Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/11/2022, 18:13
Static task: static1
Behavioral task: behavioral1
- Sample: 0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
- Resource: win10v2004-20220812-en
General
- Target: 0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe
- Size: 799KB
- MD5: 67cb4b511fa77b68a2113ff100c19d3b
- SHA1: 149295633667f97ecaa61ad40d2643595175f262
- SHA256: 0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab
- SHA512: d315d773a9800f3d69f22c18bf5aaf9935578a2283db695631389d8469fcfa7d6e94bdce894bd0f3f660721f6ae024203477b5567d188de7f25fc3680beb60a0
- SSDEEP: 12288:yDwlmijm7u6o2t8ZrZ0ULh//VauajOtAIqXb75idAPcQcguD4FPQxPfOAzfiS/JN:WV4vDrFVaJqaIqrUAMB4FPQxJ/J0T
Malware Config
Signatures
- ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
- ISR Stealer payload (16 IoCs)
- NirSoft WebBrowserPassView (13 IoCs)
  Password recovery tool for various web browsers.
- Nirsoft (13 IoCs)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: 0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe)
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (process: WScript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XIPWmNN = "C:\\Users\\Admin\\AppData\\Roaming\\XIPWmNN.exe" (process: WScript.exe)
- Suspicious use of SetThreadContext (21 IoCs)
  - PID 3916 (0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe) set thread context of PID 4532 [procid_target 81]
  - PID 4532 (vbc.exe) set thread context of PID 2536 [procid_target 82]
  - PID 2536 (vbc.exe) set thread context of PID 204 [procid_target 83]
  - PID 3916 (0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe) set thread context of PID 2488 [procid_target 87]
  - PID 2488 (cvtres.exe) set thread context of PID 632 [procid_target 88]
  - PID 632 (cvtres.exe) set thread context of PID 1004 [procid_target 89]
  - PID 3916 (0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe) set thread context of PID 4344 [procid_target 92]
  - PID 4344 (vbc.exe) set thread context of PID 392 [procid_target 93]
  - PID 392 (vbc.exe) set thread context of PID 792 [procid_target 94]
  - PID 3916 (0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe) set thread context of PID 2832 [procid_target 101]
  - PID 2832 (csc.exe) set thread context of PID 4984 [procid_target 102]
  - PID 4984 (csc.exe) set thread context of PID 2284 [procid_target 103]
  - PID 3916 (0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe) set thread context of PID 2888 [procid_target 108]
  - PID 2888 (cvtres.exe) set thread context of PID 2444 [procid_target 109]
  - PID 2444 (cvtres.exe) set thread context of PID 2892 [procid_target 110]
  - PID 3916 (0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe) set thread context of PID 2596 [procid_target 113]
  - PID 2596 (csc.exe) set thread context of PID 1060 [procid_target 114]
  - PID 1060 (csc.exe) set thread context of PID 320 [procid_target 115]
  - PID 3916 (0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe) set thread context of PID 3896 [procid_target 118]
  - PID 3896 (csc.exe) set thread context of PID 3500 [procid_target 119]
  - PID 3500 (csc.exe) set thread context of PID 3756 [procid_target 120]
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (7 IoCs)
  Taskkill.exe PIDs: 3068, 2192, 1212, 3840, 2096, 3528, 712
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings (process: 0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token SeDebugPrivilege: 3916 0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe; 2096 Taskkill.exe; 3528 Taskkill.exe; 712 Taskkill.exe; 3068 Taskkill.exe; 2192 Taskkill.exe; 1212 Taskkill.exe; 3840 Taskkill.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  4532 vbc.exe; 2488 cvtres.exe; 4344 vbc.exe; 2832 csc.exe; 2888 cvtres.exe; 2596 csc.exe; 3896 csc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe (PID 3916)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0273f419416b2626a6047a1b848ca818e40f20be4be075237ebf02ea3ce381ab.exe"
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3892)
    Command line: "C:\Windows\System32\cmd.exe" /C ren C:\Users\Admin\AppData\Roaming\XIPWmNN XIPWmNN.exe && exit
  - C:\Windows\SysWOW64\WScript.exe (PID 728)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp344.vbs"
    Signatures: Adds Run key to start application
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4532)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2536)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 204)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
  - C:\Windows\SysWOW64\Taskkill.exe (PID 2096)
    Command line: Taskkill /f /im csc.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2488)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 632)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 1004)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
  - C:\Windows\SysWOW64\Taskkill.exe (PID 3528)
    Command line: Taskkill /f /im csc.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4344)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 392)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      Signatures: Suspicious use of SetThreadContext
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 792)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
  - C:\Windows\SysWOW64\Taskkill.exe (PID 712)
    Command line: Taskkill /f /im csc.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 2832)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 4984)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
      Signatures: Suspicious use of SetThreadContext
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 2284)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
  - C:\Windows\SysWOW64\Taskkill.exe (PID 3068)
    Command line: Taskkill /f /im csc.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2888)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2444)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
      Signatures: Suspicious use of SetThreadContext
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2892)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
  - C:\Windows\SysWOW64\Taskkill.exe (PID 2192)
    Command line: Taskkill /f /im csc.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 2596)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 1060)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
      Signatures: Suspicious use of SetThreadContext
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 320)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
  - C:\Windows\SysWOW64\Taskkill.exe (PID 1212)
    Command line: Taskkill /f /im csc.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 3896)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 3500)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
      Signatures: Suspicious use of SetThreadContext
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 3756)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
  - C:\Windows\SysWOW64\Taskkill.exe (PID 3840)
    Command line: Taskkill /f /im csc.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads