Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
160s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
12/03/2025, 21:02
General
-
Target
https://devsploits.net/xeno/
Malware Config
Signatures
-
Detects Rhadamanthys payload 4 IoCs
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Rhadamanthys family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Enumerates processes with tasklist 1 TTPs 4 IoCs
-
Drops file in Windows directory 18 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 29 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 36 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://devsploits.net/xeno/1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb460946f8,0x7ffb46094708,0x7ffb460947182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4168 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3740 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6392 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=64 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6160 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3444 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14557641305540486643,5691161455978802557,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_ℝ𝕖𝕝𝕖𝕒𝕤𝕖-𝕏𝕖𝕟𝕠-𝕩𝟞𝟜 (1).zip\README.txt1⤵
-
C:\Users\Admin\Documents\Release\Release\Xeno.exe"C:\Users\Admin\Documents\Release\Release\Xeno.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c expand Candles.cda Candles.cda.bat & Candles.cda.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\expand.exeexpand Candles.cda Candles.cda.bat3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 2141303⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Quality.cda3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "VSNET" Cw3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 214130\Nightmare.com + Purchased + Emails + Devices + Drivers + Congratulations + Avenue + They + Moments + Chi + Independently + Levy 214130\Nightmare.com3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Ad.cda + ..\Learning.cda + ..\Click.cda + ..\Garlic.cda + ..\Drunk.cda + ..\Cargo.cda + ..\Milk.cda + ..\Tourist.cda + ..\Zum.cda O3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\214130\Nightmare.comNightmare.com O3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5812 -s 9284⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5812 -ip 58121⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp2_Release.zip\Release\Xeno.exe"C:\Users\Admin\AppData\Local\Temp\Temp2_Release.zip\Release\Xeno.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c expand Candles.cda Candles.cda.bat & Candles.cda.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\expand.exeexpand Candles.cda Candles.cda.bat3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 2141303⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Quality.cda3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "VSNET" Cw3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 214130\Nightmare.com + Purchased + Emails + Devices + Drivers + Congratulations + Avenue + They + Moments + Chi + Independently + Levy 214130\Nightmare.com3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Ad.cda + ..