
behavioral2/files/0x000e000000023b3a-141.dat  cobalt_reflective_dll
behavioral2/files/0x000c000000023b39-136.dat  cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Cobaltstrike family

Xmrig family

XMRig Miner payload (45 IoCs)
resource  yara_rule
behavioral2/memory/4952-51-0x00007FF7800C0000-0x00007FF780411000-memory.dmp  xmrig
behavioral2/memory/4756-80-0x00007FF6F35C0000-0x00007FF6F3911000-memory.dmp  xmrig
behavioral2/memory/4744-90-0x00007FF7EDA50000-0x00007FF7EDDA1000-memory.dmp  xmrig
behavioral2/memory/1364-91-0x00007FF7C8090000-0x00007FF7C83E1000-memory.dmp  xmrig
behavioral2/memory/4380-89-0x00007FF72F7C0000-0x00007FF72FB11000-memory.dmp  xmrig
behavioral2/memory/4724-84-0x00007FF7E3B40000-0x00007FF7E3E91000-memory.dmp  xmrig
behavioral2/memory/3136-81-0x00007FF7C8730000-0x00007FF7C8A81000-memory.dmp  xmrig
behavioral2/memory/4540-95-0x00007FF6B78A0000-0x00007FF6B7BF1000-memory.dmp  xmrig
behavioral2/memory/4808-99-0x00007FF6CF900000-0x00007FF6CFC51000-memory.dmp  xmrig
behavioral2/memory/2112-128-0x00007FF6F0DE0000-0x00007FF6F1131000-memory.dmp  xmrig
behavioral2/memory/4780-104-0x00007FF627030000-0x00007FF627381000-memory.dmp  xmrig
behavioral2/memory/884-101-0x00007FF69B380000-0x00007FF69B6D1000-memory.dmp  xmrig
behavioral2/memory/1288-97-0x00007FF7C4370000-0x00007FF7C46C1000-memory.dmp  xmrig
behavioral2/memory/3964-98-0x00007FF73B2D0000-0x00007FF73B621000-memory.dmp  xmrig
behavioral2/memory/4596-96-0x00007FF78D480000-0x00007FF78D7D1000-memory.dmp  xmrig
behavioral2/memory/4820-94-0x00007FF749ED0000-0x00007FF74A221000-memory.dmp  xmrig
behavioral2/memory/2912-102-0x00007FF76BC00000-0x00007FF76BF51000-memory.dmp  xmrig
behavioral2/memory/4780-145-0x00007FF627030000-0x00007FF627381000-memory.dmp  xmrig
behavioral2/memory/4804-156-0x00007FF6EBC40000-0x00007FF6EBF91000-memory.dmp  xmrig
behavioral2/memory/4832-164-0x00007FF7BB000000-0x00007FF7BB351000-memory.dmp  xmrig
behavioral2/memory/400-165-0x00007FF729650000-0x00007FF7299A1000-memory.dmp  xmrig
behavioral2/memory/1972-163-0x00007FF7AFAE0000-0x00007FF7AFE31000-memory.dmp  xmrig
behavioral2/memory/1556-166-0x00007FF7FC0A0000-0x00007FF7FC3F1000-memory.dmp  xmrig
behavioral2/memory/4780-167-0x00007FF627030000-0x00007FF627381000-memory.dmp  xmrig
behavioral2/memory/4820-195-0x00007FF749ED0000-0x00007FF74A221000-memory.dmp  xmrig
behavioral2/memory/4540-197-0x00007FF6B78A0000-0x00007FF6B7BF1000-memory.dmp  xmrig
behavioral2/memory/4596-216-0x00007FF78D480000-0x00007FF78D7D1000-memory.dmp  xmrig
behavioral2/memory/3964-218-0x00007FF73B2D0000-0x00007FF73B621000-memory.dmp  xmrig
behavioral2/memory/1288-221-0x00007FF7C4370000-0x00007FF7C46C1000-memory.dmp  xmrig
behavioral2/memory/4952-223-0x00007FF7800C0000-0x00007FF780411000-memory.dmp  xmrig
behavioral2/memory/4808-224-0x00007FF6CF900000-0x00007FF6CFC51000-memory.dmp  xmrig
behavioral2/memory/884-228-0x00007FF69B380000-0x00007FF69B6D1000-memory.dmp  xmrig
behavioral2/memory/2912-227-0x00007FF76BC00000-0x00007FF76BF51000-memory.dmp  xmrig
behavioral2/memory/4756-239-0x00007FF6F35C0000-0x00007FF6F3911000-memory.dmp  xmrig
behavioral2/memory/4744-240-0x00007FF7EDA50000-0x00007FF7EDDA1000-memory.dmp  xmrig
behavioral2/memory/3136-237-0x00007FF7C8730000-0x00007FF7C8A81000-memory.dmp  xmrig
behavioral2/memory/4724-235-0x00007FF7E3B40000-0x00007FF7E3E91000-memory.dmp  xmrig
behavioral2/memory/4380-231-0x00007FF72F7C0000-0x00007FF72FB11000-memory.dmp  xmrig
behavioral2/memory/1364-233-0x00007FF7C8090000-0x00007FF7C83E1000-memory.dmp  xmrig
behavioral2/memory/4804-249-0x00007FF6EBC40000-0x00007FF6EBF91000-memory.dmp  xmrig
behavioral2/memory/2112-251-0x00007FF6F0DE0000-0x00007FF6F1131000-memory.dmp  xmrig
behavioral2/memory/4832-253-0x00007FF7BB000000-0x00007FF7BB351000-memory.dmp  xmrig
behavioral2/memory/400-255-0x00007FF729650000-0x00007FF7299A1000-memory.dmp  xmrig
behavioral2/memory/1556-257-0x00007FF7FC0A0000-0x00007FF7FC3F1000-memory.dmp  xmrig
behavioral2/memory/1972-259-0x00007FF7AFAE0000-0x00007FF7AFE31000-memory.dmp  xmrig

