Analysis
max time kernel: 150s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/03/2023, 13:34
Static task
static1
Behavioral task
behavioral1
Sample
4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e.exe
Resource
win10v2004-20230220-en
General
Target: 4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e.exe
Size: 258KB
MD5: 8c2506fef155bd72ee5100610aebc9e4
SHA1: 13067fec38a031c3eb365e96a797768c1249bf96
SHA256: 4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e
SHA512: 79d15edbec81dbce468bccb286fec0b35c2eec84182c5052dde3679091dcab4aaa50dd54c72f84fdee0dd7b31d88279a09317fe82b27292268ae2609a1105925
SSDEEP: 3072:e4C5oq7lwHUZZu0Po6gtmNqs8OGWHGij/Moxr0KSlkMsg67IaOqcnD53pjAXPSQo:D4ocuU7u0Po6gRw7HGQCmOqcDzj
Malware Config
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Extracted
redline
rosto
hueref.eu:4162
-
auth_value
07d81eba8cad42bbd0ae60042d48eac6
Extracted
amadey
3.68
193.233.20.25/buH5N004d/index.php
Signatures

Detects Smokeloader packer 1 IoCs
resource | yara_rule
behavioral1/memory/1336-134-0x00000000022C0000-0x00000000022C9000-memory.dmp | family_smokeloader

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | befr56vK31.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | befr56vK31.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | ctKK50AA79.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | ctKK50AA79.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | ctKK50AA79.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | ctKK50AA79.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | ctKK50AA79.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | befr56vK31.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | befr56vK31.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | befr56vK31.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | ctKK50AA79.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | befr56vK31.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 12 IoCs
resource | yara_rule
behavioral1/memory/2540-256-0x0000000005180000-0x00000000051BE000-memory.dmp | family_redline
behavioral1/memory/2540-257-0x0000000005180000-0x00000000051BE000-memory.dmp | family_redline
behavioral1/memory/2540-259-0x0000000005180000-0x00000000051BE000-memory.dmp | family_redline
behavioral1/memory/2540-261-0x0000000005180000-0x00000000051BE000-memory.dmp | family_redline
behavioral1/memory/2540-263-0x0000000005180000-0x00000000051BE000-memory.dmp | family_redline
behavioral1/memory/2540-265-0x0000000005180000-0x00000000051BE000-memory.dmp | family_redline
behavioral1/memory/2540-267-0x0000000005180000-0x00000000051BE000-memory.dmp | family_redline
behavioral1/memory/2540-269-0x0000000005180000-0x00000000051BE000-memory.dmp | family_redline
behavioral1/memory/2540-271-0x0000000005180000-0x00000000051BE000-memory.dmp | family_redline
behavioral1/memory/2540-273-0x0000000005180000-0x00000000051BE000-memory.dmp | family_redline
behavioral1/memory/2540-275-0x0000000005180000-0x00000000051BE000-memory.dmp | family_redline
behavioral1/memory/2540-471-0x0000000002110000-0x0000000002120000-memory.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | jxRK12Ko52.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | ghaaer.exe

Executes dropped EXE 9 IoCs
pid | Process
1804 | ED14.exe
5076 | ptSj4050Vt.exe
1644 | ptmG0842gC.exe
1576 | befr56vK31.exe
3280 | ctKK50AA79.exe
2540 | hk07mY49po25.exe
2252 | jxRK12Ko52.exe
1736 | ghaaer.exe
2372 | ghaaer.exe

Loads dropped DLL 1 IoCs
pid | Process
2900 | rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | befr56vK31.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | befr56vK31.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | ctKK50AA79.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ED14.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ED14.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptSj4050Vt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ptSj4050Vt.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptmG0842gC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ptmG0842gC.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 2 IoCs
pid | pid_target | Process | procid_target
3380 | 1576 | WerFault.exe | 94
4020 | 2540 | WerFault.exe | 109

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1272 | schtasks.exe

Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Process not Found
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1336 | 4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e.exe
1336 | 4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e.exe
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3236 | Process not Found

Suspicious behavior: MapViewOfSection 19 IoCs
pid | Process
1336 | 4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e.exe
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found
3236 | Process not Found

