Analysis
max time kernel: 154s
max time network: 188s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 11/10/2022, 00:32
Static task: static1
Behavioral task: behavioral1
Sample: b5c2b381305b21be548d0123d9b4f44c101f324c1e0a6a3360ddaec4935de4f9.exe
Resource: win10-20220812-en

General
Target: b5c2b381305b21be548d0123d9b4f44c101f324c1e0a6a3360ddaec4935de4f9.exe
Size: 212KB
MD5: e5cd16545fe8d04faa7e7793e42df55d
SHA1: a9a297b8d843c9e742fd05708f20d51d7540a101
SHA256: b5c2b381305b21be548d0123d9b4f44c101f324c1e0a6a3360ddaec4935de4f9
SHA512: bdd802cbb218eea6e1bd7be779b8aa1755d81be0c196d1568a32b07e51fe6400b4c36d41e8170c3412f4f9a25a0dbb4ac001ed5741b3b575250c2a8f29309b1e
SSDEEP: 6144:rdXc8LdksBzxz7uvgwc5zPViWNFdw6pu:rdXc8bB9WvpcBNHtvpu
Malware Config

Extracted: djvu
http://winnlinne.com/lancer/get.php
extension: .towz
offline_id: SSHsHMHGmSIhrz50VnIxLJJX15osxEQY6iXedXt1
payload_url: http://rgyui.top/dl/build2.exe
payload_url: http://winnlinne.com/files/1/build3.exe
ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-Kbx8mJatqN Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0577Jhyjd

Extracted: vidar
54.9
517
https://t.me/larsenup
https://ioc.exchange/@zebra54
profile_id: 517

Extracted: redline
buildnewdomain
hrabrlonian.xyz:81
auth_value: 90794203993789d187f29ff50d00de2e
Signatures

Detected Djvu ransomware 7 IoCs
resource yara_rule
behavioral1/memory/3436-347-0x0000000002220000-0x000000000233B000-memory.dmp family_djvu
behavioral1/memory/1764-363-0x0000000000424141-mapping.dmp family_djvu
behavioral1/memory/1764-525-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1764-831-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/3488-860-0x0000000000424141-mapping.dmp family_djvu
behavioral1/memory/3488-913-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/3488-1093-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu

Detects Smokeloader packer 1 IoCs
resource yara_rule
behavioral1/memory/3832-150-0x00000000022B0000-0x00000000022B9000-memory.dmp family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 2 IoCs
resource yara_rule
behavioral1/memory/5044-1166-0x0000000000B7213A-mapping.dmp family_redline
behavioral1/memory/5044-1199-0x0000000000B50000-0x0000000000B78000-memory.dmp family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Executes dropped EXE 13 IoCs
pid Process
2036 407.exe
3436 FB0.exe
1216 15FC.exe
5084 1ED6.exe
2764 2408.exe
1764 FB0.exe
592 Bags.exe.pif
1920 FB0.exe
3488 FB0.exe
4460 build2.exe
508 build3.exe
1732 build2.exe
4844 mstsca.exe

Deletes itself 1 IoCs
pid Process
3064 Process not Found

Loads dropped DLL 10 IoCs
pid Process
4072 regsvr32.exe (×2)
1732 build2.exe (×2)
592 Bags.exe.pif (×6)

Modifies file permissions 1 TTPs 1 IoCs
pid Process
2124 icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Key opened \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Key opened \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 2408.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 2408.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9e827b42-6147-4e4c-b7d8-79d7f15cf5e9\\FB0.exe\" --AutoStart" FB0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
12 api.2ip.ua
13 api.2ip.ua
35 api.2ip.ua

Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target
PID 3436 set thread context of 1764 3436 FB0.exe 76
PID 1920 set thread context of 3488 1920 FB0.exe 100
PID 4460 set thread context of 1732 4460 build2.exe 103
PID 592 set thread context of 5044 592 Bags.exe.pif 106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 5 IoCs
pid pid_target Process procid_target
4296 1216 WerFault.exe 70
1760 2036 WerFault.exe 66
2096 2036 WerFault.exe 66
2004 2036 WerFault.exe 66
4992 2036 WerFault.exe 66

Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b5c2b381305b21be548d0123d9b4f44c101f324c1e0a6a3360ddaec4935de4f9.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1ED6.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1ED6.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1ED6.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b5c2b381305b21be548d0123d9b4f44c101f324c1e0a6a3360ddaec4935de4f9.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b5c2b381305b21be548d0123d9b4f44c101f324c1e0a6a3360ddaec4935de4f9.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 build2.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString build2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2296 schtasks.exe
808 schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process
4696 tasklist.exe
4232 tasklist.exe

Runs ping.exe 1 TTPs 2 IoCs
pid Process
2700 PING.EXE
96 PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
3832 b5c2b381305b21be548d0123d9b4f44c101f324c1e0a6a3360ddaec4935de4f9.exe (×2)
3064 Process not Found (×62)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
3064 Process not Found

Suspicious behavior: MapViewOfSection 6 IoCs
pid Process
3832 b5c2b381305b21be548d0123d9b4f44c101f324c1e0a6a3360ddaec4935de4f9.exe
3064 Process not Found (×4)
5084 1ED6.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeShutdownPrivilege 3064 Process not Found / Token: SeCreatePagefilePrivilege 3064 Process not Found (alternating, 13 pairs)
Token: SeDebugPrivilege 4696 tasklist.exe
Token: SeDebugPrivilege 4232 tasklist.exe
Token: SeShutdownPrivilege 3064 Process not Found / Token: SeCreatePagefilePrivilege 3064 Process not Found (alternating, 8 pairs)
Token: SeDebugPrivilege 5044 jsc.exe

Suspicious use of FindShellTrayWindow 7 IoCs
pid Process
592 Bags.exe.pif
3064 Process not Found
3064 Process not Found
592 Bags.exe.pif
592 Bags.exe.pif
3064 Process not Found
3064 Process not Found

Suspicious use of SendNotifyMessage 3 IoCs
pid Process
592 Bags.exe.pif (×3)

Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3064 wrote to memory of 2036 3064 Process not Found 66 (×3)
PID 3064 wrote to memory of 3436 3064 Process not Found 67 (×3)
PID 3064 wrote to memory of 3568 3064 Process not Found 68 (×2)
PID 3568 wrote to memory of 4072 3568 regsvr32.exe 69 (×3)
PID 3064 wrote to memory of 1216 3064 Process not Found 70 (×3)
PID 3064 wrote to memory of 5084 3064 Process not Found 71 (×3)
PID 3064 wrote to memory of 2764 3064 Process not Found 72 (×3)
PID 3064 wrote to memory of 3900 3064 Process not Found 73 (×4)
PID 3064 wrote to memory of 3780 3064 Process not Found 74 (×3)
PID 3436 wrote to memory of 1764 3436 FB0.exe 76 (×10)
PID 2764 wrote to memory of 2092 2764 2408.exe 79 (×3)
PID 2764 wrote to memory of 1992 2764 2408.exe 85 (×3)
PID 1992 wrote to memory of 3972 1992 cmd.exe 87 (×3)
PID 3972 wrote to memory of 4696 3972 cmd.exe 88 (×3)
PID 3972 wrote to memory of 4444 3972 cmd.exe 89 (×3)
PID 3972 wrote to memory of 4232 3972 cmd.exe 91 (×3)
PID 3972 wrote to memory of 3780 3972 cmd.exe 92 (×3)
PID 3972 wrote to memory of 1324 3972 cmd.exe 93 (×3)
PID 3972 wrote to memory of 592 3972 cmd.exe 94 (×3)

outlook_office_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe

outlook_win_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Processes (indentation shows parent/child depth; each entry lists image path, PID, command line and matched signatures)

C:\Users\Admin\AppData\Local\Temp\b5c2b381305b21be548d0123d9b4f44c101f324c1e0a6a3360ddaec4935de4f9.exe (PID 3832)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b5c2b381305b21be548d0123d9b4f44c101f324c1e0a6a3360ddaec4935de4f9.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\407.exe (PID 2036)
    Command line: C:\Users\Admin\AppData\Local\Temp\407.exe
    - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe (PID 1760)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 520
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe (PID 2096)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 500
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe (PID 2004)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 536
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe (PID 4992)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 580
        - Program crash