Executes dropped EXE (21 IoCs)
pid  Process
4820  ekHvoAq.exe
4540  vRlKGQa.exe
4596  SvUqiuH.exe
1288  gMzxFMe.exe
3964  fsmBMci.exe
4808  ugmHIqA.exe
4952  RlajyXG.exe
884  xbomhsA.exe
2912  NpJwVuI.exe
4744  RYYwpDW.exe
4756  vTmMOyh.exe
3136  PzdjiVL.exe
4724  YcLbGIU.exe
1364  NEIuxZa.exe
4380  sZzTnVY.exe
4804  sFccLeD.exe
2112  eXwZCsN.exe
400  IzFfcPQ.exe
1972  qOEzeDd.exe
4832  wounOUU.exe
1556  bWPMcmV.exe

resource  yara_rule
behavioral2/memory/4780-0-0x00007FF627030000-0x00007FF627381000-memory.dmp  upx
behavioral2/files/0x000c000000023b81-4.dat  upx
behavioral2/memory/4820-8-0x00007FF749ED0000-0x00007FF74A221000-memory.dmp  upx
behavioral2/files/0x0007000000023c6c-11.dat  upx
behavioral2/memory/4540-12-0x00007FF6B78A0000-0x00007FF6B7BF1000-memory.dmp  upx
behavioral2/files/0x0007000000023c6d-10.dat  upx
behavioral2/files/0x0008000000023c69-20.dat  upx
behavioral2/memory/4596-21-0x00007FF78D480000-0x00007FF78D7D1000-memory.dmp  upx
behavioral2/files/0x0007000000023c70-34.dat  upx
behavioral2/files/0x0007000000023c71-43.dat  upx
behavioral2/files/0x0007000000023c72-46.dat  upx
behavioral2/memory/4952-51-0x00007FF7800C0000-0x00007FF780411000-memory.dmp  upx
behavioral2/files/0x0007000000023c76-67.dat  upx
behavioral2/files/0x0007000000023c77-72.dat  upx
behavioral2/memory/4756-80-0x00007FF6F35C0000-0x00007FF6F3911000-memory.dmp  upx
behavioral2/files/0x0007000000023c79-87.dat  upx
behavioral2/memory/4744-90-0x00007FF7EDA50000-0x00007FF7EDDA1000-memory.dmp  upx
behavioral2/memory/1364-91-0x00007FF7C8090000-0x00007FF7C83E1000-memory.dmp  upx
behavioral2/memory/4380-89-0x00007FF72F7C0000-0x00007FF72FB11000-memory.dmp  upx
behavioral2/files/0x0007000000023c78-85.dat  upx
behavioral2/memory/4724-84-0x00007FF7E3B40000-0x00007FF7E3E91000-memory.dmp  upx
behavioral2/memory/3136-81-0x00007FF7C8730000-0x00007FF7C8A81000-memory.dmp  upx
behavioral2/files/0x0007000000023c75-70.dat  upx
behavioral2/files/0x0007000000023c74-63.dat  upx
behavioral2/files/0x0007000000023c73-58.dat  upx
behavioral2/memory/2912-55-0x00007FF76BC00000-0x00007FF76BF51000-memory.dmp  upx
behavioral2/memory/884-48-0x00007FF69B380000-0x00007FF69B6D1000-memory.dmp  upx
behavioral2/memory/4808-42-0x00007FF6CF900000-0x00007FF6CFC51000-memory.dmp  upx
behavioral2/memory/3964-29-0x00007FF73B2D0000-0x00007FF73B621000-memory.dmp  upx
behavioral2/files/0x0007000000023c6f-28.dat  upx
behavioral2/memory/1288-24-0x00007FF7C4370000-0x00007FF7C46C1000-memory.dmp  upx
