Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/02/2024, 02:03
Static task: static1
Behavioral task: behavioral1
- Sample: 8d67e92d16bcb3f33a3114e14474fa58.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 8d67e92d16bcb3f33a3114e14474fa58.exe
- Resource: win10v2004-20231222-en
General
- Target: setup_installer.exe
- Size: 4.2MB
- MD5: 788045d291dccd0c7bdf32e1d8e2ae51
- SHA1: ceda27c0b8d08c34d131575557a5ba20e797bbd4
- SHA256: 5ad7bfb790fc652df60360024af60578790930bb78489aabf352eae3fff103fb
- SHA512: c3a49a22d19d11afeff7af52bf6e290d150c7942de81c171a27685ec522b2757af181cdae4fc3bae97954966fff0eb4f9986838112e7ab25e7983178b706ce86
- SSDEEP: 98304:x2CvLUBsgj5x9GaxH9s8sKvdz0WV43wEdYUwGM:x/LUCgjb9lxHiCh0Wq3oz
Malware Config
Extracted: nullmixer
- http://marisana.xyz/
Extracted: redline
- pab3
- 185.215.113.15:61506
Extracted: vidar
- 40
- 706
- https://lenak513.tumblr.com/
- profile_id: 706
Extracted: smokeloader
- pub6
Extracted: smokeloader
- 2020
- http://aucmoney.com/upload/
- http://thegymmum.com/upload/
- http://atvcampingtrips.com/upload/
- http://kuapakualaman.com/upload/
- http://renatazarazua.com/upload/
- http://nasufmutlu.com/upload/
Signatures
- CryptBot payload (3 IoCs)
  resource | yara_rule
  behavioral4/memory/4108-215-0x0000000004590000-0x0000000004633000-memory.dmp | family_cryptbot
  behavioral4/memory/4108-216-0x0000000004590000-0x0000000004633000-memory.dmp | family_cryptbot
  behavioral4/memory/4108-217-0x0000000004590000-0x0000000004633000-memory.dmp | family_cryptbot
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral4/memory/928-90-0x0000000004A60000-0x0000000004A82000-memory.dmp | family_redline
  behavioral4/memory/928-105-0x0000000004B20000-0x0000000004B40000-memory.dmp | family_redline
- SectopRAT payload (3 IoCs)
  resource | yara_rule
  behavioral4/memory/928-90-0x0000000004A60000-0x0000000004A82000-memory.dmp | family_sectoprat
  behavioral4/memory/928-105-0x0000000004B20000-0x0000000004B40000-memory.dmp | family_sectoprat
  behavioral4/memory/3444-208-0x0000000002A20000-0x0000000002A30000-memory.dmp | family_sectoprat
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Vidar Stealer (2 IoCs)
  resource | yara_rule
  behavioral4/memory/1056-114-0x0000000004820000-0x00000000048BD000-memory.dmp | family_vidar
  behavioral4/memory/1056-133-0x0000000000400000-0x0000000002D1A000-memory.dmp | family_vidar
- resource | yara_rule
  behavioral4/files/0x000600000002321e-41.dat | aspack_v212_v242
  behavioral4/files/0x000600000002321d-43.dat | aspack_v212_v242
  behavioral4/files/0x0006000000023220-46.dat | aspack_v212_v242
  behavioral4/files/0x0006000000023220-49.dat | aspack_v212_v242
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | setup_installer.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | Mon201e749cce13219c.exe
- Executes dropped EXE (13 IoCs)
  pid | Process
  2820 | setup_install.exe
  4820 | Mon2028cde87b.exe
  748 | Mon201e749cce13219c.exe
  2992 | Mon20b1a4b518b89f.exe
  1056 | Mon20a820a0da875e5a5.exe
  928 | Mon20d164ee15b14251.exe
  4080 | Mon20bd1069e0a1.exe
  4888 | Mon20e066a4a15d1287.exe
  3444 | Mon2008ca219fb.exe
  4504 | Mon20bd52299e9f784e5.exe
  3084 | Mon201e749cce13219c.exe
  3236 | Talune.exe.com
  4108 | Talune.exe.com
- Loads dropped DLL (6 IoCs)
  pid | Process
  2820 | setup_install.exe (6 identical rows)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | Mon20e066a4a15d1287.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow | ioc
