Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 15/08/2024, 09:56
Behavioral task: behavioral1
Sample: dfc8a622d0d0d1285a5d02644b908880N.exe
Resource: win7-20240704-en
General
Target: dfc8a622d0d0d1285a5d02644b908880N.exe
Size: 5.2MB
MD5: dfc8a622d0d0d1285a5d02644b908880
SHA1: 7faaf5a8a0494184ad4b07b3ef66220adb14fa36
SHA256: 2787d8692bd406c6c1d6b085c5e6ddcdeca4d05d5a2619083cc0e3b7375a12cb
SHA512: 0c221639eb108900ce8babec644e07c541a6c7c942cb82102c74e75792534e8f90c8fe32578cfe50db272e0a53ad33be256bc9cbaf2ac39996c10a63b4b4f062
SSDEEP: 49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lH:RWWBibd56utgpPFotBER/mQ32lUL
Malware Config
Extracted
Family: cobaltstrike
0
C2:
  http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
resource | yara_rule
behavioral1/files/0x000a000000012283-3.dat | cobalt_reflective_dll
behavioral1/files/0x0008000000016d29-9.dat | cobalt_reflective_dll
behavioral1/files/0x0007000000016d31-11.dat | cobalt_reflective_dll
behavioral1/files/0x0008000000016d3a-21.dat | cobalt_reflective_dll
behavioral1/files/0x0032000000016cdf-29.dat | cobalt_reflective_dll
behavioral1/files/0x0007000000016d4a-48.dat | cobalt_reflective_dll
behavioral1/files/0x0007000000016d65-51.dat | cobalt_reflective_dll
behavioral1/files/0x0007000000016d5e-54.dat | cobalt_reflective_dll
behavioral1/files/0x0008000000016dcb-65.dat | cobalt_reflective_dll
behavioral1/files/0x000500000001870f-78.dat | cobalt_reflective_dll
behavioral1/files/0x000500000001924a-118.dat | cobalt_reflective_dll
behavioral1/files/0x0005000000019259-123.dat | cobalt_reflective_dll
behavioral1/files/0x0005000000019266-131.dat | cobalt_reflective_dll
behavioral1/files/0x000500000001925d-128.dat | cobalt_reflective_dll
behavioral1/files/0x0005000000019244-113.dat | cobalt_reflective_dll
behavioral1/files/0x00050000000191dc-104.dat | cobalt_reflective_dll
behavioral1/files/0x00050000000191f1-108.dat | cobalt_reflective_dll
behavioral1/files/0x0005000000018712-89.dat | cobalt_reflective_dll
behavioral1/files/0x0006000000018bc8-97.dat | cobalt_reflective_dll
behavioral1/files/0x0005000000018701-74.dat | cobalt_reflective_dll
behavioral1/files/0x0008000000016d69-62.dat | cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

