Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
99s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
01/02/2025, 17:20 UTC
Static task
static1
Behavioral task
behavioral1
Sample
ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe
Resource
win10v2004-20250129-en
General
-
Target
ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe
-
Size
962KB
-
MD5
2626b7755d40d743f55c7580a1beb8b0
-
SHA1
e3771299ec9da3c6ed2ee23ebf509e08fbd1237f
-
SHA256
ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0
-
SHA512
1a5df2f2c182601716575f12ea0bc6a677500e9c8a962b442bd1d31c35a6a287c790061b2071ffac31ebf94a138b0e3d6c8ef53b0cd424faa5a7e63259732e05
-
SSDEEP
24576:Jt24wfvf7a8DPw67oc1xuzoVF5r5QAwFv0XcI:1ef7aD6Ffuw7B2fI
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload 3 IoCs
resource yara_rule behavioral1/memory/2760-30-0x0000000000400000-0x0000000000442000-memory.dmp family_isrstealer behavioral1/memory/2760-50-0x0000000000400000-0x0000000000442000-memory.dmp family_isrstealer behavioral1/memory/2760-51-0x0000000000400000-0x0000000000442000-memory.dmp family_isrstealer -
Isrstealer family
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" java.com Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" java.com Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" java.com Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" java.com Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" java.com Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" java.com Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" java.com Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" java.com -
Detected Nirsoft tools 5 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral1/memory/1552-49-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft behavioral1/memory/1436-76-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft behavioral1/memory/1752-96-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft behavioral1/memory/2856-115-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft behavioral1/memory/1240-128-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft -
NirSoft MailPassView 5 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/1552-49-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView behavioral1/memory/1436-76-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView behavioral1/memory/1752-96-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView behavioral1/memory/2856-115-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView behavioral1/memory/1240-128-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView -
Executes dropped EXE 9 IoCs
pid Process 2260 java.com 2900 java.com 2104 java.com 1656 java.com 2528 java.com 2344 java.com 1072 java.com 1108 java.com 796 java.com -
Loads dropped DLL 12 IoCs
pid Process 1664 ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe 1664 ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe 1664 ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe 1664 ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe 1688 WScript.exe 3044 WScript.exe 1256 WScript.exe 2612 WScript.exe 2952 WScript.exe 2416 WScript.exe 1584 WScript.exe 1700 WScript.exe -
Accesses Microsoft Outlook accounts 1 TTPs 7 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts RegSvcs.exe -
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs" java.com Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs" java.com Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs" java.com Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs" java.com Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs" java.com Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs" java.com Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs" java.com Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs" java.com -
Checks whether UAC is enabled 1 TTPs 8 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA java.com Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA java.com Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA java.com Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA java.com Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA java.com Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA java.com Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA java.com Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA java.com -
Suspicious use of SetThreadContext 21 IoCs
description pid Process procid_target PID 2260 set thread context of 2760 2260 java.com 31 PID 2760 set thread context of 1092 2760 RegSvcs.exe 33 PID 2760 set thread context of 1552 2760 RegSvcs.exe 35 PID 2104 set thread context of 2320 2104 java.com 41 PID 2320 set thread context of 2276 2320 RegSvcs.exe 42 PID 2320 set thread context of 1436 2320 RegSvcs.exe 43 PID 1656 set thread context of 2544 1656 java.com 47 PID 2544 set thread context of 812 2544 RegSvcs.exe 48 PID 2544 set thread context of 1752 2544 RegSvcs.exe 49 PID 2528 set thread context of 3028 2528 java.com 53 PID 3028 set thread context of 3024 3028 RegSvcs.exe 54 PID 3028 set thread context of 2856 3028 RegSvcs.exe 55 PID 2344 set thread context of 876 2344 java.com 59 PID 876 set thread context of 656 876 RegSvcs.exe 60 PID 876 set thread context of 1240 876 RegSvcs.exe 61 PID 1072 set thread context of 2260 1072 java.com 64 PID 2260 set thread context of 1844 2260 RegSvcs.exe 65 PID 2260 set thread context of 2932 2260 RegSvcs.exe 66 PID 1108 set thread context of 1560 1108 java.com 70 PID 1560 set thread context of 2276 1560 RegSvcs.exe 71 PID 1560 set thread context of 984 1560 RegSvcs.exe 72 -