  24 | iplogger.org
  25 | iplogger.org
  28 | iplogger.org
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (10 IoCs)
  pid | pid_target | Process | procid_target
  1552 | 2820 | WerFault.exe | 84
  4740 | 1056 | WerFault.exe | 99
  2460 | 1056 | WerFault.exe | 99
  4892 | 1056 | WerFault.exe | 99
  4904 | 1056 | WerFault.exe | 99
  5004 | 1056 | WerFault.exe | 99
  3012 | 1056 | WerFault.exe | 99
  4848 | 1056 | WerFault.exe | 99
  4716 | 1056 | WerFault.exe | 99
  4168 | 1056 | WerFault.exe | 99
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Mon20b1a4b518b89f.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Mon20b1a4b518b89f.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Mon20b1a4b518b89f.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Talune.exe.com
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Talune.exe.com
- Runs ping.exe (1 TTPs, 1 IoC)
  pid | Process
  1744 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2992 | Mon20b1a4b518b89f.exe
  2992 | Mon20b1a4b518b89f.exe
  2736 | powershell.exe
  2736 | powershell.exe
  2736 | powershell.exe
  3408 | Process not Found (59 identical rows)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  2992 | Mon20b1a4b518b89f.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3444 | Mon2008ca219fb.exe
  Token: SeDebugPrivilege | 4504 | Mon20bd52299e9f784e5.exe
  Token: SeDebugPrivilege | 2736 | powershell.exe
  Token: SeDebugPrivilege | 928 | Mon20d164ee15b14251.exe
  Token: SeShutdownPrivilege | 3408 | Process not Found (30 rows, alternating with the row below)
  Token: SeCreatePagefilePrivilege | 3408 | Process not Found (30 rows)
- Suspicious use of FindShellTrayWindow (16 IoCs)
  pid | Process
  3236 | Talune.exe.com
  3408 | Process not Found
  3408 | Process not Found
  3236 | Talune.exe.com
  3236 | Talune.exe.com
  3408 | Process not Found
  3408 | Process not Found
  4108 | Talune.exe.com
  3408 | Process not Found
  3408 | Process not Found
  4108 | Talune.exe.com
  4108 | Talune.exe.com
  3408 | Process not Found
  3408 | Process not Found
  4108 | Talune.exe.com
  4108 | Talune.exe.com
- Suspicious use of SendNotifyMessage (14 IoCs)
  pid | Process
  3236 | Talune.exe.com (3 rows)
  4108 | Talune.exe.com (3 rows)
  3408 | Process not Found (8 rows)
- Suspicious use of UnmapMainImage (1 IoC)
  pid | Process
  3408 | Process not Found
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 3024 wrote to memory of 2820 | 3024 | setup_installer.exe | 84 (3 rows)
  PID 2820 wrote to memory of 4116 | 2820 | setup_install.exe | 87 (3 rows)
  PID 2820 wrote to memory of 2140 | 2820 | setup_install.exe | 111 (3 rows)
  PID 2820 wrote to memory of 4804 | 2820 | setup_install.exe | 110 (3 rows)
  PID 2820 wrote to memory of 2164 | 2820 | setup_install.exe | 109 (3 rows)
  PID 2820 wrote to memory of 908 | 2820 | setup_install.exe | 106 (3 rows)
  PID 2820 wrote to memory of 2364 | 2820 | setup_install.exe | 104 (3 rows)
  PID 2820 wrote to memory of 4916 | 2820 | setup_install.exe | 103 (3 rows)
  PID 2820 wrote to memory of 2444 | 2820 | setup_install.exe | 102 (3 rows)
  PID 2820 wrote to memory of 2092 | 2820 | setup_install.exe | 101 (3 rows)
  PID 2820 wrote to memory of 2000 | 2820 | setup_install.exe | 88 (3 rows)
  PID 4916 wrote to memory of 4820 | 4916 | cmd.exe | 89 (3 rows)
  PID 2140 wrote to memory of 748 | 2140 | cmd.exe | 91 (3 rows)
  PID 4116 wrote to memory of 2736 | 4116 | cmd.exe | 100 (3 rows)
  PID 908 wrote to memory of 1056 | 908 | cmd.exe | 99 (3 rows)