C:\Users\Admin\AppData\Local\Temp\FB0.exe (PID 3436)
    Command line: C:\Users\Admin\AppData\Local\Temp\FB0.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\FB0.exe (PID 1764)
        Command line: C:\Users\Admin\AppData\Local\Temp\FB0.exe
        - Executes dropped EXE
        - Adds Run key to start application
        C:\Windows\SysWOW64\icacls.exe (PID 2124)
            Command line: icacls "C:\Users\Admin\AppData\Local\9e827b42-6147-4e4c-b7d8-79d7f15cf5e9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
            - Modifies file permissions
        C:\Users\Admin\AppData\Local\Temp\FB0.exe (PID 1920)
            Command line: "C:\Users\Admin\AppData\Local\Temp\FB0.exe" --Admin IsNotAutoStart IsNotTask
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Local\Temp\FB0.exe (PID 3488)
                Command line: "C:\Users\Admin\AppData\Local\Temp\FB0.exe" --Admin IsNotAutoStart IsNotTask
                - Executes dropped EXE
                C:\Users\Admin\AppData\Local\a62091aa-5405-4f5a-b0d7-16a721b3ee26\build2.exe (PID 4460)
                    Command line: "C:\Users\Admin\AppData\Local\a62091aa-5405-4f5a-b0d7-16a721b3ee26\build2.exe"
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    C:\Users\Admin\AppData\Local\a62091aa-5405-4f5a-b0d7-16a721b3ee26\build2.exe (PID 1732)
                        Command line: "C:\Users\Admin\AppData\Local\a62091aa-5405-4f5a-b0d7-16a721b3ee26\build2.exe"
                        - Executes dropped EXE
                        - Loads dropped DLL
                        - Checks processor information in registry
                C:\Users\Admin\AppData\Local\a62091aa-5405-4f5a-b0d7-16a721b3ee26\build3.exe (PID 508)
                    Command line: "C:\Users\Admin\AppData\Local\a62091aa-5405-4f5a-b0d7-16a721b3ee26\build3.exe"
                    - Executes dropped EXE
                    C:\Windows\SysWOW64\schtasks.exe (PID 2296)
                        Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                        - Creates scheduled task(s)

C:\Windows\system32\regsvr32.exe (PID 3568)
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\12BF.dll
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe (PID 4072)
        Command line: /s C:\Users\Admin\AppData\Local\Temp\12BF.dll
        - Loads dropped DLL

C:\Users\Admin\AppData\Local\Temp\15FC.exe (PID 1216)
    Command line: C:\Users\Admin\AppData\Local\Temp\15FC.exe
    - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe (PID 4296)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 480
        - Program crash

C:\Users\Admin\AppData\Local\Temp\1ED6.exe (PID 5084)
    Command line: C:\Users\Admin\AppData\Local\Temp\1ED6.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\2408.exe (PID 2764)
    Command line: C:\Users\Admin\AppData\Local\Temp\2408.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\ftp.exe (PID 2092)
        Command line: ftp /?
    C:\Windows\SysWOW64\cmd.exe (PID 1992)
        Command line: cmd /c cmd < Preferences.vsd & ping -n 5 localhost
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 3972)
            Command line: cmd
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\tasklist.exe (PID 4696)
                Command line: tasklist /FI "imagename eq AvastUI.exe"
                - Enumerates processes with tasklist
                - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\find.exe (PID 4444)
                Command line: find /I /N "avastui.exe"
            C:\Windows\SysWOW64\tasklist.exe (PID 4232)
                Command line: tasklist /FI "imagename eq AVGUI.exe"
                - Enumerates processes with tasklist
                - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\find.exe (PID 3780)
                Command line: find /I /N "avgui.exe"
            C:\Windows\SysWOW64\findstr.exe (PID 1324)
                Command line: findstr /V /R "^zsXAL$" Simulation.vsd
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif (PID 592)
                Command line: Bags.exe.pif f
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (PID 5044)
                    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                    - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\PING.EXE (PID 96)
                Command line: ping localhost -n 5
                - Runs ping.exe
        C:\Windows\SysWOW64\PING.EXE (PID 2700)
            Command line: ping -n 5 localhost
            - Runs ping.exe

C:\Windows\SysWOW64\explorer.exe (PID 3900)
    Command line: C:\Windows\SysWOW64\explorer.exe
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path

C:\Windows\explorer.exe (PID 3780)
    Command line: C:\Windows\explorer.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (PID 4844)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    C:\Windows\SysWOW64\schtasks.exe (PID 808)
        Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        - Creates scheduled task(s)
Downloads

Filesize 978B
MD5 830080edd3711b492ca2d27ccefe7c80
SHA1 a407239b3d4dbeb37acb1583d76dc39e778f3f47
SHA256 eba01f49f3c81e1ced63d51c06acd4620b13634bdeee44860e88c9cfadf9cc82
SHA512 2354079bef13ef3216d56fe16f738ea17cbaf0536cbac3cbb02d84f87f112eed65f450d168a12698da6e8fa99a153a15a767206b253f3d8e5772390cb15586c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize 1KB
MD5 0698dbc93ba7b6bef73ba316695f8317
SHA1 a444078ff1eb7c88f52cb4e324365926b491ed47
SHA256 263292040d77903899257c1d21201dc64d6f8d6b5a1d945cd5b28d0124d7906c
SHA512 ebacaa7009aebb88199cd70fd0bb3afe69ed300318cb633edd1c0404e42aef829617f589bcbad6cb7ab4bd0a8ae87f7df1435c786184ecc5de61c8fc6950a900

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3538626A1FCCCA43C7E18F220BDD9B02
Filesize 274B
MD5 41887f199fdd723d56eb0e67d206278d
SHA1 d81d3c6b210ffbd17ffc214fa03f17dc99e3aad0
SHA256 eafacaea44dc8aca28838295f1f9b25ef4a2bcbe2df9be1806a2c0736f91a941
SHA512 a8bf72d6a63c445bff61f6f321255308855114850df6532eae3be4f604ca4195b5c3556628f6573518fa027c7451d8118a882bd5a06a47b76625f5ed1eeaadd2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize 482B
MD5 397462ca04c9d2a0717e6d5a75606f5c
SHA1 80825e7c216575d56b29a5929f45b0753e79e984
SHA256 fae94b018259e94e82a7f5d5bbc21d0537ae74e2c25f13285d19d3e21f227837
SHA512 2322754c9c46c1904b29d08c72e0cdd21c56720166b37d6509dacdc30f7cb093fd0522acbe98eed5e1a1ab9ec05aacb4c7e72649b27d04301c182f8cfddf682f

Filesize 794KB
MD5 7b64f806fa586af2a86c5f23e0c663e3
SHA1 d90156925d2b201d33c3ee7adc5da673af9df4c6
SHA256 dabde7613fffa25ef0f3d562f1918f81afd615dc74186e7dc2c004fbb12a7210
SHA512 7a93714867880d4abf5ec687a2e79014e4617161e7f989d6de44581086a599cece9d6c524bee7981858cca826de8852c8a1c5e20f735537349770526efd05035

Filesize 1.4MB
MD5 ee4e00c732ed0e71a3e15eb848f99f84
SHA1 53bf346138bfa70ed91756c0a1835dc2d68813bf
SHA256 58ee95995100dee5d1511f860081b27ac8bdca627e43ed0c783f14351a1eb70d
SHA512 0c1c33be5b9da02c3a6c7a6b1f25b9a8898717853ba1b31835514b593364da4edfbc2224c86820551be124c9c7b2e22c15f0e2effd8c5c2c68f74c8d8d316b62

Filesize 274KB (2 identical entries)
MD5 1ffcf9fb93401efc7dcf8824c76b2256
SHA1 811a2b23568b091da9ca1d74707a17afbf0aa308
SHA256 30502d73924e948dadf7c1162bb2ad385fe2bc04872eb37bcdb002c9351095bf
SHA512 34c4992ad352ac06a10cc1b8a7825e5547136de316d3ec901b37cb4aa46ba4efc44ca0d247c10449fba2b27ad1fa1ce11122dc42176a0e7017115f4127701725

Filesize 210KB (2 identical entries)
MD5 ceb55d4e8fb75c30709f5cf397a875f3
SHA1 84343825bcef7c5fa1513dfee0589e0c2fffadd9
SHA256 3599c6fbe5598cc5675f586a3e07085e412aaf383919ac140d44ab58dbeb2ff8
SHA512 b888e26364d0818b6124c2a65227c461e7279d7241462831abe1f7736aa16f4b4a4f6c25ae720fa22c35a21d8bd798eadc42f81332efbe57e992567cc73b0093

Filesize 692KB
MD5 52d4af6eab9e603ed974524ea0a7103c
SHA1 0bd5d7b73a649c17c40685fab934aeb13d734c82
SHA256 b7d5fb28fcb3168a491be679b71c79ad28e4dde619361671095c81c2b6c97970
SHA512 f9211e95ea9aec395e32165c82f2663924a2097e454cd7c8e3e8bc394073ec963be4ec7a5b6193368f403e502efa475b0a218565b8860d18d57f792290421e25

