Analysis
-
max time kernel
45s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
19-01-2023 12:00
Static task
static1
Behavioral task
behavioral1
Sample
GSecurity.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
GSecurity.exe
Resource
win10v2004-20221111-en
General
-
Target
GSecurity.exe
-
Size
851KB
-
MD5
690eee0e48261b646ac54a1866c32510
-
SHA1
ccd9ce1e952026508a233efba834b1de6b3c2490
-
SHA256
82525d214350151c4ecff9c9dd3bf18acaeee43d34834092b0849d1e96d4b9d7
-
SHA512
e5fc6039654e323b89116db02c5c98fec7f955d7c122c8c9cb801d8f917cf947a298760d71d62a259d1cced0da1b5be206066c24774d90916f531873351845d1
-
SSDEEP
24576:kddFMz0EjoWKPP92qQjKngMEPSQZsv/943JfIY6T8:kdd6z08od2bjxPPNZa943JwDI
Malware Config
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\GSecurity.cmd disable_win_def -
Processes:
reg.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "0" reg.exe -
Modifies firewall policy service 2 TTPs 60 IoCs
Processes:
reg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\RemoteAdminSettings\Enabled = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\RemoteDesktop reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\DisableUnicastResponsesToMulticastBroadcast = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DisableNotifications = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\RemoteAdminSettings reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AllowLocalIPsecPolicyMerge = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\RemoteAdminSettings\Enabled = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DisableUnicastResponsesToMulticastBroadcast = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DefaultOutboundAction = "1" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\RemoteAdminSettings reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\DisableNotifications = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\RemoteAdminSettings reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\FileAndPrint reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DefaultInboundAction = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\RemoteAdminSettings\Enabled = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Services reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\FileAndPrint\Enabled = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\FileAndPrint\Enabled = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\AllowLocalPolicyMerge = "1" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Services\RemoteDesktop reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DefaultOutboundAction = "1" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableUnicastResponsesToMulticastBroadcast = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\FileAndPrint reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\DefaultOutboundAction = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Services\FileAndPrint\Enabled = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AllowLocalIPsecPolicyMerge = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AllowLocalPolicyMerge = "1" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AllowLocalPolicyMerge = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AllowLocalIPsecPolicyMerge = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DefaultOutboundAction = "1" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Services\FileAndPrint reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Services\FileAndPrint\Enabled = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "1" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Services\RemoteDesktop reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableUnicastResponsesToMulticastBroadcast = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DefaultInboundAction = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\RemoteDesktop\Enabled = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Services\RemoteDesktop\Enabled = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\AllowLocalIPsecPolicyMerge = "1" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Services reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DefaultInboundAction = "1" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\RemoteAdminSettings reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Services\RemoteDesktop\Enabled = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AllowLocalPolicyMerge = "1" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\DefaultInboundAction = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\EnableFirewall = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\RemoteAdminSettings\Enabled = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Services\FileAndPrint reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "1" reg.exe -
Modifies security service 2 TTPs 4 IoCs
Processes:
reg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "2" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "2" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "2" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "2" reg.exe -
Modifies system executable filetype association 2 TTPs 36 IoCs
Processes:
reg.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\01Low\MUIVerb = "Low" reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\01Low\Command reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\02BelowNormal\Command\ = "cmd.exe /c start \"\" /BelowNormal \"%1\"" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\03Normal\MUIVerb = "Normal" reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\06Realtime reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\SuppressionPolicy = "4096" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\04AboveNormal\Command\ = "cmd.exe /c start \"\" /AboveNormal \"%1\"" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\06Realtime\MUIVerb = "Realtime" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\05High\MUIVerb = "High" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicy = "4096" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\MUIVerb = "Run with priority" reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\03Normal reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\05High\Command reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\04AboveNormal\Command reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\06Realtime\Command\ = "cmd.exe /c start \"\" /Realtime \"%1\"" reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\SubCommands reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\02BelowNormal reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\02BelowNormal\Command reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\03Normal\Command reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\05High reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\06Realtime\Command reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\Icon = "shell32.dll,-25" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\03Normal\Command\ = "cmd.exe /c start \"\" /Normal \"%1\"" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\05High\Command\ = "cmd.exe /c start \"\" /High \"%1\"" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\01Low reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\01Low\Command\ = "cmd.exe /c start \"\" /Low \"%1\"" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\02BelowNormal\MUIVerb = "Below normal" reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\04AboveNormal reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\04AboveNormal\MUIVerb = "Above Normal" reg.exe -
Processes:
reg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" reg.exe -
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 1 IoCs
Processes:
cmd.exedescription ioc process File opened for modification C:\Windows\System32\Drivers\Etc\hosts cmd.exe -
Executes dropped EXE 1 IoCs
Processes:
LGPO.exepid process 636 LGPO.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Possible privilege escalation attempt 6 IoCs
Processes:
icacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exepid process 2024 icacls.exe 1044 icacls.exe 428 takeown.exe 1100 icacls.exe 1996 icacls.exe 768 takeown.exe -
Sets file execution options in registry 2 TTPs 44 IoCs
Processes:
reg.exereg.exedescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ois.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\infopath.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onelev.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanost.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\accicons.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\groove.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpreview.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dw20.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwtrig20.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstore.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ose.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outlook.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv .exe reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cnfnot32.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpst.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstordb.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxp.exe reg.exe -
Allows Network login with blank passwords 1 TTPs 1 IoCs
Allows local user accounts with blank passwords to access device from the network.