  PID 4804 wrote to memory of 2992 | 4804 | cmd.exe | 92 (3 rows)
  PID 2164 wrote to memory of 4080 | 2164 | cmd.exe | 96 (2 rows)
  PID 2364 wrote to memory of 928 | 2364 | cmd.exe | 94 (3 rows)
  PID 2092 wrote to memory of 4888 | 2092 | cmd.exe | 93 (3 rows)
  PID 2000 wrote to memory of 3444 | 2000 | cmd.exe | 98 (2 rows)
  PID 2444 wrote to memory of 4504 | 2444 | cmd.exe | 97 (2 rows)
  PID 748 wrote to memory of 3084 | 748 | Mon201e749cce13219c.exe | 107 (3 rows)
  PID 4888 wrote to memory of 1952 | 4888 | Mon20e066a4a15d1287.exe | 112
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (PID 3024)
  command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zS0DBF8947\setup_install.exe (PID 2820)
    command line: "C:\Users\Admin\AppData\Local\Temp\7zS0DBF8947\setup_install.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4116)
      command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2736)
        command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 2000)
      command line: C:\Windows\system32\cmd.exe /c Mon2008ca219fb.exe
      signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\7zS0DBF8947\Mon2008ca219fb.exe (PID 3444)
        command line: Mon2008ca219fb.exe
        signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 2092)
      command line: C:\Windows\system32\cmd.exe /c Mon20e066a4a15d1287.exe
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2444)
      command line: C:\Windows\system32\cmd.exe /c Mon20bd52299e9f784e5.exe
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4916)
      command line: C:\Windows\system32\cmd.exe /c Mon2028cde87b.exe
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2364)
      command line: C:\Windows\system32\cmd.exe /c Mon20d164ee15b14251.exe
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1552)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 564
      signatures: Program crash
    - C:\Windows\SysWOW64\cmd.exe (PID 908)
      command line: C:\Windows\system32\cmd.exe /c Mon20a820a0da875e5a5.exe
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2164)
      command line: C:\Windows\system32\cmd.exe /c Mon20bd1069e0a1.exe
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4804)
      command line: C:\Windows\system32\cmd.exe /c Mon20b1a4b518b89f.exe
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2140)
      command line: C:\Windows\system32\cmd.exe /c Mon201e749cce13219c.exe
      signatures: Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\7zS0DBF8947\Mon2028cde87b.exe (PID 4820)
  command line: Mon2028cde87b.exe
  signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\7zS0DBF8947\Mon201e749cce13219c.exe (PID 748)
  command line: Mon201e749cce13219c.exe
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zS0DBF8947\Mon201e749cce13219c.exe (PID 3084)
    command line: "C:\Users\Admin\AppData\Local\Temp\7zS0DBF8947\Mon201e749cce13219c.exe" -a
    signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\7zS0DBF8947\Mon20b1a4b518b89f.exe (PID 2992)
  command line: Mon20b1a4b518b89f.exe
  signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\7zS0DBF8947\Mon20e066a4a15d1287.exe (PID 4888)
  command line: Mon20e066a4a15d1287.exe
  signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\dllhost.exe (PID 1952)
    command line: dllhost.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 4704)
    command line: cmd /c cmd < Conservava.xlam
    - C:\Windows\SysWOW64\cmd.exe (PID 1864)
