Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 17/03/2024, 23:06
Static task: static1
Behavioral task: behavioral1
  Sample: d1f5ab6925535de239ea9f865dc00567.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: d1f5ab6925535de239ea9f865dc00567.exe
  Resource: win10v2004-20240226-en
General
Target: d1f5ab6925535de239ea9f865dc00567.exe
Size: 5.2MB
MD5: d1f5ab6925535de239ea9f865dc00567
SHA1: 183134c16067b16ce99c9a8d82ca129c612863ef
SHA256: 987a2417a285a7e885e5acdd635d3e2dfa1cf00bb98b6a39fbc17bc7c3fb4993
SHA512: c050ef1219d8c1977a1f67e36bd1232c487502a77419567f8372081e3e04064a80822b3c46e1bc931b921bbf013722660b961e4e88f6c5bd44fbf2bf872fb153
SSDEEP: 98304:xHCvLUBsgPc9Owr3MRJV1057hNd0ZkqAMUsy1X5rj8lXlWssUhndP3TsJQXtKOJe:xkLUCgPEMRJVQFgGIUNX5r4lUUhlTXti
Malware Config
Extracted: nullmixer
  http://hsiens.xyz/
Extracted: privateloader
  http://37.0.10.214/proxies.txt
  http://37.0.10.244/server.txt
  http://wfsdragon.ru/api/setStats.php
  37.0.10.237
Extracted: smokeloader
  pub5
Extracted: vidar
  40.1
  706
  https://eduarroma.tumblr.com/
  profile_id: 706
Extracted: redline
  pub1
  viacetequn.site:80
Extracted: smokeloader
  2020
  http://aucmoney.com/upload/
  http://thegymmum.com/upload/
  http://atvcampingtrips.com/upload/
  http://kuapakualaman.com/upload/
  http://renatazarazua.com/upload/
  http://nasufmutlu.com/upload/
Signatures
CryptBot payload 3 IoCs
resource  yara_rule
behavioral2/memory/860-222-0x0000000000500000-0x00000000005A3000-memory.dmp  family_cryptbot
behavioral2/memory/860-223-0x0000000000500000-0x00000000005A3000-memory.dmp  family_cryptbot
behavioral2/memory/860-224-0x0000000000500000-0x00000000005A3000-memory.dmp  family_cryptbot
Detect Fabookie payload 2 IoCs
resource  yara_rule
behavioral2/files/0x00070000000231fe-65.dat  family_fabookie
behavioral2/files/0x00070000000231fe-80.dat  family_fabookie
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
resource  yara_rule
behavioral2/memory/456-137-0x0000000004B80000-0x0000000004BA2000-memory.dmp  family_redline
behavioral2/memory/456-140-0x0000000004BD0000-0x0000000004BF0000-memory.dmp  family_redline
SectopRAT payload 2 IoCs
resource  yara_rule
behavioral2/memory/456-137-0x0000000004B80000-0x0000000004BA2000-memory.dmp  family_sectoprat
behavioral2/memory/456-140-0x0000000004BD0000-0x0000000004BF0000-memory.dmp  family_sectoprat
SmokeLoader
Modular backdoor trojan in use since 2014.
Vidar Stealer 3 IoCs
resource  yara_rule
behavioral2/memory/3124-105-0x00000000028A0000-0x000000000293D000-memory.dmp  family_vidar
behavioral2/memory/3124-123-0x0000000000400000-0x00000000023F9000-memory.dmp  family_vidar
behavioral2/memory/3124-200-0x0000000000400000-0x00000000023F9000-memory.dmp  family_vidar
resource  yara_rule
behavioral2/files/0x00090000000231f0-40.dat  aspack_v212_v242
behavioral2/files/0x00070000000231f7-47.dat  aspack_v212_v242
behavioral2/files/0x0008000000022886-45.dat  aspack_v212_v242
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation  d1f5ab6925535de239ea9f865dc00567.exe
Key value queried  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation  Mon0260d56d9853.exe
Executes dropped EXE 13 IoCs
pid  Process
624  setup_install.exe
4136  Mon02bee09ab5e7cf.exe
3052  Mon022fbe36b52bd.exe
4032  Mon0230849f536.exe
456  Mon02983a8f4b8e1dbe.exe
3124  Mon025947de558e.exe
3668  Mon02b24a3b9593.exe
4464  Mon0260d56d9853.exe
3584  Mon02c4d42768d7.exe
4836  Mon02be65150e08b99.exe
348  Mon0260d56d9853.exe
4912  Amica.exe.com
860  Amica.exe.com
Loads dropped DLL 6 IoCs
pid  Process
624  setup_install.exe
624  setup_install.exe
624  setup_install.exe
624  setup_install.exe
624  setup_install.exe
624  setup_install.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  Mon022fbe36b52bd.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow  ioc
