Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
1008751be484...2d.dll
windows7-x64
100a9f79abd4...51.exe
windows7-x64
30di3x.exe
windows7-x64
102019-09-02...10.exe
windows7-x64
102c01b00772...eb.exe
windows7-x64
731.exe
windows7-x64
103DMark 11 ...on.exe
windows7-x64
342f9729255...61.exe
windows7-x64
105da0116af4...18.exe
windows7-x64
769c56d12ed...6b.exe
windows7-x64
10905d572f23...50.exe
windows7-x64
10948340be97...54.exe
windows7-x64
1095560f1a46...f9.dll
windows7-x64
3Archive.zi...3e.exe
windows7-x64
8DiskIntern...en.exe
windows7-x64
3ForceOp 2....ce.exe
windows7-x64
7HYDRA.exe
windows7-x64
10KLwC6vii.exe
windows7-x64
1Keygen.exe
windows7-x64
10Lonelyscre...ox.exe
windows7-x64
3LtHv0O2KZDK4M637.exe
windows7-x64
10Magic_File...ja.exe
windows7-x64
3OnlineInstaller.exe
windows7-x64
8Remouse.Mi...cg.exe
windows7-x64
3SecuriteIn...dE.exe
windows7-x64
10SecuriteIn...ee.dll
windows7-x64
10SecurityTa...up.exe
windows7-x64
4Treasure.V...ox.exe
windows7-x64
3VyprVPN.exe
windows7-x64
10WSHSetup[1].exe
windows7-x64
3Yard.dll
windows7-x64
10b2bd3de3e5...2).exe
windows7-x64
10Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11/02/2025, 00:12
Static task
static1
Behavioral task
behavioral1
Sample
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Resource
win7-20240729-en
Behavioral task
behavioral3
Sample
0di3x.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
2019-09-02_22-41-10.exe
Resource
win7-20240729-en
Behavioral task
behavioral5
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
31.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
3DMark 11 Advanced Edition.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
42f972925508a82236e8533567487761.exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Resource
win7-20240729-en
Behavioral task
behavioral11
Sample
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
Resource
win7-20240729-en
Behavioral task
behavioral13
Sample
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win7-20241010-en
Behavioral task
behavioral15
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win7-20241010-en
Behavioral task
behavioral17
Sample
HYDRA.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
KLwC6vii.exe
Resource
win7-20240729-en
Behavioral task
behavioral19
Sample
Keygen.exe
Resource
win7-20240729-en
Behavioral task
behavioral20
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
LtHv0O2KZDK4M637.exe
Resource
win7-20240729-en
Behavioral task
behavioral22
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win7-20240903-en
Behavioral task
behavioral23
Sample
OnlineInstaller.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
SecuriteInfo.com.Generic.mg.cde56cf0169830ee.dll
Resource
win7-20241010-en
Behavioral task
behavioral27
Sample
SecurityTaskManager_Setup.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Resource
win7-20241010-en
Behavioral task
behavioral29
Sample
VyprVPN.exe
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
WSHSetup[1].exe
Resource
win7-20240729-en
Behavioral task
behavioral31
Sample
Yard.dll
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (2).exe
Resource
win7-20240729-en
General
-
Target
HYDRA.exe
-
Size
2.6MB
-
MD5
c52bc39684c52886712971a92f339b23
-
SHA1
c5cb39850affb7ed322bfb0a4900e17c54f95a11
-
SHA256
f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d
-
SHA512
2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b
-
SSDEEP
