Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
127s -
max time network
131s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
11/08/2024, 18:31
General
-
Target
https://mega.nz/file/vQUXlA5J#mmqQmVaKos-P9JBm1gXg1NHjHTsXSpXLY3rmzF2FQig
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 5 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 23 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 11 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/vQUXlA5J#mmqQmVaKos-P9JBm1gXg1NHjHTsXSpXLY3rmzF2FQig1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd30309758,0x7ffd30309768,0x7ffd303097782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1876,i,3009828456552934828,2173660188715675497,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1852 --field-trial-handle=1876,i,3009828456552934828,2173660188715675497,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1876,i,3009828456552934828,2173660188715675497,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2896 --field-trial-handle=1876,i,3009828456552934828,2173660188715675497,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2904 --field-trial-handle=1876,i,3009828456552934828,2173660188715675497,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1876,i,3009828456552934828,2173660188715675497,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1876,i,3009828456552934828,2173660188715675497,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3392 --field-trial-handle=1876,i,3009828456552934828,2173660188715675497,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 --field-trial-handle=1876,i,3009828456552934828,2173660188715675497,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 --field-trial-handle=1876,i,3009828456552934828,2173660188715675497,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 --field-trial-handle=1876,i,3009828456552934828,2173660188715675497,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3692 --field-trial-handle=1876,i,3009828456552934828,2173660188715675497,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x39c1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_nl-crack.zip\nl-crack.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_nl-crack.zip\nl-crack.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeProviderhost\HxQ7RwUKkFlmM5rbtinYNz5ZRiGR.vbe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\bridgeProviderhost\C86qfLSjHmERUi1w5MRde1DZU9aPwIK9r2L8nfM2UAUxLa.bat" "3⤵
- System Location Discovery: System Language Discovery
-
C:\bridgeProviderhost\Providerserverperfsvc.exe"C:\bridgeProviderhost/Providerserverperfsvc.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\agko5e2g\agko5e2g.cmdline"5⤵
- Drops file in System32 directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EEB.tmp" "c:\Windows\System32\CSCD4B54669FA144CBD804395325097CDE.TMP"6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DMgsXc3D0V.bat"5⤵
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Windows\ImmersiveControlPanel\Idle.exe"C:\Windows\ImmersiveControlPanel\Idle.exe"6⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_nl-crack.zip\nl-crack.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_nl-crack.zip\nl-crack.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeProviderhost\HxQ7RwUKkFlmM5rbtinYNz5ZRiGR.vbe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\bridgeProviderhost\C86qfLSjHmERUi1w5MRde1DZU9aPwIK9r2L8nfM2UAUxLa.bat" "3⤵
