Analysis

max time kernel: 362s
max time network: 407s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/11/2022, 04:44

Static task: static1

Behavioral task: behavioral1
Sample: 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe
Resource: win10v2004-20221111-en

General

Target: 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe
Size: 690KB
MD5: adcaa924811a0fe41126f8c12349c7cc
SHA1: f6591b78a64f5815ddca7f58868fdd253ae1b964
SHA256: 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e
SHA512: d4d49e51aa59693d65697bc91c2c8cee0f5aecc65cd5419552bb27d1798aab6ba2cacc086a8ec3fa865115d090d4d6bda889a45df8e840513a2d7db6ef3065ad
SSDEEP: 12288:xC/6UNEwQIJnv+PfT5YYdMqpqhZVt75eMUKYX3SjVUujECfhpmDff9w3d7S:xSNN5bI3tuVtNhYX3qzQzadS
Malware Config
Signatures

Disables RegEdit via registry modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | reg.exe

Disables Task Manager via registry modification

Executes dropped EXE (2 IoCs)
  pid | Process
  1780 | svcr.exe
  548 | svcr.exe

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515} | svcr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515}\StubPath = "C:\\windows\\svcr.exe" | svcr.exe

YARA rule matches
  resource | yara_rule
  behavioral2/memory/1780-142-0x0000000000630000-0x0000000000668000-memory.dmp | upx
  behavioral2/memory/1780-144-0x0000000000630000-0x0000000000668000-memory.dmp | upx
  behavioral2/memory/548-164-0x0000000000700000-0x0000000000738000-memory.dmp | upx
  behavioral2/memory/548-166-0x0000000000700000-0x0000000000738000-memory.dmp | upx

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | svcr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svcr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | svcr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svcr.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | svcr.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe" | svcr.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe" | svcr.exe

Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\svcr.exe | svcr.exe
  File created | C:\Windows\svcr.exe | svcr.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 14 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svcr.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svcr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svcr.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svcr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svcr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | svcr.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svcr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svcr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | svcr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | svcr.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svcr.exe
  Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svcr.exe
  Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svcr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | svcr.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | svcr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | svcr.exe

Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{187AAEAA-6FC5-11ED-B5DD-6683CF8C50C7} = "0" | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE

Modifies registry key (1 TTP, 10 IoCs)
  pid | Process
  1008 | reg.exe
  4532 | reg.exe
  3476 | reg.exe
  5060 | reg.exe
  3084 | reg.exe
  2076 | reg.exe
  4668 | reg.exe
  2548 | reg.exe
  2036 | reg.exe
  4896 | reg.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  1780 | svcr.exe
  1780 | svcr.exe
  548 | svcr.exe
  548 | svcr.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 548 | svcr.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid | Process
  4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe
  1028 | IEXPLORE.EXE
  1028 | IEXPLORE.EXE
  1028 | IEXPLORE.EXE
  1028 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4772 wrote to memory of 1780 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 81
  PID 4772 wrote to memory of 1780 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 81
  PID 4772 wrote to memory of 1780 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 81
  PID 4772 wrote to memory of 3532 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 90
  PID 4772 wrote to memory of 3532 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 90
  PID 4772 wrote to memory of 3532 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 90
  PID 4772 wrote to memory of 2228 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 82
  PID 4772 wrote to memory of 2228 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 82
  PID 4772 wrote to memory of 2228 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 82
  PID 4772 wrote to memory of 736 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 89
  PID 4772 wrote to memory of 736 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 89
  PID 4772 wrote to memory of 736 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 89
  PID 4772 wrote to memory of 3784 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 83
  PID 4772 wrote to memory of 3784 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 83
  PID 4772 wrote to memory of 3784 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 83
  PID 4772 wrote to memory of 3372 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 84
  PID 4772 wrote to memory of 3372 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 84
  PID 4772 wrote to memory of 3372 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 84
  PID 4772 wrote to memory of 5012 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 91
  PID 4772 wrote to memory of 5012 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 91
  PID 4772 wrote to memory of 5012 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 91
  PID 4772 wrote to memory of 4344 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 92
  PID 4772 wrote to memory of 4344 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 92
  PID 4772 wrote to memory of 4344 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 92
  PID 4772 wrote to memory of 3260 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 94
  PID 4772 wrote to memory of 3260 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 94
  PID 4772 wrote to memory of 3260 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 94
  PID 4772 wrote to memory of 4920 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 97
  PID 4772 wrote to memory of 4920 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 97
  PID 4772 wrote to memory of 4920 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 97
  PID 1780 wrote to memory of 2308 | 1780 | svcr.exe | 101
  PID 1780 wrote to memory of 2308 | 1780 | svcr.exe | 101
  PID 1780 wrote to memory of 2308 | 1780 | svcr.exe | 101
  PID 4772 wrote to memory of 3204 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 100
  PID 4772 wrote to memory of 3204 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 100
  PID 4772 wrote to memory of 3204 | 4772 | 02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe | 100
  PID 5012 wrote to memory of 2548 | 5012 | cmd.exe | 112
  PID 5012 wrote to memory of 2548 | 5012 | cmd.exe | 112
  PID 5012 wrote to memory of 2548 | 5012 | cmd.exe | 112
  PID 4920 wrote to memory of 4896 | 4920 | cmd.exe | 111
  PID 4920 wrote to memory of 4896 | 4920 | cmd.exe | 111
  PID 4920 wrote to memory of 4896 | 4920 | cmd.exe | 111
  PID 736 wrote to memory of 3084 | 736 | cmd.exe | 113
  PID 736 wrote to memory of 3084 | 736 | cmd.exe | 113
  PID 736 wrote to memory of 3084 | 736 | cmd.exe | 113
  PID 3372 wrote to memory of 2036 | 3372 | cmd.exe | 110
  PID 3372 wrote to memory of 2036 | 3372 | cmd.exe | 110
  PID 3372 wrote to memory of 2036 | 3372 | cmd.exe | 110
  PID 2228 wrote to memory of 5060 | 2228 | cmd.exe | 109
  PID 2228 wrote to memory of 5060 | 2228 | cmd.exe | 109
  PID 2228 wrote to memory of 5060 | 2228 | cmd.exe | 109
  PID 3532 wrote to memory of 3476 | 3532 | cmd.exe | 108
  PID 3532 wrote to memory of 3476 | 3532 | cmd.exe | 108
  PID 3532 wrote to memory of 3476 | 3532 | cmd.exe | 108
  PID 3260 wrote to memory of 4532 | 3260 | cmd.exe | 107
  PID 3260 wrote to memory of 4532 | 3260 | cmd.exe | 107
  PID 3260 wrote to memory of 4532 | 3260 | cmd.exe | 107
  PID 3204 wrote to memory of 2076 | 3204 | cmd.exe | 103
  PID 3204 wrote to memory of 2076 | 3204 | cmd.exe | 103
  PID 3204 wrote to memory of 2076 | 3204 | cmd.exe | 103
  PID 3784 wrote to memory of 1008 | 3784 | cmd.exe | 106
  PID 3784 wrote to memory of 1008 | 3784 | cmd.exe | 106
  PID 3784 wrote to memory of 1008 | 3784 | cmd.exe | 106
  PID 4344 wrote to memory of 4668 | 4344 | cmd.exe | 104
Processes

