xred | 1a90320e4bd2b6bfdd9dbc71377a4fec0012333216fd6503a476e8a171728b2e

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
Size

26.7MB
MD5

242fe026b7757526eaf7d5710c05b4a6
SHA1

bd0a5c55bc824bd5b73e505e379e9b688b5c1c33
SHA256

1a90320e4bd2b6bfdd9dbc71377a4fec0012333216fd6503a476e8a171728b2e
SHA512

814a18007cf1908d6614071d05a1126488f878202dfa3f967dcaf8676855fa982f03d573730c6b548b131eeaba7268ec2b67a5c5d7d3be6b42b07bf01c72d6c3
SSDEEP

786432:hu2+/t6D6dbsDTOXFTXRkdObGXYztTHMa0S:N0ZBkd4zZMzS

Score

10^/10

xred backdoor discovery evasion execution persistence privilege_escalation upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 8 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2068	netsh.exe
2908	netsh.exe
2888	netsh.exe
2812	netsh.exe
936	netsh.exe
536	netsh.exe
2644	netsh.exe
2276	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KMSEmulator\ImagePath = "\"C:\\Windows\\KMS\\bin\\KMSSS.exe\" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP"	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 35 IoCs

pid	Process
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2768	Synaptics.exe
2072	._cache_Synaptics.exe
2432	OInstallLite.exe
2476	MSActBackup.exe
1904	OUninstall.exe
3052	OUninstall.exe
2716	OInstallLite.exe
324	MSActBackup.exe
1972	OInstallLite.exe
1716	OUninstall.exe
1584	OInstallLite.exe
2248	OUninstall.exe
2744	MSActBackup.exe
2112	KMSSS.exe
1544	OUninstall.exe
1576	OInstallLite.exe
2656	MSActBackup.exe
1044	OInstallLite.exe
2952	OInstallLite.exe
1768	OInstallLite.exe
828	OInstallLite.exe
1468	OInstallLite.exe
2248	OInstallLite.exe
1696	OInstallLite.exe
3060	OInstallLite.exe
920	OInstallLite.exe
1592	OInstallLite.exe
1716	OInstallLite.exe
372	OInstallLite.exe
3008	OInstallLite.exe
468	OInstallLite.exe
2708	OInstallLite.exe
2764	OInstallLite.exe
1744	OInstallLite.exe

Loads dropped DLL 64 IoCs

pid	Process
2648	2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2648	2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2648	2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2768	Synaptics.exe
2768	Synaptics.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
300	WerFault.exe
300	WerFault.exe
300	WerFault.exe
300	WerFault.exe
300	WerFault.exe
300	WerFault.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
300	WerFault.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000019442-125.dat	upx
behavioral1/memory/2476-130-0x0000000000400000-0x0000000000535000-memory.dmp	upx
behavioral1/memory/2476-150-0x0000000000400000-0x0000000000535000-memory.dmp	upx
behavioral1/memory/324-177-0x0000000000400000-0x0000000000535000-memory.dmp	upx
behavioral1/memory/324-196-0x0000000000400000-0x0000000000535000-memory.dmp	upx
behavioral1/memory/2744-224-0x0000000000400000-0x0000000000535000-memory.dmp	upx
behavioral1/memory/2744-237-0x0000000000400000-0x0000000000535000-memory.dmp	upx
behavioral1/memory/2656-286-0x0000000000400000-0x0000000000535000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\KMS\bin\KMSSS.exe	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
File opened for modification	C:\Windows\KMS\bin\KMSSS.log	KMSSS.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1736	sc.exe
2540	sc.exe
1152	sc.exe
2200	sc.exe
2540	sc.exe
2364	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
300	2476	WerFault.exe	51
2976	324	WerFault.exe	80
2648	2744	WerFault.exe	113
320	2656	WerFault.exe	156