behavioral2/memory/4540-95-0x00007FF6B78A0000-0x00007FF6B7BF1000-memory.dmp  upx
behavioral2/memory/4808-99-0x00007FF6CF900000-0x00007FF6CFC51000-memory.dmp  upx
behavioral2/files/0x0007000000023c7a-107.dat  upx
behavioral2/files/0x0002000000022ab5-123.dat  upx
behavioral2/files/0x000e000000023b33-131.dat  upx
behavioral2/memory/400-133-0x00007FF729650000-0x00007FF7299A1000-memory.dmp  upx
behavioral2/files/0x0002000000022ab7-137.dat  upx
behavioral2/files/0x000e000000023b3a-141.dat  upx
behavioral2/memory/1556-138-0x00007FF7FC0A0000-0x00007FF7FC3F1000-memory.dmp  upx
behavioral2/files/0x000c000000023b39-136.dat  upx
behavioral2/memory/4832-135-0x00007FF7BB000000-0x00007FF7BB351000-memory.dmp  upx
behavioral2/memory/1972-134-0x00007FF7AFAE0000-0x00007FF7AFE31000-memory.dmp  upx
behavioral2/memory/2112-128-0x00007FF6F0DE0000-0x00007FF6F1131000-memory.dmp  upx
behavioral2/memory/4804-110-0x00007FF6EBC40000-0x00007FF6EBF91000-memory.dmp  upx
behavioral2/memory/4780-104-0x00007FF627030000-0x00007FF627381000-memory.dmp  upx
behavioral2/memory/884-101-0x00007FF69B380000-0x00007FF69B6D1000-memory.dmp  upx
behavioral2/memory/1288-97-0x00007FF7C4370000-0x00007FF7C46C1000-memory.dmp  upx
behavioral2/memory/3964-98-0x00007FF73B2D0000-0x00007FF73B621000-memory.dmp  upx
behavioral2/memory/4596-96-0x00007FF78D480000-0x00007FF78D7D1000-memory.dmp  upx
behavioral2/memory/4820-94-0x00007FF749ED0000-0x00007FF74A221000-memory.dmp  upx
behavioral2/memory/2912-102-0x00007FF76BC00000-0x00007FF76BF51000-memory.dmp  upx
behavioral2/memory/4780-145-0x00007FF627030000-0x00007FF627381000-memory.dmp  upx
behavioral2/memory/4804-156-0x00007FF6EBC40000-0x00007FF6EBF91000-memory.dmp  upx
behavioral2/memory/4832-164-0x00007FF7BB000000-0x00007FF7BB351000-memory.dmp  upx
behavioral2/memory/400-165-0x00007FF729650000-0x00007FF7299A1000-memory.dmp  upx
behavioral2/memory/1972-163-0x00007FF7AFAE0000-0x00007FF7AFE31000-memory.dmp  upx
behavioral2/memory/1556-166-0x00007FF7FC0A0000-0x00007FF7FC3F1000-memory.dmp  upx
behavioral2/memory/4780-167-0x00007FF627030000-0x00007FF627381000-memory.dmp  upx
behavioral2/memory/4820-195-0x00007FF749ED0000-0x00007FF74A221000-memory.dmp  upx
behavioral2/memory/4540-197-0x00007FF6B78A0000-0x00007FF6B7BF1000-memory.dmp  upx
behavioral2/memory/4596-216-0x00007FF78D480000-0x00007FF78D7D1000-memory.dmp  upx
behavioral2/memory/3964-218-0x00007FF73B2D0000-0x00007FF73B621000-memory.dmp  upx
behavioral2/memory/1288-221-0x00007FF7C4370000-0x00007FF7C46C1000-memory.dmp  upx