XMRig Miner payload (39 IoCs)
resource | yara_rule
behavioral1/memory/2732-32-0x000000013F470000-0x000000013F7C1000-memory.dmp | xmrig
behavioral1/memory/2840-40-0x000000013FC80000-0x000000013FFD1000-memory.dmp | xmrig
behavioral1/memory/340-135-0x000000013F810000-0x000000013FB61000-memory.dmp | xmrig
behavioral1/memory/2044-90-0x000000013FE10000-0x0000000140161000-memory.dmp | xmrig
behavioral1/memory/2732-87-0x0000000002230000-0x0000000002581000-memory.dmp | xmrig
behavioral1/memory/2080-136-0x000000013F7B0000-0x000000013FB01000-memory.dmp | xmrig
behavioral1/memory/2128-86-0x000000013FD40000-0x0000000140091000-memory.dmp | xmrig
behavioral1/memory/2660-81-0x000000013FEF0000-0x0000000140241000-memory.dmp | xmrig
behavioral1/memory/2644-66-0x000000013F910000-0x000000013FC61000-memory.dmp | xmrig
behavioral1/memory/2344-137-0x000000013F790000-0x000000013FAE1000-memory.dmp | xmrig
behavioral1/memory/2868-55-0x000000013F5D0000-0x000000013F921000-memory.dmp | xmrig
behavioral1/memory/2716-49-0x000000013F1A0000-0x000000013F4F1000-memory.dmp | xmrig
behavioral1/memory/2732-138-0x000000013F470000-0x000000013F7C1000-memory.dmp | xmrig
behavioral1/memory/2608-47-0x000000013F6B0000-0x000000013FA01000-memory.dmp | xmrig
behavioral1/memory/2072-143-0x000000013F170000-0x000000013F4C1000-memory.dmp | xmrig
behavioral1/memory/2928-150-0x000000013FE80000-0x00000001401D1000-memory.dmp | xmrig
behavioral1/memory/1728-152-0x000000013F5B0000-0x000000013F901000-memory.dmp | xmrig
behavioral1/memory/2976-158-0x000000013F700000-0x000000013FA51000-memory.dmp | xmrig
behavioral1/memory/1960-162-0x000000013FF10000-0x0000000140261000-memory.dmp | xmrig
behavioral1/memory/2920-161-0x000000013F5D0000-0x000000013F921000-memory.dmp | xmrig
behavioral1/memory/2904-160-0x000000013F7E0000-0x000000013FB31000-memory.dmp | xmrig
behavioral1/memory/112-159-0x000000013FF70000-0x00000001402C1000-memory.dmp | xmrig
behavioral1/memory/2648-163-0x000000013F7D0000-0x000000013FB21000-memory.dmp | xmrig
behavioral1/memory/336-164-0x000000013F830000-0x000000013FB81000-memory.dmp | xmrig
behavioral1/memory/2732-165-0x000000013F470000-0x000000013F7C1000-memory.dmp | xmrig
behavioral1/memory/2840-212-0x000000013FC80000-0x000000013FFD1000-memory.dmp | xmrig
behavioral1/memory/2716-216-0x000000013F1A0000-0x000000013F4F1000-memory.dmp | xmrig
behavioral1/memory/2644-220-0x000000013F910000-0x000000013FC61000-memory.dmp | xmrig
behavioral1/memory/2868-221-0x000000013F5D0000-0x000000013F921000-memory.dmp | xmrig
behavioral1/memory/2608-230-0x000000013F6B0000-0x000000013FA01000-memory.dmp | xmrig
behavioral1/memory/2660-232-0x000000013FEF0000-0x0000000140241000-memory.dmp | xmrig
behavioral1/memory/2128-234-0x000000013FD40000-0x0000000140091000-memory.dmp | xmrig
behavioral1/memory/2044-236-0x000000013FE10000-0x0000000140161000-memory.dmp | xmrig
behavioral1/memory/340-238-0x000000013F810000-0x000000013FB61000-memory.dmp | xmrig
behavioral1/memory/2080-240-0x000000013F7B0000-0x000000013FB01000-memory.dmp | xmrig
behavioral1/memory/2344-242-0x000000013F790000-0x000000013FAE1000-memory.dmp | xmrig
behavioral1/memory/2072-253-0x000000013F170000-0x000000013F4C1000-memory.dmp | xmrig
behavioral1/memory/2928-255-0x000000013FE80000-0x00000001401D1000-memory.dmp | xmrig
behavioral1/memory/1728-266-0x000000013F5B0000-0x000000013F901000-memory.dmp | xmrig

Executes dropped EXE (21 IoCs)
pid | Process
2840 | TMxwOdQ.exe
2716 | xxzGdFD.exe
2868 | eFmEBrj.exe
2644 | dwMcnMj.exe
2608 | sccSQoc.exe
2660 | rkqYrqY.exe
2128 | blLahYe.exe
2044 | lqIUhYc.exe
1728 | OIyiBwe.exe
340 | ngCJMIS.exe
2080 | uqVXUgo.exe
2344 | njfJHFN.exe
2072 | iXSEQFN.exe
2928 | hyxTIvQ.exe
2976 | HzvZTeY.exe
112 | sTRsWwH.exe
2904 | pyOaNOO.exe
2920 | NpBUEJL.exe
1960 | jvYfQmM.exe
2648 | djnUtmx.exe
336 | Imwvwsk.exe

Loads dropped DLL (21 IoCs)
pid | Process
2732 | dfc8a622d0d0d1285a5d02644b908880N.exe (the same pid/process pair is listed 21 times, once per loaded DLL)

