Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
29/08/2024, 19:09
Static task
static1
Behavioral task
behavioral1
Sample
1229ffe79bd02279c46b45bb6766bcd02854656208b5a5a1fc3fa254c7790648.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
1229ffe79bd02279c46b45bb6766bcd02854656208b5a5a1fc3fa254c7790648.exe
Resource
win10v2004-20240802-en
General
-
Target
1229ffe79bd02279c46b45bb6766bcd02854656208b5a5a1fc3fa254c7790648.exe
-
Size
540KB
-
MD5
5f892efbbce2a28d2c358c7b47b9d444
-
SHA1
7ab014e42aa490e4c26e8f4b3020b7bb8295dc1c
-
SHA256
1229ffe79bd02279c46b45bb6766bcd02854656208b5a5a1fc3fa254c7790648
-
SHA512
5bbbc771b7a35fa5083a82ee65dcaa0f8f7beb7d76f39897c47537a4e90eb7a0138f3b722e2364347fd4942cc77db89444cdedbe1c51ca84850030f358600d93
-
SSDEEP
12288:xHaXEVCo4QGycLS+9bPw9xBBgBbskxo0QEl1ayB6qfm:xHaQCo4Qn+9bPw9xclxxxlI4Xf
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
185.252.232.158:7812
64.23.232.116:7812
vsvf
-
delay
1
-
install
true
-
install_file
Windows Security Health Service.exe
-
install_folder
%AppData%
Extracted
xworm
5.0
185.252.232.158:7812
b0c5WZixE6SqaTDD
-
Install_directory
%AppData%
-
install_file
Windows Defender Security Service.exe
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7308504158:AAGvjg5ZWkkItSzfmQZs_qu73xKZ_gWVkJI/sendMessage?chat_id=6291749148
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x0007000000023437-38.dat family_xworm behavioral2/memory/624-47-0x00000000003F0000-0x0000000000400000-memory.dmp family_xworm -
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral2/files/0x0007000000023435-16.dat family_stormkitty behavioral2/memory/1100-50-0x00000000008C0000-0x00000000008F0000-memory.dmp family_stormkitty -
Async RAT payload 2 IoCs
resource yara_rule behavioral2/files/0x0007000000023435-16.dat family_asyncrat behavioral2/files/0x0007000000023436-26.dat family_asyncrat -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation 1229ffe79bd02279c46b45bb6766bcd02854656208b5a5a1fc3fa254c7790648.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation Cracked.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation Microsoft .NET Assembly Registration Utility.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Security Service.lnk Microsoft .NET Assembly Registration Utility.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Security Service.lnk Microsoft .NET Assembly Registration Utility.exe -
Executes dropped EXE 7 IoCs
pid Process 748 crack.exe 1100 svchost.exe 3300 Cracked.exe 624 Microsoft .NET Assembly Registration Utility.exe 4508 Windows Security Health Service.exe 1532 Windows Defender Security Service.exe 1956 Windows Defender Security Service.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Security Service = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender Security Service.exe" Microsoft .NET Assembly Registration Utility.exe -
Drops desktop.ini file(s) 8 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\9d2c3c58d0a40fde24d179db34871046\Admin@ZEUYFSYD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\9d2c3c58d0a40fde24d179db34871046\Admin@ZEUYFSYD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\9d2c3c58d0a40fde24d179db34871046\Admin@ZEUYFSYD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\9d2c3c58d0a40fde24d179db34871046\Admin@ZEUYFSYD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\9d2c3c58d0a40fde24d179db34871046\Admin@ZEUYFSYD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\9d2c3c58d0a40fde24d179db34871046\Admin@ZEUYFSYD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\9d2c3c58d0a40fde24d179db34871046\Admin@ZEUYFSYD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\9d2c3c58d0a40fde24d179db34871046\Admin@ZEUYFSYD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini svchost.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 36 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 4044 netsh.exe 4616 cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 svchost.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 2428 timeout.exe 1864 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2552 schtasks.exe 3040 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 624 Microsoft .NET Assembly Registration Utility.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 3300 Cracked.exe 624 Microsoft .NET Assembly Registration Utility.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe 4508 Windows Security Health Service.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeDebugPrivilege 624 Microsoft .NET Assembly Registration Utility.exe Token: SeDebugPrivilege 3300 Cracked.exe Token: SeDebugPrivilege 1100 svchost.exe Token: SeDebugPrivilege 3300 Cracked.exe Token: SeDebugPrivilege 748 crack.exe Token: SeDebugPrivilege 4508 Windows Security Health Service.exe Token: SeDebugPrivilege 4508 Windows Security Health Service.exe Token: SeDebugPrivilege 1532 Windows Defender Security Service.exe Token: SeDebugPrivilege 1956 Windows Defender Security Service.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 624 Microsoft .NET Assembly Registration Utility.exe 4508 Windows Security Health Service.exe -
Suspicious use of WriteProcessMemory 49 IoCs
description pid Process procid_target PID 5076 wrote to memory of 748 5076 1229ffe79bd02279c46b45bb6766bcd02854656208b5a5a1fc3fa254c7790648.exe 84 PID 5076 wrote to memory of 748 5076 1229ffe79bd02279c46b45bb6766bcd02854656208b5a5a1fc3fa254c7790648.exe 84 PID 5076 wrote to memory of 748 5076 1229ffe79bd02279c46b45bb6766bcd02854656208b5a5a1fc3fa254c7790648.exe 84 PID 5076 wrote to memory of 1100 5076 1229ffe79bd02279c46b45bb6766bcd02854656208b5a5a1fc3fa254c7790648.exe 85 PID 5076 wrote to memory of 1100 5076 1229ffe79bd02279c46b45bb6766bcd02854656208b5a5a1fc3fa254c7790648.exe 85 PID 5076 wrote to memory of 1100 5076 1229ffe79bd02279c46b45bb6766bcd02854656208b5a5a1fc3fa254c7790648.exe 85 PID 5076 wrote to memory of 3300 5076 1229ffe79bd02279c46b45bb6766bcd02854656208b5a5a1fc3fa254c7790648.exe 86 PID 5076 wrote to memory of 3300 5076 1229ffe79bd02279c46b45bb6766bcd02854656208b5a5a1fc3fa254c7790648.exe 86 PID 5076 wrote to memory of 624 5076 1229ffe79bd02279c46b45bb6766bcd02854656208b5a5a1fc3fa254c7790648.exe 87 PID 5076 wrote to memory of 624 5076 1229ffe79bd02279c46b45bb6766bcd02854656208b5a5a1fc3fa254c7790648.exe 87 PID 3300 wrote to memory of 1648 3300 Cracked.exe 91 PID 3300 wrote to memory of 1648 3300 Cracked.exe 91 PID 3300 wrote to memory of 4048 3300 Cracked.exe 93 PID 3300 wrote to memory of 4048 3300 Cracked.exe 93 PID 4048 wrote to memory of 2428 4048 cmd.exe 95 PID 4048 wrote to memory of 2428 4048 cmd.exe 95 PID 1648 wrote to memory of 2552 1648 cmd.exe 96 PID 1648 wrote to memory of 2552 1648 cmd.exe 96 PID 748 wrote to memory of 4324 748 crack.exe 99 PID 748 wrote to memory of 4324 748 crack.exe 99 PID 748 wrote to memory of 4324 748 crack.exe 99 PID 4324 wrote to memory of 1864 4324 cmd.exe 101 PID 4324 wrote to memory of 1864 4324 cmd.exe 101 PID 4324 wrote to memory of 1864 4324 cmd.exe 101 PID 624 wrote to memory of 3040 624 Microsoft .NET Assembly Registration Utility.exe 104 PID 624 wrote to memory of 3040 624 Microsoft .NET Assembly Registration Utility.exe 104 PID 4048 wrote to memory of 4508 4048 cmd.exe 106 PID 4048 wrote to memory of 4508 4048 cmd.exe 106 PID 1100 wrote to memory of 4616 1100 svchost.exe 110 PID 1100 wrote to memory of 4616 1100 svchost.exe 110 PID 1100 wrote to memory of 4616 1100 svchost.exe 110 PID 4616 wrote to memory of 1640 4616 cmd.exe 112 PID 4616 wrote to memory of 1640 4616 cmd.exe 112 PID 4616 wrote to memory of 1640 4616 cmd.exe 112 PID 4616 wrote to memory of 4044 4616 cmd.exe 113 PID 4616 wrote to memory of 4044 4616 cmd.exe 113 PID 4616 wrote to memory of 4044 4616 cmd.exe 113 PID 4616 wrote to memory of 4084 4616 cmd.exe 114 PID 4616 wrote to memory of 4084 4616 cmd.exe 114 PID 4616 wrote to memory of 4084 4616 cmd.exe 114 PID 1100 wrote to memory of 2592 1100 svchost.exe 115 PID 1100 wrote to memory of 2592 1100 svchost.exe 115 PID 1100 wrote to memory of 2592 1100 svchost.exe 115 PID 2592 wrote to memory of 1392 2592 cmd.exe 117 PID 2592 wrote to memory of 1392 2592 cmd.exe 117 PID 2592 wrote to memory of 1392 2592 cmd.exe 117 PID 2592 wrote to memory of 2336 2592 cmd.exe 118 PID 2592 wrote to memory of 2336 2592 cmd.exe 118 PID 2592 wrote to memory of 2336 2592 cmd.exe 118 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1229ffe79bd02279c46b45bb6766bcd02854656208b5a5a1fc3fa254c7790648.exe"C:\Users\Admin\AppData\Local\Temp\1229ffe79bd02279c46b45bb6766bcd02854656208b5a5a1fc3fa254c7790648.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Users\Admin\AppData\Roaming\crack.exe"C:\Users\Admin\AppData\Roaming\crack.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8DD8.tmp.cmd""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\timeout.exetimeout 44⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1864