Drops file in Windows directory (21 IoCs)
description  ioc  Process
File created  C:\Windows\System\ugmHIqA.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\RlajyXG.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\NpJwVuI.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\NEIuxZa.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\sZzTnVY.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\sFccLeD.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\qOEzeDd.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\vRlKGQa.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\gMzxFMe.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\fsmBMci.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\vTmMOyh.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\PzdjiVL.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\YcLbGIU.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\wounOUU.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\IzFfcPQ.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\SvUqiuH.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\xbomhsA.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\RYYwpDW.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\eXwZCsN.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\ekHvoAq.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created  C:\Windows\System\bWPMcmV.exe  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeLockMemoryPrivilege  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
Token: SeLockMemoryPrivilege  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe

Suspicious use of WriteProcessMemory (42 IoCs)
description  pid  Process  procid_target
PID 4780 wrote to memory of 4820  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  84
PID 4780 wrote to memory of 4820  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  84
PID 4780 wrote to memory of 4540  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  85
PID 4780 wrote to memory of 4540  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  85
PID 4780 wrote to memory of 4596  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  86
PID 4780 wrote to memory of 4596  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  86
PID 4780 wrote to memory of 1288  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  90
PID 4780 wrote to memory of 1288  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  90
PID 4780 wrote to memory of 3964  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  91
PID 4780 wrote to memory of 3964  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  91
PID 4780 wrote to memory of 4808  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  92
PID 4780 wrote to memory of 4808  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  92
PID 4780 wrote to memory of 4952  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  93
PID 4780 wrote to memory of 4952  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  93
PID 4780 wrote to memory of 884  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  94
PID 4780 wrote to memory of 884  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  94
PID 4780 wrote to memory of 2912  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  95
PID 4780 wrote to memory of 2912  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  95
PID 4780 wrote to memory of 4744  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  96
PID 4780 wrote to memory of 4744  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  96
PID 4780 wrote to memory of 4756  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  97
PID 4780 wrote to memory of 4756  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  97
PID 4780 wrote to memory of 3136  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  98
PID 4780 wrote to memory of 3136  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  98
PID 4780 wrote to memory of 4724  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  99
PID 4780 wrote to memory of 4724  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  99
PID 4780 wrote to memory of 1364  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  100
PID 4780 wrote to memory of 1364  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  100
PID 4780 wrote to memory of 4380  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  101
PID 4780 wrote to memory of 4380  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  101
PID 4780 wrote to memory of 4804  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  104
PID 4780 wrote to memory of 4804  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  104
PID 4780 wrote to memory of 2112  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  105
PID 4780 wrote to memory of 2112  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  105
PID 4780 wrote to memory of 1972  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  106
PID 4780 wrote to memory of 1972  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  106
PID 4780 wrote to memory of 4832  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  107
PID 4780 wrote to memory of 4832  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  107
PID 4780 wrote to memory of 400  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  108
PID 4780 wrote to memory of 400  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  108
PID 4780 wrote to memory of 1556  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  109
PID 4780 wrote to memory of 1556  4780  9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe  109
Processes
C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4780
  C:\Windows\System\ekHvoAq.exe
    Command line: C:\Windows\System\ekHvoAq.exe
    - Executes dropped EXE
    PID: 4820
  C:\Windows\System\vRlKGQa.exe
    Command line: C:\Windows\System\vRlKGQa.exe
    - Executes dropped EXE
    PID: 4540
  C:\Windows\System\SvUqiuH.exe
    Command line: C:\Windows\System\SvUqiuH.exe
    - Executes dropped EXE
    PID: 4596
  C:\Windows\System\gMzxFMe.exe
    Command line: C:\Windows\System\gMzxFMe.exe
    - Executes dropped EXE
    PID: 1288
  C:\Windows\System\fsmBMci.exe
    Command line: C:\Windows\System\fsmBMci.exe
    - Executes dropped EXE
    PID: 3964
  C:\Windows\System\ugmHIqA.exe
    Command line: C:\Windows\System\ugmHIqA.exe
    - Executes dropped EXE
    PID: 4808
  C:\Windows\System\RlajyXG.exe
    Command line: C:\Windows\System\RlajyXG.exe
    - Executes dropped EXE
    PID: 4952
  C:\Windows\System\xbomhsA.exe
    Command line: C:\Windows\System\xbomhsA.exe
    - Executes dropped EXE
    PID: 884
  C:\Windows\System\NpJwVuI.exe
    Command line: C:\Windows\System\NpJwVuI.exe
    - Executes dropped EXE
    PID: 2912
  C:\Windows\System\RYYwpDW.exe
    Command line: C:\Windows\System\RYYwpDW.exe
    - Executes dropped EXE
    PID: 4744
  C:\Windows\System\vTmMOyh.exe
    Command line: C:\Windows\System\vTmMOyh.exe
    - Executes dropped EXE
    PID: 4756
  C:\Windows\System\PzdjiVL.exe
    Command line: C:\Windows\System\PzdjiVL.exe
    - Executes dropped EXE
    PID: 3136
  C:\Windows\System\YcLbGIU.exe
    Command line: C:\Windows\System\YcLbGIU.exe
    - Executes dropped EXE
    PID: 4724
  C:\Windows\System\NEIuxZa.exe
    Command line: C:\Windows\System\NEIuxZa.exe
    - Executes dropped EXE
    PID: 1364
  C:\Windows\System\sZzTnVY.exe
    Command line: C:\Windows\System\sZzTnVY.exe
    - Executes dropped EXE
    PID: 4380
  C:\Windows\System\sFccLeD.exe
    Command line: C:\Windows\System\sFccLeD.exe
    - Executes dropped EXE
    PID: 4804
  C:\Windows\System\eXwZCsN.exe
    Command line: C:\Windows\System\eXwZCsN.exe
    - Executes dropped EXE
    PID: 2112
  C:\Windows\System\qOEzeDd.exe
    Command line: C:\Windows\System\qOEzeDd.exe
    - Executes dropped EXE
    PID: 1972
  C:\Windows\System\wounOUU.exe
    Command line: C:\Windows\System\wounOUU.exe
    - Executes dropped EXE
    PID: 4832
  C:\Windows\System\IzFfcPQ.exe
    Command line: C:\Windows\System\IzFfcPQ.exe
    - Executes dropped EXE
    PID: 400
  C:\Windows\System\bWPMcmV.exe
    Command line: C:\Windows\System\bWPMcmV.exe
    - Executes dropped EXE
    PID: 1556
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 5.2MB
MD5: 5c08a14ae4161344ddd1235c1ebfb9b8
SHA1: e3a98e83ca4d3f8a526e720ed96a106f8b150eab
SHA256: 0dee5d0cd49d89d09a124b4b98f04c25a18d9854751e742b4a564d3d034f5eff
SHA512: 334ad5a4b90b0cbedd3c3ad19bd96641c5101a4afcab91c4c1ac9a632d59628b55ef4815fb091063e9415389fd3f4f3af0444fd50b3b35acaf5374882938fb85

