3099355d506...eb.exe
windows7-x64
10099355d506...eb.exe
windows10-2004-x64
1023d6f9a120...1e.exe
windows7-x64
823d6f9a120...1e.exe
windows10-2004-x64
83a9efda763...8a.exe
windows7-x64
103a9efda763...8a.exe
windows10-2004-x64
103b49b6c1cc...86.exe
windows7-x64
103b49b6c1cc...86.exe
windows10-2004-x64
104f8799e544...b7.exe
windows7-x64
104f8799e544...b7.exe
windows10-2004-x64
1051bd8c50dd...09.exe
windows7-x64
1051bd8c50dd...09.exe
windows10-2004-x64
1056b7b7798a...0e.exe
windows7-x64
1056b7b7798a...0e.exe
windows10-2004-x64
1057fb495954...9d.exe
windows7-x64
1057fb495954...9d.exe
windows10-2004-x64
105f278f8bde...cb.exe
windows7-x64
105f278f8bde...cb.exe
windows10-2004-x64
1066b157a3d4...e6.exe
windows7-x64
1066b157a3d4...e6.exe
windows10-2004-x64
106ec9f82a79...36.exe
windows7-x64
106ec9f82a79...36.exe
windows10-2004-x64
108d469fed80...33.exe
windows7-x64
108d469fed80...33.exe
windows10-2004-x64
10977e5ce44a...f1.exe
windows7-x64
10977e5ce44a...f1.exe
windows10-2004-x64
10a4865b2ed7...c6.exe
windows7-x64
10a4865b2ed7...c6.exe
windows10-2004-x64
10cbee3a2ab9...7f.exe
windows7-x64
10cbee3a2ab9...7f.exe
windows10-2004-x64
10cd3b81fbf9...1c.exe
windows7-x64
10cd3b81fbf9...1c.exe
windows10-2004-x64
10Resubmissions
12/03/2025, 21:32
250312-1dmynatxey 1011/03/2025, 16:10
250311-tmgdxaxnx4 1006/03/2025, 02:30
250306-cze8yav1az 10Analysis
-
max time kernel
892s -
max time network
896s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system -
submitted
11/03/2025, 16:10
Static task
static1
Behavioral task
behavioral1
Sample
099355d506f15966ba946cd6f58a72f6c02c73232349cf7f2d6af5641eed0ceb.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
099355d506f15966ba946cd6f58a72f6c02c73232349cf7f2d6af5641eed0ceb.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral3
Sample
23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe
Resource
win7-20241023-en
Behavioral task
behavioral4
Sample
23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral5
Sample
3a9efda763f017e1ca8237aa27f8659b081f62f42e11aa36b6e122f65caca48a.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
3a9efda763f017e1ca8237aa27f8659b081f62f42e11aa36b6e122f65caca48a.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral7
Sample
3b49b6c1cc92bed7fb10ec3399c1f03449c5ab983a7d03f22bd83392b7a2dc86.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
3b49b6c1cc92bed7fb10ec3399c1f03449c5ab983a7d03f22bd83392b7a2dc86.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral9
Sample
4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7.exe
Resource
win7-20241023-en
Behavioral task
behavioral10
Sample
4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral11
Sample
51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral13
Sample
56b7b7798a01e1bad522a375b7b096efeba0e118885b353b525b44471cdec90e.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
56b7b7798a01e1bad522a375b7b096efeba0e118885b353b525b44471cdec90e.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral15
Sample
57fb4959548b3597ea3689167e496cdbb83d07afa9f0f3acb6a56987cd50099d.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
57fb4959548b3597ea3689167e496cdbb83d07afa9f0f3acb6a56987cd50099d.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral17
Sample
5f278f8bdee6e51c769320f10506c28a4e84a56ee3ff44f63eec9a189236b1cb.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
5f278f8bdee6e51c769320f10506c28a4e84a56ee3ff44f63eec9a189236b1cb.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral19
Sample
66b157a3d414b913b1a436edc71e8fc733c1f5457302fe9ca950a8b16d86b9e6.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
66b157a3d414b913b1a436edc71e8fc733c1f5457302fe9ca950a8b16d86b9e6.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral21
Sample
6ec9f82a79152492b6a50a55dee43665e5205d607206573ce3729f824a05db36.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
6ec9f82a79152492b6a50a55dee43665e5205d607206573ce3729f824a05db36.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral23
Sample
8d469fed80fcd597d17e15df98cd15a4646abb69cd7f81795af94c2c46ed2a33.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
8d469fed80fcd597d17e15df98cd15a4646abb69cd7f81795af94c2c46ed2a33.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral25
Sample