32  iplogger.org
35  iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
17  ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 3 IoCs
pid  pid_target  Process  procid_target
4948  624  WerFault.exe  90
1700  3124  WerFault.exe  112
1460  4032  WerFault.exe  108
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Mon0230849f536.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Mon0230849f536.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Mon0230849f536.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Amica.exe.com
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  Amica.exe.com
Runs ping.exe 1 TTPs 1 IoCs
pid  Process
1804  PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
3324  powershell.exe
3324  powershell.exe
4032  Mon0230849f536.exe
4032  Mon0230849f536.exe
3324  powershell.exe
3460  Process not Found
(the last entry, 3460 / Process not Found, is repeated verbatim through the remaining IoCs)
Suspicious behavior: MapViewOfSection 1 IoCs
pid  Process
4032  Mon0230849f536.exe
Suspicious use of AdjustPrivilegeToken 44 IoCs
description  pid  Process
Token: SeDebugPrivilege  4836  Mon02be65150e08b99.exe
Token: SeDebugPrivilege  3324  powershell.exe
Token: SeDebugPrivilege  3584  Mon02c4d42768d7.exe
Token: SeDebugPrivilege  456  Mon02983a8f4b8e1dbe.exe
Token: SeShutdownPrivilege  3460  Process not Found
Token: SeCreatePagefilePrivilege  3460  Process not Found
(the two entries for pid 3460 alternate verbatim through the remaining IoCs)
Suspicious use of FindShellTrayWindow 8 IoCs
pid  Process
4912  Amica.exe.com
4912  Amica.exe.com
4912  Amica.exe.com
860  Amica.exe.com
860  Amica.exe.com
860  Amica.exe.com
860  Amica.exe.com
860  Amica.exe.com
Suspicious use of SendNotifyMessage 6 IoCs
pid  Process
4912  Amica.exe.com
4912  Amica.exe.com
4912  Amica.exe.com
860  Amica.exe.com
860  Amica.exe.com
860  Amica.exe.com
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  times listed
PID 4284 wrote to memory of 624  4284  d1f5ab6925535de239ea9f865dc00567.exe  90  3
PID 624 wrote to memory of 4748  624  setup_install.exe  94  3
PID 624 wrote to memory of 2776  624  setup_install.exe  95  3
PID 624 wrote to memory of 3600  624  setup_install.exe  96  3
PID 624 wrote to memory of 3528  624  setup_install.exe  97  3
PID 624 wrote to memory of 3588  624  setup_install.exe  98  3
PID 624 wrote to memory of 4648  624  setup_install.exe  99  3
PID 624 wrote to memory of 2084  624  setup_install.exe  100  3
PID 624 wrote to memory of 3924  624  setup_install.exe  101  3
PID 624 wrote to memory of 820  624  setup_install.exe  102  3
PID 624 wrote to memory of 2112  624  setup_install.exe  103  3
PID 2084 wrote to memory of 4136  2084  cmd.exe  104  3
PID 820 wrote to memory of 3052  820  cmd.exe  106  3
PID 4748 wrote to memory of 3324  4748  cmd.exe  107  3
PID 3600 wrote to memory of 4032  3600  cmd.exe  108  3
PID 4648 wrote to memory of 456  4648  cmd.exe  110  3
PID 3588 wrote to memory of 3124  3588  cmd.exe  112  3
PID 3528 wrote to memory of 3668  3528  cmd.exe  111  2
PID 2776 wrote to memory of 4464  2776  cmd.exe  113  3
PID 3924 wrote to memory of 3584  3924  cmd.exe  114  2
PID 2112 wrote to memory of 4836  2112  cmd.exe  115  2
PID 3052 wrote to memory of 700  3052  Mon022fbe36b52bd.exe  116  3
PID 3052 wrote to memory of 4036  3052  Mon022fbe36b52bd.exe  118  1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation and the bracketed number give the depth of each process in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\d1f5ab6925535de239ea9f865dc00567.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d1f5ab6925535de239ea9f865dc00567.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 4284

  [2] C:\Users\Admin\AppData\Local\Temp\7zSCB080617\setup_install.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zSCB080617\setup_install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 624

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        - Suspicious use of WriteProcessMemory
        PID: 4748

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3324

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Mon0260d56d9853.exe
        - Suspicious use of WriteProcessMemory
        PID: 2776

      [4] C:\Users\Admin\AppData\Local\Temp\7zSCB080617\Mon0260d56d9853.exe
          Command line: Mon0260d56d9853.exe
          - Checks computer location settings
          - Executes dropped EXE
          PID: 4464

        [5] C:\Users\Admin\AppData\Local\Temp\7zSCB080617\Mon0260d56d9853.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\7zSCB080617\Mon0260d56d9853.exe" -a
            - Executes dropped EXE
            PID: 348

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Mon0230849f536.exe
        - Suspicious use of WriteProcessMemory
        PID: 3600

      [4] C:\Users\Admin\AppData\Local\Temp\7zSCB080617\Mon0230849f536.exe
          Command line: Mon0230849f536.exe
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          PID: 4032

        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 376
            - Program crash
            PID: 1460

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Mon02b24a3b9593.exe
        - Suspicious use of WriteProcessMemory
        PID: 3528

      [4] C:\Users\Admin\AppData\Local\Temp\7zSCB080617\Mon02b24a3b9593.exe
          Command line: Mon02b24a3b9593.exe
          - Executes dropped EXE
          PID: 3668

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Mon025947de558e.exe
        - Suspicious use of WriteProcessMemory
        PID: 3588

      [4] C:\Users\Admin\AppData\Local\Temp\7zSCB080617\Mon025947de558e.exe
          Command line: Mon025947de558e.exe
          - Executes dropped EXE
          PID: 3124

        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1020
            - Program crash
            PID: 1700

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Mon02983a8f4b8e1dbe.exe
        - Suspicious use of WriteProcessMemory
        PID: 4648

      [4] C:\Users\Admin\AppData\Local\Temp\7zSCB080617\Mon02983a8f4b8e1dbe.exe
          Command line: Mon02983a8f4b8e1dbe.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 456

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Mon02bee09ab5e7cf.exe
        - Suspicious use of WriteProcessMemory
        PID: 2084

      [4] C:\Users\Admin\AppData\Local\Temp\7zSCB080617\Mon02bee09ab5e7cf.exe
          Command line: Mon02bee09ab5e7cf.exe
          - Executes dropped EXE
          PID: 4136

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Mon02c4d42768d7.exe
        - Suspicious use of WriteProcessMemory
        PID: 3924

      [4] C:\Users\Admin\AppData\Local\Temp\7zSCB080617\Mon02c4d42768d7.exe
          Command line: Mon02c4d42768d7.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 3584

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Mon022fbe36b52bd.exe
        - Suspicious use of WriteProcessMemory
        PID: 820

      [4] C:\Users\Admin\AppData\Local\Temp\7zSCB080617\Mon022fbe36b52bd.exe
          Command line: Mon022fbe36b52bd.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 3052

        [5] C:\Windows\SysWOW64\dllhost.exe
            Command line: dllhost.exe
            PID: 700

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c cmd < Sfaldavano.xls
            PID: 4036

          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: cmd
              PID: 848

            [7] C:\Windows\SysWOW64\findstr.exe
                Command line: findstr /V /R "^fARmmICHAETEVIAiewsqLILJhRoBwBFrurUNyycHHdHtUkLfezrMoLJHPojHmwGYYPnRONeXFJaxqGOwySnHnTVxzjYWSOiGKIutNTBfsuin$" Serravano.xls
                PID: 3420

            [7] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
                Command line: Amica.exe.com Y
                - Executes dropped EXE
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                PID: 4912

              [8] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
                  - Executes dropped EXE
                  - Checks processor information in registry
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SendNotifyMessage
                  PID: 860

            [7] C:\Windows\SysWOW64\PING.EXE
                Command line: ping QMWIRSIY -n 30
                - Runs ping.exe
                PID: 1804

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Mon02be65150e08b99.exe
        - Suspicious use of WriteProcessMemory
        PID: 2112

      [4] C:\Users\Admin\AppData\Local\Temp\7zSCB080617\Mon02be65150e08b99.exe
          Command line: Mon02be65150e08b99.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 4836

    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 476
        - Program crash
        PID: 4948

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 624 -ip 624
    PID: 3768

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3124 -ip 3124
    PID: 2768

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4032 -ip 4032
    PID: 4964
Network
MITRE ATT&CK Enterprise v15
Downloads