Analysis
- max time kernel: 65s
- max time network: 53s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/06/2024, 08:01
Static task: static1
Behavioral task: behavioral1
- Sample: FRST64.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: FRST64.exe
- Resource: win10v2004-20240508-en
General
- Target: FRST64.exe
- Size: 2.3MB
- MD5: 42f626b952be10e6f0826631431fc2dd
- SHA1: c0f1ba2f53ea222581be47b6a1ca3f2efe9e7507
- SHA256: 741fc8882114d576c049e5a0e830282ae99b39df35cb5a090bf0e8f4b5ddb353
- SHA512: 9571e11f179b928ea41c7c24512ae6536154dca42eb32d658ae55a0a49956b42933f23c0860f9f58cd1e57f08421becbd8d6107b9afd55da41b3c80e20a640df
- SSDEEP: 49152:o2EYTb8atv1orq+pEiSDTj1VyvBaj3jnE/ImdPFRgiYhFE94Ik0ZD5FJ9X+:tXbIrqtnDmdPFRTY73IRZD5FLX
Malware Config
Signatures
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | FRST64.exe |
Modifies boot configuration data using bcdedit (1 IoC)

| pid | Process |
|---|---|
| 2740 | bcdedit.exe |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 22 IoCs)
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | FRST64.exe |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | FRST64.exe |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | FRST64.exe |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | FRST64.exe |
Enumerates system info in registry (2 TTPs, 64 IoCs)

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | FRST64.exe |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Configuration Data | FRST64.exe |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | FRST64.exe |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | FRST64.exe |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | FRST64.exe |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Capabilities | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data | FRST64.exe |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | FRST64.exe |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | FRST64.exe |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | FRST64.exe |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | FRST64.exe |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\ | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | FRST64.exe |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data | FRST64.exe |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information | FRST64.exe |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | FRST64.exe |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | FRST64.exe |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier | FRST64.exe |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Configuration Data | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | FRST64.exe |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | FRST64.exe |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | FRST64.exe |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information | FRST64.exe |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | FRST64.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | FRST64.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PreferredProfile | FRST64.exe |
NTFS ADS (2 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2 | FRST64.exe |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2:Win32_ShadowCopy | FRST64.exe |

Both IoCs are WMI moniker strings (winmgmts:...\root\cimv2, the second selecting the Win32_ShadowCopy class) rather than ordinary file-system paths; the colon in the moniker is what matches the file:stream syntax of an alternate data stream, so this signature should be read together with the "Uses Volume Shadow Copy WMI provider" signature below.
Suspicious behavior: EnumeratesProcesses (4 IoCs)

| pid | Process |
|---|---|
| 4000 | FRST64.exe |

The same pid/process pair is recorded for all 4 IoCs.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)

| pid | Process |
|---|---|
| 4000 | FRST64.exe |
Suspicious use of AdjustPrivilegeToken (17 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeBackupPrivilege | 2740 | bcdedit.exe |
| Token: SeRestorePrivilege | 2740 | bcdedit.exe |
| Token: SeRestorePrivilege | 2740 | bcdedit.exe |
| Token: SeRestorePrivilege | 2740 | bcdedit.exe |
| Token: SeBackupPrivilege | 4652 | vssvc.exe |
| Token: SeRestorePrivilege | 4652 | vssvc.exe |
| Token: SeAuditPrivilege | 4652 | vssvc.exe |
| Token: SeRestorePrivilege | 4000 | FRST64.exe |
| Token: SeBackupPrivilege | 4000 | FRST64.exe |
| Token: SeRestorePrivilege | 3532 | reg.exe |
| Token: SeRestorePrivilege | 2016 | reg.exe |
| Token: SeRestorePrivilege | 2544 | reg.exe |
| Token: SeRestorePrivilege | 4260 | reg.exe |
| Token: SeRestorePrivilege | 3464 | reg.exe |
| Token: SeRestorePrivilege | 1404 | reg.exe |
| Token: SeRestorePrivilege | 1592 | reg.exe |
| Token: SeRestorePrivilege | 3128 | reg.exe |
Suspicious use of FindShellTrayWindow (64 IoCs)

| pid | Process |
|---|---|
| 4000 | FRST64.exe |

The same pid/process pair is recorded for all 64 IoCs.

Suspicious use of SendNotifyMessage (64 IoCs)

| pid | Process |
|---|---|
| 4000 | FRST64.exe |

The same pid/process pair is recorded for all 64 IoCs.
Suspicious use of WriteProcessMemory (38 IoCs)

Each of the 19 events below is logged twice in the report, giving 38 IoCs.

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4000 wrote to memory of 216 | 4000 | FRST64.exe | 85 |
| PID 4000 wrote to memory of 2688 | 4000 | FRST64.exe | 87 |
| PID 2688 wrote to memory of 2740 | 2688 | cmd.exe | 89 |
| PID 4000 wrote to memory of 1896 | 4000 | FRST64.exe | 94 |
| PID 1896 wrote to memory of 3532 | 1896 | cmd.exe | 96 |
| PID 4000 wrote to memory of 4644 | 4000 | FRST64.exe | 97 |
| PID 4644 wrote to memory of 2016 | 4644 | cmd.exe | 99 |
| PID 4000 wrote to memory of 5036 | 4000 | FRST64.exe | 100 |
| PID 5036 wrote to memory of 2544 | 5036 | cmd.exe | 102 |
| PID 4000 wrote to memory of 4004 | 4000 | FRST64.exe | 103 |
| PID 4004 wrote to memory of 4260 | 4004 | cmd.exe | 105 |
| PID 4000 wrote to memory of 1200 | 4000 | FRST64.exe | 106 |
| PID 1200 wrote to memory of 3464 | 1200 | cmd.exe | 108 |
| PID 4000 wrote to memory of 1748 | 4000 | FRST64.exe | 109 |
| PID 1748 wrote to memory of 1404 | 1748 | cmd.exe | 111 |
| PID 4000 wrote to memory of 3536 | 4000 | FRST64.exe | 112 |
| PID 3536 wrote to memory of 1592 | 3536 | cmd.exe | 114 |
| PID 4000 wrote to memory of 4896 | 4000 | FRST64.exe | 115 |
| PID 4896 wrote to memory of 3128 | 4896 | cmd.exe | 117 |
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\FRST64.exe (PID 4000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FRST64.exe"
  Signatures: Checks BIOS information in registry; Checks processor information in registry; Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 216)
    Command line: C:\Windows\system32\cmd.exe /u /c echo 2
  - C:\Windows\system32\cmd.exe (PID 2688)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\bcdedit.exe (PID 2740)
      Command line: C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
      Signatures: Modifies boot configuration data using bcdedit; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 1896)
    Command line: C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SOFTWARE
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 3532)
      Command line: reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SOFTWARE
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 4644)
    Command line: C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SYSTEM
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 2016)
      Command line: reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SYSTEM
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 5036)
    Command line: C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SAM
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 2544)
      Command line: reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SAM
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 4004)
    Command line: C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\DEFAULT
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 4260)
      Command line: reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\DEFAULT
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 1200)
    Command line: C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SECURITY
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 3464)
      Command line: reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SECURITY
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 1748)
    Command line: C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\COMPONENTS
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 1404)
      Command line: reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\COMPONENTS
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 3536)
    Command line: C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\NTUSER.DAT
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 1592)
      Command line: reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\NTUSER.DAT
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 4896)
    Command line: C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\UsrClass.dat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 3128)
      Command line: reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\UsrClass.dat
      Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 4652)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.0MB
  MD5: 04aabf833b396be894992874fcd3f792
  SHA1: 3b07209b1ff5bfa57d1470e90f4b7b731c5eef44
  SHA256: 44dfa555a362250d940b5772ecf09194d3315757b7574c387822fd9c0fc8544b
  SHA512: 0d906c0396afeb11863cd22c7dca8532e2c6a1c4462e24862da51a5a1d6d84eae92fd146a336eb107ecbde9315ad5c59993695f8c2cfa4952f72701589d889d6
- Filesize: 4.0MB
  MD5: d7ac57df88bc9c42b6e5decaf213021d
  SHA1: 9e1431be1ea30107d8bf7097a9bbd1639fadf194
  SHA256: d8c940a916764351b2ef18906bb680081ea002ddad2a3c635fe89df607081974
  SHA512: 0676175ac266487533e18b715ea812e8f93eaaca3b3e5840180a3fef66b36dc8cfd0ff47686d43e79d0bfcf8d1ad32054aae7390964e2147de519d4bef20e141