Processes:
reg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0" reg.exe -
Loads dropped DLL 1 IoCs
Processes:
cmd.exepid process 1004 cmd.exe -
Modifies file permissions 1 TTPs 6 IoCs
Processes:
takeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exepid process 428 takeown.exe 1100 icacls.exe 1996 icacls.exe 768 takeown.exe 2024 icacls.exe 1044 icacls.exe -
Adds Run key to start application 2 TTPs 15 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start /prefetch:5" reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\FWClean = "netsh advfirewall firewall delete rule name=all" reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled reg.exe -
Modifies powershell logging option 1 TTPs
-
Drops file in System32 directory 20 IoCs
Processes:
netsh.execmd.exegpscript.exeLGPO.exeicacls.exetakeown.exeicacls.exeicacls.exepowershell.exetakeown.exeicacls.exereg.exedescription ioc process File opened for modification C:\Windows\system32\LogFiles\SAFER.LOG netsh.exe File opened for modification C:\Windows\SysWOW64\LogFiles\SAFER.LOG cmd.exe File opened for modification C:\Windows\system32\LogFiles\SAFER.LOG gpscript.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv LGPO.exe File opened for modification C:\Windows\System32\GroupPolicy\User\Registry.pol LGPO.exe File opened for modification C:\Windows\system32\LogFiles\SAFER.LOG icacls.exe File opened for modification C:\Windows\System32\GroupPolicy LGPO.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol LGPO.exe File created C:\Windows\System32\GroupPolicy\User\Registry.pol LGPO.exe File opened for modification C:\Windows\system32\LogFiles\SAFER.LOG takeown.exe File opened for modification C:\Windows\system32\LogFiles\SAFER.LOG icacls.exe File opened for modification C:\Windows\system32\LogFiles\SAFER.LOG icacls.exe File opened for modification C:\Windows\system32\LogFiles\SAFER.LOG powershell.exe File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini LGPO.exe File created C:\Windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv LGPO.exe File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol LGPO.exe File opened for modification C:\Windows\system32\LogFiles\SAFER.LOG takeown.exe File opened for modification C:\Windows\system32\LogFiles\SAFER.LOG icacls.exe File opened for modification C:\Windows\system32\LogFiles\SAFER.LOG reg.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI LGPO.exe -
Drops file in Windows directory 1 IoCs
Processes:
DrvInst.exedescription ioc process File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
Processes:
reg.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "1" reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PhishingFilter reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "1" reg.exe -
Processes:
reg.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{16A7470E-229C-45F9-AE05-A87034FD14CF}\ reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6AF9BC61-3CC5-42A7-82D1-FFC2562A7289}\ reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6596829B-37D4-40ad-971B-1E9041725C52}\ reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{669695BC-A811-4A9D-8CDF-BA8C795F261E}\ reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{907CA0E5-CE84-11D6-9508-02608CDD2841}\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{910E7499-6311-4843-8EB0-0100A7955A1F} reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DE614603-6320-4046-A7A7-6A69CEC26F14}\ reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{EFD84954-6B46-42f4-81F3-94CE9A77052D}\ reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{20A03A4C-9FAF-45D5-A5C2-B6C49774E03C}\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{53E10C2C-43B2-4657-BA29-AAE179E7D35C} reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{392BE62B-E7DE-430A-8859-0AFE677DE6E1}\ reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4B2F5308-2CB0-40E2-8030-59936ED5D22C}\Compatibility Flags = "1024" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4E7BD74F-2B8D-469E-C0FB-EF60B19DBC34} reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8952A998-1E7E-4716-B23D-3DBE03910972}\Compatibility Flags = "1024" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9E7138EE-4E7B-11D5-94EF-006008A4ED7F} reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CD17FAAA-17B4-4736-AAEF-436EDC304C8C}\ reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-00FA-71ED-4ABA-348801BAA0A9}\ reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{000004Cc-e4ff-4f2c-bc30-dbef0b983bc9}\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FA83E942-B796-46DE-9155-1632ECC5473B} reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{EFD440C0-0943-11d3-9D65-00A0CC22CBC4}\Compatibility Flags = "1024" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{30192F8D-0958-44E6-B54D-331FD39AC959} reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{99410CDE-6F16-42ce-9D49-3807F78F0287}\ reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F760CB9E-C60F-4A89-890E-FAE8B849493E}\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FA79FA22-8DB3-43D1-997B-6DBFD8845569} reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{000E7270-CC7A-0786-8E7A-DA09B51938A6}\Compatibility Flags = "1024" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0cef79d8-d373-11d3-a7d3-00062962bf17}\ reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{31995C64-CB4D-483E-82C2-CCFFE2F66CAB}\Compatibility Flags = "1024" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{607DF741-7D0A-11D4-9EDC-005004189684}\Compatibility Flags = "1024" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6EB5B540-1E74-4D91-A7F0-5B758D333702}\ reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00A6FAF1-072E-44CF-8957-5838F569A31D}\ reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1D870C86-AA3C-4451-81E4-71D480A1A652}\Compatibility Flags = "1024" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{001DAE60-95C0-11d3-924E-009027950886}\Compatibility Flags = "1024" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58359010-BF36-11D3-99A2-0050DA2EE1BE}\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5ED50735-B0D9-47C6-9774-02DD8E6FE053} reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{75D1F3B2-2A21-11D7-97B9-0010DC2A6243}\Compatibility Flags = "1024" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BA7270AE-5636-4618-BAF3-F86ADA39F036} reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CC90CDA0-74A0-45b4-80EF-D89CA8C249B8}\Compatibility Flags = "1024" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0033-C1AC-0E62-0C1F0537605D}\Compatibility Flags = "1024" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-5555-0704-0B53-2C8830E9FAEC}\Compatibility Flags = "1024" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D985E70B-97F1-477E-AF6C-66E496DEDBD6}\ reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F1FABE79-25FC-46de-8C5A-2C6DB9D64333}\Compatibility Flags = "1024" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6}\ reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}\Compatibility Flags = "1024" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00D6A7E7-4A97-456f-848A-3B75BF7554D7} reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3E8A1971-45A5-45EE-828B-8C78431C0BD4}\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6F8ADBE2-8C92-4362-B0E6-7321AA49EE46} reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B4E0F9CB-BC06-4A33-BBB3-F75F16B6FF5E}\Compatibility Flags = "1024" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0002-53D4-0622-35EA0235778E}\Compatibility Flags = "1024" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BA7270AE-5636-4618-BAF3-F86ADA39F036}\Compatibility Flags = "1024" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{27A5FF76-9919-492C-98E3-EDA3502FC829}\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4580026C-022A-4FDA-87BC-EDA848D0B7A6} reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1C4DA27D-4D52-4465-A089-98E01BB725CA}\Compatibility Flags = "1024" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3FE16C08-D6A7-4133-84FC-D5BFB4F7D886}\ reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4E7BD74F-2B8D-469E-C0FB-EF60B19DBC34}\Compatibility Flags = "1024" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{90DA654C-083C-11D6-8A9D-0050BA8452C0}\Compatibility Flags = "1024" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{910E7499-6311-4843-8EB0-0100A7955A1F}\Compatibility Flags = "1024" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00673769-777F-4814-BE0F-74CBA1D823B8}\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{19A447BA-9C2E-4864-93F5-A0645229771E} reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{79369D5C-2903-4b7a-ADE2-D5E0DEE14D24}\Compatibility Flags = "1024" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A3E3F04C-F98C-4295-95EF-41C57425B077}\Compatibility Flags = "1024" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DB893839-10F0-4AF9-92FA-B23528F530AF} reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C38A62E-D257-40E8-8BB7-5624E38FEB0A}\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35F59C80-C1F2-4EEA-9981-686C7D5A9277} reg.exe -
Modifies data under HKEY_USERS 12 IoCs
Processes:
reg.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings reg.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL = "https://raw.githubusercontent.com/Gorstak-79/Pac/main/antiad.pac" reg.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel reg.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold1 = "0" reg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows reg.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold2 = "0" reg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE reg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft reg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion reg.exe Key created \REGISTRY\USER\.DEFAULT reg.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Mouse reg.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseSpeed = "0" reg.exe -