      command line: cmd
      - C:\Windows\SysWOW64\findstr.exe (PID 2948)
        command line: findstr /V /R "^aXXPLdOdpKvHEwwcALYIInWmgGDtBFsVVodqfjpjFmFfheNjFpLslXxTwbAyMJPDzALcKwugCMepSGkjSsms$" Suoi.xlam
      - C:\Windows\SysWOW64\PING.EXE (PID 1744)
        command line: ping VFMDDVWB -n 30
        signatures: Runs ping.exe
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com (PID 3236)
        command line: Talune.exe.com K
        signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
        - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com (PID 4108)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com K
          signatures: Executes dropped EXE; Checks processor information in registry; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Users\Admin\AppData\Local\Temp\7zS0DBF8947\Mon20d164ee15b14251.exe (PID 928)
  command line: Mon20d164ee15b14251.exe
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 2156)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2820 -ip 2820
- C:\Users\Admin\AppData\Local\Temp\7zS0DBF8947\Mon20bd1069e0a1.exe (PID 4080)
  command line: Mon20bd1069e0a1.exe
  signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\7zS0DBF8947\Mon20bd52299e9f784e5.exe (PID 4504)
  command line: Mon20bd52299e9f784e5.exe
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\7zS0DBF8947\Mon20a820a0da875e5a5.exe (PID 1056)
  command line: Mon20a820a0da875e5a5.exe
  signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe (PID 4740)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 824
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 2460)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 844
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 4892)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 844
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 4904)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 864
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 5004)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 992
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 3012)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1060
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 4848)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1520
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 4716)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1564
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 4168)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1780
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 924)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1056 -ip 1056
- C:\Windows\SysWOW64\WerFault.exe (PID 1324)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1056 -ip 1056
- C:\Windows\SysWOW64\WerFault.exe (PID 1148)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1056 -ip 1056
- C:\Windows\SysWOW64\WerFault.exe (PID 1624)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1056 -ip 1056
- C:\Windows\SysWOW64\WerFault.exe (PID 4996)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1056 -ip 1056
- C:\Windows\SysWOW64\WerFault.exe (PID 3056)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1056 -ip 1056
- C:\Windows\SysWOW64\WerFault.exe (PID 3120)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1056 -ip 1056
- C:\Windows\SysWOW64\WerFault.exe (PID 4844)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1056 -ip 1056
- C:\Windows\SysWOW64\WerFault.exe (PID 2076)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1056 -ip 1056
