Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
07/05/2024, 16:42
240507-t7tjzaeh9s 1007/05/2024, 16:12
240507-tnt2dseb4v 1007/05/2024, 16:09
240507-tlvj5sea61 1Analysis
-
max time kernel
40s -
max time network
41s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 16:42
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe
Resource
win10v2004-20240419-en
Errors
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Executes dropped EXE 2 IoCs
pid Process 2928 7ev3n.exe 5000 system.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" reg.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 60 raw.githubusercontent.com 61 raw.githubusercontent.com -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3672 SCHTASKS.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
Modifies data under HKEY_USERS 17 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "186" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133595737633164456" chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings chrome.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3504 chrome.exe 3504 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid Process 3504 chrome.exe 3504 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 1092 shutdown.exe Token: SeRemoteShutdownPrivilege 1092 shutdown.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe Token: SeShutdownPrivilege 3504 chrome.exe Token: SeCreatePagefilePrivilege 3504 chrome.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
pid Process 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe 3504 chrome.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1920 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3504 wrote to memory of 3200 3504 chrome.exe 85 PID 3504 wrote to memory of 3200 3504 chrome.exe 85 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 2712 3504 chrome.exe 86 PID 3504 wrote to memory of 5468 3504 chrome.exe 87 PID 3504 wrote to memory of 5468 3504 chrome.exe 87 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88 PID 3504 wrote to memory of 2012 3504 chrome.exe 88
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffde36bcc40,0x7ffde36bcc4c,0x7ffde36bcc582⤵PID:3200
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1892 /prefetch:22⤵PID:2712
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2364 /prefetch:32⤵PID:5468
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2084,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2524 /prefetch:82⤵PID:2012
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3156 /prefetch:12⤵PID:3476
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3256 /prefetch:12⤵PID:1812
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4644,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4684 /prefetch:82⤵PID:1856
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4980,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5004 /prefetch:82⤵PID:4016
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5028,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5172 /prefetch:82⤵PID:1836
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5440,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5368 /prefetch:82⤵PID:3860
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5052,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5020 /prefetch:82⤵PID:5376
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵PID:1304
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:244
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1420
-
C:\Users\Admin\Downloads\7ev3n.exe"C:\Users\Admin\Downloads\7ev3n.exe"1⤵
- Executes dropped EXE
PID:2928 -
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"2⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat3⤵PID:4856
-
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f3⤵
- Creates scheduled task(s)
PID:3672
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵PID:2428
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Modifies WinLogon for persistence
PID:768
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵PID:3140
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Adds Run key to start application
PID:4548
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵PID:5344
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵PID:412
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:643⤵PID:3108
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵PID:2316
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:643⤵PID:3956
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵PID:5748
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:643⤵PID:4792
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
- UAC bypass
PID:1884
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:643⤵PID:5488
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:644⤵PID:4804
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f3⤵PID:4204
-
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 10 -f4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092
-
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3966855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1920
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1688
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
649B
MD57e74d4795d6a8fdff26ebc9f0fcfdfc5
SHA18deef30970e130487f07222a7d6401fde1537a12
SHA25683f6e1f24675f1126b33810f280e04ec2fd7a4023afedd3f7639880e27e97f06
SHA512911bc63a1b87114e5203420075f02db6e9e780e8dba59fe17257c6d93961337ec7e030cb10b527aa7dfaa3e4dd1971a15a5a3fe39d16f0fe7ac04e5d39cce3cb
-
Filesize
1KB
MD54bd1d2eebe4a95dc571285b947e420c4
SHA1308329c9db5537407a470bfc388cfa1b022b43a3
SHA256d52632e60b3fd437d73025f6b512035b7d84be74958b7aaaf3cbbfd5e81e3b91
SHA512874045e595eb70ec44860700ec6185eda96d831e6dead77f76e9f8339c9540554005fadbe73f4061dec0fe8439e7b04b6476b0f7e83e97dceec25599484ca4bf
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD5f73f3c83ee519b0aabc42b7f37bec32f
SHA1c8c0343683b6844bb628f6f5335706aa769fbbb5
SHA256a0d10a2b6ef1f112d28a5f93f1c0913744905ad84eba2df0819db6281e2f0fb6
SHA51277371f868cdbaec00614e933f65c120cbdbd6ce54834aad5ca04dd4c385270b71dbca1abafba8fe51a15dd90a1ece49341a9459c0bf403310197cf6e1da7929b
-
Filesize
9KB
MD589f00803596bf57f1bd788b9cb17f97f
SHA1439eeaa837afe6bc3a94b8b243f88498f6a14161
SHA256e60fdce748de099142f7471a6e2d80aa54b1f47c72daf9a8803075b7e59cd6a1
SHA5122f8ad305d1c18f017b6d681450b39592a0b0e2e339fc64eb175dd89d2592255b82afc4d93b7fb75dc017461f0d79852989d160613cdec21d7964ce39769f24d2
-
Filesize
9KB
MD52af066f17602d6afc32187543a8446d5
SHA16e2c9048548ea5deb314d519eb168956e67a3529
SHA2560db8e5c5ccd84a2ec3cdb554da444cd326ce7bf4b7c32d0508604377835d0b5d
SHA51298327bf002444d5705fa46a2461a4cb6766c45824e2a950febd1301e5c1ee39fcc1a5035f0f5f22285369f5845d95982a7b619f4a0f956a5275f0f8b595a141a
-
Filesize
10KB
MD5e3595123fcc7e807de58ab46c4062818
SHA1c1edf14f9d4f8a197e6b2a7a93dc314a2b386784
SHA2563bd85e148dc478f9dd792826bd62329b958be9792b719990f1f063abd95227c0
SHA5127dbdbc6c9628513e235e3e1ad2e289978c8f5f79399a90e9245afffb54a2aa317717e6989587614a31e4193dcb8ad66e7244bd980d896e327958929311a1352f
-
Filesize
77KB
MD5ca07bb610f3fa6815b561841c7b171ae
SHA1022a2814c0af71951e09fc1483609d15ebf0a6a4
SHA256a0507e2affaad9216f831175dbb1ee5dd3417981de7ecdd5d042a3313c1ee0b4
SHA51207fd2136ec31eb16def540d79498b6c380381e9ce3fee0a4f66a8579664a4b012282ed3520383a0943a93007c67b8165d70611d23c37c23f72e22123a58d2b93
-
Filesize
77KB
MD5b285953df4764e7df7e7bad7ca2cc931
SHA1466413c8d7a0b28bdb92271dd3d29d1de396e511
SHA256f82781e20ac0016a64db4608a641d8d55fd4e7e98ee44cd443e9871079154937
SHA512b15023e6229f13e42b79c667009d4b70197d892a05b0505a6eb46e91b07421632375a886de21a92c9d1c742fad492c6893f74674bcd955021e110bbeb0abaa9f
-
Filesize
56B
MD5f62904abb27a3574e2e6121349ab4955
SHA135b3504f1d6bc88638a0721cf3d898eb0f95092a
SHA256d31225722321313554e736bcd9debc4cb4c5ed6dce3921fa7839162fede832b6
SHA512e8d1cf4c6a745790b2eaf4b3618703337313e3f561ba88982bc1a139aa4b5b29fd5f78f925e5bd12669eed74ca78510f6d6b1ce091bc55299057d2b2e867fb4e
-
Filesize
315KB
MD51ca3659a54277f023deb1866b8fdb383
SHA1898e643b793bfc6d830e6789cc9600d7ce7ebe1c
SHA256ad75779a0a60ea62d593e3e71f3ff0f54c003b3e5feb12181041864942b613b6
SHA5129387ad15c0425a7dea63b6a4e8246e2d3429e3e9f3dabb494339f8deff3c7e59952a9617c0aa31a59462e11578fedb491881c3fb12a3990969ed4e988ce1f066
-
Filesize
315KB
MD59f8bc96c96d43ecb69f883388d228754
SHA161ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA2567d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6