Analysis
- max time kernel: 59s
- max time network: 61s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/02/2025, 14:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: AppSetup(Val0Updated).rar
- Resource: win10v2004-20250129-en
General
- Target: AppSetup(Val0Updated).rar
- Size: 79.7MB
- MD5: b254b2593bebe886a63cb85f852d0e68
- SHA1: 0de3dd2f71ad561f35e790aeb875af584a4535fa
- SHA256: 52ee0e34f2e2c814ceb5b59b6fdf9b6f7a86d097e76e73a92085304f62044678
- SHA512: 45b79a11fb6b96ce0f5243d50cd9287dc80c73d8f9d3875fcc06908ad069ac310aacd992d13347ebcdc067c6e36ce329216fb7a5a509e7bd8fbc94416696cdd2
- SSDEEP: 1572864:MVieG6yP2+5w0fZJVHO5nhVKGPQWtDrKwCn0wZaeAfRvDPi51tfcQFIMQ:0ieG6ypu0fjVHuVnRDrKfHVAfBDPiLib
Malware Config
Signatures
- Detects Rhadamanthys payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/3300-244-0x0000000000400000-0x0000000000481000-memory.dmp  Rhadamanthys_v8
  behavioral1/memory/3300-245-0x0000000000400000-0x0000000000481000-memory.dmp  Rhadamanthys_v8
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Rhadamanthys family
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description            pid   Process      procid_target
  PID 3300 created 2688  3300  MSBuild.exe  47
- Checks computer location settings (2 TTPs, 4 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation  App_Setup.tmp
  Key value queried  \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation  App_Setup.tmp
  Key value queried  \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation  App_Setup.tmp
  Key value queried  \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation  scanner.exe
- Executes dropped EXE (15 IoCs)
  pid   Process
  2856  App_Setup.exe
  3108  App_Setup.tmp
  4848  App_Setup.exe
  3068  App_Setup.tmp
  3052  App_Setup.exe
  2364  App_Setup.tmp
  1456  App_Setup.exe
  3616  App_Setup.tmp
  3664  App_Setup.exe
  3988  App_Setup.tmp
  1636  App_Setup.exe
  4992  App_Setup.tmp
  3288  scanner.exe
  888   scanner.exe
  3612  scanner.exe
- Loads dropped DLL (12 IoCs)
  pid   Process
  3108  App_Setup.tmp
  3108  App_Setup.tmp
  3068  App_Setup.tmp
  3068  App_Setup.tmp
  2364  App_Setup.tmp
  2364  App_Setup.tmp
  3616  App_Setup.tmp
  3616  App_Setup.tmp
  3988  App_Setup.tmp
  3988  App_Setup.tmp
  4992  App_Setup.tmp
  4992  App_Setup.tmp
- Enumerates processes with tasklist (1 TTP, 12 IoCs)
  pid   Process
  1988  tasklist.exe
  2872  tasklist.exe
  1828  tasklist.exe
  1128  tasklist.exe
  2968  tasklist.exe
  392   tasklist.exe
  64    tasklist.exe
  5076  tasklist.exe
  3048  tasklist.exe
  1764  tasklist.exe
  2548  tasklist.exe
  3860  tasklist.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process      procid_target
  PID 3612 set thread context of 3300  3612  scanner.exe  170
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  4232  3300        WerFault.exe  170
- System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  App_Setup.tmp
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  scanner.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  scanner.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  scanner.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSBuild.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  App_Setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  App_Setup.tmp
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  App_Setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  App_Setup.tmp
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  App_Setup.tmp
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  App_Setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  App_Setup.tmp
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  App_Setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  App_Setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  App_Setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  App_Setup.tmp
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  4752  cmd.exe
  4528  PING.EXE
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description        ioc                                                                                                                                                 Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                                  taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                                     taskmgr.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                           Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      scanner.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  scanner.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid   Process
  4528  PING.EXE
- Suspicious behavior: EnumeratesProcesses (58 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  4368  7zFM.exe
- Suspicious use of AdjustPrivilegeToken (22 IoCs)
  description                        pid   Process
  Token: SeRestorePrivilege          4368  7zFM.exe
  Token: 35                          4368  7zFM.exe
  Token: SeSecurityPrivilege         4368  7zFM.exe
  Token: SeSecurityPrivilege         4368  7zFM.exe
  Token: SeDebugPrivilege            2872  tasklist.exe
  Token: SeDebugPrivilege            1828  tasklist.exe
  Token: SeDebugPrivilege            1128  tasklist.exe
  Token: SeSecurityPrivilege         4368  7zFM.exe
  Token: SeDebugPrivilege            2968  tasklist.exe
  Token: SeDebugPrivilege            392   tasklist.exe
  Token: SeDebugPrivilege            5076  tasklist.exe
  Token: SeDebugPrivilege            3048  tasklist.exe
