Analysis
max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted
17/01/2024, 19:29
Static task
static1
Behavioral task
behavioral1
Sample
63695aab8d849ed964b4698763bad225.exe
Resource
win7-20231215-en
General
-
Target
63695aab8d849ed964b4698763bad225.exe
-
Size
788KB
-
MD5
63695aab8d849ed964b4698763bad225
-
SHA1
19655d3e5937b485275f137308242c6fc8868e75
-
SHA256
160b00f82db12dcf5e84510565f7da878e9e252e104392ae7740b75c59050f35
-
SHA512
e4421c50b886401f1271f21e5acd151626a4e1117490a9bc6cecbd00e8726594b553f29faa694a964e7ce71983bd222b30d08993ac2ef57033325cda869399a9
-
SSDEEP
12288:DlP3QOq8VL/YN0XmtyjgDkatT1CFNjh56ARPax530MbwDB+PV4jiS:ZU8Bs0KyEXi/V5LRPUkEwDSVHS
Malware Config
Extracted
family
cybergate
version
2.6
ID (campaign)
Hacked
C2
anonymous101.serveblog.net:81
mutex
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
Run
-
install_file
Run.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
título da mensagem
(both values are the CyberGate builder's Portuguese placeholders, "message text" and "message title"; enable_message_box is false, so no box is shown)
-
password
1234
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
Modifies firewall policy service (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\x506e1qPK.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x506e1qPK.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\sidescroll.exe = "C:\\Users\\Admin\\AppData\\Roaming\\sidescroll.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Reading the values: DoNotAllowExceptions is an inverted setting, so writing 0 re-enables the exception list, and the two List entries ("<path>:*:Enabled:<display name>") whitelist the RAT binaries in Temp and Roaming under the display name "Windows Messanger". The misspelling is the malware's own and is usable as a string indicator. The writes are issued as REG ADD against HKLM\System\CurrentControlSet (resolved by the sandbox to ControlSet001) from cmd.exe children of the third x506e1qPK.exe stage, PID 648.
Adds policy Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | th3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Run\\Run.exe" | th3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | x506e1qPK.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\sidescroll.exe" | x506e1qPK.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | th3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Run\\Run.exe" | th3.exe
The Policies\Explorer\Run key is processed by Explorer at logon like the ordinary Run key but is rarely populated on a clean system, which makes any entry there worth inspecting. Both dropped RATs use it in addition to the standard Run keys listed below.
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{J88EQJA8-TQ05-4QQ7-188B-WUP84GDQ45X4} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{J88EQJA8-TQ05-4QQ7-188B-WUP84GDQ45X4}\StubPath = "C:\\Windows\\system32\\Run\\Run.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{J88EQJA8-TQ05-4QQ7-188B-WUP84GDQ45X4} | th3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{J88EQJA8-TQ05-4QQ7-188B-WUP84GDQ45X4}\StubPath = "C:\\Windows\\system32\\Run\\Run.exe Restart" | th3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DBAEBDE-B29A-F3CC-C72A-FEEE5CF5F4FC} | x506e1qPK.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DBAEBDE-B29A-F3CC-C72A-FEEE5CF5F4FC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\sidescroll.exe" | x506e1qPK.exe
Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{7DBAEBDE-B29A-F3CC-C72A-FEEE5CF5F4FC} | x506e1qPK.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Active Setup\Installed Components\{7DBAEBDE-B29A-F3CC-C72A-FEEE5CF5F4FC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\sidescroll.exe" | x506e1qPK.exe
Active Setup runs each component's StubPath once per user at logon, so these entries survive removal of the Run keys. Two details are worth noting: the component ID {J88EQJA8-TQ05-4QQ7-188B-WUP84GDQ45X4} is not a valid GUID (it contains non-hex characters), and the explorer.exe that writes it is PID 2388, the SysWOW64 explorer.exe spawned by th3.exe, so the code injected into that process performs part of the persistence rather than the dropper itself.
Executes dropped EXE (6 IoCs)
pid | Process
2372 | th3.exe
2804 | x506e1qPK.exe
552 | x506e1qPK.exe
648 | x506e1qPK.exe
1240 | th3.exe
1476 | Run.exe
Loads dropped DLL (9 IoCs)
pid | Process
3068 | 63695aab8d849ed964b4698763bad225.exe
3068 | 63695aab8d849ed964b4698763bad225.exe
3068 | 63695aab8d849ed964b4698763bad225.exe
3068 | 63695aab8d849ed964b4698763bad225.exe
2804 | x506e1qPK.exe
552 | x506e1qPK.exe
2372 | th3.exe
1240 | th3.exe
1240 | th3.exe
UPX-packed resources (yara rule "upx", 17 IoCs)
resource | yara_rule
behavioral1/files/0x000d0000000122f6-28.dat | upx
behavioral1/memory/2372-49-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/648-160-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral1/memory/648-167-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral1/memory/2372-360-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/648-361-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral1/memory/648-363-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral1/memory/2388-655-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral1/memory/2372-663-0x0000000001DA0000-0x0000000001DF7000-memory.dmp | upx
behavioral1/memory/1240-674-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1240-958-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
behavioral1/memory/2372-957-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2388-983-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral1/memory/1476-985-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1476-987-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1240-1492-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
behavioral1/memory/1240-1736-0x00000000052B0000-0x0000000005307000-memory.dmp | upx
The matches at 0x00400000 are the packed images of th3.exe, x506e1qPK.exe and Run.exe themselves. The matches in PID 2388 (the explorer.exe spawned by th3.exe) sit at 0x24080000-0x240E2000, well away from that process's own image, and PID 1240 (th3.exe) holds a region of the same size at 0x24160000-0x241C2000: this is the packed payload mapped into explorer.exe, consistent with injected_process = explorer.exe in the extracted config.
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Run\\Run.exe" | th3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Run\\Run.exe" | th3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\sidescroll.exe" | x506e1qPK.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\sidescroll.exe" | x506e1qPK.exe
The th3.exe entries map directly onto the extracted CyberGate config: the value names are regkey_hklm = "HKLM" and regkey_hkcu = "HKCU", and the target is install_dir\install_file = Run\Run.exe under system32. The x506e1qPK.exe entries use the generic name "Microsoft Windows" and point at sidescroll.exe in the user's Roaming profile, a user-writable location no legitimate autorun should need.
Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 63695aab8d849ed964b4698763bad225.exe
File opened for modification | \??\PhysicalDrive0 | x506e1qPK.exe
Caveat: the evidence recorded here is a handle to \??\PhysicalDrive0 opened with write access by each dropper, not an observed write to sector 0. That is enough to trip the signature and the Bootkit mapping below, but no changed MBR content is shown in this report; verify on disk before treating this sample as a bootkit.
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Run\Run.exe | th3.exe
File opened for modification | C:\Windows\SysWOW64\Run\Run.exe | th3.exe
File opened for modification | C:\Windows\SysWOW64\Run\Run.exe | th3.exe
File opened for modification | C:\Windows\SysWOW64\Run\ | th3.exe
The registry values and the Run.exe command line all say C:\Windows\system32\Run\Run.exe; the file lands in SysWOW64 because th3.exe is a 32-bit process on this x64 image and WOW64 redirects its system32 writes. Hunts for this family on 64-bit hosts should check both directories.
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 3060 set thread context of 3068 | 3060 | 63695aab8d849ed964b4698763bad225.exe | 28
PID 2804 set thread context of 552 | 2804 | x506e1qPK.exe | 33
PID 552 set thread context of 648 | 552 | x506e1qPK.exe | 34
In each case the parent has just spawned a child from its own image, written to it (see WriteProcessMemory below) and then reset the child's thread context: the RunPE / process-hollowing pattern, used once by the initial dropper and twice in a row by x506e1qPK.exe.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key (1 TTPs, 4 IoCs)
pid | Process
1244 | reg.exe
2404 | reg.exe
3060 | reg.exe
2768 | reg.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2372 | th3.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1240 | th3.exe
Suspicious use of AdjustPrivilegeToken (38 IoCs)
description | pid | Process
Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege (36 entries, in this order) | 648 | x506e1qPK.exe
Token: SeDebugPrivilege, SeDebugPrivilege | 1240 | th3.exe
The numeric entries are privilege LUIDs the sandbox did not resolve to a name. On Windows 7, LUIDs 31 to 35 are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege; LUID 1 is below the first defined privilege and the request simply fails. Walking LUIDs 1 through 35 in sequence is the "enable every privilege in the token" loop, run here by the hollowed third x506e1qPK.exe stage, the same process that writes the Run and Active Setup keys.
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2372 | th3.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
3060 | 63695aab8d849ed964b4698763bad225.exe
3068 | 63695aab8d849ed964b4698763bad225.exe
2804 | x506e1qPK.exe
552 | x506e1qPK.exe
648 | x506e1qPK.exe
648 | x506e1qPK.exe
648 | x506e1qPK.exe
SetWindowsHookEx is consistent with the enable_keylogger = true setting in the extracted config, but the hook type is not recorded here, so the calls alone do not prove a keyboard hook was installed.
Suspicious use of WriteProcessMemory (64 IoCs, grouped by source and target)
description | pid | Process | procid_target | repeats
PID 3060 wrote to memory of 3068 | 3060 | 63695aab8d849ed964b4698763bad225.exe | 28 | 9
PID 3068 wrote to memory of 2720 | 3068 | 63695aab8d849ed964b4698763bad225.exe | 29 | 4
PID 3068 wrote to memory of 2372 | 3068 | 63695aab8d849ed964b4698763bad225.exe | 31 | 4
PID 3068 wrote to memory of 2804 | 3068 | 63695aab8d849ed964b4698763bad225.exe | 32 | 4
PID 2372 wrote to memory of 1204 | 2372 | th3.exe | 18 | 38
PID 2804 wrote to memory of 552 | 2804 | x506e1qPK.exe | 33 | 5
All but one of these relations are a parent staging its freshly spawned child. The exception is th3.exe (2372) writing 38 times into PID 1204, which is the desktop Explorer.EXE that started the whole chain and not a child of th3.exe at all: that is the code injection into explorer.exe the config asks for (injected_process = explorer.exe).
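The registry IoCs above are the part of this report most worth turning into hunt logic. The following is an added example, not part of the Triage report or of any Triage tooling: it parses IoC lines in the layout the tables use ("Set value (str) <key> = "<data>" <process>" and "Key created <key> <process>"), then applies rules chosen by the editor for what this sample does: autoruns from user-writable paths or from an odd subdirectory of system32, Active Setup StubPath entries (including the non-hex component ID), DoNotAllowExceptions written as 0, and firewall List entries in the legacy "<path>:<scope>:<Enabled|Disabled>:<name>" format that whitelist binaries under AppData or Temp. The rule names and the "user-writable" path set are the example's own assumptions; the sample lines are copied from the tables above.

```python
"""Turn registry IoC lines (Triage layout) into named persistence / defence-evasion findings."""
import re
from dataclasses import dataclass

# Constructed input: lines copied from the report's Signatures tables, in the layout Triage prints.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Run\\Run.exe" th3.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\sidescroll.exe" x506e1qPK.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Run\\Run.exe" th3.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{J88EQJA8-TQ05-4QQ7-188B-WUP84GDQ45X4}\StubPath = "C:\\Windows\\system32\\Run\\Run.exe Restart" th3.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DBAEBDE-B29A-F3CC-C72A-FEEE5CF5F4FC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\sidescroll.exe" x506e1qPK.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\x506e1qPK.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x506e1qPK.exe:*:Enabled:Windows Messanger" reg.exe',
    r'Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe',
]

IOC_RE = re.compile(r'^(?P<op>Set value \((?:str|int)\)|Key created) '
                    r'(?P<key>\\REGISTRY\\.+?)(?: = "(?P<data>.*)")? (?P<proc>\S+)$')
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Temp\\|\\ProgramData\\', re.I)
SYSTEM32_SUBDIR = re.compile(r'^[A-Z]:\\Windows\\(system32|syswow64)\\[^\\]+\\[^\\]+\.exe$', re.I)
RUN_KEY = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run$', re.I)
POLICY_RUN_KEY = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run$', re.I)
ACTIVE_SETUP = re.compile(r'\\Active Setup\\Installed Components\\(\{[^}]+\})$', re.I)
FIREWALL = re.compile(r'\\SharedAccess\\Parameters\\FirewallPolicy\\', re.I)
GUID = re.compile(r'^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)
FW_LIST = '\\authorizedapplications\\list'   # value names under here are full paths, so split specially


@dataclass
class Finding:
    rule: str
    key: str
    data: str
    proc: str


def parse_ioc(line):
    """(op, key, data, proc) for one IoC line, or None if the line is not in the expected layout."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    data = (m['data'] or '').replace('\\\\', '\\')   # Triage doubles backslashes inside data
    return m['op'], m['key'], data, m['proc']


def split_value(key):
    """(parent key, value name), keeping a firewall List value name (a full path) intact."""
    idx = key.lower().find(FW_LIST + '\\')
    if idx != -1:
        cut = idx + len(FW_LIST)
        return key[:cut], key[cut + 1:]
    parent, _, name = key.rpartition('\\')
    return parent, name


def first_exe(data):
    """Leading executable path in a value, without arguments or the firewall ':' suffix."""
    m = re.match(r'"?([A-Za-z]:\\[^"]*?\.exe)', data, re.I)
    return m.group(1) if m else None


def parse_fw_entry(data):
    """Legacy (XP/Vista/7) firewall list entry: <path>:<scope>:<Enabled|Disabled>:<display name>."""
    parts = data.split(':')
    if len(parts) < 5:
        return None
    return {'path': ':'.join(parts[:2]), 'scope': parts[2], 'status': parts[3], 'name': ':'.join(parts[4:])}


def classify(line):
    """Findings for one line; a bare 'Key created' carries no payload path and yields none."""
    parsed = parse_ioc(line)
    if not parsed or parsed[0] == 'Key created':
        return []
    _, key, data, proc = parsed
    parent, name = split_value(key)
    exe = first_exe(data)
    hits = []

    def add(rule):
        hits.append(Finding(rule, key, data, proc))

    if POLICY_RUN_KEY.search(parent) or RUN_KEY.search(parent):
        add('policy_explorer_run' if POLICY_RUN_KEY.search(parent) else 'run_key')
        if exe and USER_WRITABLE.search(exe):
            add('autorun_from_user_writable_path')
        elif exe and SYSTEM32_SUBDIR.match(exe):
            add('autorun_from_system32_subdir')       # system32\Run\Run.exe is not a Microsoft layout
    m = ACTIVE_SETUP.search(parent)
    if m and name.lower() == 'stubpath':
        add('active_setup_stubpath')                  # StubPath runs once per user at logon
        if not GUID.match(m.group(1)):
            add('active_setup_non_hex_guid')          # genuine component IDs are hex CLSIDs
        if exe and USER_WRITABLE.search(exe):
            add('active_setup_from_user_writable_path')
    if FIREWALL.search(parent):
        if name.lower() == 'donotallowexceptions' and data == '0':
            add('firewall_exceptions_enabled')        # 0 switches "Don't allow exceptions" off
        entry = parse_fw_entry(data) if parent.lower().endswith(FW_LIST) else None
        if entry and entry['status'].lower() == 'enabled' and USER_WRITABLE.search(entry['path']):
            add('firewall_exception_for_user_writable_binary')
    return hits


def scan(lines):
    return [f for line in lines for f in classify(line)]


def rule_counts(lines):
    counts = {}
    for f in scan(lines):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == '__main__':
    for f in scan(SAMPLE_IOCS):
        print(f'{f.rule:45} {f.proc:14} {f.data}')
```

Run against the eight sample lines it produces twelve findings: both Run-key writes, the Policies\Explorer\Run write, both Active Setup StubPath writes (one flagged for the non-hex ID, one for pointing into Roaming), the DoNotAllowExceptions = 0 write, and the Temp-path firewall exception. The same regexes apply unchanged to a live host if the paths are read with winreg and the \REGISTRY\MACHINE prefix is substituted.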
Processes
C:\Windows\Explorer.EXE  (PID 1204)
  cmdline: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\63695aab8d849ed964b4698763bad225.exe  (PID 3060)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\63695aab8d849ed964b4698763bad225.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\63695aab8d849ed964b4698763bad225.exe  (PID 3068)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\63695aab8d849ed964b4698763bad225.exe"
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe  (PID 2720)
        cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\desktop.bat" "
      C:\Users\Admin\AppData\Local\Temp\th3.exe  (PID 2372)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\th3.exe"
        - Adds policy Run key to start application
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\explorer.exe  (PID 2388)
          cmdline: explorer.exe
          - Modifies Installed Components in the registry
        C:\Program Files\Internet Explorer\iexplore.exe  (PID 1472)
          cmdline: "C:\Program Files\Internet Explorer\iexplore.exe"
        C:\Users\Admin\AppData\Local\Temp\th3.exe  (PID 1240)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\th3.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\Run\Run.exe  (PID 1476)
            cmdline: "C:\Windows\system32\Run\Run.exe"
            - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\x506e1qPK.exe  (PID 2804)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\x506e1qPK.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\x506e1qPK.exe  (PID 552)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\x506e1qPK.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Writes to the Master Boot Record (MBR)
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          C:\Users\Admin\AppData\Local\Temp\x506e1qPK.exe  (PID 648)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\x506e1qPK.exe"
            - Adds policy Run key to start application
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\cmd.exe  (PID 964)
              cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              C:\Windows\SysWOW64\reg.exe  (PID 2768)
                cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                - Modifies firewall policy service
                - Modifies registry key
            C:\Windows\SysWOW64\cmd.exe  (PID 1940)
              cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              C:\Windows\SysWOW64\reg.exe  (PID 3060)
                cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                - Modifies firewall policy service
                - Modifies registry key
            C:\Windows\SysWOW64\cmd.exe  (PID 2412)
              cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\x506e1qPK.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\x506e1qPK.exe:*:Enabled:Windows Messanger" /f
              C:\Windows\SysWOW64\reg.exe  (PID 1244)
                cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\x506e1qPK.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\x506e1qPK.exe:*:Enabled:Windows Messanger" /f
                - Modifies firewall policy service
                - Modifies registry key
            C:\Windows\SysWOW64\cmd.exe  (PID 872)
              cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\sidescroll.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\sidescroll.exe:*:Enabled:Windows Messanger" /f
              C:\Windows\SysWOW64\reg.exe  (PID 2404)
                cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\sidescroll.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\sidescroll.exe:*:Enabled:Windows Messanger" /f
                - Modifies firewall policy service
                - Modifies registry key
Notes on the tree: PID 3060 appears twice, first as the stage-one loader and later as the reg.exe under cmd.exe 1940; the loader had exited after hollowing 3068, so the PID was recycled, and any correlation keyed on PID alone will conflate the two. The explorer.exe at PID 2388 is a fresh SysWOW64 explorer.exe started by th3.exe, not the desktop shell at PID 1204 that th3.exe injects into. Run.exe is executed from C:\Windows\SysWOW64\Run\ although its command line and every registry value say C:\Windows\system32\Run\Run.exe, the WOW64 redirection already noted under "Drops file in System32 directory".
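The process tree, the SetThreadContext table and the WriteProcessMemory table together describe three relations that are easy to state but easy to get wrong when PIDs are recycled. The following is an added example written for this page, not Triage code: it resolves parents in creation order (so the second PID 3060 links to cmd.exe 1940 rather than to Explorer), flags a parent that hollowed a child spawned from its own image, flags memory writes into a process that is not the writer's child, and lists reused PIDs. The process records and API relations are transcribed from the report; the grouped write counts follow the WriteProcessMemory table above.

```python
"""Process-tree triage: self-spawn hollowing, writes into a non-child, and PID reuse."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

TEMP = r'C:\Users\Admin\AppData\Local\Temp'
SAMPLE = TEMP + r'\63695aab8d849ed964b4698763bad225.exe'
TH3 = TEMP + r'\th3.exe'
X506 = TEMP + r'\x506e1qPK.exe'
CMD = r'C:\Windows\SysWOW64\cmd.exe'
REG = r'C:\Windows\SysWOW64\reg.exe'


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str


@dataclass
class Node:
    proc: Proc
    parent: Optional['Node']


# Constructed from the report's Processes section, in the order it lists them.
PROCS = [
    Proc(1204, 0, r'C:\Windows\Explorer.EXE'),
    Proc(3060, 1204, SAMPLE),
    Proc(3068, 3060, SAMPLE),
    Proc(2720, 3068, CMD),
    Proc(2372, 3068, TH3),
    Proc(2388, 2372, r'C:\Windows\SysWOW64\explorer.exe'),
    Proc(1472, 2372, r'C:\Program Files\Internet Explorer\iexplore.exe'),
    Proc(1240, 2372, TH3),
    Proc(1476, 1240, r'C:\Windows\SysWOW64\Run\Run.exe'),
    Proc(2804, 3068, X506),
    Proc(552, 2804, X506),
    Proc(648, 552, X506),
    Proc(964, 648, CMD), Proc(2768, 964, REG),
    Proc(1940, 648, CMD), Proc(3060, 1940, REG),    # PID 3060 again: the loader had exited
    Proc(2412, 648, CMD), Proc(1244, 2412, REG),
    Proc(872, 648, CMD), Proc(2404, 872, REG),
]
# Constructed from the SetThreadContext and WriteProcessMemory tables (source pid -> target pid).
THREAD_CONTEXT = {(3060, 3068), (2804, 552), (552, 648)}
WRITES = {(3060, 3068): 9, (3068, 2720): 4, (3068, 2372): 4, (3068, 2804): 4,
          (2372, 1204): 38, (2804, 552): 5}


def build_tree(procs):
    """Resolve parents in creation order, so a recycled PID links to the process that
    actually held it when the child started. Returns (nodes, {pid: [images in order]})."""
    live, nodes, history = {}, [], defaultdict(list)
    for p in procs:
        node = Node(p, live.get(p.ppid))
        live[p.pid] = node
        nodes.append(node)
        history[p.pid].append(p.image)
    return nodes, dict(history)


def hollowing_chains(nodes, thread_ctx):
    """A parent that starts a child from its own image and then resets the child's thread
    context is staging a payload in a hollowed copy of itself (RunPE)."""
    return [(n.parent.proc.pid, n.proc.pid, n.proc.image) for n in nodes
            if n.parent and n.parent.proc.image.lower() == n.proc.image.lower()
            and (n.parent.proc.pid, n.proc.pid) in thread_ctx]


def foreign_writes(nodes, writes):
    """WriteProcessMemory into a process that is not the writer's own child."""
    children = {(n.parent.proc.pid, n.proc.pid) for n in nodes if n.parent}
    image_of = {}
    for n in nodes:
        image_of.setdefault(n.proc.pid, n.proc.image)   # first holder of the PID
    return [(src, dst, image_of.get(dst, '?'), count)
            for (src, dst), count in writes.items() if (src, dst) not in children]


def reused_pids(history):
    return {pid: images for pid, images in history.items() if len(images) > 1}


if __name__ == '__main__':
    nodes, history = build_tree(PROCS)
    for src, dst, image in hollowing_chains(nodes, THREAD_CONTEXT):
        print(f'hollowing: {src} -> {dst} ({image})')
    for src, dst, image, count in foreign_writes(nodes, WRITES):
        print(f'injection: {src} wrote {count}x into {dst} ({image})')
    for pid, images in reused_pids(history).items():
        print(f'pid {pid} reused: ' + ' -> '.join(images))
```

On this data the three hollowing pairs are 3060 -> 3068, 2804 -> 552 and 552 -> 648; the only write outside a parent/child pair is th3.exe 2372 into Explorer.EXE 1204; and PID 3060 is the one recycled PID. The same functions work on Sysmon event IDs 1, 8 and 10 once the records are put in the same shape, provided events are fed in timestamp order.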
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (3)
  Create or Modify System Process (1)
    Windows Service (1)
  Pre-OS Boot (1)
    Bootkit (1)
Downloads
-
Filesize 229KB
MD5 f74843185c7f98d428614abf5cc330d5
SHA1 9007fca13a610d0ef84bf68dacde86a378b6971a
SHA256 58f34d18a3433809c59f0e576b480968e340b85f3f1958c23be7010526ec3c22
SHA512 cf98529d13eada9842a639a7e793332b2d4e57466ce52f65a15ec52afdbaca335447a22cba3ecf14b4209099f5cf88e8c270fe2f66c0cac99bbab4fd38b631a0
-
Filesize 8B
MD5 903f0b29e67285b8ff40f2e11f42f9fe
SHA1 4c1e57bc5b6ce4c2c5a8aa87b50dad1e3cfe7426
SHA256 238ab7d6fb61297a0765d871a1f1cf9ef2a6e253984904e05e853b833146018b
SHA512 ce91fc7e050721b44b5c68193009ab5dc508a50940df4cb41426aa55c270eecbc0b06541de70bd5dca853f39558c4d283dd8b88a131efb4556024ece9f19aff1
-
Filesize 8B
MD5 d4999736d0863fe2ca3db567e4064802
SHA1 44fc36183a2318cbd145834278a1dcca5e61197f
SHA256 f70da7d7ee66f5a86c8cef81d77461b870692b63490f2ae4df5a4e813b1358d0
SHA512 377e4515d46f07e2e27819530abf8a0f2e3e7b8695444b5c0d6213269cacae6b0ad7a18aa36b3fa394e174daa34b75e22213f5ac73c11b213b941cb8c60cf598
-
Filesize 8B
MD5 c34408ebab705c77ee40775ed743c649
SHA1 3b9c9529de90fbbd200ef699c3703cccc2207d66
SHA256 96005e437e5fc6a8080864bc2dcdeefcb2276a5db004e72c94ad6a4fa71dea1f
SHA512 730933254986a26e1b508e1d87ecda9f0fba5e99f6e33518a39ab857197f2b6251ed5c8db0c14ce591698297ac7f48f41d13c9d7dd82a80c50aba398951b3cf0
-
Filesize 8B
MD5 4fca92e246f1c7c290ae78e7785caca4
SHA1 7bf9202a8b49d09d544b79d48d53ca43ddaf94d6
SHA256 5bdc71f7c68827bbd20ee0b66a3b5778ddfe7ab91325a7aec6f16254eee71290
SHA512 2f898e5b8e2f9e7264c3348f4d7622518f6a3f131383909888e72cce16b6a5de0951dce11230da1ce15d47db00ee944d9ef9764ac6f78b50daf54dc3caf6570a
-
Filesize 8B
MD5 63bd39e77cc7429dbe4da93e71f67d42
SHA1 e5112b59a214722fc5828f3f0a9f6daac5d30729
SHA256 0bd20f3ea836fe1c6a513c763a14254e3816268a3b873d13e0f15ba8e0a1c1b6
SHA512 f69125e1a1171d06440cac0b59b01dc78caa58c1672c80a96e166a806c684eff679f6a7a43d75b4a8ecf35295a72b442a38df0fcb5cc3a5adaf4b8bd7a0417f8
-
Filesize 8B
MD5 1052cf4d406f3f37b4236fb233b4f02e
SHA1 0adb012a67cf8c6d25c6a63302f8e12bc13b818f
SHA256 170dda22559df5288745f8f702430b38b0e84cb99a7d0eb0cd2317f385a3175f
SHA512 fd06b5c43f5dd643b40e807c6bc759daaaf741df30301efaa03788419e21251e680e471375172de260619ff6b97a93f5670e0b186dfa335bca134afad3a41da7
-
Filesize 8B
MD5 46fd0b0a3a5b038a226461d59b3135f6
SHA1 71cd976619e957f990d213805f123551ca901ceb
SHA256 63e8967dda70e80c339e17f14e16a8872f25e4d984eca492e02e4647ca0e8207
SHA512 0c644314aaf710de5c20e4d178974640be0d416c0d63cce3a603174325b792182eacc1d69daf6b4db5dedec8d196be90055628af13f1e01f396dc907e701e173
-
Filesize 8B
MD5 9b795272a4bd7d3a8afa14e8f1463bd2
SHA1 5f2931da6d02b840b855a95f829d0187e4d7ab3a
SHA256 f478cc9e35c2f89121bb7ec1084fef01bb177fa096b043187dba1b0e5921058e
SHA512 b2b039a0a710907c80c6a678e8da121fbab2fca7777dd0a2f2d66b67e0ff7cefde07f62f27aacceb2da6789fffa3070b95e28b00a44e9a305a44341a53aaeec6
-
Filesize 8B
MD5 7cd5a2c8b09b58d4a7876fa5b1fb7d8c
SHA1 f259975ee1034c429c67f45814e29991a1857e9d
SHA256 61386ba4dea6eb0fae79fdb8130bea0ad2a753452c675c3d94c23f4ee28c36ab
SHA512 4b42463d5d2ccb2dd74f038176a64564f5bbebfe4850a574a1c2791eceb2dd22325bdae8e05e6d03f6a9a976688a9b1b06860d79afc1aad62c5d92161aff5b64
-
Filesize 8B
MD5 c55be0111e5822ac41f8aec51889d607
SHA1 619efc4d41328365752bebc0dca81397a5c8458e
SHA256 5f3057c65d946510bf5d775c15ebabf43257e458320abeba3abd6bd5e2a73190
SHA512 a32ac0901346f06a197c383eed8639cf6adb2dee195115bf8cd7bd5bb8859558ba8eaf5a068ae517ada5021b4811476ea3fb4198f806a4486f5fcadb9e6c6a63
-
Filesize 8B
MD5 41b08650bcc8d5533036aacb8403d622
SHA1 1b0f90d0153b9e40cc14d2b0b118a7114d4975cf
SHA256 49a0c315bad9bdad2f85f131a087dae487b399fe6aaeb386e210cb5c3cabf632
SHA512 297ce93f3e4343bb794fe8571093ab62e4105bd9f26be9586d6b5d1932061157f3b6cea11f89b8d538962fd26b0ed9abef47fe66d7e32a8b485690317a8a916c
-
Filesize 8B
MD5 802c525bbd6d132eff293cb38a793a30
SHA1 75f5f6c3b640caf85db2266691a388bafec7d4c5
SHA256 12d439422d23b52f29dca205cf0a7034a685f4f722d9f0e9df539da68f3ee3b4
SHA512 2b2f2ae578cf9bb544b081f397485371f6a98303db4eb5601ec38717defac2806df3f98433bff379f4d1bf5acce17027339b9a27a53c33d8e771a4f0c2f97889
-
Filesize 8B
MD5 e234aaa9a6fbf7c60869c7dd2188e9da
SHA1 6e18477f147675227b01d41bfcd5e3ebe694ee94
SHA256 4d7623763cc46827c6dff6eec71c993694f2ee820ff0188f400e6597f1991f72
SHA512 01a9936d5dee36e054523b8218055f1287e886a4c68a2f97ac6c6a8cb3017f83f2aa8ea62bf532116c52e5f8f0893a17066af459aafbe199dda8a17bdcc617f4
-
Filesize 8B
MD5 b269956deb9f4b64f496e68cc958d98d
SHA1 57a12c954dcb890b884394f3c479cd1790d5d89e
SHA256 9b5082f2a8645a619efce82e096532d525536236e0d5dce3df79460cfbc35ee7
SHA512 695937501cfcf70b712d08f102decdc94e609f64be409bd3d0f843e4c398036f45b70199502d862f95435339d163ce2a70bf495ea2e9dc80c94375ab6c0e3088
-
Filesize 8B
MD5 2bca74058da8a5980775dea94e5bbcd8
SHA1 244789e0856a4c100352fe66b704696dc5bfe2e9
SHA256 dc2d6597f333a6279eb0b21abb6a3d0738a87d38840ad2408265b0248d84aa2f
SHA512 90b8871cd96c699ba81b2dc734520dec8195f934134b8759cd861822e516ed40c6402ce93944ae1657578bd64206ed1291dc813e0ec2770d3b8c2dbb015f53f8
-
Filesize 8B
MD5 e1207f233b15186ee4bf15e8d550760e
SHA1 e2a81d54c5687f48a094be10b438c4d49c12aa51
SHA256 9e564fc7931886936c209717bca3efbeb6bfb5d3addb18637e5eab71736bca28
SHA512 bb8874d0949926abe37de85db9bfb4928c1b257ab7c375dd2363cad4afb72c53157b2b737d906c4c88ce491f7fe77fc64bc159e0a77dee16dcfc7ec5cc2cee8d
-
Filesize 8B
MD5 4eb6b29719fd61b94c6570a5a2a26727
SHA1 dcf4bc6493320e7d7d778b1d0dff53e9ae10ccc4
SHA256 c3fb86d2d6b73cff0703a8c884c769714b1b51af5b6d5523fcc0ba8fa1edb4a1
SHA512 713fa90ff4f0d793caec699cfb9ae7fd762e6330ac29a0ced1a9fc47a508d7d24d6047cb9019b0d04b94d9c3d1824e0cff3d4bfeba32f81c5a8b96e3a7ca6533
-
Filesize 8B
MD5 8589b497a0be0789e307e732bdd33130
SHA1 24909019737e4ef45f565725146417d2d3af5c63
SHA256 5226d414a5bf100cdaa64e11ed033c6332d4be1c6236a62161a41624abc2d287
SHA512 cb485d8b4fbab6b8b84d0ab9f0cc5542abafa08d50bd94bbdb68cbff1070dd3f2d2ab1126e6350032a25b914a37e5cfc8100f179191cc53e69ef47873c56a04e
-
Filesize 8B
MD5 96184c246a19aa100648f33d228a58a9
SHA1 df41843e77e5c44f8316567cde31beded94899a3
SHA256 3f9d63ce9e6de0bb8f5fe0684e64a3fac450b00ebefbbe5f8b96ce1ebb33237e
SHA512 28f6580a7b22a6654bfea9e0dddba363dc87d2fa8b33e136e188046a02448fb770c3efbecd944179886c0173a756dc1c48a621f7acd2007709894df9229363d0
-
Filesize 8B
MD5 01c574c6cbb72276b26b5ccc7ccb02b2
SHA1 34ae33da0b28797f86c191c765ef114d9df7b9ea
SHA256 f6bac15cb3d2157f16b2d7901f28b03aa84d85297806077841e7318c7c094ebc
SHA512 6709049d01f65fcd5b3236fe56e84adaec0a1b47402ee4641c802b54a99ea2bfade1cbf817485e0d9f3a3ccfdd759fbbd78895e99320e65e21a7f8553904786c
-
Filesize 8B
MD5 5bb262f2071095696d7153500a56d46f
SHA1 ee193fe175bcc127f4d76430705457a47d38f930
SHA256 a9c34616b3d78f915338820d5417fd8c3c0751c8c9a35895dfc1b88645aaa36b
SHA512 c065e6360c3f953f47f796c434a8b2d5cb26924a9ef3e68d1392757232d3116aca9a8a44b458d17b20d2f5a1da9c0efdd38c0c17889fe39b7c552d5def55dcb5
-
Filesize 8B
MD5 ffbf1c78b89ced968bc56eba189ebb86
SHA1 eac9985494271ed9c7e3212eb3173a1d80122f7d
SHA256 5ff6d25cf2241d55f18153fa9f0ceb2944bf3bbc3b50af017d55a00f5305be51
SHA512 dc299a72e58725f5af7b6c8c450704fa29aef777b9d20d7da2ba14890b6957ffc1f77b1bd78480c0e31d8b8a90e222a0f98f10c5055e1a5da06860fade1ddc49
-
Filesize 8B
MD5 c8e9973ec0fef42ca22a0cdb1ffb1ebb
SHA1 3c85eade12ae0a798472b5ba546e67f970e09f09
SHA256 dcfb4a1a7849bf2eb58f511d133272c5c10a4699771f54d88650c290c8b73947
SHA512 61f3c2fa275d62a833407d51bee6222dc6e099bb7d1589859a53e34b3fb82d865f3f65dd9a9e3df89a85033b1984a33accdea644a89a807054392a1d4b56e853
-
Filesize 378B
MD5 67f23640e9351a83d05971c9659d3ded
SHA1 1d75868da9e44dee0b3d8511bfefc1a243534d6c
SHA256 6aeebb9e693bb77776ab8f139bca5571929dd5211ceaea5f6619fdb9832d0aa1
SHA512 14f49e0ed06344e260f12bb0b0a0ee58dccb5a3b7ea5b0a432ae222a1e2f7a69f69df2167e3423cf6eab503578ef397a838414e8bb96c8b04531215e22427d63
-
Filesize 340KB
MD5 8427eb5a3e221afbe6e4ef5887f83f56
SHA1 a3d967c5043a01d8ea600a46026ec4f88dd90f73
SHA256 2f111df97467dbebff0ae01b44b72b541b1e10ef110198486fc69d2a52e01743
SHA512 858ecd7337c3b77d4ca72899bb4b7f9e1c9554ae059eb1483ec578500c208de2484205854d289a2d3a011720ed997fbbb152716afd61bbe76a998c135fd93df9
-
Filesize 15B
MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493
-
Filesize 276KB
MD5 70970d1f2d946648ed3a6951e79725dd
SHA1 baabaa5eca87fd16e0e741f75b5be7aa1723c44e
SHA256 22803ce49b456011307f3c396b4912f7363bcfdd11abe17b6e592bc7a00a7d13
SHA512 e06f0967e801b8964f1cca158d6efc93d9bcaf0ef55bdd702c44714319d1c62e726fe6eba528715709613c60d073f129bd2b57cc6e4857f9bd3628298a2365db