[1] C:\Users\Admin\AppData\Local\Temp\02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe"
    PID: 4772
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\svcr.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\svcr.exe"
        PID: 1780
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Checks computer location settings
        - Adds Run key to start application
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
            PID: 2308

            [4] C:\Program Files\Internet Explorer\IEXPLORE.EXE
                Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                PID: 1028
                - Modifies Internet Explorer settings
                - Suspicious use of SetWindowsHookEx

                [5] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1028 CREDAT:17410 /prefetch:2
                    PID: 3988

        [3] C:\Windows\svcr.exe
            Command line: "C:\Windows\svcr.exe" "C:\Users\Admin\AppData\Local\Temp\svcr.exe"
            PID: 548
            - Executes dropped EXE
            - Modifies Installed Components in the registry
            - Checks BIOS information in registry
            - Checks processor information in registry
            - Enumerates system info in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            [4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
                PID: 3436

                [5] C:\Program Files\Internet Explorer\IEXPLORE.EXE
                    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                    PID: 3628
                    - Modifies Internet Explorer settings

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        PID: 2228
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
            PID: 5060
            - Modifies registry key

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        PID: 3784
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
            PID: 1008
            - Modifies registry key

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
        PID: 3372
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
            PID: 2036
            - Modifies registry key

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        PID: 736
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
            PID: 3084
            - Modifies registry key

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        PID: 3532
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
            PID: 3476
            - Modifies registry key

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        PID: 5012
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
            PID: 2548
            - Modifies registry key

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        PID: 4344
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
            PID: 4668
            - Modifies registry key

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        PID: 3260
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
            PID: 4532
            - Disables RegEdit via registry modification
            - Modifies registry key

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        PID: 4920
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
            PID: 4896
            - Modifies registry key

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
        PID: 3204
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
            PID: 2076
            - Modifies registry key
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 600KB
MD5: 8a2d783c9c968768694f76d5420d05e6
SHA1: b42094c631e5f49e9eaefe69d10c53e42860901a
SHA256: 2c5504326ad54843d193eec238a949832bce8be35891fc2376e355795ac5ee6c
SHA512: 2380b91ff9bde0af3d056f31b8f69c9dd1eb4e7e989224ae97fd9ac878bf7155a0c94c72a64e26a3021c65e3c0d83c711dfffe4b212350fb50169b17fd594c0b
Listed 4 times in the report, each entry with the same size and hashes.