Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 239s
max time network: 245s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 08/02/2025, 13:26

Static task: static1

Behavioral task: behavioral1
  Sample: рат 3 стадия.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: рат 3 стадия.exe
  Resource: win10v2004-20250129-en

General
Target: рат 3 стадия.exe
Size: 11.3MB
MD5: 27d9f65b4d7ea7f8dc76517c634be635
SHA1: 4baa5a473b5780ba33e749e43ef7363464bf6968
SHA256: 4012e6a5c71823bebc6e0992ff1415cf04ef4a5ddb93233dd6b867fc1a907c6f
SHA512: b90fd210c34da79d1d7d526b1e8178c1e7fb0e5a1550eacec3492bf5843073edaa0369f7a0c81ab0996c88a20c742e385bace606b404caa5c513cbf1af68f9cc
SSDEEP: 196608:Zqwdlup6/j7AGXyaP+RtZoPlbxfxKLZtz4uIZoGSV1gJCUepeNxJvLW7snujIvgB:xup6lXeY5ol4uIZoG0dUQeN71ucvgB99
Malware Config
Signatures

Njrat family

Stops running service(s) 4 TTPs

Drops startup file 2 IoCs
  description                   ioc                                                                                                                Process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0df0fb8528c3682ecb940bc2e38a6ae.exe  ASIO Plugin.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0df0fb8528c3682ecb940bc2e38a6ae.exe  ASIO Plugin.exe

Executes dropped EXE 7 IoCs
  pid   Process
  2528  SCAN_MINECRAFT_F.exe
  2948  RTP_Launcher.exe
  2780  Payload.sfx.exe
  2316  Payload.exe
  3008  SCAN_MINECRAFT_F.exe
  1992  ASIO Plugin.exe
  3032  5b8f934b5e454649be5c76f6e9222c0c.exe

Loads dropped DLL 17 IoCs
  pid   Process
  2320  рат 3 стадия.exe
  2832  Process not Found
  2320  рат 3 стадия.exe
  2948  RTP_Launcher.exe
  3008  SCAN_MINECRAFT_F.exe (10 entries)
  2316  Payload.exe
  1992  ASIO Plugin.exe (2 entries)

Adds Run key to start application 2 TTPs 2 IoCs
  description      ioc                                                                                                                                                                                                         Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\d0df0fb8528c3682ecb940bc2e38a6ae = "\"C:\\Users\\Admin\\AppData\\Roaming\\ASIO Plugin.exe\" .."  ASIO Plugin.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d0df0fb8528c3682ecb940bc2e38a6ae = "\"C:\\Users\\Admin\\AppData\\Roaming\\ASIO Plugin.exe\" .."                                 ASIO Plugin.exe

Command and Scripting Interpreter: PowerShell 1 IoCs
  pid   Process
  2276  powershell.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
  pid   Process
  2376  sc.exe
  1744  sc.exe
  1712  sc.exe

Detects Pyinstaller 1 IoCs
  resource                                    yara_rule
  behavioral1/files/0x0008000000019470-5.dat  pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Payload.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ASIO Plugin.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  attrib.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2456  cmd.exe
  2292  PING.EXE

Runs ping.exe 1 TTPs 1 IoCs
  pid   Process
  2292  PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1328  schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   Process
  2264  taskmgr.exe (9 entries)
  2276  powershell.exe
  2264  taskmgr.exe (3 entries)
  1992  ASIO Plugin.exe (51 entries)

Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  pid   Process
  2264  taskmgr.exe
  1992  ASIO Plugin.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs
  description                        pid   Process
  Token: SeDebugPrivilege            2264  taskmgr.exe
  Token: SeDebugPrivilege            2276  powershell.exe
  Token: SeDebugPrivilege            1992  ASIO Plugin.exe
  Token: 33                          1992  ASIO Plugin.exe (24 entries, alternating with the row below)
  Token: SeIncBasePriorityPrivilege  1992  ASIO Plugin.exe (24 entries)

Suspicious use of FindShellTrayWindow 24 IoCs
  pid   Process
  2264  taskmgr.exe (24 entries)

Suspicious use of SendNotifyMessage 24 IoCs
  pid   Process
  2264  taskmgr.exe (24 entries)