977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral27
Sample
a4865b2ed7dce154e50357674e8f15052a532609af0026dc4c8ea69b8a2f77c6.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
a4865b2ed7dce154e50357674e8f15052a532609af0026dc4c8ea69b8a2f77c6.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral29
Sample
cbee3a2ab943816de40704ed266962b9d84d1a9b58a4a79f0200eb2a7258197f.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
cbee3a2ab943816de40704ed266962b9d84d1a9b58a4a79f0200eb2a7258197f.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral31
Sample
cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe
Resource
win7-20240903-en
General
-
Target
23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe
-
Size
324KB
-
MD5
638264dabfa294ec7b31dfb89a85edbc
-
SHA1
2029e54083f1900349c89cc49a72f914c0db943f
-
SHA256
23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e
-
SHA512
2bc06a4789bcdecc338a53410ffdbf4c4f7914884db9a2ab05940296824aaae5c94a33cce61f82c32d83164efbec9c53ffc4a2ba76e27f6c417d78a9a15e3d0f
-
SSDEEP
6144:HSP8tg4knZXvKh8528ZE/PqOl4LF8SbbAkIlerfDUSwR8t:yPC5jw28ZEl4LF1bUk86bmWt
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 5064 netsh.exe 3756 netsh.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation 23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation crox.exe -
Executes dropped EXE 2 IoCs
pid Process 3492 crox.exe 452 nitropdf.enterprise.pro.x64.13.xx-patch.exe -
Loads dropped DLL 1 IoCs
pid Process 452 nitropdf.enterprise.pro.x64.13.xx-patch.exe -
pid Process 3908 powershell.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3560 set thread context of 64 3560 23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe 88 PID 3492 set thread context of 1216 3492 crox.exe 116 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AppLaunch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nitropdf.enterprise.pro.x64.13.xx-patch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AppLaunch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1760 schtasks.exe 4500 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3908 powershell.exe 3908 powershell.exe 3908 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 64 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3560 23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe Token: SeBackupPrivilege 1176 vssvc.exe Token: SeRestorePrivilege 1176 vssvc.exe Token: SeAuditPrivilege 1176 vssvc.exe Token: SeDebugPrivilege 3908 powershell.exe Token: SeDebugPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: SeDebugPrivilege 3492 crox.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 
AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe Token: SeIncBasePriorityPrivilege 64 AppLaunch.exe Token: 33 64 AppLaunch.exe -
Suspicious use of WriteProcessMemory 46 IoCs
description pid Process procid_target PID 3560 wrote to memory of 64 3560 23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe 88 PID 3560 wrote to memory of 64 3560 23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe 88 PID 3560 wrote to memory of 64 3560 23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe 88 PID 3560 wrote to memory of 64 3560 23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe 88 PID 3560 wrote to memory of 64 3560 23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe 88 PID 3560 wrote to memory of 64 3560 23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe 88 PID 3560 wrote to memory of 64 3560 23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe 88 PID 3560 wrote to memory of 64 3560 23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe 88 PID 64 wrote to memory of 3756 64 AppLaunch.exe 92 PID 64 wrote to memory of 3756 64 AppLaunch.exe 92 PID 64 wrote to memory of 3756 64 AppLaunch.exe 92 PID 64 wrote to memory of 5064 64 AppLaunch.exe 93 PID 64 wrote to memory of 5064 64 AppLaunch.exe 93 PID 64 wrote to memory of 5064 64 AppLaunch.exe 93 PID 64 wrote to memory of 3908 64 AppLaunch.exe 96 PID 64 wrote to memory of 3908 64 AppLaunch.exe 96 PID 64 wrote to memory of 3908 64 AppLaunch.exe 96 PID 3560 wrote to memory of 2360 3560 23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe 110 PID 3560 wrote to memory of 2360 3560 23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe 110 PID 3560 wrote to memory of 2360 3560 23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe 110 PID 3560 wrote to memory of 812 3560 23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe 112 PID 3560 wrote to memory of 812 3560 23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe 112 PID 3560 wrote to memory of 812 3560 