Modifies registry class 64 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\ControlPanel\MUIVerb = "@shell32.dll,-4161" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\*\shell\GetFileHash\shell\06MD5 reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\01Low reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\05High\MUIVerb = "High" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\06Realtime\Command\ = "cmd.exe /c start \"\" /Realtime \"%1\"" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CABFolder\Shell\runas reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\ControlPanel\shell\2ControlPanelCmd reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\AutorunsDisabled\EPP reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DoNotTrack = "1" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\MUIVerb = "Run with priority" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\*\shell\GetFileHash\shell\02SHA256\Command reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shell\Extract reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\ControlPanel\shell\1ControlPanelCmd\Command\ = "explorer.exe shell:::{26EE0668-A00A-44D7-9371-BEB064C98683}" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CABFolder\shell\runas\ = "Install this update" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\runasuser\SuppressionPolicy = "4096" reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\OptimizeWindowsSearchResultsForScreenReaders = "0" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\SubCommands reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\04AboveNormal\Command reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\*\shell\GetFileHash\shell\02SHA256\Command\ = "powershell.exe -noexit get-filehash -literalpath '%1' -algorithm SHA256 | format-list" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\ControlPanel\shell\3ControlPanelCmd\Command reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CABFolder\Shell reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\ControlPanel\shell\3ControlPanelCmd\MUIVerb = "@shell32.dll,-32537" reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\SafeMode\shell\02SafeModeNet\Command reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\SafeMode\shell\04SafeModeNormal\MUIVerb = "Exit Safe Mode" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\*\shell\GetFileHash\shell\06MD5\MUIVerb = "MD5" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\ControlPanel\Position = "Bottom" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\AutorunsDisabled reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\*\shell\GetFileHash\shell\06MD5\Command reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\ControlPanel\shell\2ControlPanelCmd\MUIVerb = "@shell32.dll,-31062" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\ControlPanel\shell\1ControlPanelCmd\Command reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\AutorunsDisabled\EPP\ = "{09A47860-11B0-4DA5-AFA5-26D86198A780}" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shell\Extract\command reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\*\shell\GetFileHash\shell\07RIPEMD160\Command reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "1" reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Shell\RunWithPriority\shell\01Low\Command reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\ControlPanel\shell\1ControlPanelCmd\MUIVerb = "@shell32.dll,-31061" reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\*\shell\GetFileHash reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shell\Extract\ = "Extract the contents" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To\ = "{C2FBB630-2971-11D1-A18C-00C04FD75D13}" reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\*\shell\GetFileHash\shell\03SHA384\MUIVerb = "SHA384" reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CcFWSettg.Category\CLSID reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\EnableEncryptedMediaExtensions = "0" reg.exe -
Modifies registry key 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepowershell.exepid process 1380 powershell.exe 1472 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exeauditpol.exeauditpol.exepowershell.exedescription pid process Token: SeDebugPrivilege 1380 powershell.exe Token: SeSecurityPrivilege 1028 auditpol.exe Token: SeSecurityPrivilege 836 auditpol.exe Token: SeDebugPrivilege 1472 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