49152:HnUXzRe4cjAx+L/G/3JHQZutOnmSzZniyui0EJHezdcc/DK9kTO1S:HUD8djA0LOvJdtOmSlniyuiPFePmS61S
Malware Config
Extracted
smokeloader
2017
http://92.53.105.14/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Smokeloader family
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudo.vbs va.exe -
Executes dropped EXE 10 IoCs
pid Process 1868 yaya.exe 2316 va.exe 272 ufx.exe 1584 sant.exe 2724 power.exe 2940 starter.exe 1764 usc.exe 408 services.exe 2116 services.exe 1608 foxcon.exe -
Loads dropped DLL 12 IoCs
pid Process 2088 HYDRA.exe 2088 HYDRA.exe 2088 HYDRA.exe 2088 HYDRA.exe 2088 HYDRA.exe 2088 HYDRA.exe 2088 HYDRA.exe 1868 yaya.exe 2088 HYDRA.exe 272 ufx.exe 272 ufx.exe 272 ufx.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum sant.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 sant.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT foxcon.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT foxcon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language usc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sant.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ufx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language power.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SCHTASKS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HYDRA.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yaya.exe -
Modifies data under HKEY_USERS 21 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\FoxCond\{1945BBS40-8571-3DA1-BB29-HYDRA7A11A1E} = "C:\\Windows\\Temp\\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\\services.exe" services.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" services.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run foxcon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System services.exe Key created \REGISTRY\USER\.DEFAULT\Software services.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion services.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies services.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\FoxCond\{1945BBS40-8571-3DA1-BB29-HYDRA7A11A1E} = "C:\\Windows\\Temp\\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\\services.exe" services.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows services.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System services.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ services.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus foxcon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Foxcon Service Control = "C:\\Windows\\TEMP\\foxcon.exe" foxcon.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" services.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\GDIPlus\FontCachePath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" foxcon.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft services.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" services.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Key created \REGISTRY\USER\.DEFAULT\Software\FoxCond services.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" services.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2872 SCHTASKS.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 2940 starter.exe 2940 starter.exe 2940 starter.exe 1584 sant.exe 1584 sant.exe 2940 starter.exe 2940 starter.exe 2940 starter.exe 1584 sant.exe 2116 services.exe 2940 starter.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1608 foxcon.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe 1584 sant.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 1584 sant.exe 1584 sant.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 1764 usc.exe Token: SeDebugPrivilege 2940 starter.exe Token: SeDebugPrivilege 408 services.exe Token: SeDebugPrivilege 2116 services.exe Token: SeDebugPrivilege 1608 foxcon.exe Token: SeDebugPrivilege 2356 powershell.exe -