- System Location Discovery: System Language Discovery
-
C:\bridgeProviderhost\Providerserverperfsvc.exe"C:\bridgeProviderhost/Providerserverperfsvc.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\Downloads\nl-crack\nl-crack.exe"C:\Users\Admin\Downloads\nl-crack\nl-crack.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeProviderhost\HxQ7RwUKkFlmM5rbtinYNz5ZRiGR.vbe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\bridgeProviderhost\C86qfLSjHmERUi1w5MRde1DZU9aPwIK9r2L8nfM2UAUxLa.bat" "3⤵
- System Location Discovery: System Language Discovery
-
C:\bridgeProviderhost\Providerserverperfsvc.exe"C:\bridgeProviderhost/Providerserverperfsvc.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\ImmersiveControlPanel\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\ImmersiveControlPanel\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\SearchUI.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\SearchUI.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\SearchUI.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ProviderserverperfsvcP" /sc MINUTE /mo 12 /tr "'C:\bridgeProviderhost\Providerserverperfsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Providerserverperfsvc" /sc ONLOGON /tr "'C:\bridgeProviderhost\Providerserverperfsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ProviderserverperfsvcP" /sc MINUTE /mo 13 /tr "'C:\bridgeProviderhost\Providerserverperfsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\Downloads\nl-crack\nl-crack.exe"C:\Users\Admin\Downloads\nl-crack\nl-crack.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeProviderhost\HxQ7RwUKkFlmM5rbtinYNz5ZRiGR.vbe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\bridgeProviderhost\C86qfLSjHmERUi1w5MRde1DZU9aPwIK9r2L8nfM2UAUxLa.bat" "3⤵
- System Location Discovery: System Language Discovery
-
C:\bridgeProviderhost\Providerserverperfsvc.exe"C:\bridgeProviderhost/Providerserverperfsvc.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\Downloads\nl-crack\nl-crack.exe"C:\Users\Admin\Downloads\nl-crack\nl-crack.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeProviderhost\HxQ7RwUKkFlmM5rbtinYNz5ZRiGR.vbe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\bridgeProviderhost\C86qfLSjHmERUi1w5MRde1DZU9aPwIK9r2L8nfM2UAUxLa.bat" "3⤵
- System Location Discovery: System Language Discovery
-
C:\bridgeProviderhost\Providerserverperfsvc.exe"C:\bridgeProviderhost/Providerserverperfsvc.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
-
C:\Users\Admin\Downloads\nl-crack\nl-crack.exe"C:\Users\Admin\Downloads\nl-crack\nl-crack.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeProviderhost\HxQ7RwUKkFlmM5rbtinYNz5ZRiGR.vbe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\nl-crack\nl-crack.exe"C:\Users\Admin\Downloads\nl-crack\nl-crack.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeProviderhost\HxQ7RwUKkFlmM5rbtinYNz5ZRiGR.vbe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\nl-crack\nl-crack.exe"C:\Users\Admin\Downloads\nl-crack\nl-crack.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeProviderhost\HxQ7RwUKkFlmM5rbtinYNz5ZRiGR.vbe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\nl-crack\nl-crack.exe"C:\Users\Admin\Downloads\nl-crack\nl-crack.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeProviderhost\HxQ7RwUKkFlmM5rbtinYNz5ZRiGR.vbe"2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72B
MD5d63edef2f929e007f5049f0d605c578d
SHA1eb45b0786ed8c6f483b87d93e83c2266ba918642
SHA256bb2ae2a86c38b23e939c37a58287c697f390399e7059349e87bdfb934662a1ad
SHA5123329b2e88fc7006ef6ea440e2af364120d1bfc04e0ed776f83a154b535395ea2a81ef0dc8d31f151589e2c396ce9d13584d83f87ee2e10101804a9272faa7a56
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
20KB
MD544b6eb2aee378e190e23de2720c66436
SHA14360995dd8cedf3af6a7245b2e4a457c78bf041c
SHA2563d756f73f723a9ea191b2e7a7789a28ca4c539fb2f78bd77c24789783f041b3e
SHA512f149e3b25aae58c531254c7854c185394562ba5a1e85ff95963f924ab289bc09071ac6fe81b100bf1bb126a81ac02c1450f4de4e95d2bd745e8c8c9942469e44
-
Filesize
963B
MD59d5ef8ea2d4e73282e75865c7b27cae8
SHA13c90c17e33082b0f53277b829fa41ff16c79fb7c
SHA2561d19184dc59e2092920387b20a5bb4a7d5660204f4c89264f83040334a967ada
SHA5128f52f2d95051d2ddf60a32d4399a110006e50a16e6cdc7c73e75f4e5c2df36e642aadbd85e6777a388c5ba4a7a010a348f27554bad5976292321545245556b29
-
Filesize
538B
MD5ea98e143d55118f3ee2ebb6510242d61
SHA1d970dacbefc9d63c94a87e9b50dbf846e3cb6418
SHA256c92efc9118c5519275022934ef31ffc3c9a3a0561d8b1e1de7036a51a8272c57
SHA512a850669e35bcdc2c0d66cfc0322ec5540282e04ab9a89cba9fc859889cb2038cbb6631db5576fa5ed0d3f8a47d0dac2c5d23430429e2a8d0b0f706a56f95a586
-
Filesize
6KB
MD58f8942f3a4f90cdafdc66de25e79b4bf
SHA124985c2b63900e07b687e791f15c8c1fc00bd334
SHA256b9874517776a605f334a21b2a00e0e8d6dfd00eb5cea70a0b9acc60d8bdea089
SHA5127299623e4b8b8de8a303c0001efdbffb0ae1aed02073800375175c07560c9c025729383ff246220f814b33f0f77c9fd0fbc670b5ca14eb4d0b80393910a894aa
-
Filesize
72B
MD507fb1b5f1fb9044182c8065a48c51b69
SHA193a65dee5f3e128a054f2d2f704c1dabf866eb48
SHA256b7b1a4d86153d2d00e73e5aed21169a9ed016b4cf338a64aaaa7fbaad1cad937
SHA512ccbc8f940a0a7250906bff580b2a471e21ae864e940a78cb0fe9a74be6271471c40a48fbd2d39cfdc50aa8ae43344fe9e62d83f2b4a6dcf32be08d15b7749022
-
Filesize
48B
MD5154926f1f37fc6023c391419c83cba76
SHA1a6325ac51c00467e93554bd7c0d422d18a4ff09d
SHA25692ff33cd093bfd6e86d8ca7e41e291e1b44d0c185e9d930c06b40b12b788f8e2
SHA51221f73b9532f28e106642dd03b825742df14133a1bf9438c0c06998eef76fb117e1e03190e71c223b112ccb64fcdba2ec6b0e3d6c7ba72cab947ed1163745e2c1
-
Filesize
138KB
MD5ff26061b0f7adc6c632c0a4028dca2e9
SHA1734761125d12ccf38ec8f01dac253b4f969295fd
SHA256124a06fd9039e0cb2bc114b60b4ca5398ca56afdefcd838b4451733261c26ddb
SHA512f34205e00f282f9e821cdef06c30c44d7340325c04a7dda3e57af0f1d343993f25edf6be4836daa8d05b358ad5f39f3cf85d1d1445e18cf15b1b8e3ce712b0de
-
Filesize
138KB
MD503c5edd518d03f6462934b27900c1436
SHA1b7df0bad4c4ae1db8525dd51e923e35ff66d191f
SHA2563ea544e92f4a2413117a43b71744be492574a6a69dcd96eb77e2cfa2b314ebd3
SHA5128b84f39b600a4f669c71eda95f3857784c31468dfcb9516823c4f5e9f1994bc47304119ad725a074daa4db50dc8e05dc9276329da12b02dc885972c86a379423
-
Filesize
137KB
MD52a31e0e6a58c77554107aa90c7a08667
SHA19b5ccbe6797ccce08228334e6a729082597c1a13
SHA256a207102a191f1d89d8a11ae3fc769895583d8a5e36727be6020edea15ffa1201
SHA512e63c8945ddbd363f2fcc7aede5c985a4fe3c138c196f01f5316fd101b67f09afeb36d6ced84b521a5962425488e3080bcaa3b9631863304a670352e08ef0fc06
-
Filesize
194KB
MD5d840ce1ec464ecd0ac72fc56fe30f4af
SHA135d6a0f1cc671f373f0417bd4bebe0d589e822d6
SHA2563ef3533a8d57605f5ba4002b9d392b53c4378170a9392f8e7131af748e52130a
SHA51202818c7a944d609631964791d5510360c5987c59e077f2030c33512dbe5ba1a663c295cf0721f2abad2e06ec14a1b302ea8193e66b7b6a6d61854d1b98c0c782
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
1KB