\Learning.cda + ..\Click.cda + ..\Garlic.cda + ..\Drunk.cda + ..\Cargo.cda + ..\Milk.cda + ..\Tourist.cda + ..\Zum.cda O3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\214130\Nightmare.comNightmare.com O3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5ab283f88362e9716dd5c324319272528
SHA184cebc7951a84d497b2c1017095c2c572e3648c4
SHA25661e4aa4614e645255c6db977ea7da1c7997f9676d8b8c3aaab616710d9186ab2
SHA51266dff3b6c654c91b05f92b7661985391f29763cf757cc4b869bce5d1047af9fb29bbe37c4097ddcfa021331c16dd7e96321d7c5236729be29f74853818ec1484
-
Filesize
152B
MD5fffde59525dd5af902ac449748484b15
SHA1243968c68b819f03d15b48fc92029bf11e21bedc
SHA25626bc5e85dd325466a27394e860cac7bef264e287e5a75a20ea54eec96abd0762
SHA512f246854e8ed0f88ca43f89cf497b90383e05ffa107496b4c346f070f6e9bbf1d9dc1bdcc28cad6b5c7810e3ba39f27d549061b3b413a7c0dd49faacae68cd645
-
Filesize
1KB
MD5711e6c9aa26ba55d6d4494b83cbcadcb
SHA13befa1e680431323589ec68bf557837b4b064e6d
SHA25686524a5b46743cd119bdba6188d794536e25c455441b9d17e7b8b2433d980018
SHA5122b937ca92163fb8b4d190a13f5e78a99f21f12b20e3bff20234d5d62bac9b25abe0fbd950479b56509164ff1a1131fc76d2172e6e572d60ae9b9d98a8736c8aa
-
Filesize
2KB
MD588a4dda9d2f88856c0cfb0127f252481
SHA1b55bc008ead38d44abfab21c69b324541bea4c51
SHA2564b4adff41756ee5a3b3c255d78f42e3c6476a9e7784c5aa097242c598863ac92
SHA512b6028b319099151119c1d398cdf3ee60091a08bc150c9219c8acd1ad3543a67f893b98e778cd7cb022c9f493382ab9ddae93ff58fcc041d1a819dfa27566bdd8
-
Filesize
1KB
MD5afd07bb573849e1ae3f83dd733c7b0c1
SHA14d0a777f0487d40c2d092b8b1cc9cedded388409
SHA256aea9381c204676cb1a36f4174a2f65349b975d1bb96e04dd033630f34788bbec
SHA5120c06070aa5cf17e04943c81fda0398fcb7da8a0ed81aa1e4fb7b26589881a856f642ad98d8ab3c4403298cdb755a24b35efb861add52fe9d36e9c6ac68d2709f
-
Filesize
2KB
MD5917506b0ea56f22a9446f309eb1a9b8e
SHA1d10bb91dd32d2f5795929cbdd8955bad72ec2adc
SHA2563353264ba62ef2ce102068fa3b6fa13a914cb8a47a2bc862fc9cde9249809693
SHA5122bcddde2e6636d32fe3402ebdf097ff69afdce70b16675f6569d7279a8b81b627fe199ac7896be641108a5243cb4a9df4706b4695260fab4a72218e7dbe85c4d
-
Filesize
6KB
MD5913132078cbf119c2033a20c05da8b1b
SHA18b2d23e4ae4918b2385980b92fb75e6b976319f2
SHA25676215810dce777bf9461b3775180f24fa1e9958140208a3e8642dc113186a39f
SHA512bd74ed9d6c260319cb5e9cd3007706b3f8903cd2667867dd62a9fc7ac318e05fd3a0224fc77aed0cce0c9e6980c82619114da43aa31fb8caf14aa9361f98375c
-
Filesize
6KB
MD5d70a5f24d059506d35cc15d3c7e9b812
SHA1b23229fc19ab4906425910ff875a01bd9c0a6629
SHA25657741e4bbdc58bc6a95aab3036d60e7398dc9486e993279489d943ee5bc47ba2
SHA512c274db10c58513f637b6e2276705723b2076ef5e6382e1c5d186cadf34e9773fdeb960a58afdefba5f138e9d25ccde60fee20a46b57093e8910203962140ba00