Suspicious use of WriteProcessMemory 61 IoCs
description pid Process procid_target PID 2088 wrote to memory of 1868 2088 HYDRA.exe 30 PID 2088 wrote to memory of 1868 2088 HYDRA.exe 30 PID 2088 wrote to memory of 1868 2088 HYDRA.exe 30 PID 2088 wrote to memory of 1868 2088 HYDRA.exe 30 PID 2088 wrote to memory of 2316 2088 HYDRA.exe 31 PID 2088 wrote to memory of 2316 2088 HYDRA.exe 31 PID 2088 wrote to memory of 2316 2088 HYDRA.exe 31 PID 2088 wrote to memory of 2316 2088 HYDRA.exe 31 PID 2088 wrote to memory of 272 2088 HYDRA.exe 32 PID 2088 wrote to memory of 272 2088 HYDRA.exe 32 PID 2088 wrote to memory of 272 2088 HYDRA.exe 32 PID 2088 wrote to memory of 272 2088 HYDRA.exe 32 PID 2088 wrote to memory of 272 2088 HYDRA.exe 32 PID 2088 wrote to memory of 272 2088 HYDRA.exe 32 PID 2088 wrote to memory of 272 2088 HYDRA.exe 32 PID 2088 wrote to memory of 1584 2088 HYDRA.exe 33 PID 2088 wrote to memory of 1584 2088 HYDRA.exe 33 PID 2088 wrote to memory of 1584 2088 HYDRA.exe 33 PID 2088 wrote to memory of 1584 2088 HYDRA.exe 33 PID 1868 wrote to memory of 2940 1868 yaya.exe 35 PID 1868 wrote to memory of 2940 1868 yaya.exe 35 PID 1868 wrote to memory of 2940 1868 yaya.exe 35 PID 1868 wrote to memory of 2940 1868 yaya.exe 35 PID 2088 wrote to memory of 2724 2088 HYDRA.exe 34 PID 2088 wrote to memory of 2724 2088 HYDRA.exe 34 PID 2088 wrote to memory of 2724 2088 HYDRA.exe 34 PID 2088 wrote to memory of 2724 2088 HYDRA.exe 34 PID 272 wrote to memory of 1764 272 ufx.exe 37 PID 272 wrote to memory of 1764 272 ufx.exe 37 PID 272 wrote to memory of 1764 272 ufx.exe 37 PID 272 wrote to memory of 1764 272 ufx.exe 37 PID 272 wrote to memory of 1764 272 ufx.exe 37 PID 272 wrote to memory of 1764 272 ufx.exe 37 PID 272 wrote to memory of 1764 272 ufx.exe 37 PID 1764 wrote to memory of 2872 1764 usc.exe 38 PID 1764 wrote to memory of 2872 1764 usc.exe 38 PID 1764 wrote to memory of 2872 1764 usc.exe 38 PID 1764 wrote to memory of 2872 1764 usc.exe 38 PID 1764 wrote to memory of 2872 1764 usc.exe 38 PID 1764 wrote to memory of 2872 1764 usc.exe 38 PID 1764 wrote to memory of 2872 1764 usc.exe 38 PID 2940 wrote to memory of 2612 2940 starter.exe 40 PID 2940 wrote to memory of 2612 2940 starter.exe 40 PID 2940 wrote to memory of 2612 2940 starter.exe 40 PID 2612 wrote to memory of 2152 2612 csc.exe 42 PID 2612 wrote to memory of 2152 2612 csc.exe 42 PID 2612 wrote to memory of 2152 2612 csc.exe 42 PID 572 wrote to memory of 408 572 cmd.exe 48 PID 572 wrote to memory of 408 572 cmd.exe 48 PID 572 wrote to memory of 408 572 cmd.exe 48 PID 2116 wrote to memory of 1608 2116 services.exe 53 PID 2116 wrote to memory of 1608 2116 services.exe 53 PID 2116 wrote to memory of 1608 2116 services.exe 53 PID 2724 wrote to memory of 2356 2724 power.exe 56 PID 2724 wrote to memory of 2356 2724 power.exe 56 PID 2724 wrote to memory of 2356 2724 power.exe 56 PID 2724 wrote to memory of 2356 2724 power.exe 56 PID 1584 wrote to memory of 1536 1584 sant.exe 58 PID 1584 wrote to memory of 1536 1584 sant.exe 58 PID 1584 wrote to memory of 1536 1584 sant.exe 58 PID 1584 wrote to memory of 1536 1584 sant.exe 58
Processes
-
C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Users\Admin\AppData\Roaming\yaya.exeC:\Users\Admin\AppData\Roaming\yaya.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lo7wkema.cmdline"4⤵
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA71.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCA70.tmp"5⤵PID:2152
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:956
-
-
C:\Windows\System32\cmd.exe/K services.exe && clear4⤵PID:2964
-
-
C:\Windows\System32\cmd.exe/K services.exe && clear4⤵PID:2492
-
-
C:\Windows\System32\cmd.exe/K services.exe && clear4⤵
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exeservices.exe5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:408
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:1960
-
-
C:\Windows\System32\cmd.exenet localgroup administrators %username% /add4⤵PID:1544
-
-
-
-
C:\Users\Admin\AppData\Roaming\va.exeC:\Users\Admin\AppData\Roaming\va.exe2⤵
- Drops startup file
- Executes dropped EXE
PID:2316
-
-
C:\Users\Admin\AppData\Roaming\ufx.exeC:\Users\Admin\AppData\Roaming\ufx.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:272 -
C:\ProgramData\ucp\usc.exe"C:\ProgramData\ucp\usc.exe" /ucp/usc.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2872
-
-
-
-
C:\Users\Admin\AppData\Roaming\sant.exeC:\Users\Admin\AppData\Roaming\sant.exe2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:1536
-
-
-
C:\Users\Admin\AppData\Roaming\power.exeC:\Users\Admin\AppData\Roaming\power.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2356
-
-
-
C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exeC:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\TEMP\foxcon.exe"C:\Windows\TEMP\foxcon.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ee70e29d2db096c98276d191b6d1a07b
SHA11b265e31adcd3c50b350b8b83402eab7c71a5cb5
SHA2566983a61384cc010764de1c98b644a7012c7199c861d762978feb37d85129b7bc
SHA512404d23d3228ca7cba8cc94ff703a9881e8cbe953dcae49e219ddd483020ba2fd13aa78713b28f74b03716f72c8e330718cf401bc05494739e6b56d82672369dc
-
Filesize
5KB
MD54c677c4422b66ce1a4f27eef782f0b08
SHA1c12639c1f4f76dafd4eb06a01fa46f02879923fc
SHA256ce75548f540236f910d1af78965d8edfc0f3c9086b84a2dd43c104570adb7bd6
SHA51202ce411bfd5225597b96fb874bd81e98181e2381ca298355a36d6a915a0990c43d8e037c8955d466e4edc0b8acb5cdf6689d0180c41624db912779c4372e375c
-
Filesize
7KB
MD5c334a405811d946e88234b5c70189b6f
SHA113707d185bd770776d1cced87d5c9aa3a07dc8e8
SHA256a25dcd641a483541cb40c83647fb00a888804b42df3ebec9453acd725318298a
SHA512df31c041054ed9d2698c77135323af0c83ba6790d9cbfc2c3366a5ead8be5ba69c7fe5698faca94f60375bcfe0f51f50069ccccd265680be5676136278049628
-
Filesize
960KB
MD522e088012519e1013c39a3828bda7498
SHA13a8a87cce3f6aff415ee39cf21738663c0610016
SHA2569e3826138bacac89845c26278f52854117db1652174c1c76dbb2bd24f00f4973
SHA5125559e279dd3d72b2c9062d88e99212bbc67639fe5a42076efd24ae890cfce72cfe2235adb20bf5ed1f547b6da9e69effa4ccb80c0407b7524f134a24603ea5a8
-
Filesize
487KB
MD50c33e2f116aaa66d0012a8376d82ce29
SHA181cd6b87a9f7b4a174138312986d682f464067f4
SHA2569a19ef049430af9ac49ff719cbfb73dc6c6b0d0ef53914479dd282260771518b
SHA512b19dceb47d943bcb40f185e232eb1a0f665f6b6107e6c83c0f0a1aa80013b2756c5a831f3413a4c57ca37f7ec4a95a173e1f3d67e49f1fff2071273acc538317
