Analysis

max time kernel: 131s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-01-2023 12:00

Static task: static1

Behavioral task: behavioral1
Sample: GSecurity.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: GSecurity.exe
Resource: win10v2004-20221111-en
General

Target: GSecurity.exe
Size: 851KB
MD5: 690eee0e48261b646ac54a1866c32510
SHA1: ccd9ce1e952026508a233efba834b1de6b3c2490
SHA256: 82525d214350151c4ecff9c9dd3bf18acaeee43d34834092b0849d1e96d4b9d7
SHA512: e5fc6039654e323b89116db02c5c98fec7f955d7c122c8c9cb801d8f917cf947a298760d71d62a259d1cced0da1b5be206066c24774d90916f531873351845d1
SSDEEP: 24576:kddFMz0EjoWKPP92qQjKngMEPSQZsv/943JfIY6T8:kdd6z08od2bjxPPNZa943JwDI
Malware Config
Signatures
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\GSecurity.cmd | disable_win_def
Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" | reg.exe
Modifies firewall policy service 2 TTPs 60 IoCs
Processes: reg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\RemoteAdminSettings | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\FileAndPrint\Enabled = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DisableUnicastResponsesToMulticastBroadcast = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DefaultInboundAction = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Services\RemoteDesktop\Enabled = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DefaultInboundAction = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DefaultOutboundAction = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AllowLocalPolicyMerge = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\RemoteDesktop\Enabled = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DisableNotifications = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableUnicastResponsesToMulticastBroadcast = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\FileAndPrint | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\RemoteDesktop | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\DefaultOutboundAction = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\DisableUnicastResponsesToMulticastBroadcast = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableUnicastResponsesToMulticastBroadcast = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AllowLocalIPsecPolicyMerge = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Services\FileAndPrint\Enabled = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Services\RemoteDesktop | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\AllowLocalIPsecPolicyMerge = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\RemoteAdminSettings | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\FileAndPrint\Enabled = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Services\RemoteDesktop\Enabled = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Services | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\AllowLocalPolicyMerge = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\RemoteAdminSettings | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\RemoteAdminSettings\Enabled = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DefaultOutboundAction = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\RemoteAdminSettings | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\RemoteAdminSettings\Enabled = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Services\RemoteDesktop | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AllowLocalIPsecPolicyMerge = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\FileAndPrint | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\RemoteAdminSettings\Enabled = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\DisableNotifications = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\EnableFirewall = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Services\FileAndPrint\Enabled = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\RemoteAdminSettings\Enabled = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AllowLocalIPsecPolicyMerge = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AllowLocalPolicyMerge = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DefaultInboundAction = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DefaultOutboundAction = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Services | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\DefaultInboundAction = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Services\FileAndPrint | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AllowLocalPolicyMerge = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Services\FileAndPrint | reg.exe
Modifies security service 2 TTPs 4 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "2" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "2" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "2" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "2" | reg.exe
Modifies system executable filetype association 2 TTPs 36 IoCs
Processes: reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\03Normal\Command | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\04AboveNormal\MUIVerb = "Above Normal" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\05High | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicy = "4096" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\01Low | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\01Low\Command\ = "cmd.exe /c start \"\" /Low \"%1\"" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\03Normal | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\02BelowNormal\Command\ = "cmd.exe /c start \"\" /BelowNormal \"%1\"" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\MUIVerb = "Run with priority" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\01Low\MUIVerb = "Low" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\01Low\Command | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\05High\Command\ = "cmd.exe /c start \"\" /High \"%1\"" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\06Realtime | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\Icon = "shell32.dll,-25" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\05High\Command | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\02BelowNormal | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\04AboveNormal | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\06Realtime\Command | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\SuppressionPolicy = "4096" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\04AboveNormal\Command\ = "cmd.exe /c start \"\" /AboveNormal \"%1\"" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\05High\MUIVerb = "High" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\06Realtime\Command\ = "cmd.exe /c start \"\" /Realtime \"%1\"" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\06Realtime\MUIVerb = "Realtime" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\03Normal\Command\ = "cmd.exe /c start \"\" /Normal \"%1\"" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\04AboveNormal\Command | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\SubCommands | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\02BelowNormal\MUIVerb = "Below normal" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\02BelowNormal\Command | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\03Normal\MUIVerb = "Normal" | reg.exe
Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | reg.exe
Disables taskbar notifications via registry modification
Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 1 IoCs
Processes: cmd.exe
description | ioc | process
File opened for modification | C:\Windows\System32\Drivers\Etc\hosts | cmd.exe
Executes dropped EXE 1 IoCs
Processes: LGPO.exe
pid | process
3812 | LGPO.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
Possible privilege escalation attempt 6 IoCs
Processes: icacls.exe, icacls.exe, takeown.exe, icacls.exe, icacls.exe, takeown.exe
pid | process
548 | icacls.exe
4784 | icacls.exe
1356 | takeown.exe
4864 | icacls.exe
4304 | icacls.exe
1092 | takeown.exe
Sets file execution options in registry 2 TTPs 47 IoCs
Processes: reg.exe, reg.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe | reg.exe
Allows Network login with blank passwords 1 TTPs 1 IoCs
Allows local user accounts with blank passwords to access device from the network.
Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0" | reg.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: GSecurity.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | GSecurity.exe
Modifies file permissions 1 TTPs 6 IoCs
Processes: icacls.exe, takeown.exe, icacls.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
4304 | icacls.exe
1092 | takeown.exe
548 | icacls.exe
4784 | icacls.exe
1356 | takeown.exe
4864 | icacls.exe
Adds Run key to start application 2 TTPs 11 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe, reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FWClean = "netsh advfirewall firewall delete rule name=all" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start /prefetch:5" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | reg.exe
Key deleted | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled | reg.exe
Key deleted | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | reg.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Modifies powershell logging option 1 TTPs
Drops file in System32 directory 10 IoCs
Processes: LGPO.exe, cmd.exe
description | ioc | process
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | LGPO.exe
File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | LGPO.exe
File opened for modification | C:\Windows\System32\GroupPolicy\User\Registry.pol | LGPO.exe
File opened for modification | C:\Windows\SysWOW64\LogFiles\SAFER.LOG | cmd.exe
File opened for modification | C:\Windows\System32\GroupPolicy | LGPO.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | LGPO.exe
File created | C:\Windows\System32\GroupPolicy\User\Registry.pol | LGPO.exe
File created | C:\Windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv | LGPO.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv | LGPO.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | LGPO.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 2 IoCs
Processes: WerFault.exe, WerFault.exe
pid | pid_target | process | target process
4724 | 736 | WerFault.exe |
1084 | 736 | WerFault.exe |
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: svchost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Security | svchost.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Security = 0100148000000000000000001400000044000000020030000200000002401400070001000101000000000001000000000280140007000100010100000000000100000000020080000600000000001400ff011f0001010000000000051200000000001400ff011f0001010000000000051300000000001400ff011f0001010000000000050400000000001400a000120001010000000000010000000000001400a000120001010000000000050c00000000001400ff011f0001010000000000050b000000 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Security | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Security | svchost.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Security = 0100148000000000000000001400000044000000020030000200000002401400070001000101000000000001000000000280140007000100010100000000000100000000020080000600000000001400ff011f0001010000000000051200000000001400ff011f0001010000000000051300000000001400ff011f0001010000000000050400000000001400a000120001010000000000010000000000001400a000120001010000000000050c00000000001400ff011f0001010000000000050b000000 | svchost.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Security = 0100148000000000000000001400000044000000020030000200000002401400070001000101000000000001000000000280140007000100010100000000000100000000020080000600000000001400ff011f0001010000000000051200000000001400ff011f0001010000000000051300000000001400ff011f0001010000000000050400000000001400a000120001010000000000010000000000001400a000120001010000000000050c00000000001400ff011f0001010000000000050b000000 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | svchost.exe
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
Processes: reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\PhishingFilter | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "1" | reg.exe
Processes: reg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{92C7D65C-52F3-4545-8A35-213D730DB1ED} | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AF9104F7-D6E9-46CC-8FBF-BBE2FB05E3CF}\Compatibility Flags = "1024" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{ceb29da4-7afa-4f24-b3cd-17351d590df0}\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0A68C5A2-64AE-4415-88A2-6542304A4745}\ | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{288C5F13-7E52-4ADA-A32E-F5BF9D125F98}\Compatibility Flags = "1024" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7011471D-3F74-498E-88E1-C0491200312D} | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{657B9354-BB3B-4500-A9B0-109B4FA64815}\Compatibility Flags = "1024" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7B64270B-1216-47CE-9708-DE9D2D628CC5}\ | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A45F39DC-3608-4237-8F0E-139F1BC49464}\Compatibility Flags = "1024" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D9EC0A76-03BF-11D4-A509-0090270F86E3} | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1B13BF1B-A528-4CC4-B5BF-553CAA6487AC}\Compatibility Flags = "1024" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{31995C64-CB4D-483E-82C2-CCFFE2F66CAB}\ | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{319A68DB-06D0-46DA-9F93-A810D5A70836}\Compatibility Flags = "1024" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C}\Compatibility Flags = "1024" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FF65677A-8977-48CA-916A-DFF81B037DF3} | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{EBBD88E5-C372-469D-B4C5-1FE00352AB9B}\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{224530A0-C9CB-4AEE-9C0F-54AC1B533211}\ | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4E7BD74F-2B8D-469E-D4F3-F66DA787AD2D} | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AB4DD0F0-38DA-4F48-AAFE-7DE7323BB6B2} | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{18B79968-1A76-4953-9EBB-B651407F8998} | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}\ | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{92C7D65C-52F3-4545-8A35-213D730DB1ED}\Compatibility Flags = "1024" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{28F00B0F-DC4E-11D3-ABEC-005004A44EEB} | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DBFDA8E-D33B-11D4-9269-00600868E56E}\Compatibility Flags = "1024" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CE7C3CF0-4B15-11D1-ABED-709549C10001}\ | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FEE7FD53-3356-4D4D-8978-2C4AE3A7E109} | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FF3F0F03-0F01-131A-A3F9-08F02B23E0CC}\ | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000185-B716-11D3-92F3-00D0B709A7D8} | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{000004Cc-e4ff-4f2c-bc30-dbef0b983bc9}\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{280168BC-76BF-4CD0-B835-3D686EFA8DDC}\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1E1B2879-88FF-11D2-8D96-123457123457}\ | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D0B0C04A-DC73-4A91-9307-41F3E36579BF}\Compatibility Flags = "1024" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FAC6E0E1-5D45-4907-BC00-302D702DCC73}\ | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0000607D-D204-42C7-8E46-216055BF9918}\Compatibility Flags = "1024" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{018B7EC3-EECA-11D3-8E71-0000E82C6C0D} | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{10372968-EEA7-4918-8EA4-9F9CE488AD29}\Compatibility Flags = "1024" | reg.exe
Set
value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{16A7470E-229C-45F9-AE05-A87034FD14CF}\ reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2}\Compatibility Flags = "1024" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{26FD5192-A97C-4B48-A5D7-2420CFDCFDF2}\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{30192F8D-0958-44E6-B54D-331FD39AC959} reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D6E66235-7AA6-44ED-A06C-6F2033B1D993}\ reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000580-C637-11D5-831C-00105AD6ACF0}\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{001F2570-5DF5-11d3-B991-00A0C9BB0874} reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{11311111-1111-1111-1111-111111111157}\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6E1C5E3D-A8E6-4a92-820F-BFCFE45BA158} reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A6F42CAD-2559-48DF-AF30-89E480AF5DFA} reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CD4C3CF0-4B15-11D1-ABED-709549C10000}\ reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2D38A51A-23C9-48a1-A33C-48675AA2B494}\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{54771E6F-A5A2-4413-8FB8-7B8F85398174} reg.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{57E69D5A-6539-4D7D-9637-775DE8A385B4} reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D3F01312-8A3D-4D41-A4FA-FB61D295CB6B} reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0DDBB570-0396-44C9-986A-8F6F61A51C2F}\Compatibility Flags = "1024" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{56336BCB-3D8A-11D6-A00B-0050DA18DE71}\Compatibility Flags = "1024" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{970BF476-3CF2-4572-9EF9-4479E1591DB8} reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1678F7E1-C422-11D0-AD7D-00400515CAAA}\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{179E4B4A-76C3-4F65-BCED-C9FA1A28D2EF} reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7B64270B-1216-47CE-9708-DE9D2D628CC5} reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{214868A8-F71B-473E-8ECF-6EE1DE6B91D8} reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{288C5F13-7E52-4ADA-A32E-F5BF9D125F98}\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A0F0D762-D1DE-43af-B70E-D87864743EB3} reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B5E60A66-0C51-4894-8DF8-CBDF4E478D58}\ reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{001DAE60-95C0-11d3-924E-009027950886} reg.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00EC76B0-1952-4F0E-A5E0-F14FFAF01F61}\ reg.exe -
Modifies data under HKEY_USERS 12 IoCs
Processes: reg.exe
All entries written by reg.exe. The AutoConfigURL write points proxy auto-configuration for the .DEFAULT profile at a PAC script hosted on GitHub; whoever controls that URL controls proxy selection for connections made under that profile.
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL = "https://raw.githubusercontent.com/Gorstak-79/Pac/main/antiad.pac"
Key created \REGISTRY\USER\.DEFAULT\Control Panel
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseSpeed = "0"
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold2 = "0"
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion
Key created \REGISTRY\USER\.DEFAULT
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Mouse
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold1 = "0"
-
Modifies registry class 64 IoCs
Processes: reg.exe
All entries written by reg.exe.
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\SafeMode\MUIVerb = "Safe Mode"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shell
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\*\shell\GetFileHash\shell\06MD5\Command\ = "powershell.exe -noexit get-filehash -literalpath '%1' -algorithm MD5 | format-list"
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\ControlPanel\shell\2ControlPanelCmd
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\*\shell\GetFileHash\shell\03SHA384
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\AutorunsDisabled\EPP
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\SafeMode\shell
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\runasuser
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\*\shell\GetFileHash\SubCommands
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ShowSearchSuggestionsGlobal = "0"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CABFolder\Shell
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\ControlPanel\shell\1ControlPanelCmd\Command\ = "explorer.exe shell:::{26EE0668-A00A-44D7-9371-BEB064C98683}"
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\SafeMode\shell\04SafeModeNormal\Command\ = "wscript.exe \"C:\\ProgramData\\WinaeroTweaker\\SafeModeNormalMode.vbs\""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Move To
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\*\shell\GetFileHash\shell\02SHA256\Command\ = "powershell.exe -noexit get-filehash -literalpath '%1' -algorithm SHA256 | format-list"
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\*\shell\GetFileHash\shell\06MD5\Command
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\SafeMode\shell\02SafeModeNet\MUIVerb = "Safe Mode with Networking"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\*\shell\GetFileHash\shell\04SHA512
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\FolderType = "NotSpecified"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\*\shell\GetFileHash\shell\04SHA512\Command
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\03Normal
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shell\Extract\NeverDefault
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\*\shell\GetFileHash\shell\04SHA512\MUIVerb = "SHA512"
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\01Low
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\01Low\MUIVerb = "Low"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CABFolder
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\*\shell\GetFileHash\shell\07RIPEMD160\Command\ = "powershell.exe -noexit get-filehash -literalpath '%1' -algorithm RIPEMD160 | format-list"
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\05High
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CABFolder\Shell\runas
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\*
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\ShowSearchHistory
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\05High\Command\ = "cmd.exe /c start \"\" /High \"%1\""
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\03Normal\Command
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\SafeMode\shell\01SafeMode\Command
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\exefile\Shell\RunWithPriority\shell\03Normal\Command\ = "cmd.exe /c start \"\" /Normal \"%1\""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CABFolder\Shell\runas\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\ControlPanel\SubCommands
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\SafeMode\SubCommands
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\AutorunsDisabled
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CcFWSettg.Category
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shell\Extract
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CABFolder\Shell\runas\HasLUAShield
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\ControlPanel\MUIVerb = "@shell32.dll,-4161"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\ControlPanel\shell\3ControlPanelCmd\MUIVerb = "@shell32.dll,-32537"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shell\Extract\command
-
Modifies registry key 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: powershell.exe, powershell.exe
pid process
4508 powershell.exe
4508 powershell.exe
2940 powershell.exe
2940 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: powershell.exe, auditpol.exe, auditpol.exe, powershell.exe
description pid process
Token: SeDebugPrivilege 4508 powershell.exe
Token: SeSecurityPrivilege 4240 auditpol.exe
Token: SeSecurityPrivilege 4600 auditpol.exe
Token: SeDebugPrivilege 2940 powershell.exe
Token: SeBackupPrivilege 2940 powershell.exe
Token: SeRestorePrivilege 2940 powershell.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: GSecurity.exe, cmd.exe, LGPO.exe, powershell.exe
Source PID wrote to memory of target PID (source image → target image); identical repeated events are collapsed with their count.
PID 5100 wrote to memory of 2108 (GSecurity.exe → cmd.exe), 3 events
PID 2108 wrote to memory of 624 (cmd.exe → chcp.com), 3 events
PID 2108 wrote to memory of 628 (cmd.exe → fsutil.exe), 3 events
PID 2108 wrote to memory of 2348 (cmd.exe → where.exe), 3 events
PID 2108 wrote to memory of 3068 (cmd.exe → fsutil.exe), 3 events
PID 2108 wrote to memory of 4508 (cmd.exe → powershell.exe), 3 events
PID 2108 wrote to memory of 3812 (cmd.exe → LGPO.exe), 3 events
PID 3812 wrote to memory of 4240 (LGPO.exe → auditpol.exe), 2 events
PID 3812 wrote to memory of 4600 (LGPO.exe → auditpol.exe), 2 events
PID 2108 wrote to memory of 1092 (cmd.exe → takeown.exe), 3 events
PID 2108 wrote to memory of 548 (cmd.exe → icacls.exe), 3 events
PID 2108 wrote to memory of 4784 (cmd.exe → icacls.exe), 3 events
PID 2108 wrote to memory of 1356 (cmd.exe → takeown.exe), 3 events
PID 2108 wrote to memory of 4864 (cmd.exe → icacls.exe), 3 events
PID 2108 wrote to memory of 4304 (cmd.exe → icacls.exe), 3 events
PID 2108 wrote to memory of 2940 (cmd.exe → powershell.exe), 3 events
PID 2940 wrote to memory of 4808 (powershell.exe → REG.EXE), 2 events
PID 2108 wrote to memory of 1400 (cmd.exe → netsh.exe), 3 events
PID 2108 wrote to memory of 3940 (cmd.exe → reg.exe), 3 events
PID 2108 wrote to memory of 312 (cmd.exe → reg.exe), 3 events
PID 2108 wrote to memory of 4548 (cmd.exe → reg.exe), 3 events
PID 2108 wrote to memory of 932 (cmd.exe → reg.exe), 3 events
PID 2108 wrote to memory of 628 (cmd.exe → reg.exe), 1 event (the table stops at 64 entries)
Note that PID 628 appears first as fsutil.exe and later as reg.exe: the PID was reused during the run, so a tree keyed on PID alone would merge two different processes.
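The "wrote to memory of" events above are enough to rebuild the process tree on their own, provided two things are handled: the sandbox emits each event two or three times, and PID 628 belongs first to fsutil.exe and later to reg.exe, so nodes must be keyed on (PID, image) rather than PID alone. The following Python is an added example, not part of the sandbox report, that parses a constructed subset of these lines, collapses the duplicates, reports reused PIDs and walks a process's lineage back to GSecurity.exe.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the "wrote to memory of" events listed
# in this report, with the duplicated lines the sandbox emits and the reuse of
# PID 628 (fsutil.exe early in the run, reg.exe near the end) kept on purpose.
SAMPLE_EVENTS = """\
PID 5100 wrote to memory of 2108 5100 GSecurity.exe cmd.exe
PID 5100 wrote to memory of 2108 5100 GSecurity.exe cmd.exe
PID 2108 wrote to memory of 628 2108 cmd.exe fsutil.exe
PID 2108 wrote to memory of 4508 2108 cmd.exe powershell.exe
PID 2108 wrote to memory of 3812 2108 cmd.exe LGPO.exe
PID 3812 wrote to memory of 4240 3812 LGPO.exe auditpol.exe
PID 3812 wrote to memory of 4600 3812 LGPO.exe auditpol.exe
PID 2108 wrote to memory of 2940 2108 cmd.exe powershell.exe
PID 2940 wrote to memory of 4808 2940 powershell.exe REG.EXE
PID 2108 wrote to memory of 628 2108 cmd.exe reg.exe
"""

# Field order as printed by the sandbox: source PID, target PID, source PID
# again, source image, target image.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<src2>\d+) "
    r"(?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse_events(text):
    """Parse event lines into (src_pid, src_image, dst_pid, dst_image) tuples.

    Lines that do not match, or whose repeated source PID disagrees with the
    first one, are dropped rather than guessed at.
    """
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m or m["src"] != m["src2"]:
            continue
        events.append((int(m["src"]), m["src_image"], int(m["dst"]), m["dst_image"]))
    return events


def build_tree(events):
    """Map each (pid, image) node to its parent (pid, image) node.

    Keying on (pid, image) rather than pid alone keeps a reused PID from
    overwriting the earlier process that had the same number; repeated
    events for the same edge simply overwrite the same entry.
    """
    parent = {}
    for src_pid, src_image, dst_pid, dst_image in events:
        parent[(dst_pid, dst_image)] = (src_pid, src_image)
    return parent


def lineage(parent, pid, image):
    """Image names from the root process down to (pid, image)."""
    node = (pid, image)
    chain = [node]
    seen = {node}
    while node in parent and parent[node] not in seen:   # guard against cycles
        node = parent[node]
        chain.append(node)
        seen.add(node)
    return [img for _, img in reversed(chain)]


def children(parent, pid, image):
    """Distinct child nodes of (pid, image), in first-seen order."""
    return [child for child, par in parent.items() if par == (pid, image)]


def reused_pids(parent):
    """PIDs that appear with more than one image name (PID reuse during the run)."""
    images = defaultdict(set)
    for pid, image in list(parent) + list(parent.values()):
        images[pid].add(image)
    return {pid for pid, imgs in images.items() if len(imgs) > 1}


if __name__ == "__main__":
    tree = build_tree(parse_events(SAMPLE_EVENTS))
    print(" -> ".join(lineage(tree, 4240, "auditpol.exe")))
    print("PIDs reused during the run:", sorted(reused_pids(tree)))
```

On the full table the same code gives cmd.exe (2108) every child listed in the tree view further down; the two auditpol.exe instances resolve to LGPO.exe, not to cmd.exe, which is what distinguishes an LGPO-driven audit policy restore from a script calling auditpol directly.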
Processes (bracketed number = depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\GSecurity.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\GSecurity.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Setup.bat" "
      - Drops file in Drivers directory
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\chcp.com
        cmdline: chcp 437
    [3] C:\Windows\SysWOW64\fsutil.exe
        cmdline: fsutil dirty query C:
    [3] C:\Windows\SysWOW64\where.exe
        cmdline: where powershell
    [3] C:\Windows\SysWOW64\fsutil.exe
        cmdline: fsutil dirty query C:
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell -NonInteractive -WindowStyle hidden -command Set-MpPreference -En
ableNetworkProtection Enabled; Set-MpPreference -EnableControlledFolderAccess Enabled; Set-MpPreference -DisableRealtimeMonitoring 0; Set-MpPreference -DisableBehaviorMonitoring 0; Set-MpPreference -DisableBlockAtFirstSeen 0; Set-MpPreference -MAPSReporting 2; Set-MpPreference -SubmitSamplesConsent 1; Set-MpPreference -DisableIOAVProtection 0; Set-MpPreference -DisableScriptScanning 0; Set-MpPreference -PUAProtection Enabled; Set-MpPreference -ScanAvgCPULoadFactor 50; Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550,D4F940AB-401B-4EFC-AADC-AD5F3C50688A,3B576869-A4EC-4529-8536-B80A7769E899,75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84,D3E037E1-3EB8-44C8-A917-57927947596D,5BEB7EFE-FD9A-4556-801D-275E5FFC04CC,92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B,01443614-cd74-433a-b99e-2ecdc07bfc25,c1db55ab-c21a-4637-bb3f-a12568109d35,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,d1e49aac-8f56-4280-b9ba-993a6d77406c,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,26190899-1602-49e8-8b27-eb1d0a1ce869,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,e6db77e5-3df2-4cf1-b95a-636979351e5b,56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled; Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:SystemRoot'\assembly'; Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:SystemRoot'\Microsoft.NET\Framework\*\NativeImages'; Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:SystemRoot'\WinSxS\*\*.ni.dll'; Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:ProgramData'\Microsoft\Windows Defender';
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
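The Set-MpPreference command line above is dense: the sixteen ASR rule GUIDs are paired with the sixteen Enabled actions by position, and the exclusions are assembled by PowerShell argument concatenation ($env:SystemRoot'\assembly'). The following Python is an added example, not code from the sandbox or from GSecurity, that decodes such a command line into named rules, rejects a GUID/action list of unequal length, and renders the exclusions with their environment variables. Rule names come from Microsoft's published ASR rule list; the tokenizer assumes the argument forms used in this command (no nested quoting or subexpressions).

```python
import re
import shlex

# Attack surface reduction rule names from Microsoft's published list, keyed by GUID.
ASR_RULE_NAMES = {
    "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550": "Block executable content from email client and webmail",
    "d4f940ab-401b-4efc-aadc-ad5f3c50688a": "Block all Office applications from creating child processes",
    "3b576869-a4ec-4529-8536-b80a7769e899": "Block Office applications from creating executable content",
    "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84": "Block Office applications from injecting code into other processes",
    "d3e037e1-3eb8-44c8-a917-57927947596d": "Block JavaScript or VBScript from launching downloaded executable content",
    "5beb7efe-fd9a-4556-801d-275e5ffc04cc": "Block execution of potentially obfuscated scripts",
    "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b": "Block Win32 API calls from Office macros",
    "01443614-cd74-433a-b99e-2ecdc07bfc25": "Block executable files unless they meet a prevalence, age, or trusted list criterion",
    "c1db55ab-c21a-4637-bb3f-a12568109d35": "Use advanced protection against ransomware",
    "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2": "Block credential stealing from LSASS",
    "d1e49aac-8f56-4280-b9ba-993a6d77406c": "Block process creations originating from PSExec and WMI commands",
    "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4": "Block untrusted and unsigned processes that run from USB",
    "26190899-1602-49e8-8b27-eb1d0a1ce869": "Block Office communication application from creating child processes",
    "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c": "Block Adobe Reader from creating child processes",
    "e6db77e5-3df2-4cf1-b95a-636979351e5b": "Block persistence through WMI event subscription",
    "56a863a9-875e-4185-98a7-b882c64b5ce5": "Block abuse of exploited vulnerable signed drivers",
}

# Constructed sample: the PowerShell line from the process tree, trimmed to the
# statements this decoder cares about (rule list, actions, exclusions, a few scalars).
SAMPLE_CMDLINE = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell -NonInteractive -WindowStyle hidden -command "
    r"Set-MpPreference -EnableNetworkProtection Enabled; "
    r"Set-MpPreference -DisableRealtimeMonitoring 0; "
    r"Set-MpPreference -PUAProtection Enabled; "
    r"Set-MpPreference -AttackSurfaceReductionRules_Ids "
    r"BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550,D4F940AB-401B-4EFC-AADC-AD5F3C50688A,"
    r"3B576869-A4EC-4529-8536-B80A7769E899,75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84,"
    r"D3E037E1-3EB8-44C8-A917-57927947596D,5BEB7EFE-FD9A-4556-801D-275E5FFC04CC,"
    r"92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B,01443614-cd74-433a-b99e-2ecdc07bfc25,"
    r"c1db55ab-c21a-4637-bb3f-a12568109d35,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,"
    r"d1e49aac-8f56-4280-b9ba-993a6d77406c,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,"
    r"26190899-1602-49e8-8b27-eb1d0a1ce869,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,"
    r"e6db77e5-3df2-4cf1-b95a-636979351e5b,56a863a9-875e-4185-98a7-b882c64b5ce5 "
    r"-AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,"
    r"Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled; "
    r"Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:SystemRoot'\assembly'; "
    r"Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:SystemRoot'\Microsoft.NET\Framework\*\NativeImages'; "
    r"Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:SystemRoot'\WinSxS\*\*.ni.dll'; "
    r"Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:ProgramData'\Microsoft\Windows Defender';"
)


def command_payload(cmdline):
    """Return the text after '-command ' (case-insensitive), or the whole line if absent."""
    m = re.search(r"-command\s+", cmdline, re.IGNORECASE)
    return cmdline[m.end():] if m else cmdline


def parse_statements(payload):
    """Split a ';'-separated payload into (cmdlet, {param_lower: value}) pairs.

    POSIX shlex joins $env:SystemRoot'\\assembly' into one token the same way
    PowerShell argument mode does, and keeps a quoted space inside a path.
    """
    parsed = []
    for stmt in payload.split(";"):
        tokens = shlex.split(stmt, posix=True)
        if not tokens:
            continue
        cmdlet, params, i = tokens[0], {}, 1
        while i < len(tokens):
            name = tokens[i].lstrip("-").lower()
            if tokens[i].startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                params[name] = tokens[i + 1]
                i += 2
            else:                      # switch parameter or stray token
                params[name] = None
                i += 1
        parsed.append((cmdlet, params))
    return parsed


def decode_asr_rules(statements):
    """Pair rule GUIDs with actions (Set-MpPreference matches them by position) and name them."""
    ids, actions = [], []
    for cmdlet, params in statements:
        if cmdlet.lower() == "set-mppreference":
            ids += (params.get("attacksurfacereductionrules_ids") or "").split(",") if "attacksurfacereductionrules_ids" in params else []
            actions += (params.get("attacksurfacereductionrules_actions") or "").split(",") if "attacksurfacereductionrules_actions" in params else []
    if len(ids) != len(actions):
        raise ValueError(f"{len(ids)} rule ids but {len(actions)} actions: positional pairing is broken")
    return [(rid.lower(), act, ASR_RULE_NAMES.get(rid.lower(), "UNKNOWN RULE")) for rid, act in zip(ids, actions)]


def asr_exclusions(statements):
    """Collect Add-MpPreference ASR-only exclusions, showing $env:VAR as %VAR%."""
    out = []
    for cmdlet, params in statements:
        if cmdlet.lower() == "add-mppreference" and params.get("attacksurfacereductiononlyexclusions"):
            out.append(re.sub(r"\$env:(\w+)", r"%\1%", params["attacksurfacereductiononlyexclusions"]))
    return out


def scalar_preferences(statements):
    """Plain -Name Value settings from Set-MpPreference (Disable* = 0 means the feature is on)."""
    prefs = {}
    for cmdlet, params in statements:
        if cmdlet.lower() == "set-mppreference":
            prefs.update({k: v for k, v in params.items() if not k.startswith("attacksurfacereductionrules_")})
    return prefs


if __name__ == "__main__":
    stmts = parse_statements(command_payload(SAMPLE_CMDLINE))
    for rid, action, name in decode_asr_rules(stmts):
        print(f"{action:8} {rid}  {name}")
    print("ASR exclusions:", asr_exclusions(stmts))
```

The exclusion list deserves a second look during triage even when, as here, the rest of the command only tightens settings: a wildcard path such as %SystemRoot%\WinSxS\*\*.ni.dll is exactly the kind of entry a less friendly script would widen.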
    [3] C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\LGPO.exe
        cmdline: lgpo /g C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\auditpol.exe
          cmdline: C:\Windows\system32\auditpol.exe /clear /y
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\auditpol.exe
          cmdline: C:\Windows\system32\auditpol.exe /restore /file:"C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\takeown.exe
        cmdline: takeown /f "C:\Users\Public\Desktop" /r /d y
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\icacls.exe
        cmdline: icacls "C:\Users\Public\Desktop" /inheritance:r
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\icacls.exe
        cmdline: icacls "C:\Users\Public\Desktop" /grant:r "Admin":(OI)(CI)F /t /l /q /c
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\takeown.exe
        cmdline: takeown /f "C:\Users\Admin\Desktop" /r /d y
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\icacls.exe
        cmdline: icacls "C:\Users\Admin\Desktop" /inheritance:r
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\icacls.exe
        cmdline: icacls "C:\Users\Admin\Desktop" /grant:r "Admin":(OI)(CI)F /t /l /q /c
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Uninstall-ProvisioningPackage -AllInstalledPackages"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\REG.EXE
          cmdline: "C:\Windows\SysNative\REG.EXE" export HKLM\Software\Microsoft\Provisioning C:\Users\Admin\AppData\Local\Temp\ICD_20230119-130024-974_2940.9_2009453561.1\regBefore.txt
    [3] C:\Windows\SysWOW64\netsh.exe
        cmdline: netsh advfirewall firewall delete rule name=all
        - Modifies Windows Firewall
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: Reg.exe import GSecurity.reg
        - Modifies Windows Defender Real-time Protection settings
        - Modifies firewall policy service
        - Modifies system executable filetype association
        - Allows Network login with blank passwords
        - Adds Run key to start application
        - Modifies Internet Explorer Phishing Filter
        - Modifies Internet Explorer settings
        - Modifies data under HKEY_USERS
        - Modifies registry class
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v SavedLegacySettings /f
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL /f
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /f
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v DefaultConnectionSettings /f
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxySettingsPerUser /f
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
        - Modifies registry key
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
        - Modifies registry key
    [3] C:\Windows\SysWOW64\bitsadmin.exe
        cmdline: "C:\Windows\system32\bitsadmin" /reset /allusers
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" /f /reg:32
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" /f /reg:64
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
        - Adds Run key to start application
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
        - Adds Run key to start application
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
        - Adds Run key to start application
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
        - Adds Run key to start application
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /f
        - Sets file execution options in registry
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" add "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 0 /f
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" add "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 0 /f
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /f
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend /f /v Start /t REG_DWORD /d 0x00000002
        - Modifies security service
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 0x00000000
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" add "HKLM\SYSTEM\CurrentControlSet\services\MpsSvc" /V Start /T REG_DWORD /D 2 /F
        - Modifies security service
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /f /v EnableFirewall /t REG_DWORD /d 0x00000001
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /f /v DoNotAllowExceptions
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" add "HKLM\SYSTEM\CurrentControlSet\services\wuauserv" /V Start /T REG_DWORD /D 2 /F
        - Modifies security service
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /f /v NoWindowsUpdate
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
        - UAC bypass
        - Modifies registry key
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" add "HKLM\SYSTEM\CurrentControlSet\services\wscsvc" /V Start /T REG_DWORD /D 2 /F
        - Modifies security service
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v HideSCAHealth /t REG_SZ /d 0
    [3] C:\Windows\SysWOW64\reg.exe
        cmdline: "C:\Windows\system32\reg" add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v HideSCAHealth /t REG_SZ /d 0
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 396 -p 736 -ip 7361⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 448 -p 736 -ip 7361⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 736 -s 10561⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 736 -s 9721⤵
- Program crash
-
C:\Windows\system32\pacjsworker.exeC:\Windows\system32\pacjsworker.exe 78103123-300f-41a0-a7b3-7388dc4e18f7 4f65a821-2063-4578-94ca-ce445c01fac01⤵
-
C:\Windows\system32\pacjsworker.exeC:\Windows\system32\pacjsworker.exe 01876050-a953-45bd-845e-ac980afadfbc 4f65a821-2063-4578-94ca-ce445c01fac01⤵
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
    Modify Existing Service: 4
    Change Default File Association: 1
    Registry Run Keys / Startup Folder: 2
Defense Evasion
    Modify Registry: 12
    Disabling Security Tools: 3
    Bypass User Account Control: 1
    File Permissions Modification: 1
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 18KB
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\Default.cmd
Filesize: 754B
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\GCleaner.cmd
Filesize: 8KB
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\GSecurity.cmd
Filesize: 17KB
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\GSecurity.reg
Filesize: 402KB
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\LGPO.exe
Filesize: 469KB
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\Windows Auto Configure.cmd
Filesize: 425KB
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\Backup.xml
Filesize: 6KB
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv
Filesize: 5KB
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\DomainSysvol\GPO\Machine\registry.pol
Filesize: 158KB
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\DomainSysvol\GPO\User\registry.pol
Filesize: 1KB
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Setup.bat
Filesize: 751B
-
C:\Users\Admin\AppData\Local\Temp\ICD_20230119-130024-974_2940.9_2009453561.1\regBefore.txt
Filesize: 127KB