- C:\Windows\SysWOW64\WerFault.exe (PID 2136)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1056 -ip 1056
- C:\Windows\SysWOW64\WerFault.exe (PID 4556)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1056 -ip 1056
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: ce3a49b916b81a7d349c0f8c9f283d34
  SHA1: a04ea42670fcf09fffbf7f4d4ac9c8e3edfc8cf4
  SHA256: 9a1f1a9f448d94c8954b8004a4ff3e8405f8b18139f95d04f8d9b40c483e1b40
  SHA512: e7e0150f3c79300c4e11ca391de9553440846c4b9594b49d8854769a347deb4ba10d5f7d3e7684e3a942ff15b61484910adc12014495adef68eaeb98f887ed80
- Filesize: 56KB
  MD5: 3263859df4866bf393d46f06f331a08f
  SHA1: 5b4665de13c9727a502f4d11afb800b075929d6c
  SHA256: 9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
  SHA512: 58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6
- Filesize: 50KB
  MD5: 9dc01cfed647c36a1eda2747d69b15b7
  SHA1: 51bd783f60cdbfcda85d830ccdcc056a35bb2d05
  SHA256: 0fbb107a4980b485975f929e7e078c518c70a2661e5377c3029d6c5cbe54e549
  SHA512: c03c741b597be33292f889188ece3884f8498f9bcd762d2ffb2c45fba7073d938f4244b403e6eba1a7df698c63c628285ac00cb5bb2f4a7233495baf004993af
- Filesize: 631KB
  MD5: 64be7ccaa252abfd99ecf77bc8cce4d5
  SHA1: 9a9633c3cd6b394d149982021e008da3ceb64be0
  SHA256: d9e8d0bdac5bc0b2a4958536474496fcaaf964d135cd1fe49d1e566b6640199c
  SHA512: 392782e14a78c1c157ee2935990805b13e0db39cd7629be7c880fe05c078c36a5807fb36e70320e6997399be88e85b8c51272fa51a48863bf2ea99c669e32de2
- Filesize: 557KB
  MD5: e8dd2c2b42ddc701b1e2c34cc1fe99b1
  SHA1: c3751581986d6cada60747843792d286fd671657
  SHA256: 835443a1038ad5e0a4dde2451baa95b529f049362955d57daf0b5921729a4f17
  SHA512: e179b3b4c2f24d089566630c6ee0421418fe17aa4195dc9b04f471665094ce3a4b3ed29da7b6829b7484fa3e785abd343a1cf7abc556f6f5b5403a92b16a970d
- Filesize: 189KB
  MD5: aaa920633b44d1df8480d308da98529f
  SHA1: 54ba9f7c1d9df76d182f896d1932adc0de7159d2
  SHA256: 5470f015df95f647b3064b2dfc67b6689a5e63e73812dbbf8971b7a05d798f4d
  SHA512: 0f8c82e3c0bca2fb95552ae38bf6eeaa920a426d9e08f6997ed3fbce4b5a1936bb102c23e7c52d4083700b56f971a9098856241cd70065e24d90f8c7ac16c1d2
- Filesize: 170KB
  MD5: 91449c066c505b8f9f9160942499265f
  SHA1: 262f70466bc649ebf6399aa7c662c54e5864930a
  SHA256: d4ed564cfa810708ad16ac42dc7dd3a0d94c6154d37de91a7c14ff241c518cba
  SHA512: 81e46845a1493ed95152169458913d6a1dd48c86c27e20bb8f15ed401c8e2150e06c9a07b6fd04af8e71dfc3db5a57415d43ddb44cfb746a3a6123421447599d
- Filesize: 241KB
  MD5: 5866ab1fae31526ed81bfbdf95220190
  SHA1: 75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f
  SHA256: 9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e
  SHA512: 8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5
- Filesize: 124KB
  MD5: 9996968bf823f79bb6cd767642974947
  SHA1: 51ec008918335b895fb8fecb186dec0dacdd64d8
  SHA256: 252a203815e00302d4eda7c66b0432494adfaadd555859ee89ca775dc013fe76
  SHA512: 4cc7d0ec1572d5a8a72b714018402c90028dc194ce2919295cf9b726848e80824a45c5a241f1f2d0532be1e953a184aecf2e05430361d3a2f399c37cc92bd72e
- Filesize: 279KB
  MD5: af23965c3e2673940b70f436bb45f766
  SHA1: ccc8b03ea8c568f1b333458cff3f156898fc29f7
  SHA256: e6271d738fc78602abc8916fb4742638b2b4c4205882f6db24eb361694c67503
  SHA512: f0202e3ed32b9e69785bb50551b5143fe69298dead3c9a3d539cc6c6768f70f8263f074f912d1de5decb122bc365b7645428c0d10040f6f15a41f3a5ac0a4611
- Filesize: 1.5MB
  MD5: f3d679a13d543153a37d9d95a6118ffd
  SHA1: 8064e6f869049bf3682b802b2ffeafbc60383288