Filesize: 5.2MB
MD5: 1c209986663ff58d682178e33926055f
SHA1: 021e855c3bf48420fc2fd0d6e556ca5d64bce417
SHA256: b7f7e0e32d972e3892cf4c93688c34248c14dc8185c70fd6f8bb2ac3ddf78b27
SHA512: f9969c84e651a82dc8c62be09707860f2d2bb2872e394c5bc4b1a977bf1879924c789ceeeebc2c11e428bd5265e69cbd003b7e8125e72578eabcf86e20888d28

Filesize: 5.2MB
MD5: 3722a101c3b89a4cccc785c747066e7c
SHA1: 6ffa69dedd205961a085d78b312246d6468f1ff0
SHA256: 25959d593a5eea39c5c7fc49a4159b5607e3729d46b018a6d4477ee513ea5f65
SHA512: b661e2c590b027ba9bedcb7ed8bfb77d07f0d0d20717521bb2bca95411d2a7486940d8677ea6195c5052e9794ed154aad3bc8cdc472339bbd6905bee5b8feec3

Filesize: 5.2MB
MD5: 078702d27239dbf99aed271c0aa5b783
SHA1: 2fdfae471709a428d816843beb6831c9ea390722
SHA256: 5df2dac6387bc0afb1f0d7f83e734cb59d80a23aa7167a31244ecee3196641bc
SHA512: b2cffdcf7ee4135766aca4add6714a39ff7043e0dd01404021c6269f421f385fe8cdc0eb9ea561e136ad47241cf8c3c2d38aa602371eb3239b644ca7a81eeb17

Filesize: 5.2MB
MD5: b6ae04400b159fa930578e7da2787b9e
SHA1: 4567125bb54b8fdc95e422af6cf7e1c452cd6359
SHA256: a4e86f894360dc2ed59dfbcfb120527981ab90cba1de678323b9e5409fe95db7
SHA512: bca8087ff1d2443e05cec5d5a5f3164f8aca6c4cf1c6575726358b0a8e2ec1d351ef26db52d8bf9026d261058f77e17f0f3005537bc22f089ff3fe7694cce106

Filesize: 5.2MB
MD5: d78e0514e5bd3d6a84183327ca7663e7
SHA1: be9d4adc650673d4310ec71a8386b6eee4e3ff84
SHA256: 0d0de0595907434f5e17e1357c43568ea02a60ce912fb063b9981f0e46019ae8
SHA512: f99756789647441bdaee2c071edf354a0221e8e06b978446419277f63294a41cac60867c485d1da05a7788552cc8ce191f051f970ae87d5b19ff0d187c85389e

