Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
ts.zip
windows7-x64
1ts.zip
windows10-2004-x64
1Install.exe
windows7-x64
10Install.exe
windows10-2004-x64
10advapi32res.dll
windows7-x64
1advapi32res.dll
windows10-2004-x64
1fonts/Alakob.ttf
windows7-x64
3fonts/Alakob.ttf
windows10-2004-x64
7fonts/Alas...ts.ttf
windows7-x64
3fonts/Alas...ts.ttf
windows10-2004-x64
7fonts/Arggotsc.ttf
windows7-x64
3fonts/Arggotsc.ttf
windows10-2004-x64
7fonts/Army...ed.ttf
windows7-x64
3fonts/Army...ed.ttf
windows10-2004-x64
7fonts/Army Thin.ttf
windows7-x64
3fonts/Army Thin.ttf
windows10-2004-x64
7fonts/BELL.ttf
windows7-x64
3fonts/BELL.ttf
windows10-2004-x64
7fonts/BELLB.ttf
windows7-x64
3fonts/BELLB.ttf
windows10-2004-x64
7fonts/BELLI.ttf
windows7-x64
3fonts/BELLI.ttf
windows10-2004-x64
7fonts/BOD_BI.ttf
windows7-x64
3fonts/BOD_BI.ttf
windows10-2004-x64
7fonts/BOD_BLAI.ttf
windows7-x64
3fonts/BOD_BLAI.ttf
windows10-2004-x64
7fonts/BOD_I.ttf
windows7-x64
3fonts/BOD_I.ttf
windows10-2004-x64
7fonts/CALISTB.ttf
windows7-x64
3fonts/CALISTB.ttf
windows10-2004-x64
7fonts/CALISTBI.ttf
windows7-x64
3fonts/CALISTBI.ttf
windows10-2004-x64
7Analysis
-
max time kernel
147s -
max time network
212s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
14/09/2022, 16:54
Static task
static1
Behavioral task
behavioral1
Sample
ts.zip
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ts.zip
Resource
win10v2004-20220901-en
Behavioral task
behavioral3
Sample
Install.exe
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
Install.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
advapi32res.dll
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
advapi32res.dll
Resource
win10v2004-20220901-en
Behavioral task
behavioral7
Sample
fonts/Alakob.ttf
Resource
win7-20220812-en
Behavioral task
behavioral8
Sample
fonts/Alakob.ttf
Resource
win10v2004-20220812-en
Behavioral task
behavioral9
Sample
fonts/AlaskanNights.ttf
Resource
win7-20220812-en
Behavioral task
behavioral10
Sample
fonts/AlaskanNights.ttf
Resource
win10v2004-20220901-en
Behavioral task
behavioral11
Sample
fonts/Arggotsc.ttf
Resource
win7-20220812-en
Behavioral task
behavioral12
Sample
fonts/Arggotsc.ttf
Resource
win10v2004-20220812-en
Behavioral task
behavioral13
Sample
fonts/Army Condensed.ttf
Resource
win7-20220901-en
Behavioral task
behavioral14
Sample
fonts/Army Condensed.ttf
Resource
win10v2004-20220812-en
Behavioral task
behavioral15
Sample
fonts/Army Thin.ttf
Resource
win7-20220812-en
Behavioral task
behavioral16
Sample
fonts/Army Thin.ttf
Resource
win10v2004-20220812-en
Behavioral task
behavioral17
Sample
fonts/BELL.ttf
Resource
win7-20220901-en
Behavioral task
behavioral18
Sample
fonts/BELL.ttf
Resource
win10v2004-20220812-en
Behavioral task
behavioral19
Sample
fonts/BELLB.ttf
Resource
win7-20220812-en
Behavioral task
behavioral20
Sample
fonts/BELLB.ttf
Resource
win10v2004-20220812-en
Behavioral task
behavioral21
Sample
fonts/BELLI.ttf
Resource
win7-20220901-en
Behavioral task
behavioral22
Sample
fonts/BELLI.ttf
Resource
win10v2004-20220812-en
Behavioral task
behavioral23
Sample
fonts/BOD_BI.ttf
Resource
win7-20220812-en
Behavioral task
behavioral24
Sample
fonts/BOD_BI.ttf
Resource
win10v2004-20220901-en
Behavioral task
behavioral25
Sample
fonts/BOD_BLAI.ttf
Resource
win7-20220812-en
Behavioral task
behavioral26
Sample
fonts/BOD_BLAI.ttf
Resource
win10v2004-20220812-en
Behavioral task
behavioral27
Sample
fonts/BOD_I.ttf
Resource
win7-20220812-en
Behavioral task
behavioral28
Sample
fonts/BOD_I.ttf
Resource
win10v2004-20220812-en
Behavioral task
behavioral29
Sample
fonts/CALISTB.ttf
Resource
win7-20220901-en
Behavioral task
behavioral30
Sample
fonts/CALISTB.ttf
Resource
win10v2004-20220812-en
Behavioral task
behavioral31
Sample
fonts/CALISTBI.ttf
Resource
win7-20220812-en
Behavioral task
behavioral32
Sample
fonts/CALISTBI.ttf
Resource
win10v2004-20220812-en
General
-
Target
Install.exe
-
Size
715.3MB
-
MD5
71c8dbd53f77777dcc663c9bce5fe588
-
SHA1
66008a2ceac550c246645ff2d33734014645a8bb
-
SHA256
fc7b3fd579e40a691cddecc9eb413996d30ddbd8d78a9e483d015f09510fde1c
-
SHA512
ae972a7c810e59f3a566938f1a67c46c373ccd895ed6cd96fa87fba79ca60392bbf65913029ed9b671e4cbea8dfc47f4817a67734b60840fee03c816f5d62aef
-
SSDEEP
98304:gUgVBq1XrkDRvTH++2LDyli5l1H6lGGu6xuojjObjGsM5vCFKTyw:gUaBkQV+3LDyW6lGZrojj8nsaKT5
Malware Config
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Executes dropped EXE 1 IoCs
pid Process 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation Install.exe -
Loads dropped DLL 4 IoCs
pid Process 1712 Install.exe 920 RegAsm.exe 920 RegAsm.exe 920 RegAsm.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 ipinfo.io 4 ipinfo.io 5 ipinfo.io -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\System32\GroupPolicy Install.exe File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini Install.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol Install.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI Install.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1144 set thread context of 920 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 33 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 RegAsm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 RegAsm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 1712 Install.exe 1712 Install.exe 1712 Install.exe 1928 powershell.exe 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 920 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe Token: SeDebugPrivilege 1928 powershell.