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OInstallLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OInstallLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OInstallLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSActBackup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OInstallLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OInstallLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSActBackup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KMSSS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSActBackup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OInstallLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OInstallLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OInstallLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OInstallLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OInstallLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OInstallLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OInstallLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSActBackup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OInstallLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OInstallLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
804	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2708	wmic.exe
Token: SeSecurityPrivilege	2708	wmic.exe
Token: SeTakeOwnershipPrivilege	2708	wmic.exe
Token: SeLoadDriverPrivilege	2708	wmic.exe
Token: SeSystemProfilePrivilege	2708	wmic.exe
Token: SeSystemtimePrivilege	2708	wmic.exe
Token: SeProfSingleProcessPrivilege	2708	wmic.exe
Token: SeIncBasePriorityPrivilege	2708	wmic.exe
Token: SeCreatePagefilePrivilege	2708	wmic.exe
Token: SeBackupPrivilege	2708	wmic.exe
Token: SeRestorePrivilege	2708	wmic.exe
Token: SeShutdownPrivilege	2708	wmic.exe
Token: SeDebugPrivilege	2708	wmic.exe
Token: SeSystemEnvironmentPrivilege	2708	wmic.exe
Token: SeRemoteShutdownPrivilege	2708	wmic.exe
Token: SeUndockPrivilege	2708	wmic.exe
Token: SeManageVolumePrivilege	2708	wmic.exe
Token: 33	2708	wmic.exe
Token: 34	2708	wmic.exe
Token: 35	2708	wmic.exe
Token: SeIncreaseQuotaPrivilege	2708	wmic.exe
Token: SeSecurityPrivilege	2708	wmic.exe
Token: SeTakeOwnershipPrivilege	2708	wmic.exe
Token: SeLoadDriverPrivilege	2708	wmic.exe
Token: SeSystemProfilePrivilege	2708	wmic.exe
Token: SeSystemtimePrivilege	2708	wmic.exe
Token: SeProfSingleProcessPrivilege	2708	wmic.exe
Token: SeIncBasePriorityPrivilege	2708	wmic.exe
Token: SeCreatePagefilePrivilege	2708	wmic.exe
Token: SeBackupPrivilege	2708	wmic.exe
Token: SeRestorePrivilege	2708	wmic.exe
Token: SeShutdownPrivilege	2708	wmic.exe
Token: SeDebugPrivilege	2708	wmic.exe
Token: SeSystemEnvironmentPrivilege	2708	wmic.exe
Token: SeRemoteShutdownPrivilege	2708	wmic.exe
Token: SeUndockPrivilege	2708	wmic.exe
Token: SeManageVolumePrivilege	2708	wmic.exe
Token: 33	2708	wmic.exe
Token: 34	2708	wmic.exe
Token: 35	2708	wmic.exe
Token: SeIncreaseQuotaPrivilege	2060	wmic.exe
Token: SeSecurityPrivilege	2060	wmic.exe
Token: SeTakeOwnershipPrivilege	2060	wmic.exe
Token: SeLoadDriverPrivilege	2060	wmic.exe
Token: SeSystemProfilePrivilege	2060	wmic.exe
Token: SeSystemtimePrivilege	2060	wmic.exe
Token: SeProfSingleProcessPrivilege	2060	wmic.exe
Token: SeIncBasePriorityPrivilege	2060	wmic.exe
Token: SeCreatePagefilePrivilege	2060	wmic.exe
Token: SeBackupPrivilege	2060	wmic.exe
Token: SeRestorePrivilege	2060	wmic.exe
Token: SeShutdownPrivilege	2060	wmic.exe
Token: SeDebugPrivilege	2060	wmic.exe
Token: SeSystemEnvironmentPrivilege	2060	wmic.exe
Token: SeRemoteShutdownPrivilege	2060	wmic.exe
Token: SeUndockPrivilege	2060	wmic.exe
Token: SeManageVolumePrivilege	2060	wmic.exe
Token: 33	2060	wmic.exe
Token: 34	2060	wmic.exe
Token: 35	2060	wmic.exe
Token: SeIncreaseQuotaPrivilege	2060	wmic.exe
Token: SeSecurityPrivilege	2060	wmic.exe
Token: SeTakeOwnershipPrivilege	2060	wmic.exe
Token: SeLoadDriverPrivilege	2060	wmic.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
804	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2772	2648	2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	30
PID 2648 wrote to memory of 2772	2648	2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	30
PID 2648 wrote to memory of 2772	2648	2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	30
PID 2648 wrote to memory of 2772	2648	2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	30
PID 2772 wrote to memory of 2388	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	31
PID 2772 wrote to memory of 2388	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	31