Filesize: 5.2MB
MD5: 7db360efa94bad923e6731b0dc44c80d
SHA1: b819745ab0699f84f29a04a3f61891fd7196f874
SHA256: 195cc4702c55c21886b4814f5dca927b38e0990e509ed1d789bb1a50732870be
SHA512: 3b7f7477cbf98c3781bd22b41a125a9e751e97cc708075723d8605ae3a792031546138f32a331e42e0ab6fd22f87a8f44a960a2ad758d31c1022c1ee2c4bc195

Filesize: 5.2MB
MD5: 9dc64d07c30eabd3cadde647264ccdd3
SHA1: c84ae1b82c6e38341b72f6d50e6e2bf3a9e45b62
SHA256: 0fa366dc3632669b7ecb1d672ce45fd73bc91778c8e58bb0c614ef4d37e4691e
SHA512: 5b068d960779ef27b6dcf700d7bfcffa8ffeb513c196263d317c282eb36913522539ce27625b70dabadbb1b93264a10fb353f1b53c3fc43da9788b239b09aad1

Filesize: 5.2MB
MD5: 635d108cb29398736ea4ceacb0ad202e
SHA1: e66717e13b135b8503b0be42e73d4b70f3ca2619
SHA256: 34a0748f53ee8ffbb008591032c1ca83b98ce6ec3c2372f66ee7e1fdb6de6d14
SHA512: ff6ac5e28e5247aadb9c31957eddb926f8df589cdceac48c06324cef2aa3886c7866e5abdcea0095a99e61f0371f697ebd871db6ef00b81a130194788bbcd367

Filesize: 5.2MB
MD5: 5bf32d9e897401fda076a6c00c98973f
SHA1: 102f1afaad02379d94466307c24f40d4dca7c4f5
SHA256: a3b4afa8863579f08858f6576fa342d1fc00080dc61cf131c8668432948c12c1
SHA512: 8f11d39b57a7d665739201b5c42e573c0d0c501cadef6e93c0fa18427cc5e13dcb23e2bd5ce60f76885ffde8be52dd0bfbe1fcf5aeeef52a06f3a3f562e516c6

Filesize: 5.2MB
MD5: ebe0cf06c48754962f292c41e3d8d774
SHA1: a154066345453b2f4a41a3a5de38a9ea74d63aea
SHA256: 23ff92e5bffb3429ec21947e179f33585ce5711335dcd22a2cd39e2fc1f25b63
SHA512: 5af918499474f4ea7191a8de0c4d9ef29ff346fbae3cbe6943c277b65667ccddb621d91b840231571cb4d4f33aa8217c24682e36cd6e4e2c7ebf55d12cdc1ef2

Filesize: 5.2MB
MD5: 2606917091aa97c4ce010a2d5e355757
SHA1: 5adfa1ee7d864590d28dfd9951e26d8a034455f6
SHA256: 6aff6abd3ccef24786048d902eff7f722dc043e006395d2c65af492577d60980
SHA512: f87d63042d2ddb02ff0127cf2db5bcf75f5bbe1a231b9acdbea182abf8e42534fd4d5b86511ed9f5c7b71131f2c9ece004dcc017ab1862de7caf07f19bb38186

Filesize: 5.2MB
MD5: 61106d9617efe1adc55221dd25073bb6
SHA1: 8da41e1840070c479e8247ac84924557d64a93f6
SHA256: cca5cbfcc2963a783b585651fa4c990bc614b769ba38c14a31d21fac378d78a8
SHA512: 51e1c899346c379f3ec0dc438ac66d0ab47a6cecea926658a092a96854d1e7a4fe47d564859782c6d5fded264717cc826ccc8fc566e1ce4709cb09b7c79062af

Filesize: 5.2MB
MD5: 785865a0bca0cdab161abbbc3f79b67b
SHA1: cfde894b730e0789f93622e174eb9dbb2693a40f
SHA256: 2d49634d952f87dd464d6e1f6c25b988dd392dac6e168802aa896350e27cc66f
SHA512: ef898bb094cc11e8be56d260267b4594c2377b81f43b489eac34c85e13a33f23f7e9be4b3a961c275a296f162815cc5d334389a4f339fb15002a1d74ad8fc33d