GSecurity.execmd.exeLGPO.exedescription pid process target process PID 872 wrote to memory of 1004 872 GSecurity.exe cmd.exe PID 872 wrote to memory of 1004 872 GSecurity.exe cmd.exe PID 872 wrote to memory of 1004 872 GSecurity.exe cmd.exe PID 872 wrote to memory of 1004 872 GSecurity.exe cmd.exe PID 872 wrote to memory of 1004 872 GSecurity.exe cmd.exe PID 872 wrote to memory of 1004 872 GSecurity.exe cmd.exe PID 872 wrote to memory of 1004 872 GSecurity.exe cmd.exe PID 1004 wrote to memory of 1232 1004 cmd.exe chcp.com PID 1004 wrote to memory of 1232 1004 cmd.exe chcp.com PID 1004 wrote to memory of 1232 1004 cmd.exe chcp.com PID 1004 wrote to memory of 1232 1004 cmd.exe chcp.com PID 1004 wrote to memory of 1364 1004 cmd.exe fsutil.exe PID 1004 wrote to memory of 1364 1004 cmd.exe fsutil.exe PID 1004 wrote to memory of 1364 1004 cmd.exe fsutil.exe PID 1004 wrote to memory of 1364 1004 cmd.exe fsutil.exe PID 1004 wrote to memory of 1348 1004 cmd.exe where.exe PID 1004 wrote to memory of 1348 1004 cmd.exe where.exe PID 1004 wrote to memory of 1348 1004 cmd.exe where.exe PID 1004 wrote to memory of 1348 1004 cmd.exe where.exe PID 1004 wrote to memory of 852 1004 cmd.exe fsutil.exe PID 1004 wrote to memory of 852 1004 cmd.exe fsutil.exe PID 1004 wrote to memory of 852 1004 cmd.exe fsutil.exe PID 1004 wrote to memory of 852 1004 cmd.exe fsutil.exe PID 1004 wrote to memory of 1380 1004 cmd.exe powershell.exe PID 1004 wrote to memory of 1380 1004 cmd.exe powershell.exe PID 1004 wrote to memory of 1380 1004 cmd.exe powershell.exe PID 1004 wrote to memory of 1380 1004 cmd.exe powershell.exe PID 1004 wrote to memory of 636 1004 cmd.exe LGPO.exe PID 1004 wrote to memory of 636 1004 cmd.exe LGPO.exe PID 1004 wrote to memory of 636 1004 cmd.exe LGPO.exe PID 1004 wrote to memory of 636 1004 cmd.exe LGPO.exe PID 636 wrote to memory of 1028 636 LGPO.exe auditpol.exe PID 636 wrote to memory of 1028 636 LGPO.exe auditpol.exe PID 636 wrote to memory of 1028 636 LGPO.exe auditpol.exe PID 636 wrote to memory of 1028 636 LGPO.exe auditpol.exe PID 636 wrote to memory of 836 636 LGPO.exe auditpol.exe PID 636 wrote to memory of 836 636 LGPO.exe auditpol.exe PID 636 wrote to memory of 836 636 LGPO.exe auditpol.exe PID 636 wrote to memory of 836 636 LGPO.exe auditpol.exe PID 1004 wrote to memory of 428 1004 cmd.exe takeown.exe PID 1004 wrote to memory of 428 1004 cmd.exe takeown.exe PID 1004 wrote to memory of 428 1004 cmd.exe takeown.exe PID 1004 wrote to memory of 428 1004 cmd.exe takeown.exe PID 1004 wrote to memory of 1100 1004 cmd.exe icacls.exe PID 1004 wrote to memory of 1100 1004 cmd.exe icacls.exe PID 1004 wrote to memory of 1100 1004 cmd.exe icacls.exe PID 1004 wrote to memory of 1100 1004 cmd.exe icacls.exe PID 1004 wrote to memory of 1996 1004 cmd.exe icacls.exe PID 1004 wrote to memory of 1996 1004 cmd.exe icacls.exe PID 1004 wrote to memory of 1996 1004 cmd.exe icacls.exe PID 1004 wrote to memory of 1996 1004 cmd.exe icacls.exe PID 1004 wrote to memory of 768 1004 cmd.exe takeown.exe PID 1004 wrote to memory of 768 1004 cmd.exe takeown.exe PID 1004 wrote to memory of 768 1004 cmd.exe takeown.exe PID 1004 wrote to memory of 768 1004 cmd.exe takeown.exe PID 1004 wrote to memory of 2024 1004 cmd.exe icacls.exe PID 1004 wrote to memory of 2024 1004 cmd.exe icacls.exe PID 1004 wrote to memory of 2024 1004 cmd.exe icacls.exe PID 1004 wrote to memory of 2024 1004 cmd.exe icacls.exe PID 1004 wrote to memory of 1044 1004 cmd.exe icacls.exe PID 1004 wrote to memory of 1044 1004 cmd.exe icacls.exe PID 1004 wrote to memory of 1044 1004 cmd.exe icacls.exe PID 1004 wrote to memory of 1044 1004 cmd.exe icacls.exe PID 1004 wrote to memory of 1472 1004 cmd.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\GSecurity.exe"C:\Users\Admin\AppData\Local\Temp\GSecurity.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Setup.bat" "2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 4373⤵
-
C:\Windows\SysWOW64\fsutil.exefsutil dirty query C:3⤵
-
C:\Windows\SysWOW64\where.exewhere powershell3⤵
-
C:\Windows\SysWOW64\fsutil.exefsutil dirty query C:3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\PowerShell -NonInteractive -WindowStyle hidden -command Set-MpPreference -EnableNetworkProtection Enabled; Set-MpPreference -EnableControlledFolderAccess Enabled; Set-MpPreference -DisableRealtimeMonitoring 0; Set-MpPreference -DisableBehaviorMonitoring 0; Set-MpPreference -DisableBlockAtFirstSeen 0; Set-MpPreference -MAPSReporting 2; Set-MpPreference -SubmitSamplesConsent 1; Set-MpPreference -DisableIOAVProtection 0; Set-MpPreference -DisableScriptScanning 0; Set-MpPreference -PUAProtection Enabled; Set-MpPreference -ScanAvgCPULoadFactor 50; Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550,D4F940AB-401B-4EFC-AADC-AD5F3C50688A,3B576869-A4EC-4529-8536-B80A7769E899,75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84,D3E037E1-3EB8-44C8-A917-57927947596D,5BEB7EFE-FD9A-4556-801D-275E5FFC04CC,92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B,01443614-cd74-433a-b99e-2ecdc07bfc25,c1db55ab-c21a-4637-bb3f-a12568109d35,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,d1e49aac-8f56-4280-b9ba-993a6d77406c,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,26190899-1602-49e8-8b27-eb1d0a1ce869,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,e6db77e5-3df2-4cf1-b95a-636979351e5b,56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled; Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:SystemRoot'\assembly'; Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:SystemRoot'\Microsoft.NET\Framework\*\NativeImages'; Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:SystemRoot'\WinSxS\*\*.ni.dll'; Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:ProgramData'\Microsoft\Windows