PID 2772 wrote to memory of 2388	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	31
PID 2772 wrote to memory of 2388	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	31
PID 2648 wrote to memory of 2768	2648	2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	32
PID 2648 wrote to memory of 2768	2648	2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	32
PID 2648 wrote to memory of 2768	2648	2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	32
PID 2648 wrote to memory of 2768	2648	2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	32
PID 2772 wrote to memory of 2708	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	34
PID 2772 wrote to memory of 2708	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	34
PID 2772 wrote to memory of 2708	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	34
PID 2772 wrote to memory of 2708	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	34
PID 2768 wrote to memory of 2072	2768	Synaptics.exe	36
PID 2768 wrote to memory of 2072	2768	Synaptics.exe	36
PID 2768 wrote to memory of 2072	2768	Synaptics.exe	36
PID 2768 wrote to memory of 2072	2768	Synaptics.exe	36
PID 2072 wrote to memory of 2860	2072	._cache_Synaptics.exe	38
PID 2072 wrote to memory of 2860	2072	._cache_Synaptics.exe	38
PID 2072 wrote to memory of 2860	2072	._cache_Synaptics.exe	38
PID 2072 wrote to memory of 2860	2072	._cache_Synaptics.exe	38
PID 2772 wrote to memory of 2432	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	42
PID 2772 wrote to memory of 2432	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	42
PID 2772 wrote to memory of 2432	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	42
PID 2772 wrote to memory of 2432	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	42
PID 2772 wrote to memory of 2432	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	42
PID 2772 wrote to memory of 2432	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	42
PID 2772 wrote to memory of 2432	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	42
PID 2432 wrote to memory of 2060	2432	OInstallLite.exe	43
PID 2432 wrote to memory of 2060	2432	OInstallLite.exe	43
PID 2432 wrote to memory of 2060	2432	OInstallLite.exe	43
PID 2432 wrote to memory of 2060	2432	OInstallLite.exe	43
PID 2432 wrote to memory of 2416	2432	OInstallLite.exe	45
PID 2432 wrote to memory of 2416	2432	OInstallLite.exe	45
PID 2432 wrote to memory of 2416	2432	OInstallLite.exe	45
PID 2432 wrote to memory of 2416	2432	OInstallLite.exe	45
PID 2772 wrote to memory of 1672	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	47
PID 2772 wrote to memory of 1672	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	47
PID 2772 wrote to memory of 1672	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	47
PID 2772 wrote to memory of 1672	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	47
PID 2772 wrote to memory of 1944	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	49
PID 2772 wrote to memory of 1944	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	49
PID 2772 wrote to memory of 1944	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	49
PID 2772 wrote to memory of 1944	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	49
PID 2772 wrote to memory of 2476	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	51
PID 2772 wrote to memory of 2476	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	51
PID 2772 wrote to memory of 2476	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	51
PID 2772 wrote to memory of 2476	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	51
PID 1944 wrote to memory of 1736	1944	cmd.exe	52
PID 1944 wrote to memory of 1736	1944	cmd.exe	52
PID 1944 wrote to memory of 1736	1944	cmd.exe	52
PID 2476 wrote to memory of 300	2476	MSActBackup.exe	53
PID 2476 wrote to memory of 300	2476	MSActBackup.exe	53
PID 2476 wrote to memory of 300	2476	MSActBackup.exe	53
PID 2476 wrote to memory of 300	2476	MSActBackup.exe	53
PID 2772 wrote to memory of 1904	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	54
PID 2772 wrote to memory of 1904	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	54
PID 2772 wrote to memory of 1904	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	54
PID 2772 wrote to memory of 1904	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	54
PID 2772 wrote to memory of 1904	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	54
PID 2772 wrote to memory of 1904	2772	._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe	54

C:\Users\Admin\AppData\Local\Temp\2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe"
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" path Win32_NetworkAdapter get ServiceName /value /FORMAT:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2432) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2060
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:2416
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:1672
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c sc.exe stop KMSEmulator
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\system32\sc.exe
      sc.exe stop KMSEmulator
      4⤵
      Launches sc.exe
      PID:1736
- - C:\Users\Admin\AppData\Local\Temp\MSActBackup.exe
    "C:\Users\Admin\AppData\Local\Temp\MSActBackup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 492
      4⤵
      Loads dropped DLL
      Program crash
      PID:300
- - C:\Users\Admin\AppData\Local\Temp\OUninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\OUninstall"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1904
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=1904) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:1784
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      PID:1980
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OUninstall.exe" /F /Q
    3⤵
    PID:2748
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c sc.exe delete KMSEmulator
    3⤵
    PID:2752
  - - C:\Windows\system32\sc.exe
      sc.exe delete KMSEmulator
      4⤵
      Launches sc.exe
      PID:2540
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\MSActBackup.exe" /F /Q
    3⤵
    PID:2920
- - C:\Users\Admin\AppData\Local\Temp\OUninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\OUninstall"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3052
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=3052) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:2984
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OUninstall.exe" /F /Q
    3⤵
    PID:2680
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2716
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2716) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:2892
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:2608
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:2304
- - C:\Users\Admin\AppData\Local\Temp\MSActBackup.exe
    "C:\Users\Admin\AppData\Local\Temp\MSActBackup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 492
      4⤵
      Loads dropped DLL
      Program crash
      PID:2976
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1972
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=1972) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      PID:1232
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:676
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:556
- - C:\Users\Admin\AppData\Local\Temp\OUninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\OUninstall"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1716
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=1716) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      PID:1508
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:1764
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OUninstall.exe" /F /Q
    3⤵
    PID:2312
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\MSActBackup.exe" /F /Q
    3⤵
    PID:2276
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1584
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=1584) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:1344
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:2508
- - C:\Users\Admin\AppData\Local\Temp\OUninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\OUninstall"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2248
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2248) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:2736
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      PID:2516
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OUninstall.exe" /F /Q
    3⤵
    PID:2576
- - C:\Users\Admin\AppData\Local\Temp\MSActBackup.exe
    "C:\Users\Admin\AppData\Local\Temp\MSActBackup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 496
      4⤵
      Loads dropped DLL
      Program crash
      PID:2648
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:2968
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2068
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
    3⤵
    PID:1128
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2908
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:3028
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2888
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:2764
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2812
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
    3⤵
    PID:2944
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:936
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
    3⤵
    PID:2600
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:536
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
    3⤵
    PID:2300
  - - C:\Windows\system32\sc.exe
      sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
      4⤵
      Launches sc.exe
      PID:1152
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c sc.exe start KMSEmulator
    3⤵
    PID:2380
  - - C:\Windows\system32\sc.exe
      sc.exe start KMSEmulator
      4⤵
      Launches sc.exe
      PID:2200
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\MSActBackup.exe" /F /Q
    3⤵
    PID:3008
- - C:\Users\Admin\AppData\Local\Temp\OUninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\OUninstall"
    3⤵
    - Executes dropped EXE
    PID:1544
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=1544) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:324
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OUninstall.exe" /F /Q
    3⤵
    PID:700
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1576
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=1576) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      PID:1552
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      PID:280
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:2664
- - C:\Users\Admin\AppData\Local\Temp\MSActBackup.exe
    "C:\Users\Admin\AppData\Local\Temp\MSActBackup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 492
      4⤵
      Loads dropped DLL
      Program crash
      PID:320
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:2268
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2644
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:2676
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2276
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
    3⤵
    PID:1776
  - - C:\Windows\system32\sc.exe
      sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
      4⤵
      Launches sc.exe
      PID:2540
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c sc.exe start KMSEmulator
    3⤵
    PID:2760
  - - C:\Windows\system32\sc.exe
      sc.exe start KMSEmulator
      4⤵
      Launches sc.exe
      PID:2364
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1044
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=1044) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:2564
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:2868
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2952
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2952) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:920
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:984
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1768
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=1768) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      PID:2272
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:1404
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    PID:828
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=828) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      PID:832
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      PID:1520
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:2100
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    PID:1468
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=1468) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      PID:1076
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:992
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:1628
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    PID:2248
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2248) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:2644
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:2508
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:2540
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    PID:1696
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=1696) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:320
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:2860
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:2856
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3060
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=3060) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:3028
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:2368
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:1080
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:920
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=920) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:2504
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:1152
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:2136
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    PID:1592
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=1592) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:1956
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:1624
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:1312
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1716
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=1716) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:2704
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      PID:2292
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    PID:372
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=372) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:1784
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:2960
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:1548
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3008
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=3008) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:556
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:2616
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:468
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=468) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:2556
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:320
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2708
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2708) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:1696
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:2204
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:3028
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2764
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2764) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:1044
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:592
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:2600
- - C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /x=100 /y=100
    3⤵
    - Executes dropped EXE
    PID:1744
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=1744) get ParentProcessID /FORMAT:List /FORMAT:List
      4⤵
      PID:896
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" process where (ProcessId=2772) get ExecutablePath /FORMAT:List /FORMAT:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:1928
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\OInstallLite.exe" /F /Q
    3⤵
    PID:1404
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
      4⤵
      PID:2860