Filesize: 5.2MB
MD5: b093240e4d21d912ee53a44d24ebefd0
SHA1: 5706e68378212293060bd8914b340dbea1b26bb3
SHA256: 5b79e810782b68f848a310a7a86dc470f01418c1c9fb6766ddd7125c52821e25
SHA512: 71481c17ca2facff02a1baad1d9c4d04ed634e718219ef4e3849181050118799ba714770a22d8adf890692ed67cab06cba68bf687f0e188d87dd1fcd0e877974

Filesize: 5.2MB
MD5: 00fc4c5fcb5c78c87b77e8ae3fb7df9b
SHA1: c8e4393755714a67cc7a0a72135dbe1419341660
SHA256: 2b130667a6f8e913955228741bb4e2b141e8e75eba9f9d125297f1f282450d65
SHA512: 88a51559f0d4dc22c58408bb10ff443c1ac0f62a0ce97598fe42d474289c0dc1e49d2de1f704105cedb936711bae5af08f03a7fc069d890b4e7c7edbf43eecb2

Filesize: 5.2MB
MD5: 051284e965c1383e6b45debf8f8e643c
SHA1: ca2a3a56434a49baeb69753a50e968650e713373
SHA256: 18e984f3074812ec577b300bfc7e324e5c817c34fb725812160703f18d295ce5
SHA512: e0c23b9b3d185bf0ed51d89d79ae21a05c73f0c0b4ce0aaefa914c688b52bf4a8390256ff129b1afbcecb76d0acbcf8a98ba8a47fe7a45e0bca6fda8ebbc5426

Filesize: 5.2MB
MD5: 43cb3f544a2b07a999afd35eabf5b155
SHA1: 30cc148db3c21e27f3094a628fdc474d4b4ec733
SHA256: 98979d1acb3b9f6a06db2b298869336ff182aa7883032a9982a21b431bb68ead
SHA512: 60de4eb68b8b624d3c4590a639bdcd89da1f32ddce7361f5c3bd5b25dc2bc587bb4eaaa683af6ac57a2ed4381cbbc35fc2cfac24a3858a2b86c6cd4161b7b14e

Filesize: 5.2MB
MD5: 7d37b3d1fbafb212ad870d650c9b21e7
SHA1: 7724a3d1c4d0373ad7fe1fe7360ff8dadc85f606
SHA256: 25dd6e0d36142fb366c77cc25c122a1b1e63b28d01a837c4575121d0a29b0e1f
SHA512: 02a22ebb4ec6e8b5b3a145f3aac77364519321e0726e538e2155f850e9deb88b0d7fec40b14c90c8522a29ed167db1883fba3f5edff178fe159d7349c7af9b87

Filesize: 5.2MB
MD5: 096bab978e09edb5c4c16e5a47a63725
SHA1: 115474f1cd8108f7e1ba7348d0257f78c0a6ec03
SHA256: 08ba1ad1df6b9988b6ecd3eb47b6a179703122f38907d0a7957f12b79e218e0b
SHA512: 37592ab263b36121de298772dc59795362d87d210973bdf830c4b30857f5644d31eb679566e4958ab4c3ab0a1a74e04a7654f9cfade4d6ae987e3eb75a42a1b2

Filesize: 5.2MB
MD5: b51856889301e3b5c5571b46da25a198
SHA1: ca4baa10d0f5d86f96356ba1d8e9cffd1729602a
SHA256: 7b38a0c31a498cd62b5589fae18cbbdf0c010d1f51caa7da987a15a2e457786d
SHA512: 6c7b9e42169e67862295b4bffe6eef74cb6a97ffccdd10b53a487b4c4877ec00d9f8afc2dc2f6ca2b503e12bdd7fa43e7c324f173e830a0cad24c22f4443dd5a