Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29/12/2024, 00:12
Static task
static1
Behavioral task
behavioral1
Sample
sex.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
sex.exe
Resource
win10v2004-20241007-en
General
-
Target
sex.exe
-
Size
1.6MB
-
MD5
32d34c51bc6fc4eddb6fdf80ea8c574f
-
SHA1
c3f3f908a927597c114c046d0f2a7ef4e76cb46b
-
SHA256
8c09852891a594c9327627c7fd3a6167281bc6285661510bd6d605adab9b6d6f
-
SHA512
42b5035a13c949c7a170b393437e71fb43f96dce84a40541efaed9a277b77f8001d949d1b2209e3d70a4eb2f517bc5c6f978e54d2a20eaddf591cfe61e28cab5
-
SSDEEP
24576:KImw98okVgela0as5CqLVO7XJCjkD3N0HRAxV0aEhbHdn0TrldepPZ:0L5ljasaUKeaEhDF
Malware Config
Signatures
-
Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
-
Avoslocker family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1884 bcdedit.exe 3860 bcdedit.exe -
Renames multiple (10418) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 2 IoCs
pid Process 2888 hack.exe 2972 Firefox Installer.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI hack.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: hack.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1153038678.png" reg.exe -
resource yara_rule behavioral1/memory/2972-12-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0008000000016df5-11.dat upx behavioral1/memory/2972-17-0x0000000000400000-0x0000000000446000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Common Files\DESIGNER\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Apia hack.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png hack.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB5B.BDR hack.exe File created C:\Program Files\VideoLAN\VLC\locale\gd\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)redStateIcon.png hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_off.gif hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099196.GIF hack.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\vlc.mo hack.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis hack.exe File created C:\Program Files\Common Files\System\msadc\es-ES\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_over.png hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02166_.WMF hack.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\PREVIEW.GIF hack.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif hack.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html hack.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\ShvlRes.dll.mui hack.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow.css hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mset7ge.kic hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746G.GIF hack.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\MET hack.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4 hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\EquityFax.Dotx hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_07.MID hack.exe File opened for modification C:\Program Files\Windows Media Player\es-ES\wmpnscfg.exe.mui hack.exe File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\TableTextService.dll.mui hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00334_.WMF hack.exe File created C:\Program Files\MSBuild\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Tijuana hack.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg hack.exe File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\SynchronizationEula.rtf hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\OliveGreen.css hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00234_.WMF hack.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar hack.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Damascus hack.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_hov.png hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_K_COL.HXK hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\TAB_OFF.GIF hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00158_.GIF hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152688.WMF hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00494_.WMF hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00286_.WMF hack.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg hack.exe File created C:\Program Files (x86)\Windows Sidebar\de-DE\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton hack.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01196_.WMF hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105396.WMF hack.exe File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_48.png hack.exe File created C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\GET_YOUR_FILES_BACK.txt hack.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\TAB_ON.GIF hack.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\Discussion.gta hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10302_.GIF hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215070.WMF hack.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00934_.WMF hack.exe File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\GET_YOUR_FILES_BACK.txt hack.exe File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\GET_YOUR_FILES_BACK.txt hack.exe -
