Analysis
  max time kernel: 150s
  max time network: 131s
  platform: windows10-2004_x64
  resource: win10v2004-20240221-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 24/02/2024, 10:48
Behavioral task: behavioral1
  Sample: a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  Resource: win10v2004-20240221-en
General
  Target: a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  Size: 387KB
  MD5: a1ad43760d7a2edb0f7fbc3b9cdc6e9e
  SHA1: b55d0ccb64a65bd608dafd27d6d57bf6fdb49267
  SHA256: c40fe14a6a93721e76c9a11fa65e07509a91050c34287f822be74116e1635ed6
  SHA512: d92c2d970f7880b1179f9d5c22725b466bed45f92ec37efda6bf48cb47bc06bd64b7d0387876368f3df7c597214ba6178c30a79a99174bd522ef5e2abe6b6676
  SSDEEP: 6144:gknN4CVUIm6uk06ZLYgvBA+8xmrxgmA+3cclptVopAfC:FnNhuBoY8SorxgmA+nlvVlfC
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe win-update.exe" | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
Modifies security service 2 TTPs 2 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
Disables RegEdit via registry modification 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
Disables Task Manager via registry modification
Disables use of System Restore points 1 TTPs
Sets file execution options in registry 2 TTPs 2 IoCs
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\debugger = "C:\\Windows\\system32\\iexplorer.exe" | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  resource | yara_rule
  behavioral2/memory/2296-0-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
  behavioral2/files/0x0007000000023217-11.dat | upx
  behavioral2/memory/2296-69-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
  behavioral2/memory/2296-70-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
  behavioral2/memory/2296-71-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
  behavioral2/memory/2296-72-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
  behavioral2/memory/2296-73-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
  behavioral2/memory/2296-74-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
  behavioral2/memory/2296-76-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
  behavioral2/memory/2296-77-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
  behavioral2/memory/2296-78-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
  behavioral2/memory/2296-79-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
  behavioral2/memory/2296-80-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
  behavioral2/memory/2296-81-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
  behavioral2/memory/2296-82-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
  behavioral2/memory/2296-83-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
  behavioral2/memory/2296-84-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
Adds Run key to start application 2 TTPs 2 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer = "C:\\Windows\\system32\\iexplorer.exe" | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win-Update = "C:\\Windows\\win-update.exe" | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\i: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\j: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\r: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\b: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\e: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\h: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\g: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\n: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\o: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\q: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\t: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\v: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\l: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\m: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\p: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\u: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\w: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\x: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\y: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\z: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\a: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\k: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened (read-only) | \??\s: | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
AutoIT Executable 15 IoCs
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/2296-69-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
  behavioral2/memory/2296-70-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
  behavioral2/memory/2296-71-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
  behavioral2/memory/2296-72-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
  behavioral2/memory/2296-73-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
  behavioral2/memory/2296-74-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
  behavioral2/memory/2296-76-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
  behavioral2/memory/2296-77-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
  behavioral2/memory/2296-78-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
  behavioral2/memory/2296-79-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
  behavioral2/memory/2296-80-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
  behavioral2/memory/2296-81-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
  behavioral2/memory/2296-82-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
