Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
11/10/2024, 07:33
241011-jd1fbaxerm 1011/10/2024, 07:29
241011-jbkl3sxdpr 1011/10/2024, 07:11
241011-h1ddma1ejb 1011/10/2024, 07:00
241011-hs54nswcrj 10Analysis
-
max time kernel
144s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11/10/2024, 07:29
General
-
Target
malw.exe
-
Size
724KB
-
MD5
208a7cf0646365f76dd6e381e96cf6f3
-
SHA1
21d89072373999a525a29882802eb639c6850c03
-
SHA256
8a33c8b3367ce89f7b0a54accfb415c98f1c6ebadf1fb72d150c575fa85b7b5d
-
SHA512
05b980d8c72289a5d3e8d4134a9b285c82dea833c5f3016ea627649bfea5def48ddb136e3909b77b37a8b2d017965ac123a023e5439cd1319cda339f94d6a681
-
SSDEEP
12288:MjqZqdLyerVbCx3YNo18QAulSOfiH93n5N2Ia5oMsn3+wQBBQA6AfwBhptfO5ItE:+qZq5rVbCx3YNdQ1xw5cIhKlBH6EwDzC
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 36 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 12 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 38 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 9 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 50 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffef732cc40,0x7ffef732cc4c,0x7ffef732cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1840 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2212,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2448 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2504 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3292,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3452 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4612,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3700 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4572,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4892,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4960,i,13866410014842965089,9410702658820296137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\StopUnblock.xlsx"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\SkipPop.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- outlook_office_path
- outlook_win_path
-
-
C:\Windows\system32\notepad.exe"C:\Windows\system32\notepad.exe"1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\malw.exe"C:\Users\Admin\AppData\Local\Temp\malw.exe"1⤵
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD521804f6e56a5d7f7198742e1f17336cc
SHA1e60814379f1210fdd84f95ce8efca329e6c15b92
SHA256463f826c9956af1471374fa0ed2f72d2c9f55637a706f2673b8957c8c833df2c
SHA512e5573ec168e4c37b94b20e0d2f313408be7817ffad7c0361806adf0dda0966cf01d4f56e9b81a6893713dfad849c49d03d2d9d76208405833c976ad79689845b
-
Filesize
8KB
MD56a45d9e257a910af01def29a53213a6d
SHA13404709ca493a2be2b3657fd7ade3b1742526f5b
SHA256d17a502cd82a2eb73089216550b51409c8a52719ba9261b943e7217a606d0bc0
SHA51285e969ef7d9d644fd662afdd5a6fe3609e39dbe7b40b731e7833bbf8a762f638853a7723027f59414c57562d181b11d96b07c72a94f86bf766eaf7aaa6d791fc
-
Filesize
15KB
MD5d89f3772d72b8704cb64f751660ac7b5
SHA1ec86f6c807c8ae5dced0ac37a64dfc8a2111de5c
SHA256c5d583817d9af82cbefca0ad97ee09f1f36c214ac6831e8ca722dd5d7b4fbf2b