23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe 112 PID 2360 wrote to memory of 1760 2360 cmd.exe 114 PID 2360 wrote to memory of 1760 2360 cmd.exe 114 PID 2360 wrote to memory of 1760 2360 cmd.exe 114 PID 3492 wrote to memory of 1216 3492 crox.exe 116 PID 3492 wrote to memory of 1216 3492 crox.exe 116 PID 3492 wrote to memory of 1216 3492 crox.exe 116 PID 3492 wrote to memory of 1216 3492 crox.exe 116 PID 3492 wrote to memory of 1216 3492 crox.exe 116 PID 3492 wrote to memory of 1216 3492 crox.exe 116 PID 3492 wrote to memory of 1216 3492 crox.exe 116 PID 3492 wrote to memory of 1216 3492 crox.exe 116 PID 3492 wrote to memory of 452 3492 crox.exe 117 PID 3492 wrote to memory of 452 3492 crox.exe 117 PID 3492 wrote to memory of 452 3492 crox.exe 117 PID 3492 wrote to memory of 672 3492 crox.exe 119 PID 3492 wrote to memory of 672 3492 crox.exe 119 PID 3492 wrote to memory of 672 3492 crox.exe 119 PID 3492 wrote to memory of 2208 3492 crox.exe 120 PID 3492 wrote to memory of 2208 3492 crox.exe 120 PID 3492 wrote to memory of 2208 3492 crox.exe 120 PID 672 wrote to memory of 4500 672 cmd.exe 123 PID 672 wrote to memory of 4500 672 cmd.exe 123 PID 672 wrote to memory of 4500 672 cmd.exe 123 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe"C:\Users\Admin\AppData\Local\Temp\23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" "AppLaunch.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3756
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" "AppLaunch.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5064
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,vbs,bat,hta,lnk,dll,ps1;exit3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3908
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\crox\crox.exe'" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\crox\crox.exe'" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1760
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe" "C:\Users\Admin\AppData\Local\Temp\crox\crox.exe"2⤵
- System Location Discovery: System Language Discovery
PID:812
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1176
-
C:\Users\Admin\AppData\Local\Temp\crox\crox.exeC:\Users\Admin\AppData\Local\Temp\crox\crox.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- System Location Discovery: System Language Discovery
PID:1216
-
-
C:\Users\Admin\AppData\Local\Temp\nitropdf.enterprise.pro.x64.13.xx-patch.exe"C:\Users\Admin\AppData\Local\Temp\nitropdf.enterprise.pro.x64.13.xx-patch.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:452
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\crox\crox.exe'" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\crox\crox.exe'" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4500
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\crox\crox.exe" "C:\Users\Admin\AppData\Local\Temp\crox\crox.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2208
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
324KB
MD5638264dabfa294ec7b31dfb89a85edbc
SHA12029e54083f1900349c89cc49a72f914c0db943f
SHA25623d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e
SHA5122bc06a4789bcdecc338a53410ffdbf4c4f7914884db9a2ab05940296824aaae5c94a33cce61f82c32d83164efbec9c53ffc4a2ba76e27f6c417d78a9a15e3d0f
-
Filesize
234KB
MD56f8b0021a206e48a50986333b87a5245
SHA1b650435b6e1a0cc59e2c232f83a9796770f85f96
SHA256326ca48a87c1e82e1fcaf95acd5b8c09d92f712591ba88928f48e093c485c40a
SHA512b7f066786f20934148d718689fbcdf830a0a04ebf46092c48b6ec06ef5a989518cb23659a7ecbcef5b689a58546f2ac688a861887611cd3ee62b8ade62b4cc27
-
Filesize
240KB
MD5646260e1f316dd6e518d4c7a9ac6b589
SHA133eb1212fd842078b5b65d8720672582d8acb7ca
SHA2568b0a871839c2e9714684cdb00cd18484780e29ee762f004d300c1fe65bb08628
SHA512fc8e21267cc9141c86d490557de28e1afaebfb8d1519aca377160543b1dd825cd116d7b5bcb2e3b21a15b32f7f45505cf3c47ae6b29e4dd39c137ebaa694acad