MD5612d41711ef02ae317c8010cbeacdb2e
SHA112fd5ebd424b188cf7c2bef7cd1a5b53c88247f9
SHA2568d4ebe479ecf776281aee719a167b4e8d18aebff60b4c2d48a3597aa023abdf3
SHA5124f67b01e0a9c6832f950ccc5f3e142be1c0497e00c958b3a4438ae0a8307ec09c18ee4f5075193739c3fc2ea0ce95ea4c39e286fa5b003a97147954fc4383ae8
-
Filesize
217B
MD5dfa2c701167693cc30de555a6cd08019
SHA147b470e645a635857d884dd81da28325ef36b420
SHA2569e5661f54957cf11f1088b5c58b3df9baf4353a26f6ad5118cd19296f1282630
SHA512379507a4bfc589cbc87bbc9a26d430d3c3351348fb37ad9d9ab01927813f8992c5a139c3ab2fa34231f18fb2a272a15ca3d8eaa5b002f49d1ba60b7744784a22
-
Filesize
1KB
MD5d7f7a03367a89d3b742f2529a0961b49
SHA10475614c6af77165ffeb01c0e5a39ed0f6842368
SHA25680a9cb29228431d95c8d597086a07d00fa5c68a07f32f00f0219969c5b9d8fe8
SHA5129a5097614e9fe7eda670b07c9da3b13f802fe73de3086662fedec14672435c5d7301020e7dc0c79db41bcc1b6e3ff7ece40453dab5514931f9e0d2165d1cb0ed
-
Filesize
1.6MB
MD59a7f9d89f1e5c9f67c3cdcce42fa6004
SHA10a17535eb717c01decb847826d98a204553cc6cf
SHA256d82b859ba1e2c3de59ec78c32617816f8b71a5579bc185cbe5752f1915d5f968
SHA5127c405ba36cc0dd9884f84f97c41d06440e64203ce3af64f8066f52ecccd5ffc6080cf542a4c7e16e5af4802e140629d3b8abe7b9c25bed1a76ce1122e207dade
-
Filesize
96B
MD5b84c322723e90402b7f13205e133be7c
SHA1720b9bda9fdfb412dd22e3c6233fdfbf76dae16d
SHA256d52c06ce005b07d34ff0b1db20965d94a0c93f61aa96f57545b19071975226d4
SHA512f28037777137f84ad4e8cef8dac0571107ec5a8f638af5070ad9fd81c7e517bd16666cdfb348749c6fa76bd79af1e79bb02750f6d3bfd7c13727e3cf1cb960d6
-
Filesize
243B
MD5935673cc250e3ba8e93645f20306709a
SHA1a1c720939da19f9f27cced06ad4be39d67135928
SHA256a1e86b56b0590f52e1e7a7b49ec27130475d153470753e60fb8cbf1978b6dfe4
SHA51245b10bd2b1ceac082e2b5c73bfc8cf237874a06610a1fda721a4e909233b4038ea981505977369282ee9245f247b28a9510e66e2a85a31b3935c4b8c65fcbaac
-
Filesize
1.8MB
MD5b4e83b47cbe5799e5176f0c234db2da0
SHA1423d25898dbc6e60154119b21c6ab5a90a24f71f
SHA256d5b1e85a7441544b5c8454969e5b892954aa64088eae96778bf28756d270f234
SHA5126d01015a44acd7de9c0f637a82eba9808b41a65790b42f8ae2ed45ed54b2dec0f9c25cccbe962902b6050a97834048520c36d7f712e5cac0a80a379ba5c5ecfc
-
Filesize
4KB
MD5af5dfe76f6e368379cd75d7a76842b1a
SHA19134720d6285ddc7fc937f604732ee9b1577cdaf
SHA256fa183c0fb68377ae125e26bf2c7c60a30d147e7c3579f61446e5bb772d6deed0
SHA512357d52ccc7b520fd083784c27cc3a01b52160fb1057dd5c8a62373c2545e16523ea17e3e7182970de063d4c557db2a11e2a5ef9042aae976f925d507a7237f2c
-
Filesize
366B
MD58f57d21c46e77737df18c4bda6fdc53b
SHA175e7e240617e60779e56272ee2b155fe24d93fbf
SHA256aececcfa6c4f45068138f3f5e67c72a1a228dbb03a08026a78e1614ceb05cf96
SHA51241c185a2b98022f62630ab5980dc15b632199367477c88d1620a32a65305e6e124a1bf5a81deebe46238e5ce2ba153a5a3440079f0710db47ead8fdd25b546bf
-
Filesize
235B
MD597d312d17be46078f090d842aeebe596
SHA152e5ded315ee8f541f3b97ece65820d7c5a616b3
SHA256642947ae658dcb405840d3f6f3696ffd8e1d53f952cff79e687ce65021b9209c
SHA5121a8be194177d6b010ce30fa9b67264bc7faf1a83caaf72f984c1f356dcb9ac71bdba4250dfab7f9fa47b2491f64e2f982fbc8e7336ac9d1acc0c0840d6d86052
-
Filesize
1KB
MD535d2029ed56d02bdd5f6f26e72234b06
SHA1e3fcc132b8af4e099a5e614d8736689d87e1b83a
SHA256e0ffde280f68e8f5f0059b987cf1e49557fc03f02e901fc3d1596e0f7f5d8881
SHA512e3044d3870dec2c132d936394b255eabe771c568abf1dd344530f48233d3f8b0266d2fcdbfc2dd88941c94c1d761a39227dff41673fe2b1d1aa371ace8a7a0df
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
1.9MB
-
Filesize
320KB
-
Filesize
48KB
-
Filesize
96KB