  Token: SeDebugPrivilege            1764  tasklist.exe
  Token: SeDebugPrivilege            2548  tasklist.exe
  Token: SeDebugPrivilege            3860  tasklist.exe
  Token: SeDebugPrivilege            1988  tasklist.exe
  Token: SeDebugPrivilege            64    tasklist.exe
  Token: SeDebugPrivilege            3088  taskmgr.exe
  Token: SeSystemProfilePrivilege    3088  taskmgr.exe
  Token: SeCreateGlobalPrivilege     3088  taskmgr.exe
  Token: 33                          3088  taskmgr.exe
  Token: SeIncBasePriorityPrivilege  3088  taskmgr.exe
- Suspicious use of FindShellTrayWindow (39 IoCs)
- Suspicious use of SendNotifyMessage (31 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2688
  - C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\System32\svchost.exe"
    PID: 1112
    Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
- C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AppSetup(Val0Updated).rar"
  PID: 4368
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zO011377E7\App_Setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO011377E7\App_Setup.exe"
    PID: 2856
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\is-TDVQU.tmp\App_Setup.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-TDVQU.tmp\App_Setup.tmp" /SL5="$80206,8476246,845824,C:\Users\Admin\AppData\Local\Temp\7zO011377E7\App_Setup.exe"
      PID: 3108
      Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\7zO011377E7\App_Setup.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zO011377E7\App_Setup.exe" /VERYSILENT
        PID: 4848
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\is-S7J0O.tmp\App_Setup.tmp
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-S7J0O.tmp\App_Setup.tmp" /SL5="$90206,8476246,845824,C:\Users\Admin\AppData\Local\Temp\7zO011377E7\App_Setup.exe" /VERYSILENT
          PID: 3068
          Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
          - C:\Windows\system32\cmd.exe
            Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
            PID: 588
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\tasklist.exe
              Command line: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
              PID: 2872
              Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\find.exe
              Command line: find /I "wrsa.exe"
              PID: 1692
          - C:\Windows\system32\cmd.exe
            Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
            PID: 2812
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\tasklist.exe
              Command line: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
              PID: 1828
              Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\find.exe
              Command line: find /I "opssvc.exe"
              PID: 3140
          - C:\Windows\system32\cmd.exe
            Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
            PID: 2884
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\tasklist.exe
              Command line: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
              PID: 1128
              Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\find.exe
              Command line: find /I "avastui.exe"
              PID: 2320
          - C:\Windows\system32\cmd.exe
            Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
            PID: 2408
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\tasklist.exe
              Command line: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
              PID: 2968
              Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\find.exe
              Command line: find /I "avgui.exe"
              PID: 1112
          - C:\Windows\system32\cmd.exe
            Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
            PID: 748
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\tasklist.exe
              Command line: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
              PID: 392
              Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\find.exe
              Command line: find /I "nswscsvc.exe"
              PID: 1848
          - C:\Windows\system32\cmd.exe
            Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
            PID: 2100
            - C:\Windows\system32\tasklist.exe
              Command line: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
              PID: 5076
              Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\find.exe
              Command line: find /I "sophoshealth.exe"
              PID: 2292
          - C:\Users\Admin\AppData\Roaming\mkvtoolnix\scanner.exe
            Command line: "C:\Users\Admin\AppData\Roaming\mkvtoolnix\\scanner.exe" "C:\Users\Admin\AppData\Roaming\mkvtoolnix\\deambulatory.eml"
            PID: 3288
            Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery
            - C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && scanner.exe C:\ProgramData\\1nfdXZ.a3x && del C:\ProgramData\\1nfdXZ.a3x
              PID: 4752
              Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery
              - C:\Windows\SysWOW64\PING.EXE
                Command line: ping -n 5 127.0.0.1
                PID: 4528
                Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
              - C:\Users\Admin\AppData\Roaming\mkvtoolnix\scanner.exe
                Command line: scanner.exe C:\ProgramData\\1nfdXZ.a3x
                PID: 3612
                Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Checks processor information in registry
                - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  PID: 4544
                - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  PID: 3300
                  Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
                  - C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 388
                    PID: 4232
                    Signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\7zO011AA918\App_Setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO011AA918\App_Setup.exe"
    PID: 3052
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\is-ETM9E.tmp\App_Setup.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-ETM9E.tmp\App_Setup.tmp" /SL5="$40210,8476246,845824,C:\Users\Admin\AppData\Local\Temp\7zO011AA918\App_Setup.exe"
      PID: 2364
      Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\7zO011AA918\App_Setup.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zO011AA918\App_Setup.exe" /VERYSILENT
        PID: 1456
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\is-OIVS6.tmp\App_Setup.tmp
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-OIVS6.tmp\App_Setup.tmp" /SL5="$7026E,8476246,845824,C:\Users\Admin\AppData\Local\Temp\7zO011AA918\App_Setup.exe" /VERYSILENT
          PID: 3616
          Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow
          - C:\Windows\system32\cmd.exe
            Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
            PID: 760
            - C:\Windows\system32\tasklist.exe
              Command line: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
              PID: 3048
              Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\find.exe
              Command line: find /I "wrsa.exe"
              PID: 4836
          - C:\Windows\system32\cmd.exe
            Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
            PID: 3612
            - C:\Windows\system32\tasklist.exe
              Command line: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
              PID: 1764
              Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\find.exe
              Command line: find /I "opssvc.exe"
              PID: 4828
          - C:\Windows\system32\cmd.exe
            Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
            PID: 1940
            - C:\Windows\system32\tasklist.exe
              Command line: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
              PID: 2548
              Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\find.exe
              Command line: find /I "avastui.exe"
              PID: 4688
          - C:\Windows\system32\cmd.exe
            Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
            PID: 4484
            - C:\Windows\system32\tasklist.exe
              Command line: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
              PID: 3860
              Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\find.exe
              Command line: find /I "avgui.exe"
              PID: 3168
          - C:\Windows\system32\cmd.exe
            Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
            PID: 4548
            - C:\Windows\system32\tasklist.exe
              Command line: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
              PID: 1988
              Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\find.exe
              Command line: find /I "nswscsvc.exe"
              PID: 648
          - C:\Windows\system32\cmd.exe
            Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
            PID: 4884
            - C:\Windows\system32\tasklist.exe
              Command line: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
              PID: 64
              Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\find.exe
              Command line: find /I "sophoshealth.exe"
              PID: 4268
          - C:\Users\Admin\AppData\Roaming\mkvtoolnix\scanner.exe
            Command line: "C:\Users\Admin\AppData\Roaming\mkvtoolnix\\scanner.exe" "C:\Users\Admin\AppData\Roaming\mkvtoolnix\\deambulatory.eml"
            PID: 888
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\7zO011F6D18\App_Setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO011F6D18\App_Setup.exe"
    PID: 3664
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\is-5F99N.tmp\App_Setup.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-5F99N.tmp\App_Setup.tmp" /SL5="$202CC,8476246,845824,C:\Users\Admin\AppData\Local\Temp\7zO011F6D18\App_Setup.exe"
      PID: 3988
      Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\7zO011F6D18\App_Setup.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zO011F6D18\App_Setup.exe" /VERYSILENT
        PID: 1636
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\is-14O7O.tmp\App_Setup.tmp
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-14O7O.tmp\App_Setup.tmp" /SL5="$302CC,8476246,845824,C:\Users\Admin\AppData\Local\Temp\7zO011F6D18\App_Setup.exe" /VERYSILENT
          PID: 4992
          Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 3088
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3300 -ip 3300
  PID: 3168
Network
MITRE ATT&CK Enterprise v15
Discovery
- Peripheral Device Discovery (1)
- Process Discovery (1)
- Query Registry (3)
- Remote System Discovery (1)
- System Information Discovery (4)
- System Location Discovery (1)
- System Language Discovery (1)
- System Network Configuration Discovery (1)
- Internet Connection Discovery (1)
Downloads