Analysis
- max time kernel: 737s
- max time network: 1247s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
- submitted: 17/09/2022, 01:43
Static task
static1
Behavioral task
behavioral1
Sample
bad (2).js
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
bad (2).js
Resource
win10v2004-20220812-en
General
-
Target
bad (2).js
-
Size
16.9MB
-
MD5
0a1eb91d290587e3f154e85a83d1b222
-
SHA1
417386e69759d61b9b3db947ffacc2dd192c7740
-
SHA256
bb1d3df26a6c9f8b1ec1608e1d177a2407ddc0efa7455ba7a68ab2f50f5381f6
-
SHA512
cad902e0d8bd106707247197907d72eb9a2cf19ed6a99ccb3a41af5fbc9569fedfe2f228b5d2a39e6f551a1eccca01d1bf8a00f1c2583ee70b90c8e5d77d0820
-
SSDEEP
49152:vvMl5ImrlOdPoXywnePgUfhZIc0fRGlMtz2nexWlgMrZiQGP:i
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource | yara_rule
behavioral1/memory/1076-56-0x0000000037F30000-0x0000000037FEC000-memory.dmp | family_redline
-
Blocklisted process makes network request 2 IoCs
flow | pid | Process
3 | 1076 | wscript.exe
7 | 1076 | wscript.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
-
Adds Run key to start application 2 TTPs 18 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcceabcbfefcad99733 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('99733bcceabcbfefcad', 'User'))\"" | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcceabcbfefcad22582 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('22582bcceabcbfefcad', 'User'))\"" | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\44427bcceabcbfefcad = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('44427bcceabcbfefcad', 'User'))\"" | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcceabcbfefcad44427 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('44427bcceabcbfefcad', 'User'))\"" | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\66066bcceabcbfefcad = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('66066bcceabcbfefcad', 'User'))\"" | cscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcceabcbfefcad46399 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('46399bcceabcbfefcad', 'User'))\"" | cscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\39529bcceabcbfefcad = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('39529bcceabcbfefcad', 'User'))\"" | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | cscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcceabcbfefcad66066 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('66066bcceabcbfefcad', 'User'))\"" | cscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\46399bcceabcbfefcad = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('46399bcceabcbfefcad', 'User'))\"" | cscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\99733bcceabcbfefcad = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('99733bcceabcbfefcad', 'User'))\"" | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcceabcbfefcad39529 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('39529bcceabcbfefcad', 'User'))\"" | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\22582bcceabcbfefcad = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('22582bcceabcbfefcad', 'User'))\"" | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | cscript.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | wscript.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (binary data not shown) | wscript.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid | Process
1076 | wscript.exe
2056 | powershell.exe
2188 | powershell.exe
2116 | powershell.exe
2532 | powershell.exe
2520 | powershell.exe
2504 | powershell.exe
2156 | powershell.exe