  SHA256: 164e93724abba0dd0d6ef012b48eaffea77c983a7a7828f2663b1ab8c26d348f
  SHA512: 6942757c458000b27427fc2a2e607ede781382618febb1f0909a240a3d55d7af3bc3664d6363ca536469cc3f44e34bdaece3ec801c92d288e79758785eaf2c1e
- Filesize: 218KB
  MD5: d09be1f47fd6b827c81a4812b4f7296f
  SHA1: 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
  SHA256: 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
  SHA512: 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
- Filesize: 54KB
  MD5: e6e578373c2e416289a8da55f1dc5e8e
  SHA1: b601a229b66ec3d19c2369b36216c6f6eb1c063e
  SHA256: 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
  SHA512: 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
- Filesize: 113KB
  MD5: 9aec524b616618b0d3d00b27b6f51da1
  SHA1: 64264300801a353db324d11738ffed876550e1d3
  SHA256: 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
  SHA512: 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
- Filesize: 513KB
  MD5: 4d94aba641cc42da79015924439347d5
  SHA1: a96a039fc20a415db9653257cf5460420c0f66bf
  SHA256: 9074f297132f316e277a8d385ffc068f42e64a66787c0a9cab14539423599c30
  SHA512: 8ddc414e58678db4446e054d70ab2576fd482b595de527c2c4f5473a834fc7d99c763fa3f2af724eaf90fff7e94b50d4a1564f88d9b3c26e986cde7214b46a41
- Filesize: 629KB
  MD5: 9e2f4aaed00f0ef8b209b93048696b3c
  SHA1: f39aa47dcc11336c82e5d83e74a9326585759379
  SHA256: ba0647acf43607a9e730b61ed55f295b65e2243c4b477b50be3a6ce615d14eb5
  SHA512: fda9dec9d2a7e00d52198a3fb5157c66b8616480ce5c548e9a07d2b2330185bc228c87e2d03b1293b1725bee55346fdbd523f19c579d26e831faa82b0ffd0b99
- Filesize: 69KB
  MD5: 1e0d62c34ff2e649ebc5c372065732ee
  SHA1: fcfaa36ba456159b26140a43e80fbd7e9d9af2de
  SHA256: 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
  SHA512: 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
- Filesize: 2.1MB
  MD5: 7f9f202bd0665d86287e5b415834d5eb
  SHA1: 95e5bea910a63fda6461ac9c1cc23c3ff57903cd
  SHA256: 2ef4daa595ab1e09bc77bf33dfd5d7bbd8ddd80dfbec0a723cc1700420eeba47
  SHA512: 617884c3e013619560ae1fefe113ed2cf85aa85aa8c42d74a111945211af0952978eb12d81cd7efccdc88563f9687756ca8a61a335fbf6e1d5a9119663060d14
- Filesize: 1006KB
  MD5: 6ca37afd3f54c02deed1015fbd1109f3
  SHA1: 8dc3bdde0651d54731a2fedf9b4d51f0d526e183
  SHA256: 2ef9d90943e4bb5977b27a7490cb4524a86596e39575604a4f4de9707657d45d
  SHA512: 9003868a451103580e8ccbfd1f48dce30150cdb26d5559fb069e8f0bcc7725c6d37feb1099238e51db99a19b6588f577fd377068ce9da4ccd38d676da9041113
- Filesize: 40KB
  MD5: 9e66c34062bdaec3e2340db62a1a4842
  SHA1: e4bd148285b9f49e404cee70b846427607b4bc73
  SHA256: 57adad88e954c4a2a4771a6357bf7fde760d3785bc1420fac3f51c0d451f7216
  SHA512: 1ba5cb38c9d35e2c96e297e38a6281e544df1391e794bcc8c28797eedb7924e653282eb3df476f42e161bb72888d8517f8b63c3a721284cebb7ae40a7a7f379a
- Filesize: 2KB
  MD5: 26a27b8d201baac9861fd10dbdcdc435
  SHA1: 265a8d5882b9754a5dfcf06834cbdcd723579ba6
  SHA256: 5c5569c6ab04ff72a0972ce5397c19b7fa8855fd0978a3aa214c846d8c256497
  SHA512: eac02e404a7ca56fb0d06fe3716da437b3258585fdbb543b063cd8aedc889b9288b1575b87811ab07594d7a31d594abca2567a9ed71ed8b72764db3415cd4d58
- Filesize: 3KB
  MD5: 21eebdbb5577db243f0148c50585e37f
  SHA1: 313054befef453e672b3948d70d93e33c8c10a06
  SHA256: 84ea14fa0992cb5a6b549794c2ae26b81e4ff8181f350b05e6e1d1485e92979f
  SHA512: db4dd99e837e4fae19ad2604936197e215ca191d0f5362a5fcb3b01126585612be1048828bd6911e5e23df1b346597140b94b69b24b2033a5a3e8d5c11bf73b7
- Filesize: 4KB
  MD5: fd8437128c01d073ef348ede0e6ba016
  SHA1: 2d3554809738e2596ee579c8465e4aeb594cf080
