Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 116s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/08/2024, 09:56
Behavioral task: behavioral1
- Sample: dfc8a622d0d0d1285a5d02644b908880N.exe
- Resource: win7-20240704-en
General
- Target: dfc8a622d0d0d1285a5d02644b908880N.exe
- Size: 5.2MB
- MD5: dfc8a622d0d0d1285a5d02644b908880
- SHA1: 7faaf5a8a0494184ad4b07b3ef66220adb14fa36
- SHA256: 2787d8692bd406c6c1d6b085c5e6ddcdeca4d05d5a2619083cc0e3b7375a12cb
- SHA512:
0c221639eb108900ce8babec644e07c541a6c7c942cb82102c74e75792534e8f90c8fe32578cfe50db272e0a53ad33be256bc9cbaf2ac39996c10a63b4b4f062
- SSDEEP:
49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lH:RWWBibd56utgpPFotBER/mQ32lUL
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
- Cobalt Strike reflective loader (21 IoCs)
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- XMRig Miner payload (45 IoCs)
- Executes dropped EXE (21 IoCs)
  pid   Process
  1068  nGekGZO.exe
  2840  sGMWqsp.exe
  1012  QHSisKK.exe
  212   CMqDAeR.exe
  4624  sGCnoRM.exe
  376   NMRDfkC.exe
  3752  sgjNlzP.exe
  3220  isrSXJa.exe
  2576  LCQdvQa.exe
  3236  fAuZHhk.exe
  4540  fZFsKeK.exe
  5052  fbGoHmU.exe
  800   NObfxuw.exe
  2388  numwASX.exe
  4256  sMAvOxH.exe
  4756  udkZlkH.exe
  1784  dSNAFuB.exe
  1208  MUVjJmK.exe
  4528  GYRvjCb.exe
  4312  IJirQQK.exe
  2244  ZIjFayx.exe
- Drops file in Windows directory (21 IoCs)
  description: File created (all 21 entries)
  Process: dfc8a622d0d0d1285a5d02644b908880N.exe (all 21 entries)
  ioc:
  C:\Windows\System\sgjNlzP.exe
  C:\Windows\System\isrSXJa.exe
  C:\Windows\System\CMqDAeR.exe
  C:\Windows\System\LCQdvQa.exe
  C:\Windows\System\numwASX.exe
  C:\Windows\System\dSNAFuB.exe
  C:\Windows\System\fZFsKeK.exe
  C:\Windows\System\fbGoHmU.exe
  C:\Windows\System\sMAvOxH.exe
  C:\Windows\System\GYRvjCb.exe
  C:\Windows\System\nGekGZO.exe
  C:\Windows\System\sGMWqsp.exe
  C:\Windows\System\QHSisKK.exe
  C:\Windows\System\sGCnoRM.exe
  C:\Windows\System\ZIjFayx.exe
  C:\Windows\System\MUVjJmK.exe
  C:\Windows\System\IJirQQK.exe
  C:\Windows\System\NMRDfkC.exe
  C:\Windows\System\fAuZHhk.exe
  C:\Windows\System\NObfxuw.exe
  C:\Windows\System\udkZlkH.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                  pid   Process
  Token: SeLockMemoryPrivilege  1936  dfc8a622d0d0d1285a5d02644b908880N.exe
  Token: SeLockMemoryPrivilege  1936  dfc8a622d0d0d1285a5d02644b908880N.exe
- Suspicious use of WriteProcessMemory (42 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe (PID 1936, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dfc8a622d0d0d1285a5d02644b908880N.exe"
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Child processes (level 2), each launched with its own path as the command line and each flagged "Executes dropped EXE":
  - C:\Windows\System\nGekGZO.exe (PID 1068)
  - C:\Windows\System\sGMWqsp.exe (PID 2840)
  - C:\Windows\System\QHSisKK.exe (PID 1012)
  - C:\Windows\System\CMqDAeR.exe (PID 212)
  - C:\Windows\System\sGCnoRM.exe (PID 4624)
  - C:\Windows\System\NMRDfkC.exe (PID 376)
  - C:\Windows\System\sgjNlzP.exe (PID 3752)
  - C:\Windows\System\isrSXJa.exe (PID 3220)
  - C:\Windows\System\LCQdvQa.exe (PID 2576)
  - C:\Windows\System\fAuZHhk.exe (PID 3236)
  - C:\Windows\System\fZFsKeK.exe (PID 4540)
  - C:\Windows\System\fbGoHmU.exe (PID 5052)
  - C:\Windows\System\NObfxuw.exe (PID 800)
  - C:\Windows\System\numwASX.exe (PID 2388)
  - C:\Windows\System\sMAvOxH.exe (PID 4256)
  - C:\Windows\System\udkZlkH.exe (PID 4756)
  - C:\Windows\System\dSNAFuB.exe (PID 1784)
  - C:\Windows\System\MUVjJmK.exe (PID 1208)
  - C:\Windows\System\GYRvjCb.exe (PID 4528)
  - C:\Windows\System\IJirQQK.exe (PID 4312)
  - C:\Windows\System\ZIjFayx.exe (PID 2244)
Downloads