pid Process 880 powershell.exe 5096 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Firefox Installer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hack.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1124 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2888 hack.exe 880 powershell.exe 5096 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2888 hack.exe Token: SeBackupPrivilege 3624 vssvc.exe Token: SeRestorePrivilege 3624 vssvc.exe Token: SeAuditPrivilege 3624 vssvc.exe Token: SeDebugPrivilege 880 powershell.exe Token: SeIncreaseQuotaPrivilege 3508 WMIC.exe Token: SeSecurityPrivilege 3508 WMIC.exe Token: SeTakeOwnershipPrivilege 3508 WMIC.exe Token: SeLoadDriverPrivilege 3508 WMIC.exe Token: SeSystemProfilePrivilege 3508 WMIC.exe Token: SeSystemtimePrivilege 3508 WMIC.exe Token: SeProfSingleProcessPrivilege 3508 WMIC.exe Token: SeIncBasePriorityPrivilege 3508 WMIC.exe Token: SeCreatePagefilePrivilege 3508 WMIC.exe Token: SeBackupPrivilege 3508 WMIC.exe Token: SeRestorePrivilege 3508 WMIC.exe Token: SeShutdownPrivilege 3508 WMIC.exe Token: SeDebugPrivilege 3508 WMIC.exe Token: SeSystemEnvironmentPrivilege 3508 WMIC.exe Token: SeRemoteShutdownPrivilege 3508 WMIC.exe Token: SeUndockPrivilege 3508 WMIC.exe Token: SeManageVolumePrivilege 3508 WMIC.exe Token: 33 3508 WMIC.exe Token: 34 3508 WMIC.exe Token: 35 3508 WMIC.exe Token: SeBackupPrivilege 880 powershell.exe Token: SeSecurityPrivilege 880 powershell.exe Token: SeIncreaseQuotaPrivilege 3508 WMIC.exe Token: SeSecurityPrivilege 3508 WMIC.exe Token: SeTakeOwnershipPrivilege 3508 WMIC.exe Token: SeLoadDriverPrivilege 3508 WMIC.exe Token: SeSystemProfilePrivilege 3508 WMIC.exe Token: SeSystemtimePrivilege 3508 WMIC.exe Token: SeProfSingleProcessPrivilege 3508 WMIC.exe Token: SeIncBasePriorityPrivilege 3508 WMIC.exe Token: SeCreatePagefilePrivilege 3508 WMIC.exe Token: SeBackupPrivilege 3508 WMIC.exe Token: SeRestorePrivilege 3508 WMIC.exe Token: SeShutdownPrivilege 3508 WMIC.exe Token: SeDebugPrivilege 3508 WMIC.exe Token: SeSystemEnvironmentPrivilege 3508 WMIC.exe Token: SeRemoteShutdownPrivilege 3508 WMIC.exe Token: SeUndockPrivilege 3508 WMIC.exe Token: SeManageVolumePrivilege 3508 WMIC.exe Token: 33 3508 WMIC.exe Token: 34 3508 WMIC.exe Token: 35 3508 WMIC.exe Token: SeBackupPrivilege 880 powershell.exe Token: SeBackupPrivilege 880 powershell.exe Token: SeSecurityPrivilege 880 powershell.exe Token: SeBackupPrivilege 880 powershell.exe Token: SeBackupPrivilege 880 powershell.exe Token: SeSecurityPrivilege 880 powershell.exe Token: SeBackupPrivilege 880 powershell.exe Token: SeBackupPrivilege 880 powershell.exe Token: SeSecurityPrivilege 880 powershell.exe Token: SeBackupPrivilege 880 powershell.exe Token: SeBackupPrivilege 880 powershell.exe Token: SeSecurityPrivilege 880 powershell.exe Token: SeBackupPrivilege 880 powershell.exe Token: SeBackupPrivilege 880 powershell.exe Token: SeSecurityPrivilege 880 powershell.exe Token: SeBackupPrivilege 880 powershell.exe Token: SeSecurityPrivilege 880 powershell.exe -
Suspicious use of WriteProcessMemory 56 IoCs
description pid Process procid_target PID 1580 wrote to memory of 2888 1580 sex.exe 31 PID 1580 wrote to memory of 2888 1580 sex.exe 31 PID 1580 wrote to memory of 2888 1580 sex.exe 31 PID 1580 wrote to memory of 2888 1580 sex.exe 31 PID 1580 wrote to memory of 2972 1580 sex.exe 33 PID 1580 wrote to memory of 2972 1580 sex.exe 33 PID 1580 wrote to memory of 2972 1580 sex.exe 33 PID 1580 wrote to memory of 2972 1580 sex.exe 33 PID 1580 wrote to memory of 2972 1580 sex.exe 33 PID 1580 wrote to memory of 2972 1580 sex.exe 33 PID 1580 wrote to memory of 2972 1580 sex.exe 33 PID 2888 wrote to memory of 2624 2888 hack.exe 34 PID 2888 wrote to memory of 2624 2888 hack.exe 34 PID 2888 wrote to memory of 2624 2888 hack.exe 34 PID 2888 wrote to memory of 2624 2888 hack.exe 34 PID 2888 wrote to memory of 2944 2888 hack.exe 35 PID 2888 wrote to memory of 2944 2888 hack.exe 35 PID 2888 wrote to memory of 2944 2888 hack.exe 35 PID 2888 wrote to memory of 2944 2888 