resource yara_rule behavioral1/memory/1092-36-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/1092-39-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/1092-38-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/1092-37-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/1552-46-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/1552-48-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/1552-47-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/1552-49-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/2276-68-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2276-69-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2276-70-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/1436-76-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/1436-75-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/1436-74-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/812-88-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/812-89-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/812-90-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/1752-95-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/1752-96-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/3024-107-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/3024-108-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/3024-109-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2856-115-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/2856-114-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/1240-126-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/1240-127-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/1240-128-0x0000000000400000-0x000000000041F000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 37 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language java.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language java.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language java.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language java.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language java.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language java.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language java.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language java.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language java.com -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2260 java.com 2900 java.com 2900 java.com 2900 java.com 2900 java.com 2900 java.com 2900 java.com -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2260 java.com Token: SeDebugPrivilege 2900 java.com Token: SeDebugPrivilege 2900 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 2104 java.com Token: SeDebugPrivilege 1656 java.com Token: SeDebugPrivilege 1656 java.com Token: SeDebugPrivilege 1656 java.com Token: SeDebugPrivilege 1656 java.com Token: SeDebugPrivilege 1656 java.com Token: SeDebugPrivilege 1656 java.com Token: SeDebugPrivilege 1656 java.com Token: SeDebugPrivilege 1656 java.com Token: SeDebugPrivilege 1656 java.com Token: SeDebugPrivilege 1656 java.com Token: SeDebugPrivilege 1656 java.com Token: SeDebugPrivilege 1656 java.com Token: SeDebugPrivilege 1656 java.com Token: SeDebugPrivilege 1656 java.com -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2760 RegSvcs.exe 2320 RegSvcs.exe 2544 RegSvcs.exe 3028 RegSvcs.exe 876 RegSvcs.exe 2260 RegSvcs.exe 1560 RegSvcs.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1664 wrote to memory of 2260 1664 ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe 30 PID 1664 wrote to memory of 2260 1664 ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe 30 PID 1664 wrote to memory of 2260 1664 ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe 30 PID 1664 wrote to memory of 2260 1664 ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe 30 PID 1664 wrote to memory of 2260 1664 ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe 30 PID 1664 wrote to memory of 2260 1664 ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe 30 PID 1664 wrote to memory of 2260 1664 ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe 30 PID 2260 wrote to memory of 2760 2260 java.com 31 PID 2260 wrote to memory of 2760 2260 java.com 31 PID 2260 wrote to memory of 2760 2260 java.com 31 PID 2260 wrote to memory of 2760 2260 java.com 31 PID 2260 wrote to memory of 2760 2260 java.com 31 PID 2260 wrote to memory of 2760 2260 java.com 31 PID 2260 wrote to memory of 2760 2260 java.com 31 PID 2260 wrote to memory of 2760 2260 java.com 31 PID 2260 wrote to memory of 2760 2260 java.com 31 PID 2760 wrote to memory of 1092 2760 RegSvcs.exe 33 PID 2760 wrote to memory of 1092 2760 RegSvcs.exe 33 PID 2760 wrote to memory of 1092 2760 RegSvcs.exe 33 PID 2760 wrote to memory of 1092 2760 RegSvcs.exe 33 PID 2760 wrote to memory of 1092 2760 RegSvcs.exe 33 PID 2760 wrote to memory of 1092 2760 RegSvcs.exe 33 PID 2760 wrote to memory of 1092 2760 RegSvcs.exe 33 PID 2760 wrote to memory of 1092 2760 RegSvcs.exe 33 PID 2760 wrote to memory of 1092 2760 RegSvcs.exe 33 PID 2760 wrote to memory of 1092 2760 RegSvcs.exe 33 PID 2760 wrote to memory of 1092 2760 RegSvcs.exe 33 PID 2760 wrote to memory of 1092 2760 RegSvcs.exe 33 PID 2760 wrote to memory of 1552 2760 RegSvcs.exe 35 PID 2760 wrote to memory of 1552 2760 RegSvcs.exe 35 PID 2760 wrote to memory of 1552 2760 RegSvcs.exe 35 PID 2760 wrote to memory of 1552 2760 RegSvcs.exe 35 PID 2760 wrote to memory of 1552 2760 RegSvcs.exe 35 PID 2760 wrote to memory of 1552 2760 RegSvcs.exe 35 PID 2760 wrote to memory of 1552 2760 RegSvcs.exe 35 PID 2760 wrote to memory of 1552 2760 RegSvcs.exe 35 PID 2760 wrote to memory of 1552 2760 RegSvcs.exe 35 PID 2760 wrote to memory of 1552 2760 RegSvcs.exe 35 PID 2760 wrote to memory of 1552 2760 RegSvcs.exe 35 PID 2760 wrote to memory of 1552 2760 RegSvcs.exe 35 PID 2260 wrote to memory of 1688 2260 java.com 36 PID 2260 wrote to memory of 1688 2260 java.com 36 PID 2260 wrote to memory of 1688 2260 java.com 36 PID 2260 wrote to memory of 1688 2260 java.com 36 PID 2260 wrote to memory of 1688 2260 java.com 36 PID 2260 wrote to memory of 1688 2260 java.com 36 PID 2260 wrote to memory of 1688 2260 java.com 36 PID 1688 wrote to memory of 2900 1688 WScript.exe 37 PID 1688 wrote to memory of 2900 1688 WScript.exe 37 PID 1688 wrote to memory of 2900 1688 WScript.exe 37 PID 1688 wrote to memory of 2900 1688 WScript.exe 37 PID 1688 wrote to memory of 2900 1688 WScript.exe 37 PID 1688 wrote to memory of 2900 1688 WScript.exe 37 PID 1688 wrote to memory of 2900 1688 WScript.exe 37 PID 2900 wrote to memory of 2932 2900 java.com 38 PID 2900 wrote to memory of 2932 2900 java.com 38 PID 2900 wrote to memory of 2932 2900 java.com 38 PID 2900 wrote to memory of 2932 2900 java.com 38 PID 2900 wrote to memory of 2932 2900 java.com 38 PID 2900 wrote to memory of 2932 2900 java.com 38 PID 2900 wrote to memory of 2932 2900 java.com 38 PID 2900 wrote to memory of 3044 2900 java.com 39 PID 2900 wrote to memory of 3044 2900 java.com 39 PID 2900 wrote to memory of 3044 2900 java.com 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe"C:\Users\Admin\AppData\Local\Temp\ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Users\Admin\2j3ttgc8z87nhh\java.com"C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\2IcmWcXXue.ini"4⤵