Suspicious use of AdjustPrivilegeToken 27 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1576 | befr56vK31.exe
Token: SeShutdownPrivilege | 3236 | Process not Found
Token: SeCreatePagefilePrivilege | 3236 | Process not Found
Token: SeDebugPrivilege | 3280 | ctKK50AA79.exe
Token: SeDebugPrivilege | 2540 | hk07mY49po25.exe
Token: SeShutdownPrivilege | 3236 | Process not Found
Token: SeCreatePagefilePrivilege | 3236 | Process not Found
Token: SeShutdownPrivilege | 3236 | Process not Found
Token: SeCreatePagefilePrivilege | 3236 | Process not Found
Token: SeShutdownPrivilege | 3236 | Process not Found
Token: SeCreatePagefilePrivilege | 3236 | Process not Found
Token: SeShutdownPrivilege | 3236 | Process not Found
Token: SeCreatePagefilePrivilege | 3236 | Process not Found
Token: SeShutdownPrivilege | 3236 | Process not Found
Token: SeCreatePagefilePrivilege | 3236 | Process not Found
Token: SeShutdownPrivilege | 3236 | Process not Found
Token: SeCreatePagefilePrivilege | 3236 | Process not Found
Token: SeShutdownPrivilege | 3236 | Process not Found
Token: SeCreatePagefilePrivilege | 3236 | Process not Found
Token: SeShutdownPrivilege | 3236 | Process not Found
Token: SeCreatePagefilePrivilege | 3236 | Process not Found
Token: SeShutdownPrivilege | 3236 | Process not Found
Token: SeCreatePagefilePrivilege | 3236 | Process not Found
Token: SeShutdownPrivilege | 3236 | Process not Found
Token: SeCreatePagefilePrivilege | 3236 | Process not Found
Token: SeShutdownPrivilege | 3236 | Process not Found
Token: SeCreatePagefilePrivilege | 3236 | Process not Found

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3236 wrote to memory of 1804 | 3236 | Process not Found | 91
PID 3236 wrote to memory of 1804 | 3236 | Process not Found | 91
PID 3236 wrote to memory of 1804 | 3236 | Process not Found | 91
PID 1804 wrote to memory of 5076 | 1804 | ED14.exe | 92
PID 1804 wrote to memory of 5076 | 1804 | ED14.exe | 92
PID 1804 wrote to memory of 5076 | 1804 | ED14.exe | 92
PID 5076 wrote to memory of 1644 | 5076 | ptSj4050Vt.exe | 93
PID 5076 wrote to memory of 1644 | 5076 | ptSj4050Vt.exe | 93
PID 5076 wrote to memory of 1644 | 5076 | ptSj4050Vt.exe | 93
PID 1644 wrote to memory of 1576 | 1644 | ptmG0842gC.exe | 94
PID 1644 wrote to memory of 1576 | 1644 | ptmG0842gC.exe | 94
PID 1644 wrote to memory of 1576 | 1644 | ptmG0842gC.exe | 94
PID 3236 wrote to memory of 5072 | 3236 | Process not Found | 96
PID 3236 wrote to memory of 5072 | 3236 | Process not Found | 96
PID 3236 wrote to memory of 5072 | 3236 | Process not Found | 96
PID 3236 wrote to memory of 5072 | 3236 | Process not Found | 96
PID 3236 wrote to memory of 2672 | 3236 | Process not Found | 97
PID 3236 wrote to memory of 2672 | 3236 | Process not Found | 97
PID 3236 wrote to memory of 2672 | 3236 | Process not Found | 97
PID 3236 wrote to memory of 3536 | 3236 | Process not Found | 98
PID 3236 wrote to memory of 3536 | 3236 | Process not Found | 98
PID 3236 wrote to memory of 3536 | 3236 | Process not Found | 98
PID 3236 wrote to memory of 3536 | 3236 | Process not Found | 98
PID 3236 wrote to memory of 3776 | 3236 | Process not Found | 99
PID 3236 wrote to memory of 3776 | 3236 | Process not Found | 99
PID 3236 wrote to memory of 3776 | 3236 | Process not Found | 99
PID 3236 wrote to memory of 3368 | 3236 | Process not Found | 100
PID 3236 wrote to memory of 3368 | 3236 | Process not Found | 100
PID 3236 wrote to memory of 3368 | 3236 | Process not Found | 100
PID 3236 wrote to memory of 3368 | 3236 | Process not Found | 100
PID 3236 wrote to memory of 4292 | 3236 | Process not Found | 102
PID 3236 wrote to memory of 4292 | 3236 | Process not Found | 102
PID 3236 wrote to memory of 4292 | 3236 | Process not Found | 102
PID 3236 wrote to memory of 4292 | 3236 | Process not Found | 102
PID 3236 wrote to memory of 5080 | 3236 | Process not Found | 103
PID 3236 wrote to memory of 5080 | 3236 | Process not Found | 103
PID 3236 wrote to memory of 5080 | 3236 | Process not Found | 103
PID 3236 wrote to memory of 5080 | 3236 | Process not Found | 103
PID 3236 wrote to memory of 4784 | 3236 | Process not Found | 104
PID 3236 wrote to memory of 4784 | 3236 | Process not Found | 104
PID 3236 wrote to memory of 4784 | 3236 | Process not Found | 104
PID 3236 wrote to memory of 3312 | 3236 | Process not Found | 105
PID 3236 wrote to memory of 3312 | 3236 | Process not Found | 105
PID 3236 wrote to memory of 3312 | 3236 | Process not Found | 105
PID 3236 wrote to memory of 3312 | 3236 | Process not Found | 105
PID 1644 wrote to memory of 3280 | 1644 | ptmG0842gC.exe | 108
PID 1644 wrote to memory of 3280 | 1644 | ptmG0842gC.exe | 108
PID 5076 wrote to memory of 2540 | 5076 | ptSj4050Vt.exe | 109
PID 5076 wrote to memory of 2540 | 5076 | ptSj4050Vt.exe | 109
PID 5076 wrote to memory of 2540 | 5076 | ptSj4050Vt.exe | 109
PID 1804 wrote to memory of 2252 | 1804 | ED14.exe | 113
PID 1804 wrote to memory of 2252 | 1804 | ED14.exe | 113
PID 1804 wrote to memory of 2252 | 1804 | ED14.exe | 113
PID 2252 wrote to memory of 1736 | 2252 | jxRK12Ko52.exe | 114
PID 2252 wrote to memory of 1736 | 2252 | jxRK12Ko52.exe | 114
PID 2252 wrote to memory of 1736 | 2252 | jxRK12Ko52.exe | 114
PID 1736 wrote to memory of 1272 | 1736 | ghaaer.exe | 115
PID 1736 wrote to memory of 1272 | 1736 | ghaaer.exe | 115
PID 1736 wrote to memory of 1272 | 1736 | ghaaer.exe | 115
PID 1736 wrote to memory of 4376 | 1736 | ghaaer.exe | 117
PID 1736 wrote to memory of 4376 | 1736 | ghaaer.exe | 117
PID 1736 wrote to memory of 4376 | 1736 | ghaaer.exe | 117
PID 4376 wrote to memory of 640 | 4376 | cmd.exe | 119
PID 4376 wrote to memory of 640 | 4376 | cmd.exe | 119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows the parent/child level of the process tree; each entry gives the image path, the command line, the triggered signatures and the PID)

C:\Users\Admin\AppData\Local\Temp\4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 1336

C:\Users\Admin\AppData\Local\Temp\ED14.exe
  command line: C:\Users\Admin\AppData\Local\Temp\ED14.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1804

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptSj4050Vt.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptSj4050Vt.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 5076

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptmG0842gC.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptmG0842gC.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 1644

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\befr56vK31.exe
              command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\befr56vK31.exe
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious use of AdjustPrivilegeToken
              PID: 1576

                C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1080
                  - Program crash
                  PID: 3380

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ctKK50AA79.exe
              command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ctKK50AA79.exe
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious use of AdjustPrivilegeToken
              PID: 3280

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk07mY49po25.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk07mY49po25.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 2540

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 1408
              - Program crash
              PID: 4020

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxRK12Ko52.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxRK12Ko52.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 2252