-
Filesize
6KB
MD5e087da7941ff24eeee0b94ce83cfc473
SHA1315b7171eaa756f0022953e339f9b20292e37b8e
SHA256f202017ec6c77e2753424e0bcd027c04ebe84e0c923df8cae2180a33fb1c7c16
SHA5125349c46c29adeb93850ad1f5d31e72a62b91defb187cd3343477a9e41140ac8b7ea584d2270bed4b2ea8facca782668825e48bc39e398795e58a3060d630f400
-
Filesize
6KB
MD5fb528f78f00699a50d424bf256e4f34b
SHA1b3dea6ab4009212e4e9e0a42112d0e5e5bd87f72
SHA25676ed214d45f435914a8f79f605a2cfeabb7fbe3d0454a11a51e01a3b56fcffa0
SHA51250b144f712b9a19ef13ddf9da727a71bad85901448f71c4dea9d66a7a5c0d3dae367930de010a0d43af9e5d44007ef447cc097d00afb0d1bf9c9f3d3adabe344
-
Filesize
8KB
MD5f1037f851421eac98656ea042fdd6cc7
SHA184690cbae189d2708851009fdf6b04b1d5c100ff
SHA25602e368b3f4710507ad1e3a04a34160519e31c14d1abbf81e485eb6f76b8a35f5
SHA512e6b308f5dd6457d95762a136573cbc8380b880d43e31b49d940905aefa9aeb778b4ec0e7b1349aa23fa0be847fe4eb683db47d04564393fc640ad926453d4583
-
Filesize
1KB
MD5966eb2d6996e57e867d5127d411b449a
SHA139b5763fb912ef83d4284d4ccb2878bbfdccc459
SHA256a34deea32d9635a9d4a7a19b036bcdc7618feebdd0809f06930b7c3967da213b
SHA512bcbf5425cbd2a60497717fdf9df0c4140359fd9f4dcaa735eeb06b79950ede1175f52f35400642355ff07f536560f182074f1291fb1c1ff0b060e3633dcadea4
-
Filesize
1KB
MD55fcf1973af1f86f4d4a4fb1f99432d04
SHA131174a39d5c226f425304cf4065f557f0bd1e7a9
SHA256734b3e7901b1f81a405db6d4fa52f486f1ad4c47cfab608bf03860d60591231e
SHA5129f0f2310cca4f9e7bb22aaa201e47316f3b263ecf8ef823ef1ba329eab4f6d22f30515f9b8cf0144af88ef6f32b97191777780f965983c31f743423896223143
-
Filesize
707B
MD555ab6c9e138f358abc7a578dfdf0b9bd
SHA1dcdbf73be36f9e1e5406de92214a863f3cfe9ab2
SHA25680ebf491bdf5bca58836f65f0a51a77d37137e85797c9faf53574cdd7d4cebda
SHA5124574ea3ea383b2b309c920faa15a333d432a60d69be2009f6d8a222e8a7210c1d47b364517b604a7674d8473441e65cf3661f3c4c02086ba0ed608f25dcdc62a
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD511792a1f492705fc7d02d4df4f7906fd
SHA1fe6149d288583659f05dbd231dde5f24155a5f3f
SHA256ce90fd8149df4bbff6b0b97dedd09f509048abb1a806bf538c5d94b155d00435
SHA512befc42fb9cdbfdab5f3dc735edb3b54cbbf22c45bf36be056507b6b0ebba77b4230ac6f47c52af7e1f18f2ae4d03b8684ec07fef507ffad6c8618eaba3fd155b
-
Filesize
11KB
MD5b5d0ba01f55b653379c388f71c509190
SHA17ed46ad0b4cd17131a08c7593689414df1cb0ad3
SHA256f1afb418279ee4fef82e7dcd0ca40f96660b2b21d9272b24d1af7e8eb3fcc10e
SHA512593c7edf7e196581c67c7423ac7754bd1b5dc525a0aaea4d1e09cfd1dd340769d767a08fc38cae4998caf7f6beaf87bfeb6fe1f835525994f41bb19abd86f618
-
Filesize
12KB
MD5acd69bc36e203a24c384f4c5ffca93bb
SHA181027b3a13a40b0576cafc7742bc7c42ad090286
SHA2563749110ed33b282308a6169e6a3dac9bb97f651d1b87e827f1bc27e965b54e9d
SHA5125b896fae09c3ebc29eefa906dea33e682988b75db01f15e09eb6a9a8528121ae7fdd9c410d8e8283e6db6a55ed23faff3b520004a29d6471b47f3294709b0818
-
Filesize
11KB
MD5155c0ee500c5d1f34703b364ccd737fa
SHA1da0a1872a90c3183629d086d6cd9109b28924fee
SHA256d1e1b39c7309f6a8ca0827b35c1eadff04caa2d2ffd280f8e7c79085cee97a31