1000 | powershell.exe
2080 | powershell.exe
2472 | powershell.exe
2452 | powershell.exe
2436 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1076 | wscript.exe
Token: SeDebugPrivilege | 2056 | powershell.exe
Token: SeDebugPrivilege | 2188 | powershell.exe
Token: SeDebugPrivilege | 2116 | powershell.exe
Token: SeDebugPrivilege | 2532 | powershell.exe
Token: SeDebugPrivilege | 2520 | powershell.exe
Token: SeDebugPrivilege | 2504 | powershell.exe
Token: SeDebugPrivilege | 2472 | powershell.exe
Token: SeDebugPrivilege | 2156 | powershell.exe
Token: SeDebugPrivilege | 2452 | powershell.exe
Token: SeDebugPrivilege | 2436 | powershell.exe
Token: SeDebugPrivilege | 2080 | powershell.exe
Token: SeDebugPrivilege | 1000 | powershell.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1076 wrote to memory of 748 | 1076 | wscript.exe | 29
PID 1076 wrote to memory of 748 | 1076 | wscript.exe | 29
PID 1076 wrote to memory of 748 | 1076 | wscript.exe | 29
PID 1076 wrote to memory of 2016 | 1076 | wscript.exe | 30
PID 1076 wrote to memory of 2016 | 1076 | wscript.exe | 30
PID 1076 wrote to memory of 2016 | 1076 | wscript.exe | 30
PID 1076 wrote to memory of 1592 | 1076 | wscript.exe | 31
PID 1076 wrote to memory of 1592 | 1076 | wscript.exe | 31
PID 1076 wrote to memory of 1592 | 1076 | wscript.exe | 31
PID 1076 wrote to memory of 688 | 1076 | wscript.exe | 32
PID 1076 wrote to memory of 688 | 1076 | wscript.exe | 32
PID 1076 wrote to memory of 688 | 1076 | wscript.exe | 32
PID 1076 wrote to memory of 1708 | 1076 | wscript.exe | 33
PID 1076 wrote to memory of 1708 | 1076 | wscript.exe | 33
PID 1076 wrote to memory of 1708 | 1076 | wscript.exe | 33
PID 1076 wrote to memory of 1680 | 1076 | wscript.exe | 34
PID 1076 wrote to memory of 1680 | 1076 | wscript.exe | 34
PID 1076 wrote to memory of 1680 | 1076 | wscript.exe | 34
PID 1076 wrote to memory of 1200 | 1076 | wscript.exe | 35
PID 1076 wrote to memory of 1200 | 1076 | wscript.exe | 35
PID 1076 wrote to memory of 1200 | 1076 | wscript.exe | 35
PID 1076 wrote to memory of 1372 | 1076 | wscript.exe | 36
PID 1076 wrote to memory of 1372 | 1076 | wscript.exe | 36
PID 1076 wrote to memory of 1372 | 1076 | wscript.exe | 36
PID 1076 wrote to memory of 624 | 1076 | wscript.exe | 37
PID 1076 wrote to memory of 624 | 1076 | wscript.exe | 37
PID 1076 wrote to memory of 624 | 1076 | wscript.exe | 37
PID 1076 wrote to memory of 892 | 1076 | wscript.exe | 38
PID 1076 wrote to memory of 892 | 1076 | wscript.exe | 38
PID 1076 wrote to memory of 892 | 1076 | wscript.exe | 38
PID 1076 wrote to memory of 1600 | 1076 | wscript.exe | 39
PID 1076 wrote to memory of 1600 | 1076 | wscript.exe | 39
PID 1076 wrote to memory of 1600 | 1076 | wscript.exe | 39
PID 1076 wrote to memory of 768 | 1076 | wscript.exe | 40
PID 1076 wrote to memory of 768 | 1076 | wscript.exe | 40
PID 1076 wrote to memory of 768 | 1076 | wscript.exe | 40
PID 1076 wrote to memory of 1096 | 1076 | wscript.exe | 41
PID 1076 wrote to memory of 1096 | 1076 | wscript.exe | 41
PID 1076 wrote to memory of 1096 | 1076 | wscript.exe | 41
PID 1076 wrote to memory of 108 | 1076 | wscript.exe | 42
PID 1076 wrote to memory of 108 | 1076 | wscript.exe | 42
PID 1076 wrote to memory of 108 | 1076 | wscript.exe | 42
PID 688 wrote to memory of 1684 | 688 | WScript.exe | 43
PID 688 wrote to memory of 1684 | 688 | WScript.exe | 43
PID 688 wrote to memory of 1684 | 688 | WScript.exe | 43
PID 1592 wrote to memory of 972 | 1592 | WScript.exe | 44
PID 1592 wrote to memory of 972 | 1592 | WScript.exe | 44