Filesize 5.6MB (2 identical entries)
MD5 45554a2f4d9efc56d628e366cb1a422c
SHA1 6dd14e3d049c253f591b5fc6ec0ff92269f461ff
SHA256 6195bacdbdc31eac651bfd70ba776ec45ad417bf50372e01fd0169f51d1a4603
SHA512 e8cde51ff0004d7d89e21da8897f024c3750957e280047c9f3a41062a61802734fd71c41caadb3871d8853ea80b0f8b68ce2dd20ef4191a57cf8596940aedf93

Filesize 794KB (5 identical entries)
MD5 7b64f806fa586af2a86c5f23e0c663e3
SHA1 d90156925d2b201d33c3ee7adc5da673af9df4c6
SHA256 dabde7613fffa25ef0f3d562f1918f81afd615dc74186e7dc2c004fbb12a7210
SHA512 7a93714867880d4abf5ec687a2e79014e4617161e7f989d6de44581086a599cece9d6c524bee7981858cca826de8852c8a1c5e20f735537349770526efd05035

Filesize 924KB (2 identical entries)
MD5 6987e4cd3f256462f422326a7ef115b9
SHA1 71672a495b4603ecfec40a65254cb3ba8766bbe0
SHA256 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0
SHA512 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Filesize 725KB
MD5 e0352752dddef97bad04fa25c81fe867
SHA1 1c040b67598bbccdd510a49f842668935365fd71
SHA256 97208cb34d8b0af9e7bf3b8400ddd249337a58c4be8a38f39e3874900a73d455
SHA512 331ac25e2122779710fd0c4b3818df6ab3c1ea7df2d406953cfe39734dac32283f849a37766c0070fcd2dba82502c22b2e28867dcf64a9931cc5d8c14e4a1240

Filesize 10KB
MD5 23df91b58a61d477860ae3d23b098968
SHA1 b474e7cd93994fbbe780842e3cbebcd833981a34
SHA256 7f50c3b8b4e5f2117c562a78e2a08c65a25c019e3341c649b2a44b7873ae190d
SHA512 ea05e91b616ec2861ae2586fbd17120fd00e3b059c3200a7676a57146344bc54ff418902912ac2a184eb7e0ab1926b9a56774a10ba68166c030319a6974f4331

Filesize 924KB
MD5 75d2326d2d1bb6de24f3dda341482c13
SHA1 38c9138a24824073eef171cf365ebb01a2c4937f
SHA256 b6031d6424a4221830e29153fc7125dbd251b454539de76fee852a6875840431
SHA512 b3521bdc95c871ffb8f5866f2f9699ed8343715437e40f9da42a4740e1b279ddb6d4aa85229485baf8331bba5868c4299860031888c322e96b29ce6aa3761dc3

Filesize 255KB (3 identical entries)
MD5 9c3d4324a153c6438f48083bc333a962
SHA1 033e80e2008f4f62d2716ce0473bb0d763d52277
SHA256 5ee57d85a41b825060864ae85981253f28148d15586a5f6274d562dfeae93e98
SHA512 8cce276e59b2fcdb333fecaaa1e3ab9d0b24e25c54a6fc959b6c190441061fab67ea0d35e7077cf910b557b6a60b90c1d2260352b11789bbcd430814fcff51cd

Filesize 9KB (4 identical entries)
MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Filesize 593KB
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize 2.0MB
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Filesize 1.4MB (2 identical entries)
MD5 ee4e00c732ed0e71a3e15eb848f99f84
SHA1 53bf346138bfa70ed91756c0a1835dc2d68813bf
SHA256 58ee95995100dee5d1511f860081b27ac8bdca627e43ed0c783f14351a1eb70d
SHA512 0c1c33be5b9da02c3a6c7a6b1f25b9a8898717853ba1b31835514b593364da4edfbc2224c86820551be124c9c7b2e22c15f0e2effd8c5c2c68f74c8d8d316b62

Filesize 1.5MB (6 identical entries)
MD5 50741b3f2d7debf5d2bed63d88404029
SHA1 56210388a627b926162b36967045be06ffb1aad3
SHA256 f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
SHA512 fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3