        C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 1736

            C:\Windows\SysWOW64\schtasks.exe
              command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ghaaer.exe /TR "C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe" /F
              - Creates scheduled task(s)
              PID: 1272

            C:\Windows\SysWOW64\cmd.exe
              command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "ghaaer.exe" /P "Admin:N"&&CACLS "ghaaer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\46aee2aca4" /P "Admin:N"&&CACLS "..\46aee2aca4" /P "Admin:R" /E&&Exit
              - Suspicious use of WriteProcessMemory
              PID: 4376

                C:\Windows\SysWOW64\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  PID: 640

                C:\Windows\SysWOW64\cacls.exe
                  command line: CACLS "ghaaer.exe" /P "Admin:N"
                  PID: 3884

                C:\Windows\SysWOW64\cacls.exe
                  command line: CACLS "ghaaer.exe" /P "Admin:R" /E
                  PID: 4044

                C:\Windows\SysWOW64\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  PID: 2196

                C:\Windows\SysWOW64\cacls.exe
                  command line: CACLS "..\46aee2aca4" /P "Admin:N"
                  PID: 3880

                C:\Windows\SysWOW64\cacls.exe
                  command line: CACLS "..\46aee2aca4" /P "Admin:R" /E
                  PID: 1476

            C:\Windows\SysWOW64\rundll32.exe
              command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
              - Loads dropped DLL
              PID: 2900

C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 5072

C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
  PID: 2672

C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 3536

C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
  PID: 3776

C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 3368

C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 4292

C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 5080

C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
  PID: 4784

C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 3312

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1576 -ip 1576
  PID: 404

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2540 -ip 2540
  PID: 4080

C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe
  command line: C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe
  - Executes dropped EXE
  PID: 2372
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 235KB
MD5: 5be5a732113282a7824ceb2a359b6468
SHA1: 0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA256: 00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512: a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Filesize: 235KB
MD5: 5be5a732113282a7824ceb2a359b6468
SHA1: 0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA256: 00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512: a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Filesize: 235KB
MD5: 5be5a732113282a7824ceb2a359b6468
SHA1: 0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA256: 00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512: a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Filesize: 235KB
MD5: 5be5a732113282a7824ceb2a359b6468
SHA1: 0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA256: 00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512: a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Filesize: 900KB
MD5: 86f055d5a69e7666c0966f1cf7f34d0f
SHA1: 455d1356c4468824436e12dce4ffac66978b3521
SHA256: 26773f4b456f97d3ffa64aa3e705b42837103343bbc433dc0af635cf97579079
SHA512: e652909b4560ee0a7ccf9e161056bf85399d8b15bc5087770c3659bc0295a1c97bb6705528c2bef04f5cd940b43238eef5703d72d6863ad1ded0b8483be1b0c9

Filesize: 900KB
MD5: 86f055d5a69e7666c0966f1cf7f34d0f
SHA1: 455d1356c4468824436e12dce4ffac66978b3521
SHA256: 26773f4b456f97d3ffa64aa3e705b42837103343bbc433dc0af635cf97579079
SHA512: e652909b4560ee0a7ccf9e161056bf85399d8b15bc5087770c3659bc0295a1c97bb6705528c2bef04f5cd940b43238eef5703d72d6863ad1ded0b8483be1b0c9

Filesize: 235KB
MD5: 5be5a732113282a7824ceb2a359b6468
SHA1: 0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA256: 00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512: a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Filesize: 235KB
MD5: 5be5a732113282a7824ceb2a359b6468
SHA1: 0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA256: 00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512: a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Filesize: 714KB
MD5: 8139edcd8671b9d9c7406a9d3840dcbc
SHA1: 236e54a52f78b62868b5e987068ca20235fee733
SHA256: 24cb382a240229b53ce418f0347d46ebb074fb04bc443aa92462e05c94a90db7
SHA512: 0f9516fdab13a7cf91586406ca59542fbb29ff41469991d293196c59e1b69b71a8979c68e9cdb9615ae3cc8dac28bb37943400ab85cfac1f0e1626636db41b17

Filesize: 714KB
MD5: 8139edcd8671b9d9c7406a9d3840dcbc
SHA1: 236e54a52f78b62868b5e987068ca20235fee733
SHA256: 24cb382a240229b53ce418f0347d46ebb074fb04bc443aa92462e05c94a90db7
SHA512: 0f9516fdab13a7cf91586406ca59542fbb29ff41469991d293196c59e1b69b71a8979c68e9cdb9615ae3cc8dac28bb37943400ab85cfac1f0e1626636db41b17

Filesize: 367KB
MD5: f49c7a029cd55e390570e3a1dfaf1612
SHA1: 4db6d31063c5a1d611b47c02e13a01ea52c04388
SHA256: f6882c20312f9e005ea4954a01e9e53dad39a3cec99bebdf3f87f695356fa37b
SHA512: 87b6e399f32f45211e20fdfe23252a7d60c758781302a448ca04d1c2108438b507a7a81867dd78716860fb2166147a142bd3eda052d19bdf28dac3220b9fc68c

Filesize: 367KB
MD5: f49c7a029cd55e390570e3a1dfaf1612
SHA1: 4db6d31063c5a1d611b47c02e13a01ea52c04388
SHA256: f6882c20312f9e005ea4954a01e9e53dad39a3cec99bebdf3f87f695356fa37b
SHA512: 87b6e399f32f45211e20fdfe23252a7d60c758781302a448ca04d1c2108438b507a7a81867dd78716860fb2166147a142bd3eda052d19bdf28dac3220b9fc68c

Filesize: 357KB
MD5: c535c9302209f071fbaa5946157e1527
SHA1: 3fdb74d5251d22776abb66d1b0e42af3f8ff3e9e
SHA256: 46556cecb42a6813fc4e15f1c3a16cedf7698bbc9a9ee7459da4b778c67b2d05
SHA512: 7c80090829a42dc6f0c8ffbe4513a5e18d053fbc23df095413e3c88ca3a042c331998b267bcc9333f836a3adc8f0c253f00a6b3f97078ee3e06ad723548ffe1e

Filesize: 357KB
MD5: c535c9302209f071fbaa5946157e1527
SHA1: 3fdb74d5251d22776abb66d1b0e42af3f8ff3e9e
SHA256: 46556cecb42a6813fc4e15f1c3a16cedf7698bbc9a9ee7459da4b778c67b2d05
SHA512: 7c80090829a42dc6f0c8ffbe4513a5e18d053fbc23df095413e3c88ca3a042c331998b267bcc9333f836a3adc8f0c253f00a6b3f97078ee3e06ad723548ffe1e

Filesize: 309KB
MD5: 4cf9a087703b0404c33a309c02247319
SHA1: 3059339f5d92d22e3edb359c28865e4578c45db8
SHA256: 0a22f607da5bb93676591657f8417f665d7c433bfd2b558cf2e641ad736b6f32
SHA512: 4a2015355cc84c786cbf218295062a2f4bfe4fbf82ca8eecacb7d41dc028d7026b63474d3c3532bf6d3033a866dffde4785d7320ac4ae02c39f3008e455a29fc

Filesize: 309KB
MD5: 4cf9a087703b0404c33a309c02247319
SHA1: 3059339f5d92d22e3edb359c28865e4578c45db8
SHA256: 0a22f607da5bb93676591657f8417f665d7c433bfd2b558cf2e641ad736b6f32
SHA512: 4a2015355cc84c786cbf218295062a2f4bfe4fbf82ca8eecacb7d41dc028d7026b63474d3c3532bf6d3033a866dffde4785d7320ac4ae02c39f3008e455a29fc

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 89KB
MD5: 29b9780bb2992d018ae312ed4180a663
SHA1: 592a993f9518c1ceab3186a8b5007826fa204b60
SHA256: b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512: 988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d

Filesize: 89KB
MD5: 29b9780bb2992d018ae312ed4180a663
SHA1: 592a993f9518c1ceab3186a8b5007826fa204b60
SHA256: b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512: 988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d

Filesize: 89KB
MD5: 29b9780bb2992d018ae312ed4180a663
SHA1: 592a993f9518c1ceab3186a8b5007826fa204b60
SHA256: b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512: 988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d

Filesize: 162B
MD5: 1b7c22a214949975556626d7217e9a39
SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5