SHA51237ddbf4714755002485ff376197a18f4fe9ae6f43f8f41910b97725784a0d2b76688c7956591164f0da86c7168fc4b02473a981b92574c1a24510a00c97d8186
-
Filesize
227KB
MD5d69878cae067a5971bbeed000fae85d3
SHA1fb61c7b92364f59a9860a8a4616151ec71df29e0
SHA25634b8242acc7f24ba4410bb995b1561894efd9d9efb26b5321a8f8bf83a94e756
SHA51270ac62bb36f45608a83fa46dfe87690e00a953ea05c5bb2c810f7eb0e6b29d2e9f236388f3141b8a5f36944334e7fc3da274997b833e66815c4c7bca68d6887e
-
Filesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
172KB
MD5df093cd3defb03bef2044280b203f3ee
SHA13574b9e59d62526a1b7e0b37ef465f699bf2c1c4
SHA2564be0f6e33c2f371e17b17097980bf5d1f8bcc1cff77dc20b9f1fa7e882a0fea5
SHA512d88c252c2c99e2486dc3bbc50b097c2cb6ac99e9afd9fbbdaef363a00380b1acf661d56989a519369e69f8a258ed82f56ed22beab3640c98f7ea5ebc9a574039
-
Filesize
8KB
MD57bbdf7549dd361ff57f6dcde70c46c5b
SHA1b71be7e0eb43409092bea55f38f50168447b90cf
SHA2569e1a03de7a64c1386fbbf7c6c02a35a11459bd30184d6cd1b64b4155ab3137e5
SHA5127d1c7c8013435404602fc6f650e6fd9db159bcc4182c30fa792f086b060744d70b3d44043c60d82dcf01fbdd18d839c40c501e8d54eda4d96954687f012f016d
-
Filesize
2KB
MD58dfdc5f9a174bbe75900921d968f3b94
SHA1192b5a749c802d96b6865ebd615e9256f7ea57c5
SHA2569615853cd7b7518abc633c0cbf66145b528ba20fc0592c565744efd0d223fd9f
SHA512fab96d658056c2b0c7edde7c7d659e06f6dc6914625436b8235be421bc2476cebb34f69745a8f3e829864c799183f65d28c9d63ed211dc3b5e523f29d49236e0
-
Filesize
2KB
MD58b5c3bad70428a28e6a5d0cf0cad78a4
SHA1bdf20a6d4b082cb69cc7e12604d0a87ad2989549
SHA2566624c32a3c754d25818437fc1a36882720a55ce0d2374bd1fd02810c3f35c6e6
SHA512f5cb060b9af06279fa69c6877695903a27ca9fe0c4253c216a141fd0587afb6dd78486c8a71bce1c0ffb8582f23e0c5dbcc2fc5fd016cf12351350189d3262da
-
Filesize
18KB
MD5341cf7a05d3268e8b4155b640820870a
SHA1fca1afc2ab8341e8f6599c3fd74636561b6d4638
SHA25636c0f3e71b5e69e745a36c3608f38a9639bd89eebd6619bd797ebe4c263b7b68
SHA51218b4acb61cc53d84b83869104c8c69c2df8c95a0a077474ffd6f7c8c75d1bcde8a0711fa3ae61e0d18843977f8e38c52f37d05ed2bf60fbcb3f2623f7631d2fb
-
Filesize
18KB
MD58f132c8f9a5d403d89750d8bee89d4dd
SHA1526a3c058b2ac4f9b8dbd45a15067d26e6b5b246
SHA256b7208240e48e51d6d6ed0c06750fc0151e5e434d5f50e51cadfe99f600fc81ef
SHA512780ea90556f3be5f20f467b49ed458a5ecc41bcf08ab6f4feda2433c5c4e916158a4ef55dd49a59b34033d383eee8b9dc64c1c729a501b8202088b92a9369637
-
Filesize
18KB
MD52177cb5065d89f1c12b9d756410a6dff
SHA164c97bd4c36cbe0c0b3d4b7dd25d0899771b4e93
SHA256a0b18d2b3cc305510b8fc2f0492537c69e252a75d21f0a303e97714a61cb5aed
SHA5127677ce5d2464f971962662e75c6934f0261ba79972ae906f04a2a6661af82deef8e65f4016a0b680b698f8c3c2aaef4f26af9a2e83b5a5773fda0a6eb2301fa4
-
Filesize
18KB
MD5ea2f6d2361b24ccd82cbe43013b54eee
SHA1cbaae89cfdb811321198d0318815e90004d8530f
SHA25616bbb281cce8619886e733b960b3b0f4ea9f03e82b64c7f382779ed75eb28b88
SHA5120ce24a796bc2403ebf635d61637a2c3dc6d4289be80bc5f897ade08bed316c23f58745de8b1411da2d2bd44fcaaf7daf5481e20f71e2d80e67278b1135557474
-
Filesize
18KB
MD56dd536dd2f04096ca8a985626573d3b6