SHA5126aa0ca0411606803e83d1e979b30225498699f9b33a9750d182bd0fdc2ef3d2ad0effe2218d26acbde88bf25bace419835e63c5b8bebb92990fe9887ef9f757f
-
Filesize
12KB
MD5a1410a3c3602fb1133d29fb3283e764e
SHA157f995beb211f7cb344327c30f5f3b5284aa8247
SHA256003c32ae15b789ad29ed7c44ded02f3de7292d9cbacba40f52c5c58aa94e32c0
SHA512a125f5b4a23f17ea96241b5e97db56263d3a67de6293ee69c748a456dee6c3e98e654e3982bda1fccfae14aecc83eb2bea4f34488f2f345a45af31d0a13d808d
-
Filesize
925KB
MD562d09f076e6e0240548c2f837536a46a
SHA126bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA2561300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA51232de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f
-
Filesize
1KB
MD58e6968e7265e6d3029155ec07f4f0802
SHA153a333ab5df26c65b050b29ae8ef379ed94d95f4
SHA256eb46b1dd968a78b130404c05b6203b37d74b1ac37c6fc22dee59bce7f33e3dd3
SHA512adb03a2de256ed3d33052853aa409aa610f4e7f442e3bd23778e7bc2e21fede18a0e32ef0a9866ca5dc92054332e884840737a1e0001502571ddb0ea14f2360b
-
Filesize
663KB
MD529da1cb69af24bf91a77f0a5c9e1ac56
SHA163cd695b8b0359bf0498fa31ff4a0e8e61a25127
SHA256738dcb250a9ca55ea0f8b3f9a98ac556c96bb9833f31629b185f635870cb3015
SHA51272c55a3c8601b86004bf91b90ed12f1519897a78759876fd60ce8ee4e259ca4f0a1a1ffdfd88ee73d0d39759643789648f1e5c6c0aae4fec2c9ecc8198169e9c
-
Filesize
97KB
MD59d76009030cebd2b61637a2ff632633b
SHA12594cd1ffd229cdfbbba6af8c3794d909c4a75c5
SHA2562f3da93ec99eda38f4e0c0e9b4f43d4d11f230a5a415879e80ae5025e52ec752
SHA5126ba7e6fa500b5c99a8c3c8b8bbf94b91b4f4222b715616e32bcb89d5217cef3ba783df3ec5c1fc7617661123d7ec67d2ebac079e2a9a526ea308587731c37e5f
-
Filesize
95KB
MD5ffc7bc4c479d6ed4afedc7a0bfc498fe
SHA1ea4ac12ea36bef6bf48b92f06a024828e747c93d
SHA2569a6e8c7c4c77db65411fbf0544488f442fc134a1e9674bb95ea4f22f7f8e23f7
SHA512128f66d832c96b1f47859bf284e226e868ab03fb9abebb979329a25b1a20b4d677623d418d5a56573900a6fbcdfdd6a750e62cf9dfee267a3359bf33a7af0150
-
Filesize
78KB
MD5deead8c5c5156c81b433581e467d790d
SHA146f905214114233c659390ca79a26bc7ea867b22
SHA25659b3a1f07a81ececccf8e74dec98b3c6bb3d53819a7f2379d7ebe8df95770ce8
SHA5129a8feb225a56b911dc3288a82730df28af6901c3860b3bcc95685b2456672b12afdbd45a14eadb493b70e472eceeb04ef4225f0ac059de330c72909a7b6eddab
-
Filesize
53KB
MD5900676974b1eafd1a8646a935d14b22e
SHA13897d81c81f68f1e873d266fd237021250d76491
SHA2565da863d069502feb391748ff78eda59812ad75dd02b47e05d2ef7d874bc5293d
SHA512cc45f6bf0743c908967e89be3823773b77bbf9c3515291e6a544b73a9bc9d2158f0af89bc6cdb84580a580ff5e9ff02a1e2e68fca81bc15a78992fb414cc62dc
-
Filesize
77KB
MD52cc4d93a13a0947770bf71809db7a6ea
SHA1d460140e3acc6207655c7585001bd5b88cc748e6
SHA25655a7561c01b246e6a769bb64b3e306bbb3b12e190afbe1fd020dc91f0bbf58c6
SHA512b67155b3f4f1171ceb9dca650d5f01576cc2418ebc697182fe16f1580a9f964ed27f5b1c4902a53854956add2a52a02ec27ebdf000d174a6a555ecb070b7e847
-
Filesize
80KB
MD5ee2fe2bf5afc597a25cfa2dc4585fe69
SHA16ba68ff319432c1c3b0ff98e720d48c67d217eb0