  SHA256: fbb2edc539830a0f04eb7e16ea666d3767688fd585cd9d0addd7b8b22e4950ab
  SHA512: 82ae808feaf42866fedb6f04abd4fc5651f8d02e8d40129739fc5bcfa4f0e026e3727107b73d4c46ab86fcc48858049ac5a6336db91eb85582a7645ec6d7ad6b
- Filesize: 46KB
  MD5: 25c1694c4426f754cc65b2e39eece796
  SHA1: 7fe3be8e42eb7012f2e36712e703095a117395bd
  SHA256: e250a88312d6c35fd7d14ccff34fceee4c2412d4ca61cea5069c66b8feb43c95
  SHA512: 96983a5dae2081c84438cff8f1ea0fbd541f46307ac94dddd670633a2e5faa867e049d334b90734962c8833d4200abdaf364c49ed5d149bce45c56bae69f98e1
- Filesize: 7KB
  MD5: 894b159d4d9e37acd8449186876da26e
  SHA1: 6dab1fcf050cf1ba5f11f8bd6fe05ed0fe332e36
  SHA256: 8d32e11a57cb0442d4a615ca7bf987b765b50c5034a02f7ba6402f465fd35e35
  SHA512: f5197cb8794e1ca96bc79c18982dce23454dd4240e810091affd4ca199f6cf7aaf06f2197ee6e10ea3956c52df22c4b1b499b6251d3f85a5354179edd5e45df9
- Filesize: 360KB
  MD5: 1aec73e8b7ee08ab40c87ec06ecd65ea
  SHA1: e55cec873a47bb81745d61398b6bc6e152856f00
  SHA256: a9367605b4654d9296e0128f24e1ea5869c3fdf55f09e51c8f8b47eb2f0093a3
  SHA512: f9ba5ac1bca21ea255d35c75c94d7f676cd3d18cf14d9d697fca323d3ef7d590a86c2f02b46e22308585c34ce41377bb8915812f8ab8db21a0e36c2e80a0a227
- Filesize: 439B
  MD5: 67db09870ad0361cb90cfcceffe5c87c
  SHA1: 3d5071241bc942beab03782aabd90e2618fac1df
  SHA256: 455e2f47d0fbeee0f9e5b5ea7b51ce923d85fb98ba46572ccf6740814fa524a0
  SHA512: 1f0d712bf99001a38d3c7af42ca0a6ab226660b18f422963305aef35e33064ad43949eb9b516f3c3efdf8bf4b7bd5e5f8d02baebd3762f79fbdf3850ffc879cb
- Filesize: 324KB
  MD5: e10a35cf779c93b471c3afddf1a2406e
  SHA1: 386995bfa8bb835698d2feeb3cfe8af11355b9c6
  SHA256: 69fa8dd680871b41de773d793a972538feec5e4dce2bc909f7bb4210b38082fd
  SHA512: 88a8540134f6f2bc2b636af37432e12a3b01f5231bc73d7fb0e9922cf6e23d0b7e7a848eaea11a7be7102f1d74988fae166e2ad2f373b5452949f791d4d5c32d
- Filesize: 188KB
  MD5: 4e6517bd9d090ae49186e49d65fd20fe
  SHA1: 230f4749cf6ab1ddb74f598790ea7469ba52ef03
  SHA256: f97a5858ff6cc7f35cd6357ded5cb7ec732ced15214180e6396cc963e1a58ef8
  SHA512: 1cc6e972b1f926cc305d182d94733a0a9785a9425fa092933fbeff6539b36bbc55be1abc559950fda875c27f3923c279617a67c6b116558f9a6d5df6c6033488
- Filesize: 614KB
  MD5: 870d62c029205a90e2fe2f092a70fa42
  SHA1: 9db99bee700055603c42ed36c07e8567fd7ee5f4
  SHA256: bc27341fa7f3a2cbdf42e9399577ad4e22b99966a11920a74d410445e14f456f
  SHA512: 56fad2d237c7276b44fb68daff72016bd5344dfb46aad72dff08e5d96ccd5c365dbd2f16e93bd7b15067cf44d3d56957727f7a1ed2b8367d0cde6102a9de163d
- Filesize: 222KB
  MD5: f5f17a5df995320f7832e444835d8c1f
  SHA1: 635729d66fc1aeececa08ab25e7ebc82b6f06460
  SHA256: 8a8805e7ff4a2568bb941db91417c0ce678a90ca28f1fb3078d4326b4cc34d0f
  SHA512: 2f272c65d67246af7c7878a6574fbe8170b7ec0c880448d7c32d235913ba905f15669cc3949694a012697aa4d4b95afff4eea6c17a75136fa192afd9d2bdbdc5
- Filesize: 415KB
  MD5: b2d35e3a5f54f19a61237bc9cb563b22
  SHA1: 82d2460ceef4da6c6fde12b81dac654dda435c58
  SHA256: ccc7abc762c09501c0c9c12e5b7b845c5ae974a2c5704a1638f1b6d74942b7e0
  SHA512: f52249456a35206220b53557ca2aa698e38746135b86ea155bd4e957fe991f6750664c6a4d02155db3a45cf1596c49ca5a57b33a35d8dddea88c2df715e0ba60
- Filesize: 217KB
  MD5: 8842c4db98d0f9abd74c52418580b1c3
  SHA1: a296bf4079aa0ba2cc37d156bfbc64dd20838596
  SHA256: 8742bd8de2319aeef09b3ca14563f856dd2705ca9f715345b4d362b89e6ecd0c
  SHA512: 9e786e75f64a9af26c6efbc69c3a5677453d401d4db2d7c3947ceec848d5a47585aa1f190e6a66210779413d6a5a71029be70c8875d614b11396f8593a7be5d3
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82