Defender';3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\LGPO.exelgpo /g C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\auditpol.exeC:\Windows\system32\auditpol.exe /clear /y4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\auditpol.exeC:\Windows\system32\auditpol.exe /restore /file:"C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Users\Public\Desktop" /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in System32 directory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Public\Desktop" /inheritance:r3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in System32 directory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Public\Desktop" /grant:r "Admin":(OI)(CI)F /t /l /q /c3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in System32 directory
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Users\Admin\Desktop" /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in System32 directory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\Desktop" /inheritance:r3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in System32 directory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\Desktop" /grant:r "Admin":(OI)(CI)F /t /l /q /c3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Uninstall-ProvisioningPackage -AllInstalledPackages"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=all3⤵
- Modifies Windows Firewall
- Drops file in System32 directory
-
C:\Windows\SysWOW64\reg.exeReg.exe import GSecurity.reg3⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies firewall policy service
- Modifies system executable filetype association
- Allows Network login with blank passwords
- Adds Run key to start application
- Drops file in System32 directory
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v SavedLegacySettings /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v DefaultConnectionSettings /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /f3⤵
- Sets file execution options in registry
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /f3⤵
- Sets file execution options in registry
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" /f /reg:323⤵
-
C:\Windows\SysWOW64\bitsadmin.exe"C:\Windows\system32\bitsadmin" /reset /allusers3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxySettingsPerUser /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v HideSCAHealth /t REG_SZ /d 03⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v HideSCAHealth /t REG_SZ /d 03⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SYSTEM\CurrentControlSet\services\wscsvc" /V Start /T REG_DWORD /D 2 /F3⤵
- Modifies security service
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f3⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /f /v NoWindowsUpdate3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SYSTEM\CurrentControlSet\services\wuauserv" /V Start /T REG_DWORD /D 2 /F3⤵
- Modifies security service
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /f /v DoNotAllowExceptions3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /f /v EnableFirewall /t REG_DWORD /d 0x000000013⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SYSTEM\CurrentControlSet\services\MpsSvc" /V Start /T REG_DWORD /D 2 /F3⤵
- Modifies security service
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 0x000000003⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend /f /v Start /t REG_DWORD /d 0x000000023⤵
- Modifies security service
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /f3⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
- Drops file in System32 directory
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "6"1⤵
- Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\Default.cmdFilesize
754B
MD54456b2cc70f07ca2b454f58c219a2962
SHA1f2de2afed43b7d1345f25d861e0212cbc8a7ae70
SHA256d6298067d6cf2c5ec58c652944bcdb1c907d54e799f1e9d19bf64c3962ac912f
SHA512580d780f3c1b8fd3bb4974095b007ab6f56063b5fa83e4dede875906c2f5a99dec236db2751c0858cf52797efab5a16cd9d2009d7b5f1a098f967093a4a99c6f
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\GCleaner.cmdFilesize
8KB
MD5bc47b8370d537b2a1b42db0fd8b45f52
SHA1b1ebe7e18c62114ec293d9c6d6a6a3a11c165376
SHA25669fd3d2cb5ab22aa7048c52acb3966d20418ebdb1122a8e2202401532bc2c3c4
SHA51268ac0e668a24703c39ecc4b6b479cb49b0e90b07e903ee70ee7fa96835d9a02ac21d1f7d3472ae7ad6fb0733546eed13bc106705328582677cb191705cdf4dad
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\GSecurity.cmdFilesize
17KB
MD5a58cdfed001a7ed5ef0424d065ade878
SHA1c62d2988899f47ad4e1d7dbd984686ce1895fbfe
SHA256108ca7617704d247a178639a0e5a784c4aab7ca21d9b140a613dc735c2be78c4