SHA12d8ad2010579192bd54b672d6a8ee879e3cd255b
SHA2569c08a30ad257a5e2a75499f19e69445c173e3fda218db02532d57c6fcd4699ce
SHA512b7e0ad7ddce4ee1dab46e53842d141fea7e2102056c2fb168eb9b3fbadc8ff58b40e8e7280d533e6235bd7f70baa5bc37f72b7c3305a8c2139ab8d44982163cf
-
Filesize
18KB
MD5416dc0c7899b4d36900018776fa403b4
SHA1ead47fdd0019f8d56a1d13fe8a5062a6c404eab6
SHA25631ebaa2c608e01f9a6816dc7c38525e8f143f855e142a36340420ba2b67e3147
SHA51203ea54bc6da374ee0ae38d7d290aa340c00c5dc0a656ee9630b73a9d5d6570723e46c013e5316824bf8881412423c585cd5fdc240d333eb0a1684f2131332bdf
-
Filesize
18KB
MD525dc5b410887b79d23736dc874564a70
SHA17d028edd386fa6be9b7234dbdd097daf66fe4c33
SHA2569aa6475b8888323dfb06a01120ad9fe8c7b9a9971273c409e03b670690a8beec
SHA5127c1f98a7825a081f7736d25768718fc5843004149c944279a853cc59abb5d17d1436c8c330e582b3d35bba6473a27c2125b217949296231518a706fdb366c0aa
-
Filesize
18KB
MD5a6e9af4fa0a2054e9a0fca38019a3496
SHA1be3c8d42f86a5fc5d97e799b492a3d949d5f31b0
SHA256a3bb45872e57029486c4de6c9b89ceada8f2131009d574385f437bd7665c5d0b
SHA512dc2cf99ba9a274d3e90b14397e6aa6940bd2f5304175da03b78fb4bb01315533ba9d5f1ebd57997fb25b28336687b1a5d1da946f2800559fb067d7e84df26ff4
-
Filesize
18KB
MD599c5c917a0f061add54cfe444c74c685
SHA1a3e57d25ec95a7908706544b0e317b29679cdf65
SHA25621608bf7310ad62ca85fb6cb1ed57cbece2e4b40d83ffe68b44662cd6f43c9df
SHA512ab958127f7e91e1fdb9f9cbdc6afb51c8041c96931657dabbd63b5f124f535328aa4e58306832067465e2e03acbac8c9473c7d8ca24fbde60b0221ecfe934b41
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
363B
MD5d5c8d1a4b1ea29fcf5c6a3df4ac75c85
SHA1d270ba37905b99790f330f16c54e3a99291ea32b
SHA256177786164349e62d982e6c6dfac6b36263f947fb8f5b7c9b2f7dd7fc2c08cc42
SHA5120f8ddc3aecbfb2f31979a184fd135e6630bf159b9f9bf66aded08f6cb6f05feefaf2393736c6ca359cdbfbcd0a5e06662840793456c17ab0e65949d8d47a35b8
-
Filesize
3KB
MD580d0b4c4b2395b4c5d2ed3f542f3319e
SHA1442de60ec32998b0890d9688121bb5cbee431dfd
SHA25628e463528fb154ca107e88456c9bf7d873e51dd6622fd2b68df376531abc37ea
SHA5122ea89607a84a30e944d35eff812d8c30239d325cceb7f5f03b2d67a13227d6e645260c45a06bbc15204e9a8204670b8df8e3781efbdaeb4f992a8de79fc62618
-
Filesize
3KB
MD5ccfd6a6b4d1656d7987e9ad2ead2c43c
SHA1f8ea57396104d42efb30e3eb983f232372c4da04
SHA256031b81da8173ae0bbb326ee11a068b77ed246c84c69ff074e8d9e4309edc101b
SHA512b5326b62cc5f2b556bfd0810e7ff533d1e19bdefaa8dd2df0bd5575ee0b8085e616670325d83243899b6c014c87647f01e5f008cdaafb9ab13bc32881de739d2
-
Filesize
68KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
496KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
752KB
-
Filesize
72KB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
304KB
-
Filesize
72KB
-
Filesize
80KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
80KB
-
Filesize
68KB
-
Filesize
304KB
-
Filesize
80KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
1.8MB
-
Filesize
152KB
-
Filesize
320KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
68KB
-
Filesize
652KB
-
Filesize
304KB
-
Filesize
80KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
72KB
-
Filesize
72KB