Suspicious use of WriteProcessMemory 64 IoCs
  description                       pid   Process               procid_target
  PID 2320 wrote to memory of 2528  2320  рат 3 стадия.exe      29  (3 entries)
  PID 2320 wrote to memory of 2948  2320  рат 3 стадия.exe      31  (3 entries)
  PID 2948 wrote to memory of 2780  2948  RTP_Launcher.exe      32  (3 entries)
  PID 2780 wrote to memory of 2316  2780  Payload.sfx.exe       33  (4 entries)
  PID 2528 wrote to memory of 3008  2528  SCAN_MINECRAFT_F.exe  34  (3 entries)
  PID 2316 wrote to memory of 1992  2316  Payload.exe           35  (4 entries)
  PID 1992 wrote to memory of 704   1992  ASIO Plugin.exe       37  (4 entries)
  PID 1992 wrote to memory of 2636  1992  ASIO Plugin.exe       39  (4 entries)
  PID 2636 wrote to memory of 2276  2636  cmd.exe               41  (4 entries)
  PID 1992 wrote to memory of 288   1992  ASIO Plugin.exe       42  (4 entries)
  PID 288 wrote to memory of 2376   288   cmd.exe               44  (4 entries)
  PID 1992 wrote to memory of 688   1992  ASIO Plugin.exe       45  (4 entries)
  PID 688 wrote to memory of 1744   688   cmd.exe               47  (4 entries)
  PID 1992 wrote to memory of 1760  1992  ASIO Plugin.exe       48  (4 entries)
  PID 1760 wrote to memory of 1712  1760  cmd.exe               50  (4 entries)
  PID 1992 wrote to memory of 1656  1992  ASIO Plugin.exe       51  (4 entries)
  PID 1992 wrote to memory of 1328  1992  ASIO Plugin.exe       53  (4 entries)

Views/modifies file attributes 1 TTPs 1 IoCs
  pid   Process
  704   attrib.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\рат 3 стадия.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\рат 3 стадия.exe"
  PID: 2320
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\SCAN_MINECRAFT_F.exe
    command line: "C:\Users\Admin\AppData\Roaming\SCAN_MINECRAFT_F.exe"
    PID: 2528
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\SCAN_MINECRAFT_F.exe
      command line: "C:\Users\Admin\AppData\Roaming\SCAN_MINECRAFT_F.exe"
      PID: 3008
      signatures: Executes dropped EXE; Loads dropped DLL
  - C:\Users\Admin\AppData\Roaming\RTP_Launcher.exe
    command line: "C:\Users\Admin\AppData\Roaming\RTP_Launcher.exe"
    PID: 2948
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Payload.sfx.exe
      command line: "C:\Users\Admin\AppData\Roaming\Payload.sfx.exe"
      PID: 2780
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Payload.exe
        command line: "C:\Users\Admin\AppData\Roaming\Payload.exe"
        PID: 2316
        signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\ASIO Plugin.exe
          command line: "C:\Users\Admin\AppData\Roaming\ASIO Plugin.exe"
          PID: 1992
          signatures: Drops startup file; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\attrib.exe
            command line: attrib +h "C:\Users\Admin\AppData\Roaming\ASIO Plugin.exe"
            PID: 704
            signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
          - C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
            PID: 2636
            signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
              PID: 2276
              signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c sc query windefend
            PID: 288
            signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\sc.exe
              command line: sc query windefend
              PID: 2376
              signatures: Launches sc.exe; System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c sc stop windefend
            PID: 688
            signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\sc.exe
              command line: sc stop windefend
              PID: 1744
              signatures: Launches sc.exe; System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c sc delete windefend
            PID: 1760
            signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\sc.exe
              command line: sc delete windefend
              PID: 1712
              signatures: Launches sc.exe; System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /delete /tn CleanSweepCheck /f
            PID: 1656
            signatures: System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Roaming\ASIO Plugin.exe
            PID: 1328
            signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
          - C:\Users\Admin\AppData\Local\Temp\5b8f934b5e454649be5c76f6e9222c0c.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\5b8f934b5e454649be5c76f6e9222c0c.exe"
            PID: 3032
            signatures: Executes dropped EXE
          - C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /delete /tn CleanSweepCheck /f
            PID: 2736
            signatures: System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\cmd.exe
            command line: cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Roaming\ASIO Plugin.exe"
            PID: 2456
            signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery
            - C:\Windows\SysWOW64\PING.EXE
              command line: ping 0 -n 2
              PID: 2292
              signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2264
  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 1928
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb9c9758,0x7fefb9c9768,0x7fefb9c9778
    PID: 1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 2688
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7c69758,0x7fef7c69768,0x7fef7c69778
    PID: 2396
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
  System Services (1)
    Service Execution (1)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Impair Defenses (1)
  Modify Registry (1)
Downloads