- System Location Discovery: System Language Discovery
PID:1092
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\OXZweVZVa6.ini"4⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:1552
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Users\Admin\2j3ttgc8z87nhh\java.com"C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"5⤵PID:2932
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Users\Admin\2j3ttgc8z87nhh\java.com"C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG6⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2104 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"7⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2320 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\uebhBN5X4e.ini"8⤵
- System Location Discovery: System Language Discovery
PID:2276
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\FQSdUFcQTR.ini"8⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:1436
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"7⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1256 -
C:\Users\Admin\2j3ttgc8z87nhh\java.com"C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG8⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1656 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"9⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2544 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\G0HJNgQeIQ.ini"10⤵
- System Location Discovery: System Language Discovery
PID:812
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\8U6ATX7tA5.ini"10⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:1752
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"9⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Users\Admin\2j3ttgc8z87nhh\java.com"C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG10⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"11⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3028 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\5PLH0CfaVf.ini"12⤵
- System Location Discovery: System Language Discovery
PID:3024
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\fljrbSLKZh.ini"12⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:2856
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"11⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Users\Admin\2j3ttgc8z87nhh\java.com"C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG12⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"13⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:876 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\ORPg2Il7PP.ini"14⤵PID:656
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\VdvyJGCwHx.ini"14⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:1240
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Users\Admin\2j3ttgc8z87nhh\java.com"C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG14⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1072 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"15⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2260 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\ULEa6mMFIu.ini"16⤵
- System Location Discovery: System Language Discovery
PID:1844
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\lVPG7j6FKy.ini"16⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:2932
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"15⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Users\Admin\2j3ttgc8z87nhh\java.com"C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG16⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1108 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"17⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1560 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\Swpbkr1YZd.ini"18⤵PID:2276
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\nlaq7a1444.ini"18⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:984
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"17⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Users\Admin\2j3ttgc8z87nhh\java.com"C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:796
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175B
MD58f44d5f1c08fd7351d73a3daca2bbfd0
SHA1e8e669b9fa500019b7b87fdb363e9036f8417531
SHA2560a90c52851b8e20c3fb985c7ab763a61b9b94d9423ad893132ec0f794fe6faf1
SHA512fc610f4be75b452a1e146e8d166f25a8c74402b2abac15206a61c53b1eb2d64eb6dcae56da02388581fbaeac965f9144ff23dcec863415dd5f6eeebb7d7fbca0
-
Filesize
260KB
MD5887bfe186323191177fcc1d92fe45aba
SHA107edd3c86a74c0a96d4a715761bd35531d716c92
SHA2560c0d3f3782b615900301db24caa9351ff7decf3f9ce3eb1577c17dda4ab59d1e
SHA512d9483090b49afc0ab4ec60aac56500fcb60411759d0b94db199e586b530939891f321390c99efddd518d4b873391e144bcb26deb7ea672aec5f1882ae4d3c2b4
-
Filesize
90B
MD5b67f9f21ffe6ce14e34a3faa763e3d7e
SHA1283811a92820f5558632e2f7eabf4deb198fd131
SHA2563baee1be372ff258064ab7fd2f72b7330d933160ad3829bcc51782b9d82a5b0c
SHA512445e9ab432136848c4df6d085899336e89b171bd0497fe08aac49e955be24807a5497682d97169f2d0d785c5d93d75da338c70fc7657f5775d3efbcc83c70c9e
-
Filesize
30.9MB
MD5b809efdf2ec2751251cb835183d82bb5
SHA132cd37d5bbe861d9d7c7044b98c1c2e9312128f6
SHA256887b5699fc70c681821d92f2e2937696ce68b98277771e9057320278d24aa931
SHA512752b1ef10868105741d94c32e8053e6131ee4f3a37feda8453b5fd9e35649fd0f400848cfda665c230d81d7a6141313b6035bc5f46d8086e33cb6ac863e97be6
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize
912KB
MD56a93a4071cc7c22628af40a4d872f49b
SHA1ba916e686aa0cae19ab907bdab94924ada92b5f4
SHA2568465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01
SHA5125a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd