Analysis
max time kernel: 151s
max time network: 141s
platform: windows7_x64
resource: win7v200430
submitted: 07/05/2020, 11:11
Static task: static1
Behavioral task: behavioral1
  Sample: 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
  Resource: win10v200430
General
Target: 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
Size: 835KB
MD5: 2cc70c4beed0ba6db11c63bf435c6bf2
SHA1: 18348a70148e1424ba4c30298b05f3f8820313cd
SHA256: 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8
SHA512: a455468af2b3b4793f959a31826337a89ede5117e17a7d622b1fcc12bdacd503a371742ed47e9cc89ba1e4b7819b18db75aadca6993f9bcb3515cec1964c04fd
Malware Config
Extracted from: C:\_readme.txt
https://we.tl/t-xcn1Dtzak4
Signatures
Executes dropped EXE (5 IoCs)
pid | Process
1836 | updatewin1.exe
1260 | updatewin2.exe
308 | updatewin1.exe
1580 | 5.exe
1468 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
Checks for installed software on the system (1 TTPs, 29 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName | 5.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName | 5.exe
Key enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName | 5.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
21 | ip-api.com
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious behavior: EnumeratesProcesses (15 IoCs)
pid | Process
1304 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
820 | powershell.exe
820 | powershell.exe
1580 | 5.exe
1580 | 5.exe
1580 | 5.exe
820 | powershell.exe
1064 | powershell.exe
1064 | powershell.exe
1580 | 5.exe
1596 | powershell.exe
1468 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
1468 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
Loads dropped DLL (16 IoCs)
pid | Process
1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
1836 | updatewin1.exe
1836 | updatewin1.exe
1836 | updatewin1.exe
1836 | updatewin1.exe
1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
1836 | updatewin1.exe
308 | updatewin1.exe
308 | updatewin1.exe
308 | updatewin1.exe
1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
1580 | 5.exe
1580 | 5.exe
1580 | 5.exe
1580 | 5.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 5.exe
Disables Task Manager via registry modification
Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | updatewin2.exe
Opens file in notepad (likely ransom note) (1 IoCs)
pid | Process
964 | NOTEPAD.EXE
Suspicious use of WriteProcessMemory (80 IoCs)
description | pid | Process | procid_target
PID 1304 wrote to memory of 1100 | 1304 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 25
PID 1304 wrote to memory of 1100 | 1304 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 25
PID 1304 wrote to memory of 1100 | 1304 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 25
PID 1304 wrote to memory of 1100 | 1304 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 25
PID 1304 wrote to memory of 1672 | 1304 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 27
PID 1304 wrote to memory of 1672 | 1304 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 27
PID 1304 wrote to memory of 1672 | 1304 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 27
PID 1304 wrote to memory of 1672 | 1304 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 27
PID 1672 wrote to memory of 1836 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 28
PID 1672 wrote to memory of 1836 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 28
PID 1672 wrote to memory of 1836 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 28
PID 1672 wrote to memory of 1836 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 28
PID 1672 wrote to memory of 1836 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 28
PID 1672 wrote to memory of 1836 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 28
PID 1672 wrote to memory of 1836 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 28
PID 1836 wrote to memory of 308 | 1836 | updatewin1.exe | 29
PID 1836 wrote to memory of 308 | 1836 | updatewin1.exe | 29
PID 1836 wrote to memory of 308 | 1836 | updatewin1.exe | 29
PID 1836 wrote to memory of 308 | 1836 | updatewin1.exe | 29
PID 1836 wrote to memory of 308 | 1836 | updatewin1.exe | 29
PID 1836 wrote to memory of 308 | 1836 | updatewin1.exe | 29
PID 1672 wrote to memory of 1260 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 30
PID 1672 wrote to memory of 1260 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 30
PID 1672 wrote to memory of 1260 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 30
PID 1672 wrote to memory of 1260 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 30
PID 1672 wrote to memory of 1260 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 30
PID 1672 wrote to memory of 1260 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 30
PID 1672 wrote to memory of 1260 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 30
PID 1836 wrote to memory of 308 | 1836 | updatewin1.exe | 29
PID 308 wrote to memory of 820 | 308 | updatewin1.exe | 31
PID 308 wrote to memory of 820 | 308 | updatewin1.exe | 31
PID 308 wrote to memory of 820 | 308 | updatewin1.exe | 31
PID 308 wrote to memory of 820 | 308 | updatewin1.exe | 31
PID 308 wrote to memory of 820 | 308 | updatewin1.exe | 31
PID 308 wrote to memory of 820 | 308 | updatewin1.exe | 31
PID 308 wrote to memory of 820 | 308 | updatewin1.exe | 31
PID 1672 wrote to memory of 1580 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 33
PID 1672 wrote to memory of 1580 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 33
PID 1672 wrote to memory of 1580 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 33
PID 1672 wrote to memory of 1580 | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 33
PID 308 wrote to memory of 1064 | 308 | updatewin1.exe | 34
PID 308 wrote to memory of 1064 | 308 | updatewin1.exe | 34
PID 308 wrote to memory of 1064 | 308 | updatewin1.exe | 34
PID 308 wrote to memory of 1064 | 308 | updatewin1.exe | 34
PID 308 wrote to memory of 1064 | 308 | updatewin1.exe | 34
PID 308 wrote to memory of 1064 | 308 | updatewin1.exe | 34
PID 308 wrote to memory of 1064 | 308 | updatewin1.exe | 34
PID 1064 wrote to memory of 1596 | 1064 | powershell.exe | 36
PID 1064 wrote to memory of 1596 | 1064 | powershell.exe | 36
PID 1064 wrote to memory of 1596 | 1064 | powershell.exe | 36
PID 1064 wrote to memory of 1596 | 1064 | powershell.exe | 36
PID 1064 wrote to memory of 1596 | 1064 | powershell.exe | 36
PID 1064 wrote to memory of 1596 | 1064 | powershell.exe | 36
PID 1064 wrote to memory of 1596 | 1064 | powershell.exe | 36
PID 308 wrote to memory of 1360 | 308 | updatewin1.exe | 38
PID 308 wrote to memory of 1360 | 308 | updatewin1.exe | 38
PID 308 wrote to memory of 1360 | 308 | updatewin1.exe | 38
PID 308 wrote to memory of 1360 | 308 | updatewin1.exe | 38
PID 308 wrote to memory of 1648 | 308 | updatewin1.exe | 40
PID 308 wrote to memory of 1648 | 308 | updatewin1.exe | 40
PID 308 wrote to memory of 1648 | 308 | updatewin1.exe | 40
PID 308 wrote to memory of 1648 | 308 | updatewin1.exe | 40
PID 308 wrote to memory of 1648 | 308 | updatewin1.exe | 40
PID 308 wrote to memory of 1648 | 308 | updatewin1.exe | 40
PID 308 wrote to memory of 1648 | 308 | updatewin1.exe | 40
PID 1580 wrote to memory of 472 | 1580 | 5.exe | 42
PID 1580 wrote to memory of 472 | 1580 | 5.exe | 42
PID 1580 wrote to memory of 472 | 1580 | 5.exe | 42
PID 1580 wrote to memory of 472 | 1580 | 5.exe | 42
PID 472 wrote to memory of 1532 | 472 | cmd.exe | 44
PID 472 wrote to memory of 1532 | 472 | cmd.exe | 44
PID 472 wrote to memory of 1532 | 472 | cmd.exe | 44
PID 472 wrote to memory of 1532 | 472 | cmd.exe | 44
PID 1480 wrote to memory of 1468 | 1480 | taskeng.exe | 49
PID 1480 wrote to memory of 1468 | 1480 | taskeng.exe | 49
PID 1480 wrote to memory of 1468 | 1480 | taskeng.exe | 49
PID 1480 wrote to memory of 1468 | 1480 | taskeng.exe | 49
PID 1944 wrote to memory of 1920 | 1944 | rundll32.exe | 54
PID 1944 wrote to memory of 1920 | 1944 | rundll32.exe | 54
PID 1944 wrote to memory of 1920 | 1944 | rundll32.exe | 54
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
Adds Run entry to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\64f06f71-f1ea-4bc2-9e1c-73eea48b1772\\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe\" --AutoStart" | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
Office loads VBA resources, possible macro or embedded object present
Makes http(s) request (19 IoCs)
Contacts server via http/https, possibly for C2 communication.
description | flow | ioc
HTTP URL | 20 | http://chumashpeople.com/freebl3.dll
HTTP URL | 20 | http://chumashpeople.com/mozglue.dll
HTTP URL | 20 | http://chumashpeople.com/softokn3.dll
HTTP URL | 20 | http://chumashpeople.com/
HTTP URL | 30 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
HTTP URL | 6 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
HTTP URL | 12 | http://akbz.top/ydtftysdtyftysdfsdpen3/get.php?pid=ADD92632311B7FBC9E7C4B15A8803926&first=true
HTTP URL | 14 | http://akbz.top/files/penelop/updatewin.exe
HTTP URL | 20 | http://chumashpeople.com/msvcp140.dll
HTTP URL | 20 | http://chumashpeople.com/vcruntime140.dll
HTTP URL | 9 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
HTTP URL | 11 | http://akbz.top/files/penelop/updatewin1.exe
HTTP URL | 13 | http://akbz.top/files/penelop/updatewin2.exe
HTTP URL | 15 | http://akbz.top/files/penelop/3.exe
HTTP URL | 16 | http://akbz.top/files/penelop/4.exe
HTTP URL | 17 | http://akbz.top/files/penelop/5.exe
HTTP URL | 20 | http://chumashpeople.com/517
HTTP URL | 20 | http://chumashpeople.com/nss3.dll
HTTP URL | 22 | http://ip-api.com/line/
Modifies file permissions (1 TTPs, 1 IoCs)
pid | Process
1100 | icacls.exe
Modifies registry class (11 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\.sqpc | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\shell\edit\command | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\shell\edit\command\ = "\"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\shell\edit\ = "&Edit" | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\.sqpc\ = "sqpc_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\shell\edit | rundll32.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 820 | powershell.exe
Token: SeDebugPrivilege | 1064 | powershell.exe
Token: SeDebugPrivilege | 1596 | powershell.exe
Token: SeDebugPrivilege | 1532 | taskkill.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1920 | WINWORD.EXE
1920 | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
1920 | WINWORD.EXE
Kills process with taskkill (1 IoCs)
pid | Process
1532 | taskkill.exe
Processes
(one entry per process; indentation shows parent/child depth)

[1] C:\Users\Admin\AppData\Local\Temp\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Adds Run entry to start application
    PID: 1304

  [2] C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Users\Admin\AppData\Local\64f06f71-f1ea-4bc2-9e1c-73eea48b1772" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
      PID: 1100

  [2] C:\Users\Admin\AppData\Local\Temp\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe" --Admin IsNotAutoStart IsNotTask
      - Suspicious behavior: EnumeratesProcesses
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1672

    [3] C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe
        Command line: "C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 1836

      [4] C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe
          Command line: "C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe" --Admin
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 308

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 820

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            - Suspicious use of AdjustPrivilegeToken
            PID: 1064

          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 1596

        [5] C:\Program Files\Windows Defender\mpcmdrun.exe
            Command line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
            PID: 1360

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
            PID: 1648

    [3] C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin2.exe
        Command line: "C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin2.exe"
        - Executes dropped EXE
        - Drops file in Drivers directory
        PID: 1260

    [3] C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\5.exe
        Command line: "C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\5.exe"
        - Executes dropped EXE
        - Checks for installed software on the system
        - Suspicious behavior: EnumeratesProcesses
        - Loads dropped DLL
        - Checks processor information in registry
        PID: 1580

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\5.exe & exit
          PID: 472

        [5] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /im 5.exe /f
            - Suspicious use of AdjustPrivilegeToken
            - Kills process with taskkill
            PID: 1532

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {65C496CB-191E-440E-97FC-7685B6CEC89D} S-1-5-21-910373003-3952921535-3480519689-1000:DJRWGDLZ\Admin:Interactive:[1]
    PID: 1480

  [2] C:\Users\Admin\AppData\Local\64f06f71-f1ea-4bc2-9e1c-73eea48b1772\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
      Command line: C:\Users\Admin\AppData\Local\64f06f71-f1ea-4bc2-9e1c-73eea48b1772\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe --Task
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 1468

[1] C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe"
    PID: 1552

[1] C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\vcredist2010_x64.log.html.sqpc
    - Modifies registry class
    PID: 1944

  [2] C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\vcredist2010_x64.log.html.sqpc"
      - Suspicious use of SetWindowsHookEx
      - Suspicious behavior: AddClipboardFormatListener
      PID: 1920

[1] C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\_readme.txt
    - Opens file in notepad (likely ransom note)
    PID: 964