Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29/12/2024, 00:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
sex.exe
Resource
win7-20240903-en
windows7-x64
20 signatures
150 seconds
Behavioral task
behavioral2
Sample
sex.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
20 signatures
150 seconds
General
-
Target
sex.exe
-
Size
1.6MB
-
MD5
81130843e119926881fd292f78698e43
-
SHA1
0aacdd67768c851e8f64658bf5e79abb26fc7d94
-
SHA256
1676db653523cf585f02707f8f4c337ecb1aaf5afd07416e07e50f14acc88884
-
SHA512
b92f808bd07c824faf1e23061861cce4f5410fe62d19a0f0a68a2ec3a6adb117e783074f87162eaecaaa447e682df406c481ba68167dc9e15612eb2f84f896da
-
SSDEEP
24576:yImw98okVgela0as5CqLVO7XJCjkD3N0HRAxV0aEhbHdn0TrldepPZ:cL5ljasaUKeaEhDF
Malware Config
Signatures
-
Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
-
Avoslocker family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2812 bcdedit.exe 2004 bcdedit.exe -
Renames multiple (10447) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 2 IoCs
pid Process 2664 hack.exe 2496 Firefox Installer.exe -
Loads dropped DLL 1 IoCs
pid Process 2496 Firefox Installer.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI hack.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: hack.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\996247162.png" reg.exe -
resource yara_rule behavioral1/memory/2496-12-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x000700000001945b-11.dat upx behavioral1/memory/2496-19-0x0000000000400000-0x0000000000446000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\PREVIEW.GIF hack.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mouseout.png hack.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar hack.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN03500_.WMF hack.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\MSB1ARFR.ITS hack.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana.css hack.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-horizontal.png hack.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00720_.WMF hack.exe File opened for modification C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui hack.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Indianapolis hack.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar hack.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Category.accft hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.GIF hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_F_COL.HXK hack.exe File created C:\Program Files\Microsoft Office\Office14\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\CASCADE.ELM hack.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\Hx.HxC hack.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png hack.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf hack.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\nacl_irt_x86_64.nexe hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIP.JPG hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR11F.GIF hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Perspective.thmx hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149481.WMF hack.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png hack.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html hack.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html hack.exe File created C:\Program Files\Java\jre7\bin\plugin2\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\WPGIMP32.FLT hack.exe File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG hack.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Tokyo hack.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar hack.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml hack.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\calendar.css hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mset7db.kic hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_COL.HXT hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090087.WMF hack.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\THMBNAIL.PNG hack.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Panama hack.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png hack.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Median.eftx hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00458_.WMF hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01253_.WMF hack.exe File created C:\Program Files\Microsoft Games\Mahjong\fr-FR\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18184_.WMF hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01066_.WMF hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01063_.WMF hack.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\excel.exe.manifest hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART5.BDR hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14981_.GIF hack.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv hack.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\utilityfunctions.js hack.exe -