SHA51215993f149d582837bab39a9fd051ac320cd7493715c1268ebfa66701fe6a1ae9bb60d47fc91d5d089fdb7361d765cac66c496199c8eaf193b0ef26769766f06f
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\GSecurity.regFilesize
402KB
MD5ea863eaf37b5c2ca56b2f7b245bfe9c9
SHA146d8c13202685316b3f7e3f49d805775b5503575
SHA2567ad440b3d5be201b52970cc011010fba5240086fc5c0037349cfca64db697fb7
SHA5121f6ac0a9e99fd37a6bd066193585535e48b99513016035e59961f5f0a13fb173d1438ae2ec5459b072f34e591dcc594f664db8756acff8a2d22c1cb2fc993495
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\LGPO.exeFilesize
469KB
MD5fdf6c1f114a0fd2a144a6a126206461c
SHA1bacfef8c102b1791ebe3229324cdf75da3171952
SHA2560c97f29543418b30340c4ff5d930d31e6196dd59c2cc74b6b890fa7b90c910c7
SHA5129d941f1bb73c999f7f3c54f20a673fc4bc0342ba1d5c43e271e70f67294a63253878f8ab412e5b6ec39468e556c37dadeff0c167b22dd1bb675eca93d4e2cbce
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\LGPO.exeFilesize
469KB
MD5fdf6c1f114a0fd2a144a6a126206461c
SHA1bacfef8c102b1791ebe3229324cdf75da3171952
SHA2560c97f29543418b30340c4ff5d930d31e6196dd59c2cc74b6b890fa7b90c910c7
SHA5129d941f1bb73c999f7f3c54f20a673fc4bc0342ba1d5c43e271e70f67294a63253878f8ab412e5b6ec39468e556c37dadeff0c167b22dd1bb675eca93d4e2cbce
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\Windows Auto Configure.cmdFilesize
425KB
MD5481a7a7f22375dc884b6fc32303259c7
SHA1a67d3e99460417fb3209f9f138a45ac5df101560
SHA256676c02bce686b66f66dbf7bf9a80519e999c414f8abf2684e636521766e58299
SHA51224d777046dfc9b44ac7ebfd3a34248b0d59874f2cb24a81c27024b9d7b6d8b3a8a0bd036832081dacda2af4b734b8879dc68f3c72f379d729434db2741960b42
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\Backup.xmlFilesize
6KB
MD5fec543270099e8e0b511af397f5a45af
SHA15861518cfe47d31730e2d345d7cd508b345832fb
SHA2562a139ba072a192ae9d8e6a35181f451b2a555a4ab235fdc418a2eb4d5a7cda7c
SHA512bacffbd87dd2c2419b03880572fb1dbf6117815fc14bff7c1890365c9c64e4f2e2b2b8b0aba0a91645ff22821adcc4120632131d14247ca5de4d0bbe9ad21fe5
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csvFilesize
5KB
MD515f39814e8869ad9a08c76dfb0b7767a
SHA1eebc2506c8a3c7f3bda126621bccbb916b64a385
SHA256562640690a95aed2d94fed072fa4004cd6589bbaab17f2646d05d8d00dc323cd
SHA51229f11ae6b37ed3113a08b00be9b272fb8b2a368525dba5de8d09ee05e1567629b80f14bb70e324da5e4ad7260d5636a8d9122ecc7af95324a0f08a8f0e8ae6bb
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\DomainSysvol\GPO\Machine\registry.polFilesize
158KB
MD56682405d042a96b9780d5f3a7eca9696
SHA1040abfb571257c8badaac1c71634cdb20985fb1e
SHA2560ccc07817161b99c9b76eb1c76ee4cb73dc0c895b7d9f05295e109b0c5e9588e
SHA5121fa16e99206f54fb10463e2a40b582b54cb2a77f759466316c10f3990da114bd8b03d49864b29c2fd1ca9e80ac2ca6416ed8913d5b6cc21543ffdfda6bbd4469
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\DomainSysvol\GPO\User\registry.polFilesize
1KB
MD54f2f4a469381a7831bf4f399ccd62d3c
SHA169c0b8aa73718cd480776c5c6a5cb1a228c30258
SHA2565288c00c01e3f9fd0f70e5f55eaa7d3753378f296951bb041de47317ba3c669c
SHA512114e9d2497b131175c1b39a6dc9a939f54ec36ae63b152e72169d698e89b036f22272a27dfe5e1b74b9e6299c012d5db46df509a61ca5be1a72835ccd1e04c4b
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Setup.batFilesize
751B
MD5e891627d232c5676ba3fc37cd3c1c4da
SHA190f0f18b00fc3039d183092dfc144cac15211ddc
SHA256407ae179eecd183bc8c9a938649127a63c76a5f9436e3aa8977103e23a89b0d1
SHA512a4ae767155775bf22173e3b38ab5c45d82085667c9f990bd8a4a5bd1c8b8d4effd4d0ede5652744aab9f2d9215efca95b1acf21fe23f2793a6ab51b865b8003c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5065c6ff004def915f91c1d1329ca2d94
SHA11b6fcd797dafdd3c02dff7cfa845ae444903193e
SHA25660efa386992210c57d093acdc99323d849159964610ce322f98b416963defc81
SHA5124ffb76cad8be4b959a53c89405b3acd3d645045ecc452cb8f4528d988b030c90d827b983b8199a685e489acee0fe1876305d427d9eef669189e7062cc13d1cd0
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
2KB
MD5a0259e08a38920dca8eb6ca50a38e24b
SHA195f5767d353f3723bd0feb430889fe22381b23d3
SHA256f9f18bd92c33f8c6041b32531ede97b07f1090ede455021b4580b399792c30c1
SHA512b320f5212b8a8260fdc173929e176fe96cf8fd1cc0697cb787800353b91d84b417dc6da4435c5d6666dd0b097a65670b3b4718856f07c227b1eebcc2185d2fd3
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
3KB
MD51e6e146ef23b87a796002aefbccd690b
SHA1d9c3090e5c6b7eb3b2f99ef0a75f982b7e34cd2a
SHA2565bc689f51b800374cfe966d57f2dc636f539db44cecb44b4f39452b2ab870384
SHA512f6f01da45eae8c760a7f65d773085b614872951c3662ff002eaa8ef974aa740c629bed1b222ea4f85b11b5d777561f555463772d5ecff68efe36f7485b7d6a93
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
3KB
MD5540c9f1221b583e967cc1ce6f9c78350
SHA1cab79d7d59e7b60a1de80b9c79169ee0aa72dcfb
SHA256b7995ae074a7ab439e10919134d65373c5cae7cebd1a929868f2708ba8e686ea
SHA512ae9617cd3b2713d3eada26929132b7b69325abb11598f38bd3b05b35082d9efa590c708623ad39f068c8455394ab9d67a3c878a72edbc2b6e617882e47981d43
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
6KB
MD5aad0a51f543efee64bdd56fef5148ca1
SHA153e0443cf61a22f454b4b32f6ef5530544f7e882