-
Filesize
15KB
MD57b07728b813d26228f10f6cdb7ac8471
SHA148418d83ac372c1398753f7a766076750a03a725
SHA2567e5a9baf4d9ead35e1d9a3b3dda6ee05e670bd721500d82fbf08e1e8091fa911
SHA512f8a1070d4a0297151c6d55e60bc953a985b82159920e5a6a3a40270f0ad7e06edb1815b6fed1313076f7f6bbf32155d22a5a0e605378525aa3a9055a2c7128aa
-
Filesize
27KB
MD563602f11993c01a4b36f42187a797128
SHA1d6c761942dcb32190f924ea7490acc38865f7300
SHA2562c926cd6c980ff89ced8de49a8d0e7fb7247f58b1face21a1e9883a58b822b84
SHA5121a13649d6d5917d132f85cae9af206b1959578134db392afd6fec0c68ff1828c87daa2a537678ad1a83c0e273fed7f154f6f6f6f72102733fa6626bcd57ded0e
-
Filesize
652B
MD5d7fb0e5b7dd62f24ca8f194d0e7dc9de
SHA1497dd0661ebf99bd53d1b7824d4a478c49a5ba8b
SHA2564b90cf73cdd38f6645e1f1d3ee804c896066ab0aa372744a5af8565952c67e98
SHA512cd9424e09c85b6773596dc6810387c393a616c8bd471b179d6ed2d434d5e28eff5631ba1a559dc485ee572998d868f2be2a2ff6e9b153db9ab1cb83f460a907e
-
Filesize
4KB
MD5a0d1b6f34f315b4d81d384b8ebcdeaa5
SHA1794c1ff4f2a28e0c631a783846ecfffdd4c7ae09
SHA2560b3a3f8f11eb6f50fe67943f2b73c5824614f31c2e0352cc234927d7cb1a52e0
SHA5120a89293d731c5bca05e73148f85a740b324fc877f2fb05cde1f68e2098329fbca552d78249a46f4a1da15a450c8e754c73be20c652f7089d5cfec445ce950a0e
-
Filesize
309B
MD598febffda4606c2b26956277670cfe12
SHA1af91d5bfea475edafab826c589448ff682a7008e
SHA256afcc6168e351a2a69dccb6012307a0e1ba00ad36347111f5b463c86da40b0f21
SHA5127c62129b293318d1648e001140170cf5e057f02f787891a98e85536e9d637ff035c47ca35c42579e5d33b19abb6df6581b04e11b37b445b7d53b6c82461059cf
-
Filesize
4.0MB
MD5b100b373d645bf59b0487dbbda6c426d
SHA144a4ad2913f5f35408b8c16459dcce3f101bdcc7
SHA25684d7fd0a93d963e9808212917f79fe2d485bb7fbc94ee374a141bbd15da725b7
SHA51269483fed79f33da065b1cc65a2576ba268c78990545070f6f76fca8f48aaec8274faecdc9bcf92bf84a87809a318b159d1a3c835f848a6eea6c163f41612bf9b
-
Filesize
507KB
MD5743f47ae7d09fce22d0a7c724461f7e3
SHA18e98dd1efb70749af72c57344aab409fb927394e
SHA2561bee45423044b5a6bf0ad0dd2870117824b000784ce81c5f8a1b930bb8bc0465
SHA512567993c3b798365efa07b7a46fda98494bfe540647f27654764e78b7f60f093d403b77b9abb889cfb09b44f13515ce3c041fc5db05882418313c3b3409dd77bf
-
Filesize
12KB
MD55effca91c3f1e9c87d364460097f8048
SHA128387c043ab6857aaa51865346046cf5dc4c7b49
SHA2563fd826fc0c032721466b94ab3ec7dcfe006cc284e16132af6b91dfbc064b0907
SHA512b0dba30fde295d3f7858db9d1463239b30cd84921971032b2afb96f811a53ac12c1e6f72013d2eff397b0b89c371e7c023c951cd2102f94157cba9918cd2c3e0
-
Filesize
88KB
MD5c084e736931c9e6656362b0ba971a628
SHA1ef83b95fc645ad3a161a19ccef3224c72e5472bd
SHA2563139bf3c4b958c3a019af512aecdb8161b9d6d7432d2c404abda3f42b63f34f1
SHA512cbd6485840a117b52e24586da536cefa94ca087b41eb460d27bc2bd320217957c9e0e96b0daf74343efde2e23a5242e7a99075aabf5f9e18e03b52eb7151ae1f
-
Filesize
1.7MB
MD57d05ab95cfe93d84bc5db006c789a47f
SHA1aa4aa0189140670c618348f1baad877b8eca04a4
SHA2565c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f
SHA51240d1461e68994df56f19d9f7b2d96ffdc5300ca933e10dc53f7953471df8dea3aabeb178c3432c6819175475cadcbdb698384e3df57b3606c6fce3173a31fe84
-
Filesize
80KB
MD551bf85f3bf56e628b52d61614192359d
SHA1c1bc90be6a4beb67fb7b195707798106114ec332
SHA256990dffdc0694858514d6d7ff7fff5dc9f48fab3aa35a4d9301d94fc57e346446
SHA512131173f3aabcfba484e972424c54201ec4b1facfb2df1efe08df0d43a816d4df03908b006884564c56a6245badd4f9ed442a295f1db2c0c970a8f80985d35474