pid Process 1132 powershell.exe 15124 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Firefox Installer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hack.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 640 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2664 hack.exe 1132 powershell.exe 15124 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2664 hack.exe Token: SeIncreaseQuotaPrivilege 2164 WMIC.exe Token: SeSecurityPrivilege 2164 WMIC.exe Token: SeTakeOwnershipPrivilege 2164 WMIC.exe Token: SeLoadDriverPrivilege 2164 WMIC.exe Token: SeSystemProfilePrivilege 2164 WMIC.exe Token: SeSystemtimePrivilege 2164 WMIC.exe Token: SeProfSingleProcessPrivilege 2164 WMIC.exe Token: SeIncBasePriorityPrivilege 2164 WMIC.exe Token: SeCreatePagefilePrivilege 2164 WMIC.exe Token: SeBackupPrivilege 2164 WMIC.exe Token: SeRestorePrivilege 2164 WMIC.exe Token: SeShutdownPrivilege 2164 WMIC.exe Token: SeDebugPrivilege 2164 WMIC.exe Token: SeSystemEnvironmentPrivilege 2164 WMIC.exe Token: SeRemoteShutdownPrivilege 2164 WMIC.exe Token: SeUndockPrivilege 2164 WMIC.exe Token: SeManageVolumePrivilege 2164 WMIC.exe Token: 33 2164 WMIC.exe Token: 34 2164 WMIC.exe Token: 35 2164 WMIC.exe Token: SeDebugPrivilege 1132 powershell.exe Token: SeBackupPrivilege 6108 vssvc.exe Token: SeRestorePrivilege 6108 vssvc.exe Token: SeAuditPrivilege 6108 vssvc.exe Token: SeIncreaseQuotaPrivilege 2164 WMIC.exe Token: SeSecurityPrivilege 2164 WMIC.exe Token: SeTakeOwnershipPrivilege 2164 WMIC.exe Token: SeLoadDriverPrivilege 2164 WMIC.exe Token: SeSystemProfilePrivilege 2164 WMIC.exe Token: SeSystemtimePrivilege 2164 WMIC.exe Token: SeProfSingleProcessPrivilege 2164 WMIC.exe Token: SeIncBasePriorityPrivilege 2164 WMIC.exe Token: SeCreatePagefilePrivilege 2164 WMIC.exe Token: SeBackupPrivilege 2164 WMIC.exe Token: SeRestorePrivilege 2164 WMIC.exe Token: SeShutdownPrivilege 2164 WMIC.exe Token: SeDebugPrivilege 2164 WMIC.exe Token: SeSystemEnvironmentPrivilege 2164 WMIC.exe Token: SeRemoteShutdownPrivilege 2164 WMIC.exe Token: SeUndockPrivilege 2164 WMIC.exe Token: SeManageVolumePrivilege 2164 WMIC.exe Token: 33 2164 WMIC.exe Token: 34 2164 WMIC.exe Token: 35 2164 WMIC.exe Token: SeBackupPrivilege 1132 powershell.exe Token: SeSecurityPrivilege 1132 powershell.exe Token: SeBackupPrivilege 1132 powershell.exe Token: SeBackupPrivilege 1132 powershell.exe Token: SeSecurityPrivilege 1132 powershell.exe Token: SeBackupPrivilege 1132 powershell.exe Token: SeBackupPrivilege 1132 powershell.exe Token: SeSecurityPrivilege 1132 powershell.exe Token: SeBackupPrivilege 1132 powershell.exe Token: SeBackupPrivilege 1132 powershell.exe Token: SeSecurityPrivilege 1132 powershell.exe Token: SeBackupPrivilege 1132 powershell.exe Token: SeBackupPrivilege 1132 powershell.exe Token: SeSecurityPrivilege 1132 powershell.exe Token: SeBackupPrivilege 1132 powershell.exe Token: SeBackupPrivilege 1132 powershell.exe Token: SeSecurityPrivilege 1132 powershell.exe Token: SeBackupPrivilege 1132 powershell.exe Token: SeSecurityPrivilege 1132 powershell.exe -
Suspicious use of WriteProcessMemory 56 IoCs
description pid Process procid_target PID 1968 wrote to memory of 2664 1968 sex.exe 31 PID 1968 wrote to memory of 2664 1968 sex.exe 31 PID 1968 wrote to memory of 2664 1968 sex.exe 31 PID 1968 wrote to memory of 2664 1968 sex.exe 31 PID 1968 wrote to memory of 2496 1968 sex.exe 33 PID 1968 wrote to memory of 2496 1968 sex.exe 33 PID 1968 wrote to memory of 2496 1968 sex.exe 33 PID 1968 wrote to memory of 2496 1968 sex.exe 33 PID 1968 wrote to memory of 2496 1968 sex.exe 33 PID 1968 wrote to memory of 2496 1968 sex.exe 33 PID 1968 wrote to memory of 2496 1968 sex.exe 33 PID 2664 wrote to memory of 2692 2664 hack.exe 35 PID 2664 wrote to memory of 2692 2664 hack.exe 35 PID 2664 wrote to memory of 2692 2664 hack.exe 35 PID 2664 wrote to memory of 2692 2664 hack.exe 35 PID 2664 wrote to memory of 2124 2664 hack.exe 36 PID 2664 wrote to memory of 2124 2664 hack.exe 36 PID 2664 wrote to memory of 2124 2664 hack.exe 36 PID 2664 wrote to memory of 2124 2664 hack.exe 36 PID 2664 wrote to memory of 2728 2664 hack.exe 37 PID 2664 wrote to memory of 2728 2664 hack.exe 37 PID 2664 wrote to memory of 2728 2664 hack.exe 37 PID 2664 wrote to memory of 2728 2664 hack.exe 37 PID 2664 wrote to memory of 2732 2664 hack.exe 38 PID 2664 wrote to memory of 2732 2664 hack.exe 38 PID 2664 wrote to memory of 2732 2664 hack.exe 38 PID 2664 wrote to memory of 2732 2664 hack.exe 38 PID 2664 wrote to memory of 2848 2664 hack.exe 39 PID 2664 wrote to memory of 2848 2664 hack.exe 39 PID 2664 wrote to memory of 2848 2664 hack.exe 39 PID 2664 