Analysis
Max time kernel: 150s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19/12/2023, 22:01
Static task: static1
Behavioral task: behavioral1
- Sample: affabc5bb8d047bc344d22e2fc2173df.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2 (the task whose results are shown on this page)
- Sample: affabc5bb8d047bc344d22e2fc2173df.exe
- Resource: win10v2004-20231215-en
General
Target: affabc5bb8d047bc344d22e2fc2173df.exe
Size: 788KB
MD5: affabc5bb8d047bc344d22e2fc2173df
SHA1: dab692236525745d23174b6e5e3b1d0bc9de8ce3
SHA256: 9d334ede9c074960d9aace2a46861acb6c230cd831d2db2d8db694bffb69e839
SHA512: 75423e801738e89b624b2dc659b068c5bf255c63954c323973307402d8dd51d4fe0948352d196959a4e0c9b75a246bf7f6dec73ccb979fb2e4d03384cdd32116
SSDEEP: 12288:cGTDcnG0GTDcnG1tCqTPrynvWxjwOJ6z4Tfx9QfemR4BVH7L9tn:3oOoQTTynvyjwOhTJ93rP
Malware Config: (none listed for this sample)
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc. No IoCs are listed for this signature.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"
  process: affabc5bb8d047bc344d22e2fc2173df.exe
  Note: the Run value lands under WOW6432Node, and every "System32" IoC below resolves under SysWOW64. Both are consistent with a 32-bit process running under WOW64, whose writes to HKLM\SOFTWARE and to C:\Windows\System32 are redirected by the OS; check both the WOW6432Node and the native Run key when hunting. The persistence target, patcher.exe in a directory with a random-looking name, is a separate dropped file whose hash is not given on this page.
- Drops autorun.inf file (1 TTP, 1 IoC)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
  process: affabc5bb8d047bc344d22e2fc2173df.exe
- Drops file in System32 directory (64 IoCs)
  Every entry is "File opened for modification" by affabc5bb8d047bc344d22e2fc2173df.exe:
  C:\Windows\SysWOW64\diskpart.exe
  C:\Windows\SysWOW64\mavinject.exe
  C:\Windows\SysWOW64\RdpSaProxy.exe
  C:\Windows\SysWOW64\timeout.exe
  C:\Windows\SysWOW64\verclsid.exe
  C:\Windows\SysWOW64\xwizard.exe
  C:\Windows\SysWOW64\auditpol.exe
  C:\Windows\SysWOW64\fontdrvhost.exe
  C:\Windows\SysWOW64\TokenBrokerCookies.exe
  C:\Windows\SysWOW64\IME\IMEJP\IMJPUEX.EXE
  C:\Windows\SysWOW64\fsquirt.exe
  C:\Windows\SysWOW64\psr.exe
  C:\Windows\SysWOW64\shrpubw.exe
  C:\Windows\SysWOW64\winrshost.exe
  C:\Windows\SysWOW64\isoburn.exe
  C:\Windows\SysWOW64\mshta.exe
  C:\Windows\SysWOW64\mtstocom.exe
  C:\Windows\SysWOW64\RMActivate.exe
  C:\Windows\SysWOW64\sc.exe
  C:\Windows\SysWOW64\wevtutil.exe
  C:\Windows\SysWOW64\IME\SHARED\IMEPADSV.EXE
  C:\Windows\SysWOW64\AtBroker.exe
  C:\Windows\SysWOW64\mspaint.exe
  C:\Windows\SysWOW64\UserAccountControlSettings.exe
  C:\Windows\SysWOW64\gpscript.exe
  C:\Windows\SysWOW64\ndadmin.exe
  C:\Windows\SysWOW64\Windows.WARP.JITService.exe
  C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe
  C:\Windows\SysWOW64\GamePanel.exe
  C:\Windows\SysWOW64\whoami.exe
  C:\Windows\SysWOW64\cscript.exe
  C:\Windows\SysWOW64\dialer.exe
  C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe
  C:\Windows\SysWOW64\perfhost.exe
  C:\Windows\SysWOW64\regedit.exe
  C:\Windows\SysWOW64\cacls.exe
  C:\Windows\SysWOW64\CameraSettingsUIHost.exe
  C:\Windows\SysWOW64\chkntfs.exe
  C:\Windows\SysWOW64\dxdiag.exe
  C:\Windows\SysWOW64\cleanmgr.exe
  C:\Windows\SysWOW64\Fondue.exe
  C:\Windows\SysWOW64\ntprint.exe
  C:\Windows\SysWOW64\rdrleakdiag.exe
  C:\Windows\SysWOW64\SystemPropertiesComputerName.exe
  C:\Windows\SysWOW64\winver.exe
  C:\Windows\SysWOW64\fltMC.exe
  C:\Windows\SysWOW64\rasdial.exe
  C:\Windows\SysWOW64\fontview.exe
  C:\Windows\SysWOW64\WSManHTTPConfig.exe
  C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE
  C:\Windows\SysWOW64\CheckNetIsolation.exe
  C:\Windows\SysWOW64\expand.exe
  C:\Windows\SysWOW64\label.exe
  C:\Windows\SysWOW64\mcbuilder.exe
  C:\Windows\SysWOW64\netsh.exe
  C:\Windows\SysWOW64\typeperf.exe
  C:\Windows\SysWOW64\colorcpl.exe
  C:\Windows\SysWOW64\msiexec.exe
  C:\Windows\SysWOW64\provlaunch.exe
  C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE
  C:\Windows\SysWOW64\wbem\WMIADAP.exe
  C:\Windows\SysWOW64\agentactivationruntimestarter.exe
  C:\Windows\SysWOW64\mfpmp.exe
- Drops file in Program Files directory (64 IoCs)
  Process for every entry: affabc5bb8d047bc344d22e2fc2173df.exe. Paths are reproduced as the report lists them, including the trailing "$" on some of them.
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
  File opened for modification: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
  File opened for modification: C:\Program Files\7-Zip\7zG.exe
  File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe
  File created: C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe
  File opened for modification: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
  File created: C:\Program Files\Java\jdk-1.8\bin\jhat.exe
  File created: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe
  File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe
  File created: C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\pack200.exe
  File opened for modification: C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe$
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe
  File opened for modification: C:\Program Files\7-Zip\7z.exe
  File created: C:\Program Files\Java\jdk-1.8\bin\javac.exe
  File opened for modification: C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe$
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe
  File created: C:\Program Files\Java\jre-1.8\bin\ssvagent.exe
  File created: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
  File opened for modification: C:\Program Files\Java\jre-1.8\bin\ssvagent.exe$
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe
  File created: C:\Program Files\Microsoft Office\root\Office16\msoia.exe
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe$
  File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe
  File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  File opened for modification: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe$
  File created: C:\Program Files\Java\jdk-1.8\bin\klist.exe
  File created: C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe
  File opened for modification: C:\Program Files\Mozilla Firefox\plugin-container.exe
  File opened for modification: C:\Program Files\Java\jre-1.8\bin\unpack200.exe$
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE$
  File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe$
  File created: C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE$
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe$
  File opened for modification: C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{DD0F0D5E-5A31-4711-9A1A-DA8DCBD755A2}\MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe$
  File opened for modification: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe
  File opened for modification: C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE$
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\misc.exe$
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\policytool.exe$
  File created: C:\Program Files\Microsoft Office\root\Office16\misc.exe
  File opened for modification: C:\Program Files (x86)\Internet Explorer\iexplore.exe
  File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
  File opened for modification: C:\Program Files\Java\jre-1.8\bin\pack200.exe
  File opened for modification: C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe
  File opened for modification: C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe$
  File opened for modification: C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeComRegisterShellARM64.exe
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
  File created: C:\Program Files\Java\jre-1.8\bin\jabswitch.exe
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe$
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
  File created: C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe$
- Drops file in Windows directory (64 IoCs)
  Process for every entry: affabc5bb8d047bc344d22e2fc2173df.exe. Paths are reproduced as the report lists them, including the trailing "$" on some of them.
  File opened for modification: C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
  File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe$
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  File opened for modification: C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  File opened for modification: C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe$
  File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe
  File opened for modification: C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\OOBENetworkConnectionFlow.exe
  File created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe
  File created: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe
  File opened for modification: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  File opened for modification: C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe
  File created: C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe
  File opened for modification: C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\NarratorQuickStart.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
  File opened for modification: C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\AppResolverUX.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe
  File opened for modification: C:\Windows\servicing\TrustedInstaller.exe
  File opened for modification: C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe$
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe
  File opened for modification: C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe
  File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe$
  File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe$
  File opened for modification: C:\Windows\PrintDialog\PrintDialog.exe
  File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe$
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  File created: C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe
  File created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
  File opened for modification: C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
  Taken together, the three "Drops file" signatures show the sample opening already-installed .exe files across SysWOW64, Program Files and the .NET framework directories for modification, not merely dropping new files; treat any of these binaries on an affected host as possibly altered until its signature or hash is verified.
- NTFS ADS (1 IoC)
  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
  process: affabc5bb8d047bc344d22e2fc2173df.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 1192
  process: affabc5bb8d047bc344d22e2fc2173df.exe
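A host-side triage script for the IoCs above, added here as an editor's example; it is not part of the tria.ge report and nothing in it comes from the sample. It hashes a candidate file against the report's SHA256, checks both the WOW6432Node and native Run keys for the WinFirewall value and hashes patcher.exe if present, enumerates alternate data streams under %TEMP%, and lists recently written executables under the directories the report shows being modified whose Authenticode signature no longer validates or whose name carries the trailing "$" seen in the IoC lists. The candidate path, the 7-day look-back window and the signature heuristic are assumptions to tune per case; run it elevated on the suspect host.

```powershell
<#
  Editor's example for triaging the IoCs in this report on a live host.
  Not part of the tria.ge report. Assumptions (not from the page): run as
  administrator; $SuspectPath is wherever the candidate file sits on the host;
  the look-back window and the signature heuristic are editor choices.
#>
param(
    [string]$SuspectPath = (Join-Path $env:TEMP 'affabc5bb8d047bc344d22e2fc2173df.exe'),
    [int]$LookbackDays = 7
)

$ReportSha256 = '9d334ede9c074960d9aace2a46861acb6c230cd831d2db2d8db694bffb69e839'
$RunValueName = 'WinFirewall'
$PatcherPath  = 'C:\905c0769f9a06c95a24ddf945\patcher.exe'
$RunKeys      = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',  # key named in the report
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'               # native 64-bit view
)

# 1. Does the candidate file match the report's SHA256?
if (Test-Path -LiteralPath $SuspectPath) {
    $hash = (Get-FileHash -LiteralPath $SuspectPath -Algorithm SHA256).Hash
    if ($hash -ieq $ReportSha256) { Write-Warning "SHA256 match with the report sample: $SuspectPath" }
    else { Write-Output "No SHA256 match for $SuspectPath ($hash)" }
}

# 2. Persistence: the WinFirewall Run value and the patcher.exe it points at.
foreach ($key in $RunKeys) {
    $item = Get-ItemProperty -Path $key -Name $RunValueName -ErrorAction SilentlyContinue
    if ($item) { Write-Warning "Run value '$RunValueName' under $key = $($item.$RunValueName)" }
}
if (Test-Path -LiteralPath $PatcherPath) {
    $ph = (Get-FileHash -LiteralPath $PatcherPath -Algorithm SHA256).Hash
    Write-Warning "patcher.exe present at $PatcherPath (SHA256 $ph; the report gives no hash for it)"
}

# 3. Alternate data streams on %TEMP% and everything under it (the report lists
#    an autorun.inf stream path there; a directory can carry streams too).
$tempItems = @(Get-Item -LiteralPath $env:TEMP) +
             @(Get-ChildItem -LiteralPath $env:TEMP -Recurse -Force -ErrorAction SilentlyContinue)
foreach ($fsItem in $tempItems) {
    Get-Item -LiteralPath $fsItem.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { Write-Warning "ADS '$($_.Stream)' on $($_.FileName) ($($_.Length) bytes)" }
}

# 4. Executables under the roots the report shows being modified. A signed binary
#    that was rewritten fails Authenticode (HashMismatch); leftover '*.exe$' names
#    match the trailing-'$' paths in the IoC lists. Both are leads, not verdicts:
#    unsigned third-party binaries and freshly patched files also appear here.
$roots  = @("$env:SystemRoot\SysWOW64", "$env:SystemRoot\Microsoft.NET", "$env:SystemRoot\assembly",
            $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
          Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$cutoff = (Get-Date).AddDays(-$LookbackDays)
$findings = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Name -like '*.exe' -or $_.Name -like '*.exe$') -and $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            if ($_.Name -like '*.exe$' -or $sig.Status -ne 'Valid') {
                [pscustomobject]@{ Path = $_.FullName; LastWrite = $_.LastWriteTime; Signature = $sig.Status }
            }
        }
}
$findings | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

Catalog-signed Windows binaries validate through Get-AuthenticodeSignature as well, so a HashMismatch on a file under SysWOW64 or Microsoft.NET is a strong lead; NotSigned on a third-party binary under Program Files is not, on its own. Raise $LookbackDays if the suspected infection is older than a week.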
Processes
1. C:\Users\Admin\AppData\Local\Temp\affabc5bb8d047bc344d22e2fc2173df.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\affabc5bb8d047bc344d22e2fc2173df.exe"
   PID: 1192
   Signatures attributed to this process:
   - Adds Run key to start application
   - Drops autorun.inf file
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - NTFS ADS
   - Suspicious use of SetWindowsHookEx
   No child processes were recorded; the Run-key target C:\905c0769f9a06c95a24ddf945\patcher.exe does not appear in the tree during this run.
Network: (no entries listed)
MITRE ATT&CK Enterprise v15: (no entries listed)
Downloads
- Filesize: 1.5MB
  MD5: d1cad81558e2f4aa57ac6a505f48a176
  SHA1: d60b70a666b56e48cfebf2bcde62ff1de0010988
  SHA256: 147d5bbcc2c548c910bd2fcd226d0d10d6723d233350a21ceb721a307c18f66e
  SHA512: 1fbe7122f11ba83442af6cef171896af2030c59f37ab9820ec9c3ac2207960a3dea2ecbeaaf0cf01683cdbada5e424d22cd2d90d00a830d2d2580b11bbeacc59
  The report does not name this file or tie it to a path on disk.