Overview
Score  Task                   Platform
10     Static
10     SpyNote v7...��.zip    windows10-ltsc 2021-x64
8      Software U...rol.7z    windows10-ltsc 2021-x64
1      DefenderControl.exe    windows10-ltsc 2021-x64
3      SpyNote v7...ib.dll    windows10-ltsc 2021-x64
1      SpyNote v7...pi.dll    windows10-ltsc 2021-x64
1      SpyNote v7...ib.dll    windows10-ltsc 2021-x64
1      SpyNote v7...nt.jar    windows10-ltsc 2021-x64
1      SpyNote v7...IP.dat    windows10-ltsc 2021-x64
3      SpyNote v7...BU.inf    windows10-ltsc 2021-x64
1      SpyNote v7...ld.exe    windows10-ltsc 2021-x64
1      SpyNote v7...xe.xml    windows10-ltsc 2021-x64
3      SpyNote v7...ol.zip    windows10-ltsc 2021-x64
1      apktool/apktool.bat    windows10-ltsc 2021-x64
1      apktool/apktool.jar    windows10-ltsc 2021-x64
1      apktool/signapk.jar    windows10-ltsc 2021-x64
1      SpyNote v7...ub.apk    windows10-ltsc 2021-x64
3      SpyNote v7...va.jar    windows10-ltsc 2021-x64
1      platform-t...pi.dll    windows10-ltsc 2021-x64
3      platform-t...pi.dll    windows10-ltsc 2021-x64
3      platform-t...db.exe    windows10-ltsc 2021-x64
3      platform-t...ns.zip    windows10-ltsc 2021-x64
1      SpyNote v7...in.exe    windows10-ltsc 2021-x64
1      SpyNote v7...��.exe    windows10-ltsc 2021-x64
8      SpyNote v7...co.scr    windows10-ltsc 2021-x64
10     SpyNote v7...pk.jar    windows10-ltsc 2021-x64
1      软件使�...rol.7z        windows10-ltsc 2021-x64
1      软件使�...ol.exe        windows10-ltsc 2021-x64
Analysis
max time kernel: 96s
max time network: 152s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 20/12/2024, 13:39
Behavioral tasks (sample, resource)
behavioral1: SpyNote v7.0.zip (win10ltsc2021-20241023-en)
behavioral2: Software Usage Tutorial/DefenderControl.7z (win10ltsc2021-20241211-en)
behavioral3: DefenderControl.exe (win10ltsc2021-20241211-en)
behavioral4: SpyNote v7.0/AxInterop.WMPLib.dll (win10ltsc2021-20241211-en)
behavioral5: SpyNote v7.0/CoreAudioApi.dll (win10ltsc2021-20241211-en)
behavioral6: SpyNote v7.0/Interop.WMPLib.dll (win10ltsc2021-20241023-en)
behavioral7: SpyNote v7.0/Resources/Clint.jar (win10ltsc2021-20241211-en)
behavioral8: SpyNote v7.0/Resources/Imports/GeoIP/GeoIP.dat (win10ltsc2021-20241211-en)
behavioral9: SpyNote v7.0/Resources/Imports/OBU.inf (win10ltsc2021-20241211-en)
behavioral10: SpyNote v7.0/Resources/Imports/Payload/Build.exe (win10ltsc2021-20241211-en)
behavioral11: SpyNote v7.0/Resources/Imports/Payload/Build.exe.xml (win10ltsc2021-20241211-en)
behavioral12: SpyNote v7.0/Resources/Imports/Payload/apktool.zip (win10ltsc2021-20241023-en)
behavioral13: apktool/apktool.bat (win10ltsc2021-20241211-en)
behavioral14: apktool/apktool.jar (win10ltsc2021-20241211-en)
behavioral15: apktool/signapk.jar (win10ltsc2021-20241211-en)
behavioral16: SpyNote v7.0/Resources/Imports/Payload/stub.apk (win10ltsc2021-20241211-en)
behavioral17: SpyNote v7.0/Resources/Imports/PlayerJava/PlayerJava.jar (win10ltsc2021-20241211-en)
behavioral18: platform-tools/AdbWinApi.dll (win10ltsc2021-20241211-en)
behavioral19: platform-tools/AdbWinUsbApi.dll (win10ltsc2021-20241211-en)
behavioral20: platform-tools/adb.exe (win10ltsc2021-20241211-en)
behavioral21: platform-tools/api/annotations.zip (win10ltsc2021-20241211-en)
behavioral22: SpyNote v7.0/Resources/Imports/platform-tools/plwin.exe (win10ltsc2021-20241211-en)
behavioral23: SpyNote v7.0/SpyNote v7.0.exe (win10ltsc2021-20241211-en)
behavioral24: SpyNote v7.0/ico.scr (win10ltsc2021-20241211-en)
behavioral25: SpyNote v7.0/signapk.jar (win10ltsc2021-20241211-en)
behavioral26: 软件使用教程/DefenderControl.7z (win10ltsc2021-20241211-en)
behavioral27: 软件使用教程/DefenderControl.exe (win10ltsc2021-20241211-en)
General
Target: SpyNote v7.0/ico.scr
Size: 236KB
MD5: 4abcadf52f11d5db53bd15b30e0e7e70
SHA1: 25b0ffaae418147757a285bbb133b1d5126680fc
SHA256: e97beacff7ed7401d4a0563c06af3f25047775948b2ed2796ae7a8711d3350d3
SHA512: 996e3dfef22a358ee5a1b4c4bdc75507f683c06a22e507e7289dcff0eb0143adaacc70b518fdf8bc32625b624d4887a64c579e8eacee853222aee992543eb6d9
SSDEEP: 3072:GVr3lajQFISWejg61Pzjj43o5GYi5h6A/QBaRd9TrxTzY:GVr3YceSW8gybiYiivudP
Malware Config
Signatures
Contains code to disable Windows Defender (2 IoCs)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  YARA matches (resource: rule):
  - behavioral24/files/0x002600000004648f-28.dat: disable_win_def
  - behavioral24/memory/2280-52-0x0000000000020000-0x0000000000028000-memory.dmp: disable_win_def
  Registry IoCs (all by process Disable-Windows-Defender.exe):
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Registry IoCs (description: ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation, Disable-Windows-Defender.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation, ico.scr
  - Key value queried: \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation, LocalpVxfUiqNiq.exe

Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 2960 LocalpVxfUiqNiq.exe
  - 2280 Disable-Windows-Defender.exe
  - 2084 svchost.exe

Command and Scripting Interpreter: PowerShell (13 IoCs)
  Processes (pid, process):
  - 3856 powershell.exe
  - 2176 powershell.exe
  - 4464 powershell.exe
  - 3452 powershell.exe
  - 1300 powershell.exe
  - 4924 powershell.exe
  - 2260 powershell.exe
  - 4820 powershell.exe
  - 4708 powershell.exe
  - 3196 powershell.exe
  - 3880 powershell.exe
  - 3832 powershell.exe
  - 3936 powershell.exe

Drops file in Windows directory (3 IoCs)
  File IoCs (description: ioc, process):
  - File created: C:\Windows\Disable-Windows-Defender.exe, LocalpVxfUiqNiq.exe
  - File opened for modification: C:\Windows\Debug\WIA\wiatrace.log, mspaint.exe
  - File created: C:\Windows\svchost.exe, LocalpVxfUiqNiq.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  Processes (pid, process, pid_target, procid_target):
  - 2212 WerFault.exe, target pid 2084, procid_target 87
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Registry IoCs (description: ioc, process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, LocalpVxfUiqNiq.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, svchost.exe
Modifies registry class (1 IoCs)
  Registry IoCs (description: ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\Local Settings, ico.scr

Suspicious behavior: EnumeratesProcesses (46 IoCs)
  Processes (pid, process, number of hits):
  - 3788 mspaint.exe, 2 hits
  - 8 powershell.exe, 2 hits
  - 3452 powershell.exe, 3 hits
  - 1300 powershell.exe, 4 hits
  - 3880 powershell.exe, 4 hits
  - 3832 powershell.exe, 4 hits
  - 4924 powershell.exe, 3 hits
  - 3936 powershell.exe, 3 hits
  - 2260 powershell.exe, 3 hits
  - 4820 powershell.exe, 3 hits
  - 4708 powershell.exe, 3 hits
  - 3856 powershell.exe, 3 hits
  - 2176 powershell.exe, 3 hits
  - 3196 powershell.exe, 3 hits
  - 4464 powershell.exe, 3 hits

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Tokens adjusted, grouped by process (pid, process: tokens in the order reported):
  - 8 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - 3452 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - 1300 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege
  - 3880 powershell.exe: SeDebugPrivilege
  - 3832 powershell.exe: SeDebugPrivilege
  - 4924 powershell.exe: SeDebugPrivilege
  - 3936 powershell.exe: SeDebugPrivilege
  - 2260 powershell.exe: SeDebugPrivilege
  - 4820 powershell.exe: SeDebugPrivilege
  - 4708 powershell.exe: SeDebugPrivilege
  - 3196 powershell.exe: SeDebugPrivilege
  - 3856 powershell.exe: SeDebugPrivilege
  - 2176 powershell.exe: SeDebugPrivilege
  - 4464 powershell.exe: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid, process, number of hits):
  - 3788 mspaint.exe, 4 hits

Suspicious use of WriteProcessMemory (38 IoCs)
  Writes (source pid and process -> target pid, procid_target, number of hits):
  - 584 ico.scr -> 2960, procid_target 81, 3 hits
  - 584 ico.scr -> 3788, procid_target 82, 2 hits
  - 2960 LocalpVxfUiqNiq.exe -> 2280, procid_target 86, 2 hits
  - 2960 LocalpVxfUiqNiq.exe -> 2084, procid_target 87, 3 hits
  - 2280 Disable-Windows-Defender.exe -> 8, procid_target 88, 2 hits
  - 2280 Disable-Windows-Defender.exe -> 3452, procid_target 94, 2 hits
  - 2280 Disable-Windows-Defender.exe -> 1300, procid_target 96, 2 hits
  - 2280 Disable-Windows-Defender.exe -> 3880, procid_target 98, 2 hits
  - 2280 Disable-Windows-Defender.exe -> 3832, procid_target 100, 2 hits
  - 2280 Disable-Windows-Defender.exe -> 4924, procid_target 102, 2 hits
  - 2280 Disable-Windows-Defender.exe -> 3936, procid_target 104, 2 hits
  - 2280 Disable-Windows-Defender.exe -> 2260, procid_target 106, 2 hits
  - 2280 Disable-Windows-Defender.exe -> 4820, procid_target 108, 2 hits
  - 2280 Disable-Windows-Defender.exe -> 4708, procid_target 110, 2 hits
  - 2280 Disable-Windows-Defender.exe -> 3196, procid_target 112, 2 hits
  - 2280 Disable-Windows-Defender.exe -> 3856, procid_target 114, 2 hits
  - 2280 Disable-Windows-Defender.exe -> 2176, procid_target 116, 2 hits
  - 2280 Disable-Windows-Defender.exe -> 4464, procid_target 118, 2 hits
Processes (indented by depth in the process tree; image path, command line, PID, matched signatures)

[1] C:\Users\Admin\AppData\Local\Temp\SpyNote v7.0\ico.scr
    Command line: "C:\Users\Admin\AppData\Local\Temp\SpyNote v7.0\ico.scr" /S
    PID: 584
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\LocalpVxfUiqNiq.exe
        Command line: "C:\Users\Admin\AppData\LocalpVxfUiqNiq.exe"
        PID: 2960
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\Disable-Windows-Defender.exe
            Command line: "C:\Windows\Disable-Windows-Defender.exe"
            PID: 2280
            - Modifies Windows Defender Real-time Protection settings
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" Get-MpPreference -verbose
                PID: 8
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
                PID: 3452
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
                PID: 1300
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
                PID: 3880
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
                PID: 3832
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
                PID: 4924
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
                PID: 3936
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
                PID: 2260
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
                PID: 4820
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
                PID: 4708
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
                PID: 3196
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
                PID: 3856
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
                PID: 2176
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
                PID: 4464
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\svchost.exe
            Command line: "C:\Windows\svchost.exe"
            PID: 2084
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1056
                PID: 2212
                - Program crash

    [2] C:\Windows\system32\mspaint.exe
        Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\LocalKIirypGzQy.jpg"
        PID: 3788
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    PID: 3604

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2084 -ip 2084
    PID: 940
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 9KB
  MD5: 18406451251bfe44fc112d1263581129
  SHA1: 0b611355a35fda665d93759565e24b6ca8b21c71
  SHA256: a991259a9f4044aa1206b0353f8c32a49817a63326b56b89f62fe38e785e3525
  SHA512: 32e4b2d141de151649430f88994ff2449bf7864745b6fbec4d5ea4d0de9dd6fb90886af50a142ef588cab6c9cf109bac55b8cf0869f8b7b1df23fdd043d971a6
- Filesize: 3KB
  MD5: 3eb3833f769dd890afc295b977eab4b4
  SHA1: e857649b037939602c72ad003e5d3698695f436f
  SHA256: c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
  SHA512: c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
- Filesize: 1KB
  MD5: 5e22dd1cda88782a1f52f76e748ef957
  SHA1: 3231826619a06fa541e2bfb21da445bd7013b5ac
  SHA256: 73302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec
  SHA512: 75039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498
- Filesize: 1KB
  MD5: 0f1bf4207c100442afb6f174495b7e10
  SHA1: 77ab64a201e4c57bbda4f0c3306bee76e9513b44
  SHA256: c7787523a0e006d3ef2401f20248f6cfa69769804d402b75e04fcec463741f4d
  SHA512: 29bdea5620c07bae69fa2bbd9c198b7309dbd275a1251ee306e2eb28584d0c40f3d112b4c91b281fe722e711ceef0f4cdf0bd72118a54e263f6500bcf9040d94
- Filesize: 64B
  MD5: 50a8221b93fbd2628ac460dd408a9fc1
  SHA1: 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6
  SHA256: 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
  SHA512: 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 75KB
  MD5: b231a878877ea13b2dfe442b406e56c2
  SHA1: e1fdc12fb480d964de10445a168cb43e74a19903
  SHA256: 96b965ca96aa640a3d68b3084297e82691b43831da30bb7c24cb1939db21515a
  SHA512: 0c429be99c4c359742665875edb4c926c81b64d5b7ac35d96de40ffd7260b5d6d7c85d73207795b03e66d415db3c524e6c0dee2d5e07cb342adcdfd6bffc60e7
- Filesize: 10KB
  MD5: 6af766cdaaee7f7ae97d496714d7e0ec
  SHA1: 3f8df9b3029a2ab30eb89e5e1c41a45fd68e96bc
  SHA256: 97df8777f75fe050bf23dbe180e3bfa2ee4c36c1f93f209cb319b640e7f02e14
  SHA512: ad18783a9290b3999a91cbc05d70419b155dbdbcb576fcdd55996cb5ef11f2045fa4d926813a886ecd6b5f8be82d6c58203c0cca70e34f04c6c2d35de511d476
- Filesize: 60KB
  MD5: 8a7615bc1f4e0edf735dd4fb9380b099
  SHA1: c3e7d6fbc8f50000246c84cad624b654d4a96aa8
  SHA256: 27472a405e57519152fdae9db51c457d8b7ba289bc2feefcc5a772dee8664cc7
  SHA512: dd2da92f96321a28a3e4250f4ec796acb3e89ec97c2b01740d65110bad3d408b73df9db7aecfea1779a8f7ec4770f201df61f963fb0f3028d9be618573d54025