wrote to memory of 2848 2664 hack.exe 39 PID 2732 wrote to memory of 2812 2732 cmd.exe 40 PID 2732 wrote to memory of 2812 2732 cmd.exe 40 PID 2732 wrote to memory of 2812 2732 cmd.exe 40 PID 2728 wrote to memory of 2004 2728 cmd.exe 41 PID 2728 wrote to memory of 2004 2728 cmd.exe 41 PID 2728 wrote to memory of 2004 2728 cmd.exe 41 PID 2124 wrote to memory of 640 2124 cmd.exe 42 PID 2124 wrote to memory of 640 2124 cmd.exe 42 PID 2124 wrote to memory of 640 2124 cmd.exe 42 PID 2848 wrote to memory of 1132 2848 cmd.exe 43 PID 2848 wrote to memory of 1132 2848 cmd.exe 43 PID 2848 wrote to memory of 1132 2848 cmd.exe 43 PID 2692 wrote to memory of 2164 2692 cmd.exe 44 PID 2692 wrote to memory of 2164 2692 cmd.exe 44 PID 2692 wrote to memory of 2164 2692 cmd.exe 44 PID 2664 wrote to memory of 15124 2664 hack.exe 50 PID 2664 wrote to memory of 15124 2664 hack.exe 50 PID 2664 wrote to memory of 15124 2664 hack.exe 50 PID 2664 wrote to memory of 15124 2664 hack.exe 50 PID 15124 wrote to memory of 16148 15124 powershell.exe 51 PID 15124 wrote to memory of 16148 15124 powershell.exe 51 PID 15124 wrote to memory of 16148 15124 powershell.exe 51 PID 15124 wrote to memory of 16300 15124 powershell.exe 52 PID 15124 wrote to memory of 16300 15124 powershell.exe 52 PID 15124 wrote to memory of 16300 15124 powershell.exe 52 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\sex.exe"C:\Users\Admin\AppData\Local\Temp\sex.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Users\Admin\AppData\Local\Temp\hack.exe"C:\Users\Admin\AppData\Local\Temp\hack.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\system32\cmd.execmd /c wmic shadowcopy delete /nointeractive3⤵
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete /nointeractive4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
-
C:\Windows\system32\cmd.execmd /c vssadmin.exe Delete Shadows /All /Quiet3⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
PID:640
-
-
-
C:\Windows\system32\cmd.execmd /c bcdedit /set {default} recoveryenabled No3⤵
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No4⤵
- Modifies boot configuration data using bcdedit
PID:2004
-
-
-
C:\Windows\system32\cmd.execmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:2812
-
-
-
C:\Windows\system32\cmd.execmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"3⤵
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "$a = [System.IO.File]::ReadAllText(\"F:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:15124 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\996247162.png /f4⤵
- Sets desktop wallpaper using registry
PID:16148
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False4⤵PID:16300
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe"C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Users\Admin\AppData\Local\Temp\7zS0C98CCE6\setup-stub.exe.\setup-stub.exe3⤵PID:1648
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6108
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Windows Management Instrumentation
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
32KB
MD51102d805d581b2642cec9945747c8968
SHA1272aa475615770fe25968fc1787353ca08c89953
SHA25659fde654769fa30863cfb5ae13b21c5adb797f59d810471ea47cf46c2f0dacc0
SHA512aa3b456f24f541a9408653984d8916ba7e6eb7c18f3e0a054f01836c4ec0bfd3c186e7369a077adef7ee73b5452b3ad87b8a3b338aebe5482171e5fdbf1b54c0
-
Filesize
364KB
MD5530894a1f0eb42c7837db4d74829f5c6
SHA199909db6f574ca964a9b822b9b19fd2e851b8c1e
SHA256aac3ce797f50e0a5b9f1b43aaaffb439d4c42e3cf5b9fbeac52fa3d263fde3d0
SHA5120836dd919c5f5648ce3445f9a3c84afe5e1e694ff998f1204498b2a86b13ed297469bea88af0ad7e49c97cd57153c7c43fd0a311b4c2685f4dfca5574d1d10f0
-
Filesize
807KB
MD5e27b5291c8fb2dfdeb7f16bb6851df5e
SHA140207f83b601cd60905c1f807ac0889c80dfe33f
SHA256ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f
SHA5122ddbc50cd780ffbf73c354b9b437322eb49cb05bb6f287d54e7dcafb61dc4c4549e37ae2f972f3d240bfa7d2ca485b7583137f1bf038bc901f378cea0c305c6a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5efeedcae94262a8c32cf1923ab6e7072
SHA1d60f1698d7b05e7da9c50d32328fc8053c8a9e91
SHA2567343c8cd7180682bfeee523781b92b4a29fb5a4c60edf583128b1ce1a9a69a4a
SHA512b15dc3676a4fb23095f084c760dafe2117314f43ee371791272d8e31271e60e4139c93e8deb91935424d07fd39f2d264993d948f9e8cbdc237825d3d79f5e63b
-
Filesize
1011B
MD5c92c2b70fb37f84aab38412ad9226aa8
SHA114f2e9a83285612d0a7b2c83b8f89bccfde6c154
SHA256d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f
SHA51204f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848
-
Filesize
630KB
MD5ea482758c49d3c0064c6a40e797ab046
SHA1e93f077ca6fd640e28eb9bd692f44d57ed96fa1a
SHA2568c6eb21ff36dcb4b2adcf556039a9ef518a3e25a1fa02bd2b8d5d8ecd344d06c
SHA512f950457146fa6de0eddfb8219b782f019d97b45a6b2d6fb66e6f3fed28b62a15c86cd22c96a3e402b06c6bb7f14c923925e2abb7e49422dcc7e2b681b7c1c3da