-
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
PID:1640
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:4044
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
- System Location Discovery: System Language Discovery
PID:4084
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
PID:1392
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2336
-
-
-
-
C:\Users\Admin\AppData\Roaming\Cracked.exe"C:\Users\Admin\AppData\Roaming\Cracked.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"'4⤵
- Scheduled Task/Job: Scheduled Task
PID:2552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8889.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
PID:2428
-
-
C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4508
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft .NET Assembly Registration Utility.exe"C:\Users\Admin\AppData\Roaming\Microsoft .NET Assembly Registration Utility.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Security Service" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:3040
-
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1532
-
C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1956
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\9d2c3c58d0a40fde24d179db34871046\Admin@ZEUYFSYD_en-US\Browsers\Firefox\Bookmarks.txt
Filesize105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\9d2c3c58d0a40fde24d179db34871046\Admin@ZEUYFSYD_en-US\System\Process.txt
Filesize4KB
MD5b6f9238c18f39bde7679358b87ff3391
SHA172263428248d0860ea1d6366e22d5d385ac64616
SHA256553c8a41a833f8af83abb1387201b9b5b5cb45fed9ca3694a445b8f43c200a36
SHA51201fb360f293e61fc3bfaaf681a2b831fea6dfaeeb51e1f9f20443986bef3e2e5936215c9d1803ce35fdc0328f5be3a5191fdbf2dfe0d9660ffd473d5343f8ac1
-
Filesize
5B
MD5f428ed8209a04774dd294d6dc12ae201
SHA159dc43d8813f621258c0268752575596f563a832
SHA2562e0344265d2a31f5762eca4df9335704c37674a75a727202973e14c0b9f9aabe
SHA5129f6b1653fc2fc50428876fcca94864583217a17bece41e5246daf40d3553d3e23eb90eced9a4dc7878407b63a0d5d1afb32361293c1514b20f5cddebd74437d6
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
175B
MD55066807af677890e26cca55ce98da3b0
SHA10e44dd021544b51641051eb008a05a78f43d36d2
SHA256471185e585cc3e15d87875c38818f346089d4cd7b43f70e6b143a5ef0f3a9473
SHA51276223fa36c2fb40d1df254dcea135c3064205408b95e7dabe397e2e8bfa4d5fb019b9eea9a555583bba1ed8ac973eb8b5599b191f0c95728a535ed0fe2342af5
-
Filesize
151B
MD528e7cdf607e9b1323efefddf1023db45
SHA1597d381b7c3668ef16d932e250df7ca11f46d566
SHA2564aa2217530bc2414f10315accb9e0908d6d45007a8e05e1d3175745cdee6f17d
SHA51248a03d83d9119c6d434dfbd8c34cacbc70c464644dc1722c3c5d93c2e64bf5305662436e2362e484763cc300b25f4d11193fdf52949ad1b4d4128aa6c6b32f2d
-
Filesize
74KB
MD50dfa83a82f6418c73406d78296de61be
SHA1dd7eceef8a434c43e0751e180bf714e08771d336
SHA2568d27369ffa8b29d561fa9daf485be14d2fc00287bb1c69d4c84d514891c8db5e
SHA5129a4b026250b18c29ab7dd48203f321c2ef2f12695bd2dcb52ebbc15001c8ddf019d5a7e04da056c50c1881ce269d1810259bf6d04b61f471e8751b7192fc73d4
-
Filesize
42KB
MD57a5ea6a11fdb03f789a2246aa8ff1501
SHA15e1289096418c7f8b5901963c34c89f9902cbbba
SHA256bde45f854d6c434717ea7b59587e020c2403123728c49deb56cba8132de5e96a
SHA512cfca94f3d78675bbe56f02119e3943f7067898d7b7d14e91bca7220a235665363f69930acdeb9f7df388a49a6b62812bcf74bbffad20a96915257b54c4e78a73
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
8KB
MD59215015740c937980b6b53cee5087769
SHA1a0bfe95486944f1548620d4de472c3758e95d36a
SHA256a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541
SHA5125b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2
-
Filesize
170KB
MD56cbe3de085baa7ffcc6194a34746538a
SHA1986e6523294c5d3835af38a56c03239ca0f3a007
SHA2561aad9660ae1dcfada6ea39fc441f1b06fdab9b7fd71b71342f006e2d779cdf8b
SHA51250d73b171adb7dbf12f00267ea3501a676f757980a0ab6ba3ae64f7ca1666394dbb008b80faa51beecd9546e224425df4c48d08c0dbf69915ed07eda04e8aeeb