  behavioral2/memory/2296-83-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
  behavioral2/memory/2296-84-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File opened for modification | \??\c:\Autorun.inf | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened for modification | C:\\Autorun.inf | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened for modification | \??\f:\Autorun.inf | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened for modification | F:\\Autorun.inf | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
Drops file in System32 directory 2 IoCs
  description | ioc | Process
  File created | C:\Windows\SysWOW64\iexplorer.exe | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened for modification | C:\Windows\SysWOW64\iexplorer.exe | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
Drops file in Windows directory 2 IoCs
  description | ioc | Process
  File created | C:\Windows\win-update.exe | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  File opened for modification | C:\Windows\win-update.exe | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Software\Microsoft\Internet Explorer\Main | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Allahou Akbar" | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
Modifies Internet Explorer start page 1 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.islamweb.net/" | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
Modifies registry class 1 IoCs
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process
  2296 | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe (the same entry is listed for all 64 IoCs)
Suspicious use of WriteProcessMemory 30 IoCs
  description | pid | Process | procid_target (each entry is reported 3 times)
  PID 2296 wrote to memory of 4972 | 2296 | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe | 91
  PID 4972 wrote to memory of 1660 | 4972 | cmd.exe | 93
  PID 1660 wrote to memory of 2228 | 1660 | net.exe | 94
  PID 2296 wrote to memory of 3368 | 2296 | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe | 95
  PID 3368 wrote to memory of 2216 | 3368 | cmd.exe | 97
  PID 2216 wrote to memory of 516 | 2216 | net.exe | 98
  PID 2296 wrote to memory of 1140 | 2296 | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe | 99
  PID 1140 wrote to memory of 2360 | 1140 | cmd.exe | 101
  PID 2296 wrote to memory of 2696 | 2296 | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe | 102
  PID 2696 wrote to memory of 4076 | 2696 | cmd.exe | 104
System policy modification 1 TTPs 3 IoCs
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "0" | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe"
  PID: 2296
  signatures:
    - Modifies WinLogon for persistence
    - Modifies security service
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Sets file execution options in registry
    - Checks computer location settings
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /C net stop "Security Center"
    PID: 4972
    signatures:
      - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop "Security Center"
      PID: 1660
      signatures:
        - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop "Security Center"
        PID: 2228
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /C net stop "Windows Firewall/Internet Connection Sharing (ICS)"
    PID: 3368
    signatures:
      - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop "Windows Firewall/Internet Connection Sharing (ICS)"
      PID: 2216
      signatures:
        - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        PID: 516
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
    PID: 1140
    signatures:
      - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\at.exe
      command line: AT /delete /yes
      PID: 2360
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /C AT 12:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\iexplorer.exe
    PID: 2696
    signatures:
      - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\at.exe
      command line: AT 12:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\iexplorer.exe
      PID: 4076
Network
MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Modify Registry (9)
Downloads
- Filesize: 280B
  MD5: ba9fa2ff95cf51c5e241551ed3eef925
  SHA1: e3025f0a039f861dd04101aae9c120f85fe3a707
  SHA256: be203907c52ec704c53a4179b9cbb87e0a12724d9b3e5c22e36cbf18abba13b1
  SHA512: 59274af7c19ddf587d796090fa34a90300df62e9e6fc2bf16f4bcdb7553b58b6e7429426cd98ea632106fd19adc706bc91acd86b4ac8ce5081f13552aac96272
- Filesize: 1KB
  MD5: 06582b59bda74b3a65d7024034b4ea3d
  SHA1: 464f0f8d4c7d72eca4d95d9d5c3ee4a8cfd6196c
  SHA256: 8dfd74d9c3b9446430eec61c174ec852d7b1abfefb48fd0936b9516863c1a11d
  SHA512: 656819c944c21a45bf51dad46b8e7e0950d1af7f8538d5962f0d07d336aea2a34a5943e00b88c393489955b806808711b0690d377e0819581e91b1375792bb3e
- Filesize: 1KB
  MD5: 32852fa83396724dd914fcf76420e59a
  SHA1: 96a591219004fdf544f721b12dada3c8740deb7d
  SHA256: fc2fe3ab2c34a367e24e587fd814956b2bae6e9133161d8bd5ffa302f75767ae
  SHA512: 9af95a259e514b958cc3749c4567c4281537c160975ca71e17c77b1ac5d1a04c6cbdc753ffe0700b5aa1d9697db39ccae438b3fd377a0574196df53263fab972
- Filesize: 387KB
  MD5: a1ad43760d7a2edb0f7fbc3b9cdc6e9e
  SHA1: b55d0ccb64a65bd608dafd27d6d57bf6fdb49267
  SHA256: c40fe14a6a93721e76c9a11fa65e07509a91050c34287f822be74116e1635ed6
  SHA512: d92c2d970f7880b1179f9d5c22725b466bed45f92ec37efda6bf48cb47bc06bd64b7d0387876368f3df7c597214ba6178c30a79a99174bd522ef5e2abe6b6676