UPX (yara rule matches; signature title not present on the page)
resource | yara_rule
behavioral1/memory/2732-0-0x000000013F470000-0x000000013F7C1000-memory.dmp | upx
behavioral1/files/0x000a000000012283-3.dat | upx
behavioral1/memory/2840-7-0x000000013FC80000-0x000000013FFD1000-memory.dmp | upx
behavioral1/files/0x0008000000016d29-9.dat | upx
behavioral1/memory/2716-13-0x000000013F1A0000-0x000000013F4F1000-memory.dmp | upx
behavioral1/files/0x0007000000016d31-11.dat | upx
behavioral1/memory/2868-19-0x000000013F5D0000-0x000000013F921000-memory.dmp | upx
behavioral1/files/0x0008000000016d3a-21.dat | upx
behavioral1/memory/2644-26-0x000000013F910000-0x000000013FC61000-memory.dmp | upx
behavioral1/files/0x0032000000016cdf-29.dat | upx
behavioral1/memory/2732-32-0x000000013F470000-0x000000013F7C1000-memory.dmp | upx
behavioral1/files/0x0007000000016d4a-48.dat | upx
behavioral1/files/0x0007000000016d65-51.dat | upx
behavioral1/files/0x0007000000016d5e-54.dat | upx
behavioral1/memory/2044-57-0x000000013FE10000-0x0000000140161000-memory.dmp | upx
behavioral1/memory/2840-40-0x000000013FC80000-0x000000013FFD1000-memory.dmp | upx
behavioral1/files/0x0008000000016dcb-65.dat | upx
behavioral1/memory/340-69-0x000000013F810000-0x000000013FB61000-memory.dmp | upx
behavioral1/files/0x000500000001870f-78.dat | upx
behavioral1/memory/2344-82-0x000000013F790000-0x000000013FAE1000-memory.dmp | upx
behavioral1/memory/2080-75-0x000000013F7B0000-0x000000013FB01000-memory.dmp | upx
behavioral1/memory/2928-98-0x000000013FE80000-0x00000001401D1000-memory.dmp | upx
behavioral1/files/0x000500000001924a-118.dat | upx
behavioral1/files/0x0005000000019259-123.dat | upx
behavioral1/files/0x0005000000019266-131.dat | upx
behavioral1/files/0x000500000001925d-128.dat | upx
behavioral1/memory/340-135-0x000000013F810000-0x000000013FB61000-memory.dmp | upx
behavioral1/files/0x0005000000019244-113.dat | upx
behavioral1/files/0x00050000000191dc-104.dat | upx
behavioral1/files/0x00050000000191f1-108.dat | upx
behavioral1/memory/2072-91-0x000000013F170000-0x000000013F4C1000-memory.dmp | upx
behavioral1/memory/2044-90-0x000000013FE10000-0x0000000140161000-memory.dmp | upx
behavioral1/files/0x0005000000018712-89.dat | upx
behavioral1/memory/2080-136-0x000000013F7B0000-0x000000013FB01000-memory.dmp | upx
behavioral1/memory/2128-86-0x000000013FD40000-0x0000000140091000-memory.dmp | upx
behavioral1/files/0x0006000000018bc8-97.dat | upx
behavioral1/files/0x0005000000018701-74.dat | upx
behavioral1/memory/2660-81-0x000000013FEF0000-0x0000000140241000-memory.dmp | upx
behavioral1/memory/2644-66-0x000000013F910000-0x000000013FC61000-memory.dmp | upx
behavioral1/memory/1728-63-0x000000013F5B0000-0x000000013F901000-memory.dmp | upx
behavioral1/files/0x0008000000016d69-62.dat | upx
behavioral1/memory/2344-137-0x000000013F790000-0x000000013FAE1000-memory.dmp | upx
behavioral1/memory/2868-55-0x000000013F5D0000-0x000000013F921000-memory.dmp | upx
behavioral1/memory/2128-53-0x000000013FD40000-0x0000000140091000-memory.dmp | upx
behavioral1/memory/2660-50-0x000000013FEF0000-0x0000000140241000-memory.dmp | upx
behavioral1/memory/2716-49-0x000000013F1A0000-0x000000013F4F1000-memory.dmp | upx
behavioral1/memory/2732-138-0x000000013F470000-0x000000013F7C1000-memory.dmp | upx
behavioral1/memory/2608-47-0x000000013F6B0000-0x000000013FA01000-memory.dmp | upx
behavioral1/memory/2072-143-0x000000013F170000-0x000000013F4C1000-memory.dmp | upx
behavioral1/memory/2928-150-0x000000013FE80000-0x00000001401D1000-memory.dmp | upx
behavioral1/memory/1728-152-0x000000013F5B0000-0x000000013F901000-memory.dmp | upx
behavioral1/memory/2976-158-0x000000013F700000-0x000000013FA51000-memory.dmp | upx
behavioral1/memory/1960-162-0x000000013FF10000-0x0000000140261000-memory.dmp | upx
behavioral1/memory/2920-161-0x000000013F5D0000-0x000000013F921000-memory.dmp | upx
behavioral1/memory/2904-160-0x000000013F7E0000-0x000000013FB31000-memory.dmp | upx
behavioral1/memory/112-159-0x000000013FF70000-0x00000001402C1000-memory.dmp | upx
behavioral1/memory/2648-163-0x000000013F7D0000-0x000000013FB21000-memory.dmp | upx
behavioral1/memory/336-164-0x000000013F830000-0x000000013FB81000-memory.dmp | upx
behavioral1/memory/2732-165-0x000000013F470000-0x000000013F7C1000-memory.dmp | upx
behavioral1/memory/2840-212-0x000000013FC80000-0x000000013FFD1000-memory.dmp | upx
behavioral1/memory/2716-216-0x000000013F1A0000-0x000000013F4F1000-memory.dmp | upx
behavioral1/memory/2644-220-0x000000013F910000-0x000000013FC61000-memory.dmp | upx
behavioral1/memory/2868-221-0x000000013F5D0000-0x000000013F921000-memory.dmp | upx
behavioral1/memory/2608-230-0x000000013F6B0000-0x000000013FA01000-memory.dmp | upx

Drops file in Windows directory (21 IoCs)
description | ioc | Process
File created | C:\Windows\System\HzvZTeY.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\sTRsWwH.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\NpBUEJL.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\Imwvwsk.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\xxzGdFD.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\sccSQoc.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\OIyiBwe.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\hyxTIvQ.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\pyOaNOO.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\djnUtmx.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\rkqYrqY.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\lqIUhYc.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\ngCJMIS.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\njfJHFN.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\jvYfQmM.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\TMxwOdQ.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\eFmEBrj.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\dwMcnMj.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\blLahYe.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\uqVXUgo.exe | dfc8a622d0d0d1285a5d02644b908880N.exe
File created | C:\Windows\System\iXSEQFN.exe | dfc8a622d0d0d1285a5d02644b908880N.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeLockMemoryPrivilege | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe
Token: SeLockMemoryPrivilege | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe

Suspicious use of WriteProcessMemory (63 IoCs)
description | pid | Process | procid_target
Every row below appears three times in the original table (63 rows = 21 targets x 3); the writer is always PID 2732 dfc8a622d0d0d1285a5d02644b908880N.exe.
PID 2732 wrote to memory of 2840 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 31
PID 2732 wrote to memory of 2716 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 32
PID 2732 wrote to memory of 2868 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 33
PID 2732 wrote to memory of 2644 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 34
PID 2732 wrote to memory of 2608 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 35
PID 2732 wrote to memory of 2660 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 36
PID 2732 wrote to memory of 2044 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 37
PID 2732 wrote to memory of 2128 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 38
PID 2732 wrote to memory of 1728 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 39
PID 2732 wrote to memory of 340 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 40
PID 2732 wrote to memory of 2080 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 41
PID 2732 wrote to memory of 2344 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 42
PID 2732 wrote to memory of 2072 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 43
PID 2732 wrote to memory of 2928 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 44
PID 2732 wrote to memory of 2976 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 45
PID 2732 wrote to memory of 112 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 46
PID 2732 wrote to memory of 2904 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 47
PID 2732 wrote to memory of 2920 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 48
PID 2732 wrote to memory of 1960 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 49
PID 2732 wrote to memory of 2648 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 50
PID 2732 wrote to memory of 336 | 2732 | dfc8a622d0d0d1285a5d02644b908880N.exe | 51
Processes
C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe"
  PID: 2732
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (each started by PID 2732, each flagged "Executes dropped EXE"):
    C:\Windows\System\TMxwOdQ.exe (command line: C:\Windows\System\TMxwOdQ.exe), PID: 2840
    C:\Windows\System\xxzGdFD.exe (command line: C:\Windows\System\xxzGdFD.exe), PID: 2716
    C:\Windows\System\eFmEBrj.exe (command line: C:\Windows\System\eFmEBrj.exe), PID: 2868
    C:\Windows\System\dwMcnMj.exe (command line: C:\Windows\System\dwMcnMj.exe), PID: 2644
    C:\Windows\System\sccSQoc.exe (command line: C:\Windows\System\sccSQoc.exe), PID: 2608
    C:\Windows\System\rkqYrqY.exe (command line: C:\Windows\System\rkqYrqY.exe), PID: 2660
    C:\Windows\System\lqIUhYc.exe (command line: C:\Windows\System\lqIUhYc.exe), PID: 2044
    C:\Windows\System\blLahYe.exe (command line: C:\Windows\System\blLahYe.exe), PID: 2128
    C:\Windows\System\OIyiBwe.exe (command line: C:\Windows\System\OIyiBwe.exe), PID: 1728
    C:\Windows\System\ngCJMIS.exe (command line: C:\Windows\System\ngCJMIS.exe), PID: 340
    C:\Windows\System\uqVXUgo.exe (command line: C:\Windows\System\uqVXUgo.exe), PID: 2080
    C:\Windows\System\njfJHFN.exe (command line: C:\Windows\System\njfJHFN.exe), PID: 2344
    C:\Windows\System\iXSEQFN.exe (command line: C:\Windows\System\iXSEQFN.exe), PID: 2072
    C:\Windows\System\hyxTIvQ.exe (command line: C:\Windows\System\hyxTIvQ.exe), PID: 2928
    C:\Windows\System\HzvZTeY.exe (command line: C:\Windows\System\HzvZTeY.exe), PID: 2976
    C:\Windows\System\sTRsWwH.exe (command line: C:\Windows\System\sTRsWwH.exe), PID: 112
    C:\Windows\System\pyOaNOO.exe (command line: C:\Windows\System\pyOaNOO.exe), PID: 2904
    C:\Windows\System\NpBUEJL.exe (command line: C:\Windows\System\NpBUEJL.exe), PID: 2920
    C:\Windows\System\jvYfQmM.exe (command line: C:\Windows\System\jvYfQmM.exe), PID: 1960
    C:\Windows\System\djnUtmx.exe (command line: C:\Windows\System\djnUtmx.exe), PID: 2648
    C:\Windows\System\Imwvwsk.exe (command line: C:\Windows\System\Imwvwsk.exe), PID: 336
Downloads

Filesize: 5.2MB
MD5: be3a8f21e5fbeeafa277578b7c08d388
SHA1: 5314a97a066b3f64afeb9d3ca52efc03e02ebc3c
SHA256: 28abe659d0d62d2d5d431d0f157684402432151b8d43b44fe173ffa4078998d5
SHA512: 569f75715f55de37a036adab497eadaf7e8f1a14e2ad383a456568aaf58a5f677cf7444a1d43c09c951595cf0d42725d454e1e951049cc3053996fa7e0f1ea56

Filesize: 5.2MB
MD5: 67cef716e2bf3a453cfe7f58b13199e2
SHA1: 7c78973f293000b690fb9ed139660063cf4a5c4c
SHA256: f2ef88b54b9f0518a66e5f9e57aa22e2b8e831905ee52a2edbaf4173acf1d41d
SHA512: b61ee88783a8f614c74c5c183029017b357e29c9e8642a3ae35d806512c0fab70940a3565a2207a462b65edbc75bab8015f35f66931b3798fbf8eaa2679b2519

Filesize: 5.2MB
MD5: 4bdc82ec7d4ca7c35de453b82600fab0
SHA1: 9e8a105f0477139d08a601ffcea1f3ab5ec72e86
SHA256: a9a606e6d2fab063f1caad7d53206ee9659cb73b1d629f61dc8173fd6af41cb2
SHA512: 201d88408c624e15444f06f13d8238aedff5750cc96ed739d57d9eba9cdf59c12d90881b44eec988e37de162e85032a510b8d5c2f7313f89dfe68d608bcb68bb

Filesize: 5.2MB
MD5: ecc378b572979023c521bc48b0b180bd
SHA1: 9c8b56604125a008ba9a44638b18c869e1b794f7
SHA256: 2466059a4398980b40a2100613718aba06523b83af6e0073688e32045f20b007
SHA512: 055003ed2ead19a291ae16c3fdb4cf75800f43fc09b4eb332d2c156c466d22d8135053d88f34c960111da304428b5d8dca024f94d7f36c40613aa974274bbbc3

Filesize: 5.2MB
MD5: 24845f6dc241fff20a151e05b6f4dd84
SHA1: 2eab1374c9c8e96593cfd305e162468234fc2149
SHA256: 078a6779078b28e6237460c246a973b1ba6e22140d8bb6c35f597eb378cfce73
SHA512: 71f51d9169664e15cb07de738f51dbb62d595bd065614cbc17040d9d612d1a6ed0075a97ccdd7e2fe964fcf753ae1d448fde246b6727743a00bb5dc7a70e7927

Filesize: 5.2MB
MD5: 02b41161f1e856243653a43376eddd4c
SHA1: 839af24440ae0a9542d1de638d01bd822a20fbf8
SHA256: 523c3adbb213f65841b88edf41d24f0c851542e93aee7de56c599b6a0745ad36
SHA512: a9decd9d6525ec92815726baba6bf350a8c55fe703da247975d6ca97d96f6f52e0d0fb3e8715594fed0ed5791f7aa77eaf5b1a8ddb08e3017b6c54ad531fa1ff

Filesize: 5.2MB
MD5: 8d3e8aff44413e9ad8130037fcfe439b
SHA1: ab1e149818d1adbe331c5c3059ee202695ede587
SHA256: 4513c5ab1397e98337becc05953c11a50f422977f39efea67b3948cbd51971b3
SHA512: caba7dbd2d966105bafc042485b48230fe7556b90e43188155ac40f4ca53cd7ba083a7fa5c3024577753b0554c958b1dec0f83b06d51728f52bcc0c6252a1d72

Filesize: 5.2MB
MD5: 6981f3fde8a9ac61ff00677370d4d62f
SHA1: 0ecffd9d6da58cbe4d86640efc2074dea8292a5c
SHA256: 7fd72e7c36dd79773bc5cedcd310eca477aa1d6c2eb2b1d1085857f18e8ec5a3
SHA512: ff3f024cc583b56d43afab45dda0088d820e9b0e77942ed0605dcd9fcdc896340fe0376ccd8fc3c3496f29a5c4149eced7434ca8b486d8a58d121e4ecc5e7dbc

Filesize: 5.2MB
MD5: 9d54178fbbe157ffeadcd525ff17b781
SHA1: b7e17092eb94ca2ccc93f24f7b8d6a1dd3bb2afe
SHA256: 4a20ecaaecde0438a3a57f87405901c6d5b7827306e444523b6c083f3c6aa76c
SHA512: 7592f44b28ff9452084137101484ce3b6615431ce06a6e7701c093a6ad56ae7b70306b51862269317da940438116bb41043d8146d262ff307831352728b858da

Filesize: 5.2MB
MD5: 0919a6f9fac3fca338cbe11ace3636d6
SHA1: 13b0c0fd5dcbf96216a4f23fba70ef50a146b0a5
SHA256: d5c2ef7d36e10a791f4598537727a89a03e49f2505bca57902dc16ec4c8c9f32
SHA512: 070109670e345489dafb84dbff51e1d2260c4fee8ea1d038d099f9579fa42b7dcdc179bb81323280ebdc277515cc07c556fe6d05e61f8fd3b58f36e72bab1c2d

Filesize: 5.2MB
MD5: 45fbba86c5eb28714a531ca902608c1c
SHA1: 32e9d177bc4dd9d5620af2729eade964befa0216
SHA256: 733ff48a9f614bf7a930d5d2845b622d570595dc6d932ba54ab0c5b58c3317bc
SHA512: 195d9553bd18bcda74c8e75a951a431884e48fc2421cdfa2237d7eaa9a7a3ffa5cae0d8efef11d475df981a4bfd1dd04cbac7c1a6f004da0fc0def4a3c1c4c57

Filesize: 5.2MB
MD5: 9c171ba5b4b0da3a8ff4bb34edeacf8a
SHA1: 147d1ee6b4ec9fd5e024f16e43119e226bce612a
SHA256: e3f75a8f9aa6bab26261ebab1595e6add18130ed8afe9b66525b67e42fab1412
SHA512: a0dfdf4c765e89023704db23237b65345cf183004bc54ac6779483a667e042fae86a869dd867b5a96bba855c31fea5655d0593af0deb536df91c970076b521b7

Filesize: 5.2MB
MD5: 7c950ca2f94cf295f4b66d9b61dfc40a
SHA1: 6b2aa57bbdf95050ddb4a03d18b4b9e9b9b1f510
SHA256: 479cb74d81fc55cbefaa1985d1a2510f9f18b0038cc3339435cecd6cd98455bd
SHA512: 92df3bc48c34ba36dfab553dd01e7d7c46f043fb6dd94e9310f7494560b1589f197e1c03896e3ba8b833d25f95d28bff075ecbfb778aeb1144b34e9c5a21b05f

Filesize: 5.2MB
MD5: 39229a4d601b25baed68242f35fcc766
SHA1: 6b7561d26940796cf854b92b8c12601b9cda43d7
SHA256: 76b330b11da2e2be8c5960bf393eb759d702157ea8e8f6cfedee31b636b90fa3
SHA512: acaa60a1f03530cde2c1728627c63c9f85d61b547a2a96a4ac86cda464e07ea49f4d18d384c0dd269da00dbb220fc1efdd00d1d03fc718fa9fc6df7e6dd3c675

Filesize: 5.2MB
MD5: 2f54d393fc48362bda9ced39f459f445
SHA1: f2a2df92bd948c0d32775e27d2aa447c8bb9efdc
SHA256: 3071b3c71acf71d46e4a6127c3d6d52fe3510bdbfb248a6bbb1653534050b194
SHA512: 9fe0610998d866febe5a59e11a95c65be4006b744aa66e6f33f3daaa0d41b5abba9ad5e0c65d5700256f6b0072580f548707d461d58d1acb00fa1f33500fe12c

Filesize: 5.2MB
MD5: c6a2c8cb5f507d5f14f7964cdac745f3
SHA1: 1f132e27880dd8ff9a5a1b0e4c671b3083dda8c8
SHA256: 0517b7f752b7749f6d4a66761802806ceee236c1a544dcce3ed1e265d3ab36b7
SHA512: 004a8ad41469faee3367007edfada59cfab26b7d239900a437c85dab144f91e383ea43c0b2a9b7f9f83cc0fcb154d110e73b762931c9e84b4ebcf0c16f5a906b

Filesize: 5.2MB
MD5: d03336c862735a1e5aaef85397b1f712
SHA1: 31c05dbfb0ecd622714d690df2377252354f84cb
SHA256: 0301254ca1c544eed3b2e2bc4c275bf86de8a2180d001c585440c1501416d7a4
SHA512: 7ef002167f443ca0d35f17de83f26f52f9447014e3de2ec43a4f1e1ae0ecba2dc7277f98158d60d8d3eb4257942a8aab4c3b85614c27097a513f261b76a2833c

Filesize: 5.2MB
MD5: c1e86c19ff6cfcea94e7e5ed06112e2f
SHA1: 1cd3cd8ff3fc94a8e203f4bca02fddce36c856d2
SHA256: 780e27dcb43930087b9006e92bdc248b4d2a54a8e559a6151d4e891afd0294f2
SHA512: 9e3ac243d42aa7de085095b64e0927a704e750c1e35711ef9b45cae34e2ea6c8ae9413fa48e7add356a8bd7f163aea9f98ae9035ab2d3fb6244f52dbaaefcdfe

Filesize: 5.2MB
MD5: 669ab117d89ebf325be920d28e3bbac6
SHA1: bb4e863db66414123846a6cb695274a78eb2326f
SHA256: ebe2359254e2c4564c2a1730e22c6adde7c256e3625330262b39254ff0e30d65
SHA512: 126009d13ee6650b4a9a274e310e8470512a08bb0e9d70916457f81805af94e1417786cbb9b91d25d6c66da7ddaf7c24c3f57013213b77d4eba2b44c959a7c6c

Filesize: 5.2MB
MD5: 19de1090a6bab7263d38b615ae0ce93f
SHA1: 03531fb7041fc2d18800eabe3c0217bf6bb4b5d2
SHA256: c2706cd14f9978a987ff640be3519deaf6c205aabbfa52661aa5e064b7463195
SHA512: 54ea801318c50218f3967bf8526ab81bdf298ee66f1d9a0bb0d673a315db2f26282caf15159f46d730439f1092d5633b93cde1c53d6be9348e11857afaae5b53

Filesize: 5.2MB
MD5: 34fb38e494bf9c50560f1b9642d8c179
SHA1: d5026a0d1e95f7d3672988d3a7b692a26cbeec84
SHA256: d65a966156c27e0d6f4e706e939a8ed04db7aecb06a6bc228583345666d32127
SHA512: c0905e040113263afb5edcd8a70d99b8062a66fc67c7c4c0737ed54cd290b9b7668e03ec3084c841012975df86bf7ad7e1cfffb6564bc7f502f84bacd3602725