SHA256055b2760b10dd8f1f74b98c614e763c2a0c22de3fd472b1b2dee16cf56ed1dc5
SHA51203f92f3c6cc6c5911ddd30a6547e74fb5c69292959102ab876da6312a43ab63641b18f815c794a39dac0fae689a784b1d2f8fa2609ea06dcd19266ead50ca5eb
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
7KB
MD5198581f2233396c30e5a9113750423ef
SHA1207602dc23ef42ad8198bd5043dc8487da214aa9
SHA256186d207e4ad389ec367b704251e2e5ac63f0a75734a86c0733fe9e52b5895609
SHA5121c3e9e7930d8cbf5d430f46262e7cfa0b0c1611d5a42c5b47ccce9f8349ce8b74452a7a98005d490e5de58ade0fefd8465ed0a748c547c3e39a935a09c5ab234
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
7KB
MD50f64e28d3a661761932229652b6d0fc7
SHA182b29ad66033bdf65c3d962bbff06f555fc0c8d4
SHA2568879d647a9f74782e1c8087c15d33c94660277f736bc2c496375d0f2058e6caf
SHA5121e75673b0d67ddd184aad958b20de89ea4a1c535dd3ebfe95e2d996a254070d724418d60c965bc4703477bc5311fb80b5001af7415fb1b7707afcdbc7a2d9dcf
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
7KB
MD5e30936fee064d4775ee350a829a92785
SHA176880ca0a1f87aef1f075f98b67d2ae3dad00861
SHA25682f28442d93bf0dac1c73e7f6446862d53dd33938bd2f33bda9b7133525f4fe9
SHA5123ada13eff75bbe34e7f10b13c3162cb93da0d4fe657ebd1f8a143300a2d9a0d85c8c3c91feb7e1c2e9e12d7b72995bb277e687ad42c2a30606f9964284f5bab6
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
27KB
MD567a1560bc708a47c51d2a7dbfa6cda49
SHA121269c88dcf646bde60e50849b52a370ff135a09
SHA25614994f4e60078f5f3ea7fc80baf3a3c8f355ff8639b5e980be09fb8c170c9f02
SHA51226f5cfec7e3b9b7060e7edb6fb3b39114c804aca659a3f0869d4a799935bb80cbabfc491a34a0603cc36f07863a696d49db463b8b0ff6c9f9200fba4492d29b9
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
53KB
MD5c1ba86b4d0b8a5a2bf2ddb2c495aac61
SHA1d65da0924990653bbe313b85db2132e4b4bd763e
SHA2569619759f338fa29fb83eae5f118af1dcdc48830cf77b8bc5c3d52169e6800b6d
SHA51278cbe3bf17f4a922b74a72747bf90814baa5e36204b015361b050eaa503615d3e6e4d13bd3daca02ac7935b10b3fd1bec9f1b80ff3253357e55ee6077c729685
-
\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\LGPO.exeFilesize
469KB
MD5fdf6c1f114a0fd2a144a6a126206461c
SHA1bacfef8c102b1791ebe3229324cdf75da3171952
SHA2560c97f29543418b30340c4ff5d930d31e6196dd59c2cc74b6b890fa7b90c910c7
SHA5129d941f1bb73c999f7f3c54f20a673fc4bc0342ba1d5c43e271e70f67294a63253878f8ab412e5b6ec39468e556c37dadeff0c167b22dd1bb675eca93d4e2cbce
-
memory/308-105-0x0000000000000000-mapping.dmp
-
memory/428-77-0x0000000000000000-mapping.dmp
-
memory/612-117-0x0000000000000000-mapping.dmp
-
memory/636-68-0x0000000000000000-mapping.dmp
-
memory/660-97-0x0000000000000000-mapping.dmp
-
memory/756-111-0x0000000000000000-mapping.dmp
-
memory/764-123-0x0000000000000000-mapping.dmp
-
memory/768-82-0x0000000000000000-mapping.dmp
-
memory/768-106-0x0000000000000000-mapping.dmp
-
memory/836-74-0x0000000000000000-mapping.dmp
-
memory/852-60-0x0000000000000000-mapping.dmp
-
memory/872-54-0x0000000076181000-0x0000000076183000-memory.dmpFilesize
8KB
-
memory/904-125-0x0000000000000000-mapping.dmp
-
memory/948-121-0x0000000000000000-mapping.dmp
-
memory/992-103-0x0000000000000000-mapping.dmp
-
memory/1004-55-0x0000000000000000-mapping.dmp
-
memory/1028-73-0x0000000000000000-mapping.dmp
-
memory/1028-131-0x0000000000000000-mapping.dmp
-
memory/1044-87-0x0000000000000000-mapping.dmp
-
memory/1100-78-0x0000000000000000-mapping.dmp
-
memory/1152-128-0x0000000000000000-mapping.dmp
-
memory/1156-130-0x0000000000000000-mapping.dmp
-
memory/1232-57-0x0000000000000000-mapping.dmp
-
memory/1240-118-0x0000000000000000-mapping.dmp
-
memory/1336-124-0x0000000000000000-mapping.dmp
-
memory/1348-59-0x0000000000000000-mapping.dmp
-
memory/1364-58-0x0000000000000000-mapping.dmp
-
memory/1380-64-0x0000000074570000-0x0000000074B1B000-memory.dmpFilesize
5.7MB
-
memory/1380-62-0x0000000000000000-mapping.dmp
-
memory/1380-126-0x0000000000000000-mapping.dmp
-
memory/1380-65-0x0000000074570000-0x0000000074B1B000-memory.dmpFilesize
5.7MB
-
memory/1464-116-0x0000000000000000-mapping.dmp
-
memory/1472-89-0x0000000000000000-mapping.dmp
-
memory/1472-93-0x0000000074530000-0x0000000074ADB000-memory.dmpFilesize
5.7MB
-
memory/1472-114-0x0000000000000000-mapping.dmp
-
memory/1480-108-0x0000000000000000-mapping.dmp
-
memory/1552-107-0x0000000000000000-mapping.dmp
-
memory/1560-113-0x0000000000000000-mapping.dmp
-
memory/1576-129-0x0000000000000000-mapping.dmp
-
memory/1616-119-0x0000000000000000-mapping.dmp
-
memory/1636-122-0x0000000000000000-mapping.dmp
-
memory/1704-104-0x0000000000000000-mapping.dmp
-
memory/1716-120-0x0000000000000000-mapping.dmp
-
memory/1740-127-0x0000000000000000-mapping.dmp
-
memory/1748-101-0x0000000000000000-mapping.dmp
-
memory/1756-102-0x0000000000000000-mapping.dmp
-
memory/1792-112-0x0000000000000000-mapping.dmp
-
memory/1824-94-0x0000000000000000-mapping.dmp
-
memory/1864-110-0x0000000000000000-mapping.dmp
-
memory/1884-100-0x0000000000000000-mapping.dmp
-
memory/1936-115-0x0000000000000000-mapping.dmp
-
memory/1996-80-0x0000000000000000-mapping.dmp
-
memory/2024-85-0x0000000000000000-mapping.dmp