hack.exe 35 PID 2888 wrote to memory of 2952 2888 hack.exe 36 PID 2888 wrote to memory of 2952 2888 hack.exe 36 PID 2888 wrote to memory of 2952 2888 hack.exe 36 PID 2888 wrote to memory of 2952 2888 hack.exe 36 PID 2888 wrote to memory of 2616 2888 hack.exe 38 PID 2888 wrote to memory of 2616 2888 hack.exe 38 PID 2888 wrote to memory of 2616 2888 hack.exe 38 PID 2888 wrote to memory of 2616 2888 hack.exe 38 PID 2888 wrote to memory of 2760 2888 hack.exe 39 PID 2888 wrote to memory of 2760 2888 hack.exe 39 PID 2888 wrote to memory of 2760 2888 hack.exe 39 PID 2888 wrote to memory of 2760 2888 hack.exe 39 PID 2944 wrote to memory of 1124 2944 cmd.exe 40 PID 2944 wrote to memory of 1124 2944 cmd.exe 40 PID 2944 wrote to memory of 1124 2944 cmd.exe 40 PID 2616 wrote to memory of 1884 2616 cmd.exe 41 PID 2616 wrote to memory of 1884 2616 cmd.exe 41 PID 2616 wrote to memory of 1884 2616 cmd.exe 41 PID 2760 wrote to memory of 880 2760 cmd.exe 42 PID 2760 wrote to memory of 880 2760 cmd.exe 42 PID 2760 wrote to memory of 880 2760 cmd.exe 42 PID 2952 wrote to memory of 3860 2952 cmd.exe 44 PID 2952 wrote to memory of 3860 2952 cmd.exe 44 PID 2952 wrote to memory of 3860 2952 cmd.exe 44 PID 2624 wrote to memory of 3508 2624 cmd.exe 45 PID 2624 wrote to memory of 3508 2624 cmd.exe 45 PID 2624 wrote to memory of 3508 2624 cmd.exe 45 PID 2888 wrote to memory of 5096 2888 hack.exe 49 PID 2888 wrote to memory of 5096 2888 hack.exe 49 PID 2888 wrote to memory of 5096 2888 hack.exe 49 PID 2888 wrote to memory of 5096 2888 hack.exe 49 PID 5096 wrote to memory of 3656 5096 powershell.exe 50 PID 5096 wrote to memory of 3656 5096 powershell.exe 50 PID 5096 wrote to memory of 3656 5096 powershell.exe 50 PID 5096 wrote to memory of 3336 5096 powershell.exe 51 PID 5096 wrote to memory of 3336 5096 powershell.exe 51 PID 5096 wrote to memory of 3336 5096 powershell.exe 51 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\sex.exe"C:\Users\Admin\AppData\Local\Temp\sex.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Users\Admin\AppData\Local\Temp\hack.exe"C:\Users\Admin\AppData\Local\Temp\hack.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\system32\cmd.execmd /c wmic shadowcopy delete /nointeractive3⤵
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete /nointeractive4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3508
-
-
-
C:\Windows\system32\cmd.execmd /c vssadmin.exe Delete Shadows /All /Quiet3⤵
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
PID:1124
-
-
-
C:\Windows\system32\cmd.execmd /c bcdedit /set {default} recoveryenabled No3⤵
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No4⤵
- Modifies boot configuration data using bcdedit
PID:3860
-
-
-
C:\Windows\system32\cmd.execmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:1884
-
-
-
C:\Windows\system32\cmd.execmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"3⤵
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1153038678.png /f4⤵
- Sets desktop wallpaper using registry
PID:3656
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False4⤵PID:3336
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe"C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Users\Admin\AppData\Local\Temp\7zSC9B67BD6\setup-stub.exe.\setup-stub.exe3⤵PID:3064
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3624
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Windows Management Instrumentation
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1011B
MD5c92c2b70fb37f84aab38412ad9226aa8
SHA114f2e9a83285612d0a7b2c83b8f89bccfde6c154
SHA256d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f
SHA51204f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848
-
Filesize
364KB
MD5530894a1f0eb42c7837db4d74829f5c6
SHA199909db6f574ca964a9b822b9b19fd2e851b8c1e
SHA256aac3ce797f50e0a5b9f1b43aaaffb439d4c42e3cf5b9fbeac52fa3d263fde3d0
SHA5120836dd919c5f5648ce3445f9a3c84afe5e1e694ff998f1204498b2a86b13ed297469bea88af0ad7e49c97cd57153c7c43fd0a311b4c2685f4dfca5574d1d10f0
-
Filesize
807KB
MD5e27b5291c8fb2dfdeb7f16bb6851df5e
SHA140207f83b601cd60905c1f807ac0889c80dfe33f
SHA256ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f
SHA5122ddbc50cd780ffbf73c354b9b437322eb49cb05bb6f287d54e7dcafb61dc4c4549e37ae2f972f3d240bfa7d2ca485b7583137f1bf038bc901f378cea0c305c6a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5138e47a6372a99a0079e2fa21bcff5d3
SHA10e7f2b935845f0fab45d1326c97188b8e30e4a7b
SHA2560be797b4562bc1fdaa2d6a2af9ba7cc96da73832992cebc8068d3c34634798e6
SHA512c4c2b1e6c91e19bec6841acfe43f317acfd9eef28314c6e577b799c7e04dce1a451e3e1b34dd189d5c5ddf7b5fba393650d7e12a19c4e91320d7d83a5fb542d4