Analysis
max time kernel: 111s
max time network: 116s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 20-12-2024 04:07

Behavioral task: behavioral1
Sample: 19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe
Resource: win7-20240903-en

General
Target: 19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe
Size: 5.2MB
MD5: 68c09ae86d3e839bbeb3f9474ea92e70
SHA1: 180b3d303b2318e3dad8c9c7bffff5ff875cb8ec
SHA256: 19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613
SHA512: 5d9b149840017466b8654b2d57f23550237cb84016aaf625f721ef6784a897c672455f36e5fe528997ceff518ee762d9367d3129248f4c3ee52b9500f1d6ff25
SSDEEP: 49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lp:RWWBibd56utgpPFotBER/mQ32lUN
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
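The two http_header blobs above are Beacon's Malleable C2 transform programs, base64-encoded. Decoded, they are the stock `amazon` profile from the public Malleable-C2-Profiles collection: the `Host: www.amazon.com` header and the `csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996` cookie literal are that profile's own values, sent to ns7/ns8/ns9.softline.top. The decoder below is an added example, not part of the report and not Cobalt Strike's own code. It parses the blob format (big-endian u32 opcode, then for most opcodes a u32 length and an argument) using the opcode names that public Beacon-config parsers such as 1768.py use, and then reconstructs the HTTP request a Beacon with this config would emit so the GET and POST can be seen as they appear on the wire. The C2 constants are copied from the config; `render_request` is an approximation of Beacon's request builder (header and parameter ordering are assumptions), and the `b"META"` / `b"out"` payloads are placeholders for the encrypted metadata and task output.

```python
import base64
import struct

# Values copied from the extracted config above.
C2_HOST = "ns7.softline.top"  # ns8 and ns9 share the port and URIs
GET_URI = "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"
POST_URI = "/N4215/adj/amzn.us.sr.aps"
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
HTTP_HEADER1 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="

# Opcode names follow the convention of public Beacon-config parsers (e.g. 1768.py).
# Only the opcodes this sample uses are listed; anything else raises so that a
# profile feature we do not model is noticed instead of silently mis-parsed.
OPCODES = {1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
           6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
           10: "const_header"}
STRING_ARG = {1, 2, 5, 6, 9, 10}  # opcode, u32 length, argument bytes
U32_ARG = {7}                     # build: 0 = metadata / session id, 1 = output


def _b64_lenient(s):
    """Decode a copy-pasted blob, tolerating lost or extra '=' padding.
    The transform area is zero-padded, so trimming a few trailing chars is safe."""
    s = "".join(s.split()).rstrip("=")
    return base64.b64decode(s[: len(s) - len(s) % 4])


def decode_transform(blob_b64):
    """Return [(name, arg), ...] for one http_header blob; stops at opcode 0."""
    data = _b64_lenient(blob_b64)
    steps, pos = [], 0
    while pos + 4 <= len(data):
        op = struct.unpack_from(">I", data, pos)[0]
        pos += 4
        if op == 0:
            break
        if op not in OPCODES:
            raise ValueError(f"unknown transform opcode {op} at offset {pos - 4}")
        if op in STRING_ARG:
            n = struct.unpack_from(">I", data, pos)[0]
            pos += 4
            steps.append((OPCODES[op], data[pos:pos + n].decode("latin-1")))
            pos += n
        elif op in U32_ARG:
            steps.append((OPCODES[op], struct.unpack_from(">I", data, pos)[0]))
            pos += 4
        else:
            steps.append((OPCODES[op], None))
    return steps


def render_request(method, uri, steps, blobs):
    """Reconstruct the request Beacon would send for this profile (approximation).
    `blobs` maps the BUILD argument (0 or 1) to the raw bytes Beacon transforms
    there. The profile's own Host header is emitted as-is, which is the point:
    it says www.amazon.com while the TCP connection goes to the C2 host."""
    headers = [f"User-Agent: {USER_AGENT}"]
    params, body, data = [], b"", b""
    for name, arg in steps:
        if name == "const_header":
            headers.append(arg)
        elif name == "const_parameter":
            params.append(arg)
        elif name == "build":
            data = blobs[arg]
        elif name == "base64":
            data = base64.b64encode(data)
        elif name == "prepend":
            data = arg.encode() + data
        elif name == "append":
            data = data + arg.encode()
        elif name == "header":
            headers.append(f"{arg}: {data.decode('latin-1')}")
        elif name == "parameter":
            params.append(f"{arg}={data.decode('latin-1')}")
        elif name == "print":
            body = data
        else:
            raise ValueError(f"transform {name} is not modelled here")
    target = uri + ("?" + "&".join(params) if params else "")
    if body:
        headers.append(f"Content-Length: {len(body)}")
    return (f"{method} {target} HTTP/1.1\r\n" + "\r\n".join(headers)
            + "\r\n\r\n" + body.decode("latin-1"))


if __name__ == "__main__":
    get_steps = decode_transform(HTTP_HEADER1)
    post_steps = decode_transform(HTTP_HEADER2)
    for s in get_steps + post_steps:
        print(s)
    # Placeholder payloads: real metadata is RSA-encrypted with the config's public key.
    print(render_request("GET", GET_URI, get_steps, {0: b"META"}).replace("\r\n", "\n"))
    print(render_request("POST", POST_URI, post_steps, {0: b"1", 1: b"out"}).replace("\r\n", "\n"))
```

The decoded GET carries the metadata in a `Cookie` header shaped `skin=noskin;session-token=<base64>csm-hit=...`, and the POST carries the session id as the `sn` query parameter and task output as a base64 body; the Host header in both requests is `www.amazon.com`, which never matches the softline.top destination the config lists.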
Signatures

Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource  yara_rule
behavioral1/files/0x000c000000012254-3.dat  cobalt_reflective_dll
behavioral1/files/0x0008000000016cf6-8.dat  cobalt_reflective_dll
behavioral1/files/0x0007000000016d30-57.dat  cobalt_reflective_dll
behavioral1/files/0x00050000000191fd-92.dat  cobalt_reflective_dll
behavioral1/files/0x000d000000018662-116.dat  cobalt_reflective_dll
behavioral1/files/0x00050000000186c8-68.dat  cobalt_reflective_dll
behavioral1/files/0x0005000000019217-98.dat  cobalt_reflective_dll
behavioral1/files/0x00050000000191f3-88.dat  cobalt_reflective_dll
behavioral1/files/0x00060000000190c6-81.dat  cobalt_reflective_dll
behavioral1/files/0x0014000000018657-62.dat  cobalt_reflective_dll
behavioral1/files/0x000600000001749c-61.dat  cobalt_reflective_dll
behavioral1/files/0x00060000000174bf-112.dat  cobalt_reflective_dll
behavioral1/files/0x0006000000017481-105.dat  cobalt_reflective_dll
behavioral1/files/0x00060000000190c9-95.dat  cobalt_reflective_dll
behavioral1/files/0x000500000001878d-94.dat  cobalt_reflective_dll
behavioral1/files/0x000500000001867d-93.dat  cobalt_reflective_dll
behavioral1/files/0x0009000000016d38-80.dat  cobalt_reflective_dll
behavioral1/files/0x0008000000016d40-58.dat  cobalt_reflective_dll
behavioral1/files/0x0007000000016d1f-56.dat  cobalt_reflective_dll
behavioral1/files/0x0007000000016d27-46.dat  cobalt_reflective_dll
behavioral1/files/0x0008000000016d0c-20.dat  cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Cobaltstrike family

Xmrig family

XMRig Miner payload 36 IoCs
resource  yara_rule
behavioral1/memory/1984-109-0x000000013F1F0000-0x000000013F541000-memory.dmp  xmrig
behavioral1/memory/2772-120-0x000000013F3E0000-0x000000013F731000-memory.dmp  xmrig
behavioral1/memory/2840-91-0x000000013FB90000-0x000000013FEE1000-memory.dmp  xmrig
behavioral1/memory/1568-119-0x000000013FAF0000-0x000000013FE41000-memory.dmp  xmrig
behavioral1/memory/2896-107-0x000000013FD80000-0x00000001400D1000-memory.dmp  xmrig
behavioral1/memory/2852-106-0x000000013F050000-0x000000013F3A1000-memory.dmp  xmrig
behavioral1/memory/2500-85-0x000000013F870000-0x000000013FBC1000-memory.dmp  xmrig
behavioral1/memory/888-79-0x000000013F640000-0x000000013F991000-memory.dmp  xmrig
behavioral1/memory/2320-131-0x000000013FE30000-0x0000000140181000-memory.dmp  xmrig
behavioral1/memory/1984-130-0x000000013FC60000-0x000000013FFB1000-memory.dmp  xmrig
behavioral1/memory/2384-133-0x000000013F940000-0x000000013FC91000-memory.dmp  xmrig
behavioral1/memory/3040-132-0x000000013FFC0000-0x0000000140311000-memory.dmp  xmrig
behavioral1/memory/3040-12-0x000000013FFC0000-0x0000000140311000-memory.dmp  xmrig
behavioral1/memory/1984-135-0x000000013FC60000-0x000000013FFB1000-memory.dmp  xmrig
behavioral1/memory/2768-144-0x000000013F6F0000-0x000000013FA41000-memory.dmp  xmrig
behavioral1/memory/2644-149-0x000000013F790000-0x000000013FAE1000-memory.dmp  xmrig
behavioral1/memory/2624-146-0x000000013F0F0000-0x000000013F441000-memory.dmp  xmrig
behavioral1/memory/3048-156-0x000000013FF00000-0x0000000140251000-memory.dmp  xmrig
behavioral1/memory/1256-157-0x000000013F850000-0x000000013FBA1000-memory.dmp  xmrig
behavioral1/memory/1376-155-0x000000013F780000-0x000000013FAD1000-memory.dmp  xmrig
behavioral1/memory/2504-154-0x000000013F780000-0x000000013FAD1000-memory.dmp  xmrig
behavioral1/memory/2088-153-0x000000013FB70000-0x000000013FEC1000-memory.dmp  xmrig
behavioral1/memory/1672-152-0x000000013FD10000-0x0000000140061000-memory.dmp  xmrig
behavioral1/memory/2616-151-0x000000013F0D0000-0x000000013F421000-memory.dmp  xmrig
behavioral1/memory/2660-150-0x000000013F1F0000-0x000000013F541000-memory.dmp  xmrig
behavioral1/memory/1984-158-0x000000013FC60000-0x000000013FFB1000-memory.dmp  xmrig
behavioral1/memory/3040-225-0x000000013FFC0000-0x0000000140311000-memory.dmp  xmrig
behavioral1/memory/2384-227-0x000000013F940000-0x000000013FC91000-memory.dmp  xmrig
behavioral1/memory/888-229-0x000000013F640000-0x000000013F991000-memory.dmp  xmrig
behavioral1/memory/2320-233-0x000000013FE30000-0x0000000140181000-memory.dmp  xmrig
behavioral1/memory/2500-231-0x000000013F870000-0x000000013FBC1000-memory.dmp  xmrig
behavioral1/memory/2896-239-0x000000013FD80000-0x00000001400D1000-memory.dmp  xmrig
behavioral1/memory/2840-237-0x000000013FB90000-0x000000013FEE1000-memory.dmp  xmrig
behavioral1/memory/1568-235-0x000000013FAF0000-0x000000013FE41000-memory.dmp  xmrig
behavioral1/memory/2852-241-0x000000013F050000-0x000000013F3A1000-memory.dmp  xmrig
behavioral1/memory/2772-244-0x000000013F3E0000-0x000000013F731000-memory.dmp  xmrig

Executes dropped EXE 21 IoCs
pid  Process
3040  GyCBCLd.exe
2320  MyDpMRb.exe
2384  RGjdnwN.exe
888  kWqCifY.exe
1568  jsJheHq.exe
2500  ajmuExU.exe
2840  gNUUDXO.exe
2852  eXNznyA.exe
2896  gftgaMR.exe
2772  rnnGNpI.exe
2660  iJiGcEH.exe
1672  NpWkdbq.exe
2504  KfTNvXD.exe
2768  pIpglDy.exe
3048  DkuPeby.exe
2624  OppaOfo.exe
2644  OBuIGmC.exe
2616  eretAlh.exe
2088  iWIsJdr.exe
1376  vUlKmrt.exe
1256  FLynFnt.exe

Loads dropped DLL 21 IoCs
pid  Process
1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  (21 identical entries: every dropped module is loaded by the parent process)

UPX (yara rule upx) 59 IoCs
resource  yara_rule
behavioral1/memory/1984-0-0x000000013FC60000-0x000000013FFB1000-memory.dmp  upx
behavioral1/files/0x000c000000012254-3.dat  upx
behavioral1/files/0x0008000000016cf6-8.dat  upx
behavioral1/files/0x0007000000016d30-57.dat  upx
behavioral1/files/0x00050000000191fd-92.dat  upx
behavioral1/files/0x000d000000018662-116.dat  upx
behavioral1/memory/2772-120-0x000000013F3E0000-0x000000013F731000-memory.dmp  upx
behavioral1/files/0x00050000000186c8-68.dat  upx
behavioral1/files/0x0005000000019217-98.dat  upx
behavioral1/memory/2840-91-0x000000013FB90000-0x000000013FEE1000-memory.dmp  upx
behavioral1/files/0x00050000000191f3-88.dat  upx
behavioral1/files/0x00060000000190c6-81.dat  upx
behavioral1/files/0x0014000000018657-62.dat  upx
behavioral1/files/0x000600000001749c-61.dat  upx
behavioral1/memory/1568-119-0x000000013FAF0000-0x000000013FE41000-memory.dmp  upx
behavioral1/files/0x00060000000174bf-112.dat  upx
behavioral1/memory/2896-107-0x000000013FD80000-0x00000001400D1000-memory.dmp  upx
behavioral1/memory/2852-106-0x000000013F050000-0x000000013F3A1000-memory.dmp  upx
behavioral1/files/0x0006000000017481-105.dat  upx
behavioral1/files/0x00060000000190c9-95.dat  upx
behavioral1/files/0x000500000001878d-94.dat  upx
behavioral1/files/0x000500000001867d-93.dat  upx
behavioral1/memory/2500-85-0x000000013F870000-0x000000013FBC1000-memory.dmp  upx
behavioral1/files/0x0009000000016d38-80.dat  upx
behavioral1/memory/888-79-0x000000013F640000-0x000000013F991000-memory.dmp  upx
behavioral1/files/0x0008000000016d40-58.dat  upx
behavioral1/files/0x0007000000016d1f-56.dat  upx
behavioral1/memory/2320-131-0x000000013FE30000-0x0000000140181000-memory.dmp  upx
behavioral1/memory/1984-130-0x000000013FC60000-0x000000013FFB1000-memory.dmp  upx
behavioral1/files/0x0007000000016d27-46.dat  upx
behavioral1/memory/2384-27-0x000000013F940000-0x000000013FC91000-memory.dmp  upx
behavioral1/memory/2384-133-0x000000013F940000-0x000000013FC91000-memory.dmp  upx
behavioral1/memory/3040-132-0x000000013FFC0000-0x0000000140311000-memory.dmp  upx
behavioral1/files/0x0008000000016d0c-20.dat  upx
behavioral1/memory/3040-12-0x000000013FFC0000-0x0000000140311000-memory.dmp  upx
behavioral1/memory/2320-16-0x000000013FE30000-0x0000000140181000-memory.dmp  upx
behavioral1/memory/1984-135-0x000000013FC60000-0x000000013FFB1000-memory.dmp  upx
behavioral1/memory/2768-144-0x000000013F6F0000-0x000000013FA41000-memory.dmp  upx
behavioral1/memory/2644-149-0x000000013F790000-0x000000013FAE1000-memory.dmp  upx
behavioral1/memory/2624-146-0x000000013F0F0000-0x000000013F441000-memory.dmp  upx
behavioral1/memory/3048-156-0x000000013FF00000-0x0000000140251000-memory.dmp  upx
behavioral1/memory/1256-157-0x000000013F850000-0x000000013FBA1000-memory.dmp  upx
behavioral1/memory/1376-155-0x000000013F780000-0x000000013FAD1000-memory.dmp  upx
behavioral1/memory/2504-154-0x000000013F780000-0x000000013FAD1000-memory.dmp  upx
behavioral1/memory/2088-153-0x000000013FB70000-0x000000013FEC1000-memory.dmp  upx
behavioral1/memory/1672-152-0x000000013FD10000-0x0000000140061000-memory.dmp  upx
behavioral1/memory/2616-151-0x000000013F0D0000-0x000000013F421000-memory.dmp  upx
behavioral1/memory/2660-150-0x000000013F1F0000-0x000000013F541000-memory.dmp  upx
behavioral1/memory/1984-158-0x000000013FC60000-0x000000013FFB1000-memory.dmp  upx
behavioral1/memory/3040-225-0x000000013FFC0000-0x0000000140311000-memory.dmp  upx
behavioral1/memory/2384-227-0x000000013F940000-0x000000013FC91000-memory.dmp  upx
behavioral1/memory/888-229-0x000000013F640000-0x000000013F991000-memory.dmp  upx
behavioral1/memory/2320-233-0x000000013FE30000-0x0000000140181000-memory.dmp  upx
behavioral1/memory/2500-231-0x000000013F870000-0x000000013FBC1000-memory.dmp  upx
behavioral1/memory/2896-239-0x000000013FD80000-0x00000001400D1000-memory.dmp  upx
behavioral1/memory/2840-237-0x000000013FB90000-0x000000013FEE1000-memory.dmp  upx
behavioral1/memory/1568-235-0x000000013FAF0000-0x000000013FE41000-memory.dmp  upx
behavioral1/memory/2852-241-0x000000013F050000-0x000000013F3A1000-memory.dmp  upx
behavioral1/memory/2772-244-0x000000013F3E0000-0x000000013F731000-memory.dmp  upx

Drops file in Windows directory 21 IoCs
description  ioc  Process (all created by 19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe)
File created  C:\Windows\System\gNUUDXO.exe
File created  C:\Windows\System\pIpglDy.exe
File created  C:\Windows\System\iJiGcEH.exe
File created  C:\Windows\System\DkuPeby.exe
File created  C:\Windows\System\FLynFnt.exe
File created  C:\Windows\System\MyDpMRb.exe
File created  C:\Windows\System\rnnGNpI.exe
File created  C:\Windows\System\OppaOfo.exe
File created  C:\Windows\System\eretAlh.exe
File created  C:\Windows\System\NpWkdbq.exe
File created  C:\Windows\System\KfTNvXD.exe
File created  C:\Windows\System\GyCBCLd.exe
File created  C:\Windows\System\eXNznyA.exe
File created  C:\Windows\System\iWIsJdr.exe
File created  C:\Windows\System\vUlKmrt.exe
File created  C:\Windows\System\ajmuExU.exe
File created  C:\Windows\System\gftgaMR.exe
File created  C:\Windows\System\kWqCifY.exe
File created  C:\Windows\System\OBuIGmC.exe
File created  C:\Windows\System\RGjdnwN.exe
File created  C:\Windows\System\jsJheHq.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeLockMemoryPrivilege  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe
Token: SeLockMemoryPrivilege  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe
(SeLockMemoryPrivilege is the privilege XMRig requests to allocate large pages for its hashing loop; a process outside the database/hypervisor class enabling it is a useful hunting signal on its own.)
Suspicious use of WriteProcessMemory 63 IoCs
description  pid  Process  procid_target (each child appears three times in the raw list; shown once here with its count)
PID 1984 wrote to memory of 3040  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  31  (3 entries)
PID 1984 wrote to memory of 2320  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  32  (3 entries)
PID 1984 wrote to memory of 2384  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  33  (3 entries)
PID 1984 wrote to memory of 1568  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  34  (3 entries)
PID 1984 wrote to memory of 888  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  35  (3 entries)
PID 1984 wrote to memory of 2500  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  36  (3 entries)
PID 1984 wrote to memory of 2772  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  37  (3 entries)
PID 1984 wrote to memory of 2840  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  38  (3 entries)
PID 1984 wrote to memory of 2768  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  39  (3 entries)
PID 1984 wrote to memory of 2852  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  40  (3 entries)
PID 1984 wrote to memory of 2624  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  41  (3 entries)
PID 1984 wrote to memory of 2896  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  42  (3 entries)
PID 1984 wrote to memory of 2644  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  43  (3 entries)
PID 1984 wrote to memory of 2660  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  44  (3 entries)
PID 1984 wrote to memory of 2616  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  45  (3 entries)
PID 1984 wrote to memory of 1672  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  46  (3 entries)
PID 1984 wrote to memory of 2088  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  47  (3 entries)
PID 1984 wrote to memory of 2504  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  48  (3 entries)
PID 1984 wrote to memory of 1376  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  49  (3 entries)
PID 1984 wrote to memory of 3048  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  50  (3 entries)
PID 1984 wrote to memory of 1256  1984  19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe  51  (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\19339153f1d1a9383ee2374f8c406d917f0dd61f003520488f02929e3bd38613N.exe"
  PID: 1984
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System\GyCBCLd.exe (command line: C:\Windows\System\GyCBCLd.exe)
      PID: 3040 - Executes dropped EXE
    C:\Windows\System\MyDpMRb.exe (command line: C:\Windows\System\MyDpMRb.exe)
      PID: 2320 - Executes dropped EXE
    C:\Windows\System\RGjdnwN.exe (command line: C:\Windows\System\RGjdnwN.exe)
      PID: 2384 - Executes dropped EXE
    C:\Windows\System\jsJheHq.exe (command line: C:\Windows\System\jsJheHq.exe)
      PID: 1568 - Executes dropped EXE
    C:\Windows\System\kWqCifY.exe (command line: C:\Windows\System\kWqCifY.exe)
      PID: 888 - Executes dropped EXE
    C:\Windows\System\ajmuExU.exe (command line: C:\Windows\System\ajmuExU.exe)
      PID: 2500 - Executes dropped EXE
    C:\Windows\System\rnnGNpI.exe (command line: C:\Windows\System\rnnGNpI.exe)
      PID: 2772 - Executes dropped EXE
    C:\Windows\System\gNUUDXO.exe (command line: C:\Windows\System\gNUUDXO.exe)
      PID: 2840 - Executes dropped EXE
    C:\Windows\System\pIpglDy.exe (command line: C:\Windows\System\pIpglDy.exe)
      PID: 2768 - Executes dropped EXE
    C:\Windows\System\eXNznyA.exe (command line: C:\Windows\System\eXNznyA.exe)
      PID: 2852 - Executes dropped EXE
    C:\Windows\System\OppaOfo.exe (command line: C:\Windows\System\OppaOfo.exe)
      PID: 2624 - Executes dropped EXE
    C:\Windows\System\gftgaMR.exe (command line: C:\Windows\System\gftgaMR.exe)
      PID: 2896 - Executes dropped EXE
    C:\Windows\System\OBuIGmC.exe (command line: C:\Windows\System\OBuIGmC.exe)
      PID: 2644 - Executes dropped EXE
    C:\Windows\System\iJiGcEH.exe (command line: C:\Windows\System\iJiGcEH.exe)
      PID: 2660 - Executes dropped EXE
    C:\Windows\System\eretAlh.exe (command line: C:\Windows\System\eretAlh.exe)
      PID: 2616 - Executes dropped EXE
    C:\Windows\System\NpWkdbq.exe (command line: C:\Windows\System\NpWkdbq.exe)
      PID: 1672 - Executes dropped EXE
    C:\Windows\System\iWIsJdr.exe (command line: C:\Windows\System\iWIsJdr.exe)
      PID: 2088 - Executes dropped EXE
    C:\Windows\System\KfTNvXD.exe (command line: C:\Windows\System\KfTNvXD.exe)
      PID: 2504 - Executes dropped EXE
    C:\Windows\System\vUlKmrt.exe (command line: C:\Windows\System\vUlKmrt.exe)
      PID: 1376 - Executes dropped EXE
    C:\Windows\System\DkuPeby.exe (command line: C:\Windows\System\DkuPeby.exe)
      PID: 3048 - Executes dropped EXE
    C:\Windows\System\FLynFnt.exe (command line: C:\Windows\System\FLynFnt.exe)
      PID: 1256 - Executes dropped EXE
Network
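The report's Network tab carries no captured traffic, but the extracted config already says what a detection engineer should look for: a Host header of www.amazon.com on connections whose real destination is ns7/ns8/ns9.softline.top, a C2 URL extracted as http:// on port 443, the profile's two URIs and the configured user agent. The triage function below is an added example, not part of the report or of any product's detection content. It runs those checks over a few constructed proxy-log lines in a simplified `|`-separated format (an assumption for the example, not any real log schema) and treats the Host/destination mismatch, cleartext HTTP on tcp/443 and the known C2 names as strong signals, while the URI and user agent count only as weak corroboration because both are copied from legitimate Amazon and IE11-on-Windows-7 traffic.

```python
# Indicators lifted from the extracted config above.
BEACON_HOSTS = {"ns7.softline.top", "ns8.softline.top", "ns9.softline.top"}
BEACON_URIS = {"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
               "/N4215/adj/amzn.us.sr.aps"}
BEACON_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
PROFILE_HOST_HEADER = "www.amazon.com"

# Constructed sample log (not from the report). Simplified format, one record per line:
# ts | client | server_name:port | scheme | Host header | path[?query] | user-agent
SAMPLE_LOG = """\
2024-12-20T04:08:01Z|10.0.0.15|ns7.softline.top:443|http|www.amazon.com|/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2024-12-20T04:08:06Z|10.0.0.15|ns7.softline.top:443|http|www.amazon.com|/N4215/adj/amzn.us.sr.aps?sz=160x600&sn=123|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2024-12-20T04:09:00Z|10.0.0.22|www.amazon.com:443|https|www.amazon.com|/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2024-12-20T04:09:30Z|10.0.0.22|example.org:80|http|example.org|/index.html|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
"""


def parse_line(line):
    """Split one record of the constructed format into a dict."""
    ts, client, server, scheme, host_hdr, path, ua = line.rstrip("\n").split("|", 6)
    name, _, port = server.rpartition(":")
    return {"ts": ts, "client": client, "server": name, "port": int(port),
            "scheme": scheme, "host": host_hdr, "path": path.split("?", 1)[0], "ua": ua}


def same_site(a, b):
    """Crude registrable-domain comparison on the last two labels; enough to
    separate www.amazon.com from ns7.softline.top. A real deployment would use
    the public suffix list."""
    return a.lower().split(".")[-2:] == b.lower().split(".")[-2:]


def score(rec):
    """Return (strong, reasons). 'strong' reasons alone justify an alert."""
    reasons = []
    if not same_site(rec["host"], rec["server"]):
        reasons.append(f"strong: Host header {rec['host']} does not match server {rec['server']}")
    if rec["scheme"] == "http" and rec["port"] == 443:
        reasons.append("strong: cleartext HTTP on tcp/443")
    if rec["server"] in BEACON_HOSTS:
        reasons.append(f"strong: known C2 host {rec['server']}")
    if rec["path"] in BEACON_URIS and rec["host"] == PROFILE_HOST_HEADER:
        reasons.append("weak: amazon-profile URI (also a legitimate Amazon path)")
    if rec["ua"] == BEACON_UA:
        reasons.append("weak: configured user-agent (also legitimate IE11 on Windows 7)")
    strong = any(r.startswith("strong") for r in reasons)
    return strong, reasons


def triage(log_text):
    """Return [(ts, client, server, reasons)] for every record with a strong hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        strong, reasons = score(rec)
        if strong:
            hits.append((rec["ts"], rec["client"], rec["server"], reasons))
    return hits


if __name__ == "__main__":
    for ts, client, server, reasons in triage(SAMPLE_LOG):
        print(ts, client, "->", server)
        for r in reasons:
            print("   ", r)
```

The two beacon records from 10.0.0.15 are flagged on three independent strong signals; the genuine Amazon request and the unrelated example.org request each match only weak indicators and stay silent, which is the behaviour you want before the C2 hostnames rotate and the `BEACON_HOSTS` set goes stale.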
Downloads (21 dropped files, each 5.2MB, each with a distinct hash)

Filesize: 5.2MB
MD5: db3e40948be55e76af528f44e979ea80
SHA1: cc9894ea3c11aae4ae33e606fc8b6846f4bb81ab
SHA256: 3fa984e108ece432afe0d71c8896aaf8993455529545068e18bfce9b042c4bd8
SHA512: 1984b6e2fc78c6c9bc35dc7efd926e87a0a6f673701df51992f64f169ae019b085573e2b7d083f2ab864ae011c45f2b844314f0c6b7a731b0d7aebc188b132b5

Filesize: 5.2MB
MD5: 986a8cd04984c75eef3bdb68cb8b6da7
SHA1: 658cb246eafd06d9edab9087adf97cc7b7c43cb4
SHA256: bd72a9400c8578a35283679a4d9582f929ac792df8637e61927c0c7ad8cbb75d
SHA512: 7d98cc5150709c2f814590e6fceadb4119bc2fea4dbaaedf891cb12ea487528b2fb890946ee5c4c35103d94160e2fc325fd41549973d9c5bfeb799bf07a94933

Filesize: 5.2MB
MD5: c7a8a72f37047fb6c87cc569acfe2a1a
SHA1: a4d696f4e3a91ea9181c9084e1c4bdefb3e4c19f
SHA256: 1dda8d103db20e81ce9f5200311ab5ac8c89971856808ad1f38ec46be84ad4b8
SHA512: 8942794618cf89b8f65f71d98a1c7096b90c690d90ac9fc0e48c852a2ecef21575467deed67c04725a2604daeca4f76a90dd626859c1f71efbfb58e54523cb96

Filesize: 5.2MB
MD5: a91bf925146810ef00a9ae86d39df835
SHA1: f88d9dd423c61e399dee2cdda1d9909c62b225d8
SHA256: 283c1a59f90a39cd55475ab4679f2f2c8e2314856b3286937cbcd4e6f9dc442f
SHA512: 41f67a7ec1d7461debd9881e8d9ee804f3e9bb97911709fe707fcbcd85362ab3cb5b9525dc5c1dff4f1d8ae811f247c3fa7df728a5f3865822160b07b7757f93

Filesize: 5.2MB
MD5: 94e3fce4c99b477fa8712535515eabcf
SHA1: 705df6e1d1a1840a6a951f49e24a285b6115da9a
SHA256: 074a5817eb8cbd7f521541d76a619922ab6a274522a3490b70a5c2aa8bea23d7
SHA512: 49fe9672640fa94f7e5b29738f47e413c75ede2b3af5fe55dca0e60ecfce78a47ba0f443afa369ef16f262f100b7b855f5267029d54e77e37c1e5e0760f55085

Filesize: 5.2MB
MD5: d4d9583a0663c7e69456204cb3b97398
SHA1: 5665b654ee9503be7639c8ee0b152a19c4ca15d5
SHA256: faf3a42ade5013ae1f32956800bd6b19f57d747525839a70ab2920ff7f5346a9
SHA512: 976af01408133fa381d2f21e03373ddebc1b8a472e37ac5e578408ade2dae226c819c4dd49a6659251d02da36aa9217e529533c63ead2e439c0a9f7848f12e92

Filesize: 5.2MB
MD5: 52fd2aa4d89a3310a52cd90b43796620
SHA1: 268efafae010f5427155e680817bfd52392bffc8
SHA256: 1dd9731bb72dfe1210d9ac10ac454ddf5353c807beb7fe61ddbc5926ff8843e3
SHA512: 187543129c6eb38b0ac4bca87b409ddf8503aedba5052d9daeb403e18e6936b6b2d44c782711e99c70a58df2de3f7a1b8ff450043395a86099be17125df45cd0

Filesize: 5.2MB
MD5: 4e16a44d4a18aa076d04b14b94d6f92a
SHA1: 933273fe118c9344f37f14d2a01cc4938bcb6f23
SHA256: deebfc49b72186c8d934922cc03677d61383b7c9b2dc8ce447e3a0e23be06d50
SHA512: 4e8c113d142ef5d4adb8ff7bce638863aeb22aa044fef2b6d2f9562c97987e766c077d82b5bf5ec215a9e86ed96e806eb7727d47a99999351d6c22c2944e7103

Filesize: 5.2MB
MD5: fdd61251d7d6cd97143d2032ece05ca8
SHA1: 60f2ff3d9d26809ff4019f9c5366f481344a132e
SHA256: 567a92045ae2e67334e665228273fcf2773e7dd308e514eed24f432ec59a2f37
SHA512: 729194c7bedcf7cb3e5f3dfe62642457b515bde1aba530052da0470346ccb317ba6652bc6f9c0fd2a0d4a1bc739d2cd0acf51d60eb4d883260d35ea1517b1a1a

Filesize: 5.2MB
MD5: 16dc2d9a2493f0e7907e4b1479b530da
SHA1: bd239bb7bcd53e3cd4e005917acd9654bbe0e45a
SHA256: 19600d42ce68a53b0b37831d23723528a66d5d4b235bb37f87a64fe070d7654f
SHA512: 3c0c48f7b77ae8c67286f5d0bfb6789acb621faedfb1d16c14e3f73fe5bbd19fed8fbe4634580d57ced6a64e92990164cd8d800cd0516b5ecc270160fd00e0b4

Filesize: 5.2MB
MD5: d58c2b74a6736a0eb009e8ced1d87067
SHA1: 6097d6d18308c0dc7220389623b8ce0499aa6ea6
SHA256: ad59f4d7e7c2e46088e1c5b1607fd83463dada12bb408271d93413d9887fa07b
SHA512: d5122fb9e049c9e043129da8958843c589aad8f345465526c8d782773ef5b8a74678ddbdfad8cac6deb9e9c24b20dad542ab894910c7292dfd512cf972cf8502

Filesize: 5.2MB
MD5: d1fc901ede94b5e30f268d5a1091b082
SHA1: 060c8afbe6b8ce62a0f6ee5002e80bd02d0099eb
SHA256: f0945150c0d780fe3b0742041ef14682d353373d033a364cca57238434935cd9
SHA512: 1c77d6ea0e730fc4964dc97c0741203a95f20fe0c8698caf33c47bdfe0653cf7878080b646a49b8ab557d38eb02f758626ba86c5e79d28b877c2dded531f4578

Filesize: 5.2MB
MD5: 28b937006169d211ff09411f79e9814b
SHA1: e0c84937a7b0b144a48d119c2aa9cb2845a91991
SHA256: e357cb3cd8fa2030bfcb922f81e179e4869367c3aaa1d71e4bee111b7a1cf578
SHA512: 25dce7acd11822883e485159b8141c8378b4306471e207213e72ef256c410abaf9cff6ecb4d5de96cdb3821475479e32a9463b1deefcacc9f08edfeadb631193

Filesize: 5.2MB
MD5: 8bf7f38ad22aa75627cb0e661185e080
SHA1: 74c15d1fd21013175b191821d08106efe9eec9b7
SHA256: f62fbfcb8b16edc2392cf150023536494c5b73e2e37adcb4da6690ff3d1ec730
SHA512: 5ae05b7ab222308c3af824b4ce0d83f88a5ae3a7d8b8d53b556c acf88798d95eebb9382393ab222b43f5f95654256c3ffb6456d082d3fe20bdc531407b5a296e

Filesize: 5.2MB
MD5: 70e6f9c6ce72c95d961e28b6240d91e5
SHA1: af99fc3edd161d733a4ae1904ef9aad15d1cf34a
SHA256: bb77478054fb3226e9dbd4623c17d528823c494aeb19e6aa5e3d656774fee73a
SHA512: a8967e08ba37e8864c76e30e76f53e2ad52001662f4b068ef54165aa045209e621745559f216a43fdd82e1169cd11dcc6b4a25f923b34038ec38d0aa4221557c

Filesize: 5.2MB
MD5: ee0daf2a43484a88201c14f26e25d4fb
SHA1: 54bd71b5577562fd57683a18384b51e75228e35d
SHA256: bfb13ba3650dbb9289f5f035b5631591825b8fac06f7c05a295569f41d8e819f
SHA512: 30e7bfc6cb6be9fa65a6970d0fd56f84b735ee3f7017186b90270efcc9260c06fe75a92740dccb7ee972098160caa33b897c4bcd4baf8a04462a6758599a1bcc

Filesize: 5.2MB
MD5: e179b7314f61a9ffe60da9a5aa207abb
SHA1: a28eb0c29567c9b73e5c996b6b22b32e51e07912
SHA256: b015eb93dce106834ba3c9e104a6b62f3dd3778f95294e900da7ea1573481e5a
SHA512: 153e261303966a62065f65fc01ce51262939ad2eb37988addfe8203dc4d344ad3369b1ede942d07765ae52f70daed137ab9b5c11a9b16492f24ead0d0399cb93

Filesize: 5.2MB
MD5: 2c79f8afde41741dee50b06f3fb78fc2
SHA1: 0a03c4e446435f0db8f52d630a833ab14f5af786
SHA256: b78139f5283663f60ad717f39b29b0dc6eccc7c42ad9a91e85381f59a2913c67
SHA512: 40db29a5c84d2d3fc1587a6bb844ff6cfab3b55a1d97fded4fe4731e04d0db2179a9b8e5ce2d09e5587a21b8d2d06c63fbd716512d008797e0357594a0b367fc

Filesize: 5.2MB
MD5: f14996330fa998248d883773176b6433
SHA1: 3d9daf61701564b94f4d7ee16742e2487a86b835
SHA256: 0cc2d19d0e12fd100a6bcefdd5199175bb22e4c6a311a4a0d69326dd58991362
SHA512: 0cee1834666eb83d592e9e141f4a9783dbee7b59fa2ce52f3ac361be3bf0f504f809b11774bb2b17557cbfc1975297806d03b6270468d14dd603e45fe36ec38d

Filesize: 5.2MB
MD5: 096b774db7ae16087490119f4458bcfc
SHA1: db4d82116f98a58c17d6ee0d61cb2093e448e43d
SHA256: f5b977cfd0cdce63137c1af6023e4d96ed299364ad3c42b72de99bddbbb94506
SHA512: ff5d4291e10daad7b9bf6f916c06702058b0b6b7d9cc97b9d6982614b0269e39f72b39a77c138666d439e1ff29a0647bc372b55ace24a8bc7af2d67d02b6382a

Filesize: 5.2MB
MD5: 94450bb0f2ad307ca5792e3180d3e6a5
SHA1: 18c9856734672c4a808d64ffc62949d20718bd89
SHA256: 6830dcfa6f4f13b74ccac93e953adb7cd2a2982254ba1044a233115dad57f30b
SHA512: 5be23418c402564e0296b65afa3ab1c99e99f240dc102d3ab4fac41406a89c59b3df81da82605a5d9a60b6393f3bffcc2d14df651f857f7b7e5a68e22e7ad02b