SHA25691dabddbda26df9609f32bf6093a6a91099fc8e7e9c6727885ff7dc189ac5284
SHA5121540ad7c9c70c455b868274e63e8c9648c8669c77f6ec480182f00116cb6f45c0677022e169dfa6e53737de40c1373f3b3c20a9f7be283b0e02c0dd58a6cf52e
-
Filesize
1KB
MD5b3be8be6102401e7b8346c31aeb2bd2e
SHA1f9120f6113facfdf486afd7b38541139491eb01b
SHA25647662b07301483120fe76c90bbf86cb7b3d3ab41ff891b3aae5b6f5877377ccc
SHA512006f64ad1747ac4ea730f4a382ef5951bf27b658324b06df0f49587893e47d7dbfbfb2d61da0cf267c16bea602d5cef76e342787fb9ce0cc111dbbef0d1af92b
-
Filesize
137KB
MD524904b6392768beff8e080011531124d
SHA1a403635bcec18f8409c190e947b5989cc39e3817
SHA256fd70de521583bc3868ff2712617eac86d2f0dc18f7b3d871f8189b8c12deed23
SHA5126a1f88cbe53f371af6a2533781d409aac823872764b5996592dda3776fed555f3338a9248d135a2088cbf43725226970785aed9c93e82fe48c421d10196ea699
-
Filesize
51KB
MD5f790605f546d2e687345badea26862cb
SHA12c7a3eedfe402944f1b147cee0cb9151ed26307f
SHA2564474264672b3aa7cd73e1c98c1a88e4debcafb34b106070332b751ca7d1ecc55
SHA5120a994e8682b17300ad2bdd72a7202294c56fb59397ec18179706025fdebd971d478006915b4a06502d6f523854ca2fb0c16a855dd27f53d1db957fb6b4709ff6
-
Filesize
81KB
MD5b53b44452048d1f79aab4187bd7741dd
SHA1b6033b3915594c07fd48bdac2054b266e9ff9ae4
SHA256496f9fd798ca8aa06c9304fd5d73ca371ee7497908bd74d839b37d95b07d81c1
SHA512cf69597c03d01c8a6811fe98cc683d8f962ecc9972cf7251108779d32254258774509d0ff57231fba9b78f428456a0f55e0fe4280469c9a63ee75b1f1799e0eb
-
Filesize
94KB
MD5708a8b180364bae1dad0f35c22a49276
SHA1c21ec42fba3bac16a946466d70fefa36ca0ecc39
SHA256deb72b719c04181290f95ac6fcf2ffa26c06e2b15f270a67bea4f4d81ded1bba
SHA51244c3e8896b7d40617338172886a1450793bf886c2c3ca9a294fbdc77dd8ee7781a5c9143aabc9dd7ad041ac6a6b3ecbf8647f55f7439577993d5498159d83fe9
-
Filesize
53KB
MD56da52d95e6fec14420174ee774eff497
SHA1960d55684db66614560ed129be297ea99669300c
SHA256122875092db6fb3b79bcf8d5b5cf7cb0651ed96291a0aa7670ba674330dc59d8
SHA512e89d8634921d369f2d996f007a198358e21503449a14337e82406425e26447c38b666b745e9ab1657d50cf8c961dc0c048ad769a7796fcdd0fcbb01b86154409
-
Filesize
92KB
MD56b0059f6ab4dad979a5bbdd008ae9ea5
SHA107199d632b794a54df8a026d8131e188c4e1be0c
SHA256e044504ad0f0c1a5d9743613a0f2598422c67b8bb33be9efdf1b32929ec60c28
SHA512684849bfbe38102fffb66243292013e7c0e851bdb5cb72d6f925e857db84f85f9359f14512128edaada304d24e59a28157a10ae86ebdada0f602ecce8e49527f
-
Filesize
79KB
MD52447add9ef7fbc3db9f1f533514a2490
SHA1ef0886005c946cec8f450c644ddf219f3e292715
SHA25682f980ac40c070691fa4264277fb089ec87dedff40d889c7ae6cfc5f21ffe051
SHA512dd84ded149e80fec88f24d7daeb911b4a2e842779ec21405b100d7c1859fa1f3151d4f9413783359a367c990a732a7090070380735022806f27d4d610d6b06cd
-
Filesize
49KB
MD5e39196aeef5d2e2d043d0743036453c4
SHA100c5f9c28add71a8f28ef19569bb93724b2f2c3e
SHA256b57aa26c8df214c42d76839e9761229d3de4326375bec31cc71968ab6d0e93b5
SHA51241b86ab1825f6c4c6b0cfca461dccc890d301eed03009cf736b5ad53271275ea30b00a03067ef9f4b5d22b5a623e1299a4b001d77da2164261e8d37eec742cb9
