Analysis
Max time kernel: 119s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20240508-en
Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
Submitted: 10/06/2024, 23:22
Static task
static1

Behavioral task behavioral1
Sample: 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe
Resource: win7-20240508-en

Behavioral task behavioral2
Sample: 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe
Resource: win10v2004-20240426-en

Every signature, IoC and process listed on this page is prefixed behavioral1, i.e. it comes from the Windows 7 x64 run; no results from the Windows 10 task (behavioral2) are shown here.
General
Target: 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe
Size: 7.2MB
MD5: 68039ea285456b07636828f963515e22
SHA1: d0a086a3dc0cdf1eb05219f909a4cd234c57dfd5
SHA256: 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a
SHA512: 184fdae7214d880573519be8b8b0a0aa84de5714093fb036757f994a98163e432eaed1ccf7797fda25c446fc168c37b6d756cc1ec374669e3721c645aeb0188a
SSDEEP: 98304:47O82rQfXHndMdQIvJ0Cd/C5jKRbAlAQAzNwpUJx4O875RjfxIrfvoYJMZx68owi:4CQP6QUJ0s/CWAOpWi6RrxYvD+68owi
Malware Config
Signatures
In the entries below, "the sample" is 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe, PID 2556 in behavioral1.

UPX dump on OEP (original entry point) - 27 IoCs
yara rule UPX matched 27 memory dumps of PID 2556, all covering the same region 0x0000000010000000-0x000000001003E000: behavioral1/memory/2556-N-0x0000000010000000-0x000000001003E000-memory.dmp for N in 1, 3, 4, 5, 6, 7, 9, 11, 13, 15, 17, 19, 21, 23, 25, 27, 29, 31, 33, 35, 37, 39, 41, 43, 45, 48 and 116.
0x10000000 is the default image base Microsoft's linker assigns to DLLs, so these dumps are most consistent with the dropped DLL (see "Loads dropped DLL") being unpacked inside the sample's process, rather than with the 7.2MB main executable itself.

Executes dropped EXE - 1 IoC
PID 2596  xl.exe

Loads dropped DLL - 1 IoC
PID 2556  the sample

yara rule upx (second UPX signature; its heading did not survive extraction)
Matched the same 27 behavioral1 memory dumps of PID 2556 in region 0x0000000010000000-0x000000001003E000 that are listed under "UPX dump on OEP".
Drops desktop.ini file(s) - 2 IoCs
File created: F:\CNGHO\desktop.ini  (the sample)
File opened for modification: F:\CNGHO\desktop.ini  (the sample)
desktop.ini controls how Explorer displays the folder that contains it. Here it is written into a new directory on a non-system drive (F:), which, taken together with the drive enumeration below, is worth checking against removable-media spreading.
Enumerates connected drives - 3 TTPs, 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by the sample: \??\A:, \??\B:, \??\D:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C:).
Writes to the Master Boot Record (MBR) - 1 TTP, 1 IoC
Bootkits write to the MBR to gain persistence at a level below the operating system.
File opened for modification: \??\PhysicalDrive0  (the sample)
The recorded evidence is a handle to the raw disk opened with write access, not a captured write to sector 0. Opening PhysicalDrive0 for writing also requires administrative rights, which the sandbox's Admin account supplies. Before treating this as a bootkit, confirm that sector 0 actually changed by comparing it against a known-good image of the same disk.
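The check referred to above, as an added example that is not part of the Triage report: parse a 512-byte MBR into its boot code, disk signature, partition table and 0x55AA boot signature, then compare the boot code against a baseline hash taken from a known-good image. The sample sector and the baseline here are constructed for the demonstration; read_mbr() shows how the real sector would be obtained on the analysed host (Windows, Administrator required) but is not called.

```python
"""Parse and baseline-check a 512-byte MBR.

Added example for this report, not Triage's code. The report only shows the
sample opening PhysicalDrive0 for modification; this is the follow-up check
that tells a responder whether sector 0 actually changed. The sector bytes and
the baseline hash below are constructed for the demonstration.
"""
import hashlib
import struct

SECTOR_SIZE = 512
DISK_SIG_OFF = 0x1B8
PART_TABLE_OFF = 0x1BE
BOOT_SIG = b"\x55\xAA"
PART_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def make_sample_mbr(boot_code_fill=0x90):
    """Constructed MBR: NOP-filled boot code and one bootable NTFS partition."""
    boot_code = bytes([boot_code_fill]) * 440
    disk_signature = struct.pack("<I", 0xDEADBEEF)
    reserved = b"\x00\x00"
    part1 = struct.pack(PART_FMT, 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    table = part1 + b"\x00" * 48            # three empty slots
    return boot_code + disk_signature + reserved + table + BOOT_SIG


def parse_mbr(sector):
    """Split a raw sector into boot code hash, disk signature, partitions and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and lba == 0 and count == 0:
            continue                        # empty slot
        partitions.append({"index": i, "status": status, "type": ptype,
                           "lba_start": lba, "sectors": count,
                           "bootable": status == 0x80,
                           "status_valid": status in (0x00, 0x80)})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "signature_ok": sector[0x1FE:] == BOOT_SIG,
    }


def check_mbr(sector, baseline_boot_code_sha256):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    for p in info["partitions"]:
        if not p["status_valid"]:
            findings.append(f"partition {p['index']} has invalid status byte 0x{p['status']:02X}")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no bootable partition")
    return findings


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw disk (Windows, needs Administrator; not run in this demo)."""
    with open(device, "rb", buffering=0) as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    good = make_sample_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]   # in practice: hash from a gold image
    tampered = bytearray(good)
    tampered[0:2] = b"\xEB\xFE"                       # hypothetical patched jump in the boot code
    print(check_mbr(good, baseline))                  # []
    print(check_mbr(bytes(tampered), baseline))       # ['boot code differs from baseline']
```

The baseline hash should come from the same disk before detonation (or from the gold image the sandbox was built from); hashing only the 440 boot-code bytes keeps the disk signature and partition table, which legitimately differ between machines, out of the comparison, while the partition checks catch the cruder tampering that corrupts the table.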
Enumerates physical storage devices - 1 TTP
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (heading lost in extraction; the signature is listed for PID 2556 in the process tree below)
Key created: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main  (the sample)
Key created: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  (the sample)
Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  (the sample)
This key and value are commonly written when a process initialises the Internet Explorer browser control while the Windows Search service is not running; on its own it is a weak indicator.
Suspicious use of AdjustPrivilegeToken - 64 IoCs
Both WMIC.exe instances enabled the same privilege set in their tokens: PID 2136 (WMIC.exe) twice in full, PID 480 (WMIC.exe) once in full plus a second pass that the 64-IoC cap cuts off after SeLoadDriverPrivilege. The set, in the order recorded:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (privilege LUIDs shown by number on the page: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege).
wmic.exe enables every privilege present in its token when it starts, and the same list appears for any WMIC invocation, so this signature reflects the use of WMIC rather than a privilege escalation by the sample. The relevant question is which queries WMIC was asked to run (see Processes).
Suspicious use of SetWindowsHookEx - 7 IoCs
PID 2556 (the sample), 7 calls.
Suspicious use of WriteProcessMemory - 55 IoCs
Writer -> target (number of writes, procid_target):
PID 2556 the sample -> PID 2596 xl.exe (7, procid_target 29)
PID 2556 the sample -> PID 2192 cmd.exe (4, procid_target 30)
PID 2192 cmd.exe -> PID 2136 WMIC.exe (4, procid_target 32)
PID 2556 the sample -> PID 788 cmd.exe (4, procid_target 34)
PID 788 cmd.exe -> PID 480 WMIC.exe (4, procid_target 36)
PID 2556 the sample -> PID 1420 cmd.exe (4, procid_target 37)
PID 1420 cmd.exe -> PID 1516 WMIC.exe (4, procid_target 39)
PID 2556 the sample -> PID 2324 cmd.exe (4, procid_target 40)
PID 2324 cmd.exe -> PID 2120 WMIC.exe (4, procid_target 42)
PID 2556 the sample -> PID 864 cmd.exe (4, procid_target 43)
PID 864 cmd.exe -> PID 1948 WMIC.exe (4, procid_target 45)
PID 2556 the sample -> PID 2456 cmd.exe (4, procid_target 46)
PID 2456 cmd.exe -> PID 2416 WMIC.exe (4, procid_target 48)
Every target is a process its writer had just spawned (compare the process tree under Processes), which is the pattern process creation itself produces; none of the 55 writes goes into a pre-existing, unrelated process. On its own this signature therefore does not indicate code injection.
Processes

C:\Users\Admin\AppData\Local\Temp\717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe"
  PID: 2556
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\xl.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\xl.exe
      PID: 2596
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c wmic BASEBOARD get Manufacturer/value
      PID: 2192
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic BASEBOARD get Manufacturer/value
          PID: 2136
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c wmic BASEBOARD get product/value
      PID: 788
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic BASEBOARD get product/value
          PID: 480
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c wmic cpu get name/value
      PID: 1420
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic cpu get name/value
          PID: 1516

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value
      PID: 2324
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic Path Win32_DisplayConfiguration get DeviceName/value
          PID: 2120

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c wmic Path Win32_DisplayConfiguration get DriverVersion/value
      PID: 864
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic Path Win32_DisplayConfiguration get DriverVersion/value
          PID: 1948

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c wmic SOUNDDEV get Name/value
      PID: 2456
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic SOUNDDEV get Name/value
          PID: 2416

Taken together, the six WMIC queries (baseboard manufacturer and product, CPU name, display adapter name and driver version, sound device name) collect the hardware profile that is commonly used to detect virtual machines and sandboxes, for example a baseboard manufacturer naming a hypervisor vendor or a missing sound device, or to fingerprint the victim host. Each query is launched through its own cmd.exe /c, which is why cmd.exe appears six times under PID 2556. The SysWOW64 paths show that the sample is a 32-bit executable running on the 64-bit Windows 7 image (resource tags arch:x86 and arch:x64).
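As an added example that is not part of the Triage report, the Python below rebuilds the tree above from constructed process-creation events and applies two checks a practitioner would want on this report: it classifies the 55 "Suspicious use of WriteProcessMemory" events by whether the target is a process the writer itself spawned (all of them here) or an unrelated process (one constructed extra event targeting a hypothetical PID 1234 shows the contrast), and it collects the distinct WMI hardware classes queried under PID 2556 to flag the hardware-fingerprinting pattern. The alias table lists real WMIC aliases; PID 1234, its image and the threshold of three classes are assumptions for the demonstration.

```python
"""Rebuild the report's process tree and re-check two heuristic signatures.

Added example for this report, not Triage's code. Events are constructed from the
Processes and 'Suspicious use of WriteProcessMemory' sections; PID 1234 is a
hypothetical bystander process the report does not list.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
WMIC = r"C:\Windows\SysWOW64\Wbem\WMIC.exe"

# Process-creation events: (pid, parent_pid, image, command_line); None = parent not in the report
PROCESS_EVENTS = [
    (1234, None, r"C:\Windows\System32\notepad.exe", "notepad.exe"),   # hypothetical bystander
    (2556, None, SAMPLE, f'"{SAMPLE}"'),
    (2596, 2556, r"C:\Users\Admin\AppData\Local\Temp\xl.exe", r"C:\Users\Admin\AppData\Local\Temp\xl.exe"),
    (2192, 2556, CMD, "cmd.exe /c wmic BASEBOARD get Manufacturer/value"),
    (2136, 2192, WMIC, "wmic BASEBOARD get Manufacturer/value"),
    (788, 2556, CMD, "cmd.exe /c wmic BASEBOARD get product/value"),
    (480, 788, WMIC, "wmic BASEBOARD get product/value"),
    (1420, 2556, CMD, "cmd.exe /c wmic cpu get name/value"),
    (1516, 1420, WMIC, "wmic cpu get name/value"),
    (2324, 2556, CMD, "cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value"),
    (2120, 2324, WMIC, "wmic Path Win32_DisplayConfiguration get DeviceName/value"),
    (864, 2556, CMD, "cmd.exe /c wmic Path Win32_DisplayConfiguration get DriverVersion/value"),
    (1948, 864, WMIC, "wmic Path Win32_DisplayConfiguration get DriverVersion/value"),
    (2456, 2556, CMD, "cmd.exe /c wmic SOUNDDEV get Name/value"),
    (2416, 2456, WMIC, "wmic SOUNDDEV get Name/value"),
]

# WriteProcessMemory tallies from the report: (writer_pid, target_pid, count).
# The last entry is constructed: a write into a process the sample did not spawn.
WRITE_EVENTS = [
    (2556, 2596, 7), (2556, 2192, 4), (2192, 2136, 4), (2556, 788, 4), (788, 480, 4),
    (2556, 1420, 4), (1420, 1516, 4), (2556, 2324, 4), (2324, 2120, 4),
    (2556, 864, 4), (864, 1948, 4), (2556, 2456, 4), (2456, 2416, 4), (2556, 1234, 1),
]

# Real WMIC aliases for hardware classes; "wmic Path <class>" names the class directly.
HARDWARE_ALIASES = {"baseboard": "Win32_BaseBoard", "cpu": "Win32_Processor",
                    "sounddev": "Win32_SoundDevice", "bios": "Win32_BIOS"}
HARDWARE_CLASSES = {c.lower() for c in HARDWARE_ALIASES.values()} | {"win32_displayconfiguration"}
WMIC_RE = re.compile(r"\bwmic(?:\.exe)?\s+(.*)", re.IGNORECASE)


def build_tree(events):
    """{pid: parent_pid} from process-creation events."""
    return {pid: ppid for pid, ppid, _, _ in events}

def is_descendant(tree, ancestor, pid):
    """True if `pid` sits below `ancestor` at any depth (cycle-safe)."""
    seen = set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        pid = tree.get(pid)
        if pid == ancestor:
            return True
    return False

def classify_writes(tree, writes):
    """Writes into the writer's own descendants come from process creation itself;
    writes into unrelated processes are the injection pattern."""
    own, foreign = 0, []
    for writer, target, count in writes:
        if is_descendant(tree, writer, target):
            own += count
        else:
            foreign.append((writer, target, count))
    return {"own_descendant": own, "foreign": foreign}

def wmic_class(command_line):
    """WMI class named by a wmic command line, or None if it is not a wmic call."""
    m = WMIC_RE.search(command_line)
    tokens = m.group(1).split() if m else []
    if not tokens:
        return None
    if tokens[0].lower() == "path" and len(tokens) > 1:
        return tokens[1]
    return HARDWARE_ALIASES.get(tokens[0].lower(), tokens[0])

def hardware_queries(tree, events, root):
    """Distinct hardware-inventory classes queried by `root` or its descendants."""
    classes = set()
    for pid, _, _, cmdline in events:
        if pid == root or is_descendant(tree, root, pid):
            cls = wmic_class(cmdline)
            if cls and cls.lower() in HARDWARE_CLASSES:
                classes.add(cls)
    return classes

def fingerprinting_suspected(classes, threshold=3):
    """Several distinct hardware queries from one tree is the VM/sandbox-detection profile."""
    return len(classes) >= threshold


if __name__ == "__main__":
    tree = build_tree(PROCESS_EVENTS)
    print(classify_writes(tree, WRITE_EVENTS))
    print(sorted(hardware_queries(tree, PROCESS_EVENTS, 2556)))
```

Run against the report's events, all 55 writes fall into the own-descendant bucket and the only foreign write is the constructed one, while four distinct hardware classes (Win32_BaseBoard, Win32_Processor, Win32_DisplayConfiguration, Win32_SoundDevice) are queried under PID 2556. Feeding real Sysmon event ID 1 (process create) and ID 10-style write events into the same two functions gives a detection that does not fire on ordinary cmd.exe spawning but does fire on the fingerprinting burst.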
Network
MITRE ATT&CK Enterprise v15
Downloads
Three files captured during the run (filenames not present on the page):

File 1
Filesize: 427B
MD5: d4f2205ab045a47877764f78840ab40c
SHA1: cb8b63d9c7f68026088517e98f6ca04cfecaba0f
SHA256: 6e70857d2726ad583f9fe6373532fa27235a4736aaa2a8ee890c996d83f5b65f
SHA512: 358d80377a3b58beedde8c4c3ef0918cd24ee5eab39df310e4621eefdde79c6c49a5da5e699a06c5f22b157f85d163bccdf79748ac67e3a2c56c6a36c7b717f1

File 2
Filesize: 82B
MD5: 313e9dea853ec6718438256b524b665d
SHA1: 0ee11aa0b0f829a2eae8d33268caaff945ced5cb
SHA256: 34c613693709fc4deb729d77b0a21d64a8db00c2d889fa55bb3bcdb975c67e47
SHA512: b2a85fdeaeed438643558d744fc8e600937de4cfd6342d21b154facb1b175ad99dab67a03cbb86aafabccfd4ce9b724da550d65dedbab706acc8776e63868fa1

File 3
Filesize: 2.2MB
MD5: a1e1b658a9dc29cc30d0371e9fa94e12
SHA1: a56a24fe5245643af3ec9a12875d59dd44e6d5fa
SHA256: 7c7b24362e3529bbaa540b9885bd4922ccfa85951054af5aa610f6cbe415bb45
SHA512: f38f47608deb58fcba0f5639632651df76983e169cf752c8b03313cb46bdacb4d9d5285580ac3244c6a4584da69e2bb61c8897de82aa60026bc21d92bf60b807