PID 1592 wrote to memory of 972 | 1592 | WScript.exe | 44
PID 108 wrote to memory of 1000 | 108 | WScript.exe | 47
PID 108 wrote to memory of 1000 | 108 | WScript.exe | 47
PID 108 wrote to memory of 1000 | 108 | WScript.exe | 47
PID 108 wrote to memory of 1000 | 108 | WScript.exe | 47
PID 108 wrote to memory of 2056 | 108 | WScript.exe | 49
PID 108 wrote to memory of 2056 | 108 | WScript.exe | 49
PID 108 wrote to memory of 2056 | 108 | WScript.exe | 49
PID 1600 wrote to memory of 2080 | 1600 | WScript.exe | 58
PID 1600 wrote to memory of 2080 | 1600 | WScript.exe | 58
PID 1600 wrote to memory of 2080 | 1600 | WScript.exe | 58
PID 1600 wrote to memory of 2080 | 1600 | WScript.exe | 58
PID 1600 wrote to memory of 2116 | 1600 | WScript.exe | 50
PID 1600 wrote to memory of 2116 | 1600 | WScript.exe | 50
PID 1600 wrote to memory of 2116 | 1600 | WScript.exe | 50
PID 768 wrote to memory of 2156 | 768 | WScript.exe | 55
PID 768 wrote to memory of 2156 | 768 | WScript.exe | 55
Processes
- C:\Windows\system32\wscript.exe (level 1, PID 1076)
  Command: wscript.exe "C:\Users\Admin\AppData\Local\Temp\bad (2).js"
  Signatures: Blocklisted process makes network request; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (level 2, PID 748)
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\unimcumbern.js"
  - C:\Windows\System32\WScript.exe (level 2, PID 2016)
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\unimcumbern2.js"
  - C:\Windows\System32\WScript.exe (level 2, PID 1592)
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ascjkncaskew.js"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cscript.exe (level 3, PID 972)
      Command: "C:\Windows\System32\cscript.exe" -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58} C:\Users\Admin\AppData\Local\Temp\ascjkncaskew.js
      Signatures: Adds Run key to start application
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4, PID 2472)
        Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('66066bcceabcbfefcad', 'User'))"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4, PID 2532)
        Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('66066bcceabcbfefcad', 'User'))"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WScript.exe (level 2, PID 688)
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ackjbasdcbjkdebfeq.js"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cscript.exe (level 3, PID 1684)
      Command: "C:\Windows\System32\cscript.exe" -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58} C:\Users\Admin\AppData\Local\Temp\ackjbasdcbjkdebfeq.js
      Signatures: Adds Run key to start application
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4, PID 2504)
        Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('46399bcceabcbfefcad', 'User'))"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4, PID 2436)
        Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('46399bcceabcbfefcad', 'User'))"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WScript.exe (level 2, PID 1708)
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\By0HWwdJuVCpJZLGG6K0.js"
  - C:\Windows\System32\WScript.exe (level 2, PID 1680)
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fyTBNtRD86e7YxN8Bg6Z.js"
  - C:\Windows\System32\WScript.exe (level 2, PID 1200)
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\v8UTQInQ4riGEfymPOY1.js"
  - C:\Windows\System32\WScript.exe (level 2, PID 1372)
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Y6hq6beYYNKAKtLs9nWi.js"
  - C:\Windows\System32\WScript.exe (level 2, PID 624)