-
Filesize
63KB
MD574db0d44d20d089c9b96910981c63e98
SHA15cb0bf4fd429e3e51786764b4bccc77a4b2e9a50
SHA2561fcd4b87f9a417e42ee71ef092f73c80fbe6c0e91dc4fe1b86615610de3d5061
SHA5124abb60f53205b5a7ed5c2fe02b70bd42bbc16213e71457be32c9da76f495351772662d7f8b3db527289198c759e6b7067d4e07e70a3494849793987e06659353
-
Filesize
86KB
MD5c91c1ac87208df1f4bc9ad5cc020b571
SHA1242ce7b15f04d255cd324b57baee5b092a1aad6c
SHA256c388fd3a8006f6002bf5f0606f28c3b1aec52cc5adead7e7113cf968a685748d
SHA512a0e730f7de889b6d987807b8ad34fcced94048e873687b3a52a74ea9f613ce227e05cb7392dc766a1984afb6d77f05da5c27e95c2c4bbe630a197252a7e33d60
-
Filesize
109KB
MD5c8b72511514176b98f88cb9b810e8734
SHA1ef74755915229e17ef8be063ae79eb248abf95b1
SHA256cb0706339f95cfbee2206e09e9a387a128c4e1385130a36ae6ecce1b1a05e48f
SHA512e52e7ce121aa6bd92f77d20c3d9fc2a7de4a8601582770212f70b98b657aabd2007323dc2034a8121a71b14a8f4968ba735d0f8fe0fdddef332e34eecd818b79
-
Filesize
477KB
MD5479683196e67c0a98d79201de707b1a2
SHA12ec214394469fac9398c74c885384a1fcea91487
SHA2566b301dddc4fbc8a032299e2ee008ad0ac277e3d3de2821265c3765abc3dc52f1
SHA51244ee95c7cfdfe7bdbdaa5da9ce645e6b028868194e9cfd26017002f5c59b3f4786d7455c69bcdeda21890360626cda0d9457b9f97437a28c4c55913f158c1131
-
Filesize
77KB
MD50787048effd905eac0720fcff54f4e39
SHA1f50d87da025e6a7dc3c1521f3142455a45372b63
SHA25636ca66c6b0a8d60a9dc9cad9ada4577da1d52963982f2a3c4f39fba1a3c8a06f
SHA51288e215ce3502b3d4d46a3099bce6c723a2092ce7774e11c754223ec1f4e7c9bec5eb914b62fe6e5073d9a8dc0521b4d48a9df643733f34be353e3778d4d74ce4
-
Filesize
94KB
MD58d4baa550a8e4b3943d7990961be56df
SHA1a19e5ea61e8c63fc5673787bb00cd2bf17490f84
SHA256e4a4d8a6051597941bab63ac4a2d83501978436d9826496760d9841d46e031b0
SHA5126a354adff672dad0c64135d896068ee2406d3721b72e5b935ce9f4ca7b8e089ed5737cad24d76c5a1804fd41a561e5cb5276c13faab48f602e32eb2fad03f56b
-
Filesize
41KB
MD599ce6bbc27c6d10d30dfe38c9cfc9baf
SHA15f2198f49eefcbc78056e03cfe3ff7c1fd0f5f99
SHA256a1cb3293acf7dd2f9f47644c7b51d1caef34c328ab9debb86b8e22b4f361afe2
SHA512ccb080846dda9130a44319e7872d92db4a4a80dcc0a110947602047fb49b6ac54d53627bc6756c4db025ecde6f73ded16733f970022dae4678d79028570e9455
-
Filesize
17KB
MD567d288ddfbd64288ee836f85c79bbe3e
SHA1a4ea361ddefa78271ace60f696a7e7bc06701d73
SHA25613e15a5cdcc7f7d1d14ff5cd16301affa73806bbc853328944fa5d8cacfd12d9
SHA512294c8c87ed3ee4b07e98a94e9499333a223c635533d6a9db652bbc9460faf2d6471a80f17ff284eecd59390752f988ff81509739d80b9259e23f95a1f77b8b4f
-
Filesize
42.7MB
MD5715c065ba5ea6fc333c47748013f45fa
SHA1b2d25c0a758f1300df255e4ce71a70321b93e855
SHA256751a27292739619afd3e4808a837d9f945386bda222f418f879be450e1017a95
SHA5123c429804254180cc956bc931ab4b68ad56ae038ed5da89761a34959017cc7d1219e60ddfecfc4b680ca942b502e281f9e12a87d4bde763dd5f99e662ce76f84b
-
Filesize
4.0MB
-
Filesize
2.1MB
-
Filesize
2.0MB
-
Filesize
40KB
-
Filesize
4.0MB
-
Filesize
2.0MB
-
Filesize
2.1MB
-
Filesize
4.0MB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB