Analysis

  • max time kernel
    97s
  • max time network
    137s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64
    arch:x86
    image:win10ltsc2021-20241211-en
    locale:en-us
    os:windows10-ltsc 2021-x64
    system
  • submitted
    2025-01-03, 08:55 UTC

General

  • Target

    $PLUGINSDIR/nsExec.dll

  • Size

    6KB

  • MD5

    ec0504e6b8a11d5aad43b296beeb84b2

  • SHA1

    91b5ce085130c8c7194d66b2439ec9e1c206497c

  • SHA256

    5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

  • SHA512

    3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

  • SSDEEP

    96:YjHFiKaoggCtJzTlKXb0tbo68qD853Ns7GgmkNq3m+s:JbogRtJzTlNR8qD85uGgmkNr

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe (PID 4604)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID 4744, child of 4604)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
      • System Location Discovery: System Language Discovery
      • C:\Windows\SysWOW64\WerFault.exe (PID 4752, child of 4744)
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 616
        • Program crash
  • C:\Windows\SysWOW64\WerFault.exe (PID 220)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4744 -ip 4744
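The tree above is the sandbox harness loading the sample with rundll32, not the sample doing anything on its own: the 64-bit rundll32 (PID 4604) cannot load a 32-bit DLL, so it relaunches the SysWOW64 copy (PID 4744) with the same command line, which calls export #1 and crashes, and WerFault is started twice to report on PID 4744. nsExec.dll under $PLUGINSDIR is the standard NSIS nsExec plugin; its exports expect the NSIS plugin calling convention (parent window, string size, variables block, stack pointer), not rundll32's (hwnd, hinstance, command line, show flag), so a crash on a bare rundll32 call is the expected outcome rather than evidence of malicious behaviour. That reading is the editor's, not the report's. The Python below is an added example, not part of the report or of tria.ge, and walks a constructed copy of this process tree to flag what a detection engineer would want from a real process-creation log: rundll32 loading a DLL from a user-writable directory, an export invoked by ordinal, the System32-to-SysWOW64 handoff, and which process WerFault was launched for (the `-p <pid>` argument, deliberately distinguished from `-ip`). The PPID values for the two root processes are placeholders because the report does not show their parents.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records mirroring the tree in this report.
# ppid None marks a process whose parent the report does not show.
EVENTS = [
    {"pid": 4604, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1"},
    {"pid": 4744, "ppid": 4604, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1"},
    {"pid": 4752, "ppid": 4744, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 616"},
    {"pid": 220, "ppid": None, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4744 -ip 4744"},
]

# rundll32 command line shape: [path\]rundll32[.exe] <dll>,<export or #ordinal> [args]
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s\\]*\\)*rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>#?[A-Za-z0-9_@]+)',
    re.IGNORECASE,
)
# Directories an unprivileged user can write to; a DLL loaded from one of them
# by a system binary deserves a look. Assumed list, extend for your environment.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\tmp\\")
# WerFault names the crashing process with "-p <pid>"; "-ip <pid>" must not match.
WER_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")


def image_name(path):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def parse_rundll32(cmdline):
    """Return (dll_path, entry) from a rundll32 command line, or None if it has no dll,entry."""
    m = RUNDLL_RE.match(cmdline)
    return (m.group("dll"), m.group("entry")) if m else None


def rundll32_findings(events):
    """Return [(pid, reason)] for rundll32 processes worth analyst attention."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["image"]) != "rundll32.exe":
            continue
        parsed = parse_rundll32(e["cmdline"])
        if parsed is None:
            findings.append((e["pid"], "rundll32 without a parsable dll,entry argument"))
            continue
        dll, entry = parsed
        reasons = []
        if any(d in dll.lower() for d in USER_WRITABLE):
            reasons.append("dll loaded from a user-writable directory")
        if entry.startswith("#"):
            reasons.append("export called by ordinal")
        parent = by_pid.get(e["ppid"])
        if (parent and image_name(parent["image"]) == "rundll32.exe"
                and "\\syswow64\\" in e["image"].lower()
                and "\\system32\\" in parent["image"].lower()):
            reasons.append("wow64 handoff (64-bit rundll32 relaunched the 32-bit copy)")
        if reasons:
            findings.append((e["pid"], "; ".join(reasons)))
    return findings


def crashed_processes(events):
    """Map pid -> image for every process WerFault.exe was launched to report on."""
    by_pid = {e["pid"]: e for e in events}
    crashed = {}
    for e in events:
        if image_name(e["image"]) != "werfault.exe":
            continue
        m = WER_PID_RE.search(e["cmdline"])
        if m:
            pid = int(m.group(1))
            crashed[pid] = by_pid[pid]["image"] if pid in by_pid else None
    return crashed


if __name__ == "__main__":
    for pid, reason in rundll32_findings(EVENTS):
        print(f"rundll32 pid {pid}: {reason}")
    for pid, image in crashed_processes(EVENTS).items():
        print(f"crashed: pid {pid} ({image})")
```

Run against a Sysmon event 1 or EDR export, the same three checks separate a harness artefact like this one from the interesting case: rundll32 invoked by an Office or browser process with a DLL from Temp and an ordinal export, with no crash following.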

    Network

    • DNS  73.31.126.40.in-addr.arpa    IN PTR  via 8.8.8.8:53 (US)  response: empty
    • DNS  97.17.167.52.in-addr.arpa    IN PTR  via 8.8.8.8:53 (US)  response: empty
    • DNS  60.153.16.2.in-addr.arpa     IN PTR  via 8.8.8.8:53 (US)
      response: 60.153.16.2.in-addr.arpa IN PTR a2-16-153-60.deploy.static.akamaitechnologies.com
    • DNS  232.168.11.51.in-addr.arpa   IN PTR  via 8.8.8.8:53 (US)  response: empty
    • DNS  28.118.140.52.in-addr.arpa   IN PTR  via 8.8.8.8:53 (US)  response: empty
    • DNS  fd.api.iris.microsoft.com    IN A    via 8.8.8.8:53 (US)
      response: fd.api.iris.microsoft.com IN CNAME fd-api-iris.trafficmanager.net
                fd-api-iris.trafficmanager.net IN CNAME iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com
                iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com IN A 20.103.156.88
    • HTTPS GET to 20.103.156.88:443 (NL)
      URL: https://fd.api.iris.microsoft.com/v4/api/selection?&asid=61820CAE087E4A17913C2243DEE3F89C&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1733929060&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A50ACBC7D-7476-6380-3B6C-0B9AD8F9FA09&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=204329&lo=32759&tsu=32759
      Request
        GET /v4/api/selection?&asid=61820CAE087E4A17913C2243DEE3F89C&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1733929060&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A50ACBC7D-7476-6380-3B6C-0B9AD8F9FA09&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=204329&lo=32759&tsu=32759 HTTP/2.0
        host: fd.api.iris.microsoft.com
        accept-encoding: gzip, deflate
        x-sdk-hw-token: t=[elided]&p=
      Response
        HTTP/2.0 200
        cache-control: no-store, no-cache
        pragma: no-cache
        content-length: 131
        content-type: application/json; charset=utf-8
        expires: Mon, 01 Jan 0001 00:00:00 GMT
        server: Microsoft-IIS/10.0
        arc-rsp-dbg: [{"DcoPlusDebug":"Status: Ok"},{"OPTOUTSTATE":"256"},{"REGIONALPOLICY":"0"}]
        accept-ch: UA, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform, UA-Platform-Version
        x-aspnet-version: 4.0.30319
        x-powered-by: ASP.NET
        strict-transport-security: max-age=31536000; includeSubDomains
        date: Fri, 03 Jan 2025 08:58:12 GMT
    • DNS  88.156.103.20.in-addr.arpa   IN PTR  via 8.8.8.8:53 (US)  response: empty
    • DNS  56.163.245.4.in-addr.arpa    IN PTR  via 8.8.8.8:53 (US)  response: empty
    • DNS  15.164.165.52.in-addr.arpa   IN PTR  via 8.8.8.8:53 (US)  response: empty
    • DNS  172.214.232.199.in-addr.arpa IN PTR  via 8.8.8.8:53 (US)  response: empty
    • DNS  48.229.111.52.in-addr.arpa   IN PTR  via 8.8.8.8:53 (US)  response: empty
    • 20.103.156.88:443
      https://fd.api.iris.microsoft.com/v4/api/selection?&asid=61820CAE087E4A17913C2243DEE3F89C&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1733929060&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A50ACBC7D-7476-6380-3B6C-0B9AD8F9FA09&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=204329&lo=32759&tsu=32759
      tls, http2
      2.7kB
      7.5kB
      19
      13

      HTTP Request

      GET https://fd.api.iris.microsoft.com/v4/api/selection?&asid=61820CAE087E4A17913C2243DEE3F89C&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1733929060&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A50ACBC7D-7476-6380-3B6C-0B9AD8F9FA09&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=204329&lo=32759&tsu=32759

      HTTP Response

      200
    • 8.8.8.8:53
      73.31.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      73.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      97.17.167.52.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      97.17.167.52.in-addr.arpa

    • 8.8.8.8:53
      60.153.16.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      60.153.16.2.in-addr.arpa

    • 8.8.8.8:53
      232.168.11.51.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      232.168.11.51.in-addr.arpa

    • 8.8.8.8:53
      28.118.140.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      28.118.140.52.in-addr.arpa

    • 8.8.8.8:53
      fd.api.iris.microsoft.com
      dns
      71 B
      196 B
      1
      1

      DNS Request

      fd.api.iris.microsoft.com

      DNS Response

      20.103.156.88

    • 8.8.8.8:53
      88.156.103.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      88.156.103.20.in-addr.arpa

    • 8.8.8.8:53
      56.163.245.4.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      56.163.245.4.in-addr.arpa

    • 8.8.8.8:53
      15.164.165.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      15.164.165.52.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      48.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      48.229.111.52.in-addr.arpa
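Nothing in the network capture is attributable to the sample: every DNS query except one is a reverse (PTR) lookup, and the single TLS session goes to fd.api.iris.microsoft.com, a Microsoft endpoint the guest OS contacts on its own with device telemetry in the query string (OS build, SKU, CPU, display size). Only one PTR lookup (88.156.103.20.in-addr.arpa) corresponds to an address the guest actually connected to; the other nine ask about addresses with no connection in the capture at all. The Python below is an added example, not part of the report or of tria.ge, that applies exactly that triage to a constructed copy of the table above: it reverses in-addr.arpa and ip6.arpa names back to addresses, correlates them with observed connections, and drops hosts matching an assumed analyst-maintained baseline of domains the sandbox image talks to by itself; whatever is left is what deserves attention. The baseline suffix list and the record layout are assumptions for the example.

```python
import ipaddress

# Constructed from the connection table in this report: (remote, host or query, protocol).
# Byte and packet counts are left out because the classifier does not need them.
RECORDS = [
    ("20.103.156.88:443", "fd.api.iris.microsoft.com", "tls, http2"),
    ("8.8.8.8:53", "73.31.126.40.in-addr.arpa", "dns"),
    ("8.8.8.8:53", "97.17.167.52.in-addr.arpa", "dns"),
    ("8.8.8.8:53", "60.153.16.2.in-addr.arpa", "dns"),
    ("8.8.8.8:53", "232.168.11.51.in-addr.arpa", "dns"),
    ("8.8.8.8:53", "28.118.140.52.in-addr.arpa", "dns"),
    ("8.8.8.8:53", "fd.api.iris.microsoft.com", "dns"),
    ("8.8.8.8:53", "88.156.103.20.in-addr.arpa", "dns"),
    ("8.8.8.8:53", "56.163.245.4.in-addr.arpa", "dns"),
    ("8.8.8.8:53", "15.164.165.52.in-addr.arpa", "dns"),
    ("8.8.8.8:53", "172.214.232.199.in-addr.arpa", "dns"),
    ("8.8.8.8:53", "48.229.111.52.in-addr.arpa", "dns"),
]

# Assumed baseline of domains the sandbox guest contacts without any sample
# involvement. Build yours from a run of a known-benign file on the same image.
BASELINE_SUFFIXES = ("microsoft.com", "trafficmanager.net", "azure.com", "windowsupdate.com")


def ptr_to_ip(name):
    """Turn a reverse-lookup name into the address it asks about, or None if it is not one."""
    labels = name.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"]:
            octets = labels[:-2]                       # IPv4: four octets, least significant first
            if len(octets) != 4:
                return None
            return str(ipaddress.IPv4Address(".".join(reversed(octets))))
        if labels[-2:] == ["ip6", "arpa"]:
            nibbles = labels[:-2]                      # IPv6: 32 hex nibbles, least significant first
            if len(nibbles) != 32:
                return None
            return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    except ValueError:                                 # malformed octet or non-hex nibble
        return None
    return None


def in_baseline(host):
    """True when host equals or is a subdomain of a baseline suffix."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in BASELINE_SUFFIXES)


def triage_network(records):
    """Bucket records into explained traffic and whatever remains unexplained."""
    connected_ips = {
        remote.rsplit(":", 1)[0].strip("[]") for remote, _, proto in records if proto != "dns"
    }
    out = {"baseline": [], "ptr_for_connection": [], "orphan_ptr": [], "unexplained": []}
    for remote, name, proto in records:
        ip = ptr_to_ip(name) if proto == "dns" else None
        if ip is not None:
            bucket = "ptr_for_connection" if ip in connected_ips else "orphan_ptr"
            out[bucket].append(name)
        elif in_baseline(name):
            out["baseline"].append(name)
        else:
            out["unexplained"].append((remote, name, proto))
    return out


if __name__ == "__main__":
    for bucket, items in triage_network(RECORDS).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```

Orphan PTR lookups are worth keeping in the report even though they are not sample activity: they usually come from the guest's own services resolving addresses they were given elsewhere, and a sample that does trigger reverse lookups (for instance by calling gethostbyaddr on a C2 address) would show up in this bucket with an address you can then search the capture for.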

    MITRE ATT&CK Enterprise v15

    • Discovery: System Location Discovery: System Language Discovery (T1614.001), from the signature listed above