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 1712 wrote to memory of 1144 1712 Install.exe 28 PID 1712 wrote to memory of 1144 1712 Install.exe 28 PID 1712 wrote to memory of 1144 1712 Install.exe 28 PID 1712 wrote to memory of 1144 1712 Install.exe 28 PID 1712 wrote to memory of 1144 1712 Install.exe 28 PID 1712 wrote to memory of 1144 1712 Install.exe 28 PID 1712 wrote to memory of 1144 1712 Install.exe 28 PID 1144 wrote to memory of 1928 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 29 PID 1144 wrote to memory of 1928 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 29 PID 1144 wrote to memory of 1928 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 29 PID 1144 wrote to memory of 1928 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 29 PID 1144 wrote to memory of 1628 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 31 PID 1144 wrote to memory of 1628 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 31 PID 1144 wrote to memory of 1628 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 31 PID 1144 wrote to memory of 1628 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 31 PID 1144 wrote to memory of 1628 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 31 PID 1144 wrote to memory of 1628 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 31 PID 1144 wrote to memory of 1628 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 31 PID 1144 wrote to memory of 584 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 32 PID 1144 wrote to memory of 584 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 32 PID 1144 wrote to memory of 584 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 32 PID 1144 wrote to memory of 584 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 32 PID 1144 wrote to memory of 584 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 32 PID 1144 wrote to memory of 584 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 32 PID 1144 wrote to memory of 584 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 32 PID 1144 wrote to memory of 920 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 33 PID 1144 wrote to memory of 920 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 33 PID 1144 wrote to memory of 920 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 33 PID 1144 wrote to memory of 920 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 33 PID 1144 wrote to memory of 920 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 33 PID 1144 wrote to memory of 920 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 33 PID 1144 wrote to memory of 920 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 33 PID 1144 wrote to memory of 920 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 33 PID 1144 wrote to memory of 920 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 33 PID 1144 wrote to memory of 920 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 33 PID 1144 wrote to memory of 920 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 33 PID 1144 wrote to memory of 920 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 33 PID 1144 wrote to memory of 920 1144 EPVWB1AChGkbWkgiPy1MbHTw.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Users\Admin\Pictures\Minor Policy\EPVWB1AChGkbWkgiPy1MbHTw.exe"C:\Users\Admin\Pictures\Minor Policy\EPVWB1AChGkbWkgiPy1MbHTw.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyAA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe3⤵PID:1628
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe3⤵PID:584
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe3⤵
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:920
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize340B
MD5893a97dfd30c11fc6f6ab072340d0569
SHA1583bb495b8c9b4f8a0eb8f49cd884e801fab340c
SHA256c88ba5ab383f5ce0ac16174c8b8f04de813347f2a14ac6fc93377714e751d76f
SHA512335f73d0daf1d8452eb3362b71939024c13a9223d868f38154e7222bc5ab319c180dbc79c846bca11c025303364fae1c1c3fdd0bd0ddb7ac1a003f69cf00d2d5
-
Filesize
192KB
MD54842462b1ff7ae5e3f527a9e30d36102
SHA1290f6eb8a1b7cbc620d638029497eb2d20d32bfe
SHA256dc1434e6bd3de66b0bcc6f06d93c68ce95a5c6699445f2adc5d673cc1ad73c68
SHA5123dd8a5abc34402f6e00b763f1d907c460ffe0b14defcf2dbc8587ee95d50c2cd22ebcaf7d8a0f6a415518c11667f827acf419ced66ed95f1e5464317297f601b
-
Filesize
192KB
MD54842462b1ff7ae5e3f527a9e30d36102
SHA1290f6eb8a1b7cbc620d638029497eb2d20d32bfe
SHA256dc1434e6bd3de66b0bcc6f06d93c68ce95a5c6699445f2adc5d673cc1ad73c68
SHA5123dd8a5abc34402f6e00b763f1d907c460ffe0b14defcf2dbc8587ee95d50c2cd22ebcaf7d8a0f6a415518c11667f827acf419ced66ed95f1e5464317297f601b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.1MB
MD51f44d4d3087c2b202cf9c90ee9d04b0f
SHA1106a3ebc9e39ab6ddb3ff987efb6527c956f192d
SHA2564841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260
SHA512b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45
-
Filesize
192KB
MD54842462b1ff7ae5e3f527a9e30d36102
SHA1290f6eb8a1b7cbc620d638029497eb2d20d32bfe
SHA256dc1434e6bd3de66b0bcc6f06d93c68ce95a5c6699445f2adc5d673cc1ad73c68
SHA5123dd8a5abc34402f6e00b763f1d907c460ffe0b14defcf2dbc8587ee95d50c2cd22ebcaf7d8a0f6a415518c11667f827acf419ced66ed95f1e5464317297f601b