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\S6XogndmP4wJ0Y8A5mWI.js"
  - C:\Windows\System32\WScript.exe (level 2, PID 892)
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\j5XLkEMI6Ab4MCTMsiUJ.js"
  - C:\Windows\System32\WScript.exe (level 2, PID 1600)
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\q2EoIIRtkGyoNzBV67pp.js"
    Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 2116)
      Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('39529bcceabcbfefcad', 'User'))"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 2080)
      Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('39529bcceabcbfefcad', 'User'))"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WScript.exe (level 2, PID 768)
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JeW9i6W4h48g7O8SFLO4.js"
    Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 2188)
      Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('22582bcceabcbfefcad', 'User'))"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 2156)
      Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('22582bcceabcbfefcad', 'User'))"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WScript.exe (level 2, PID 1096)
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gMCQWlAtqIVyVUSXns2r.js"
    Signatures: Adds Run key to start application
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 2452)
      Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('44427bcceabcbfefcad', 'User'))"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 2520)
      Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('44427bcceabcbfefcad', 'User'))"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WScript.exe (level 2, PID 108)
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QH5Jj9d3Q8if2PHKUeOg.js"
    Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 1000)
      Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('99733bcceabcbfefcad', 'User'))"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 2056)
      Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('99733bcceabcbfefcad', 'User'))"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 16.5MB
MD5 d447e3dcdac667ada7145c58fb42b0dc
SHA1 2c1b54997822a92fdd81c1091f779dfe41aa8d51
SHA256 a1d213d51ebba599f3f3b86c63f8bc0ac3ef1fba052acaba3e141f7cab34d07c
SHA512 b9595fda19ae47ed396cae76bc45abf1cb332032710f1ab2e6e3bb85e32fd8cd561680ba6a6e6f879fae54da88b36e2369c81b257a6daa0d5a728b2d62bb7f7a
-
Filesize 211KB
MD5 748d757540bca88f79aa391291c3133d
SHA1 6d3c40adeb42ff2c9acb900911c66729e40a12a7
SHA256 17033f49578eb20c10cd492ff72b05bdd7eab17b8caa04d00e0777ade93ffcc3
SHA512 94201037ed8d254966577a4b7180c7023823a5d6a25172288bf8ffcefb543ad3f29102bc092e1f169b81a4ee9eede4fc380800fb4dbbf64377c78e42a2d0205c
-
Filesize 214KB
MD5 67ae3798c0e6a512c3dd0d202b2bfa17
SHA1 ac9ea30ccb51e486635abe57ef4d00628a13dea7
SHA256 1dd705f06b3ecb7528d6fc15a3ddef17fa89c3a44f24b46f62bb4e55f7132d88
SHA512 d32114d5a0d261e1d119adf5ef406759516102192e4ce81a5791ad027903c55a74f110a80b1002332a5bc22509f68f89b34f3b38d02049e160169b5229458eab
-
Filesize 9.2MB
MD5 edc6877808b8532ec36dd967c57b31de
SHA1 852a5a91e0c9a3472a5c89aae2c421d920a8acde
SHA256 ca52043bdf4904b34e2a69aed0be4d77fa1b24c7caa2f4265292ef0677e0d49c
SHA512 3e7af7fe93f25ba95661ac0ddd7b278009ca44c6934707b9073a96f19693f12d5883eddcff0717c1a17fb4b58283e0770f7d581b1bc4143f1a0857d05a82c20c
-
Filesize 9.2MB
MD5 63ad6f493f5c59783bc47316ef3b92af
SHA1 c305e179439a10794fdf2f268fe1e3ab645d5983
SHA256 67cbe3781f6f76624b4aa0190e5291be65126c254879bc301727d4407326a32a
SHA512 bde7492e1a50f685158545557e978691055c83152fd6b72f32ac0bf393c727ceba24f6fe705fff632524ef9cd24a7e0f32e9f307387b43d214047b7e0a04f993
-
Filesize 206KB
MD5 721271c51c6611c82c7d1d335c01b92c
SHA1 e0021c9fe85517ae724f4584bca19e6e392c5197
SHA256 f09227bb0197b6b20409c4a7e6dacb5662d594b6e54a12421bb90cb9ac9680cb
SHA512 a800aa46ea268cea016b53054baedf46371da3db3443669d06d30d2ea20c99a21f1130fddc03499815fa14a6a1082bb22fb9d557d70b18751eb1fd890f9771b1
-
Filesize 205KB
MD5 1631086ce2efffca6ffab9ae97b8f3ff
SHA1 75ca403dd06a741af86b109c0b720d33c0af4b71
SHA256 5bfdb3c2a9763232dde5f3fce4646d7688fe1f70598ca94fa13c29a1c7273510
SHA512 ced54d2e3d99218e3b3024dce627e495a6f688a41580cd1bfcb14bb9ea5c1614a3516fbb27bac284bc2fd618cd912a859326f3e839ddeceb2ebbe7cab8511254
-
Filesize 12.5MB
MD5 93da6927a8d751ee017242a470d9b7da
SHA1 30aaa5686e10174b7925c3f1db372f006b771c58
SHA256 1003bdb0c719dd600468cf91fceea53f110830fa8888f48755efcdd6b0b08ccc
SHA512 89731aeda0dd6c0c05a98b4291b731dff60f182f6651a3ddcb01b4187f0b76dc0472999f270daa68393be32441338a8734a25eb9a31974386761f809d31b1666
-
Filesize 208KB
MD5 724aac2641b067d08e6cf9370d86273e
SHA1 2dc6fd3d9433f6ff2cfb1e25ee7b4543db8a1529
SHA256 8a8e43a32b5f80a79b2352afa9eac07dfd49d55cb6263538212e6cbe41d7db0f
SHA512 49b7b588b2acd2416c5a6aabec583b88e683ec1f66ee4b5bd3ae51720756eb5a91d33e0f266e4b823aa87f01804245807577b26c31ae92705f810d10fc83ef57
-
Filesize 9.2MB
MD5 a7a3245cb1379140e6d83c3935098a13
SHA1 a19b46abe6e48f80806dfd84e59b9eece8d1de82
SHA256 aa5d60235c292f3935ffa7ed8c18d7583c79363b1f72ca4fd2ba2d394a1367d5
SHA512 063f5a15c06d4a681ca47dbd781fc851fd703ab8a5c4df0993732be3c2ceecd69bee2104917cdd6572750d1fe48d281a462274acf80e22489d42a23e714522c5
-
Filesize 208KB
MD5 8ac34eab182f9ff242fa0fa7f141b6a2
SHA1 864c2bcc37392141fe520bf825a7003ba1056eb4
SHA256 d5b3e3d59ce04590d5a621288b8615a2d26acc73bdbccde347af9e88115796fc
SHA512 bb81fc9b75875251a44747ea358b48a1d5c22ec173b3f31aaaf3dd5cf0a620aeae0b99ed52f7c37f7c69c1b128a4451ad512d94a2dfc7d3d3dd86da8685edbe4
-
Filesize 16.2MB
MD5 c0f2e303dd3ed98a3c87db633daf3c3b
SHA1 2d0b1123bf586cc6e2e5ca69603224c7f6a74825
SHA256 ab607c2f6794fde7454be02b77627c3e4c68831c7f31c0925cb165c97ea32231
SHA512 ff4ef8d079aa9eaa225b864ad4924d52db3e6a9a0bd02a07f4ff0cbf304e8c342d70e589ec818090890347c0dad68fe9e15a10b78c7f24c82671a882e951ca53
-
Filesize 14.3MB
MD5 fe4ff2491a8e61f9d64b583a6fecba7a
SHA1 040cf16a2ddb6deb561406507d35f7a5f3fae51a
SHA256 4736b0dd694e384230f6385f920a76d40da44af8f8e047c9c75cb41f0be5a897
SHA512 620c8c85c75b6b8131cf2afad712b9e00b3767a35025372100e848acfd6601da30fcd12375099d85e0aa2262d7eea103e24a5f07cac3ef31c988fd734792f3e7
-
Filesize 10.7MB
MD5 4cfc15db60ca867669359829c71cbd07
SHA1 850697050b30f28c86888e1613a331852642c55f
SHA256 701402fd306b645e0e4cf9b49eba5c921cbfbe38416a8d29c2085166205f57f1
SHA512 b67e357812e5f5668fc393c5d2694f77570bcf8a7145e77164f36273a706b59d8d634c8d730beed0d398e9beb7ceaf5787403e6674341ee415f266acbb3bf497
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 c77a1b8dcd2f2ac240937566596b943a
SHA1 c16a1b1d9a82678a1c4662a2386baba8fc72896a
SHA256 473aaf1b8b65fdae6dde9ba769f084d2e4722c960ec1d1e5ab640b4730207d26
SHA512 14b8639cf9b3e7e48c699ddf443f6b40154275b9be465d53f80a9260cc0ffb8aface3c61ffccf2c7a783722185cc37b040d39bca242dcce28166ad8051e74c9d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB
MD5 19d313196703e7b710f9c34a2046b094
SHA1 31f957d1d14befa1fcb166cff3c8c65b4e782f5a
SHA256 3d52db1f66a92200b42c2ca0a5b97d524ced51d7c15aa91bbec88baaa0de72ed
SHA512 3aa1c8a9f5e1677c7a96dea0df5a19810b253d7b2aa1d454c65ff30546dd4437fc51e6b679bbda1d9a9d4f4dfa5b0f77c3cc113acced4072f8420aaa399cef89