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:804

C:\Windows\KMS\bin\KMSSS.exe
"C:\Windows\KMS\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
26.7MB

MD5
242fe026b7757526eaf7d5710c05b4a6

SHA1
bd0a5c55bc824bd5b73e505e379e9b688b5c1c33

SHA256
1a90320e4bd2b6bfdd9dbc71377a4fec0012333216fd6503a476e8a171728b2e

SHA512
814a18007cf1908d6614071d05a1126488f878202dfa3f967dcaf8676855fa982f03d573730c6b548b131eeaba7268ec2b67a5c5d7d3be6b42b07bf01c72d6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AuwqpuPO.xlsm

Filesize
24KB

MD5
6a3a8a64450679c4f7075da96ad1d4b1

SHA1
90cabdd347f4c3e22e32b04851333123a9093b6e

SHA256
af5755447aa4f26ca3ab026f3c65b43022d67db0207bff2199141dd8a62f4600

SHA512
c49119fdcd5173da32d097a3edf3589e0f81be069f90b01e44fe6d40568dc8862f0e59646f89b4940cd142f90b2dc30c06343025576820d68f1bbdaff6987c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\AuwqpuPO.xlsm

Filesize
26KB

MD5
744eaea15e1349cba0be72bd458ebf56

SHA1
d62fdc18cf2eff80446d6a5aa099d455ee9db96b

SHA256
503d9a48871d47b124faf361777f2ffcece1b7bb7cbad165655dd09e78eed227

SHA512
48de71c2aa498eda4a64faa369afe13514b329804f2961a80250f604ab9bb51a70267c22b08626b481d35df805b73a11bdef6c36193734389c34ad70c095409b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AuwqpuPO.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\AuwqpuPO.xlsm

Filesize
27KB

MD5
8df2e30ffa034800ca6b08911ed45196

SHA1
9039114852c8e16a537819690f1ad9a8d6ee1f13

SHA256
78a706d433808ced5723934a7b7ff17db651aa7b2aa62b5281e3cda8d66adafc

SHA512
49426d7d642700ba0882a595eed8e36386e57039ebd462d26ad7badaa46ab975c27acb3ffa722ebaf41a74be5c5db13ab307a513ecbd97ff7d2f268d8ba1475e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AuwqpuPO.xlsm

Filesize
26KB

MD5
ff0cc0539e1d5701f25a4a18dc239855

SHA1
8374496d590e5c2096cc2f004013a18707bc1fe3

SHA256
68b828fe5c83cb57b6c6af5e0f2dcb2e91a52268253663e3239ce27412c1f06f

SHA512
5f3b971a223271d4e0ed3dfd9b82a79d0ae6d45d1937ca88da962add007744e67b14bebaea53c9190fbfdda9eac6e30a6233fccf40b75c75e1f0abb1d783abc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUninstall.exe

Filesize
2.9MB

MD5
09ae69b459fbbbd85be5b40e4799c5a4

SHA1
6d0ebb4082a003de0b49955ba05993d8f0794882

SHA256
6cd04a28b98ef7a55756759114f712f099f706c4f1d23aa55903220ae9217243

SHA512
e6078147593f0d25efc02fc1a8b5c5a2d6b604fd9a381db954e8dd2a1ac0ae3cafa188705f6027be4bc31a905d891be226c95052a96a06a9b715895b73301721

Download Submit
C:\Users\Admin\Desktop\~$RepairMount.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\KMS\bin\KMSSS.log

Filesize
773B

MD5
e1daaa79aa5d79711922eb05d27e43d1

SHA1
b45d3d2313a4cf61d96982a1f366061b29bc5678

SHA256
9dd26fd685bff1e0950aa70c2bb970a71cf7bd8a3c1b5e90eb9ab26af51c5e14

SHA512
fd6fcfe29f82a9f7318093c348d9742ff8ea305e26937c0a522de25ac9f08539dc910cd5eed2f8d110a33b8b21dd7032ef8725afd5e6509f95b7541ad84b1d5a

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_2025-01-16_242fe026b7757526eaf7d5710c05b4a6_darkgate_magniber_pos.exe

Filesize
26.0MB

MD5
d02f15eb9d0c8cdb597d5b892a8aba86

SHA1
b8344bb2157669389119be005b74c45d5adcbe7e

SHA256
4140061e52a95ecd9e6c9f55e8a18f7fb1f0605fb26e1d8236eaf0dfda04e866

SHA512
47cdd36ef62be7a48d8d80a08fa9cdc3ce2a7176c26818baf1626270633c072a790b41508d179c15f488d831ab439ab0baf47211d1d8a3e16b312a2143fd6328

Download Submit
\Users\Admin\AppData\Local\Temp\MSActBackup.exe

Filesize
453KB

MD5
019d71bd3e4ebf5e1b9171ef6859f071

SHA1
21d297f667f5698af15eee601a9a2a7245fd442f

SHA256
9c6ad0c7cd85ff0d73c3ece7917b698758b48801323f6800022bd01fb42fde4a

SHA512
a462744df26b2ae601a9bcd5d0522587c667707bb01dcd39f2388f4a7120149c2c4c1440d8ce587fbb82d5cdd45c9d8138600203d20759cabe1aa48da9353a09

Download Submit
\Users\Admin\AppData\Local\Temp\OInstallLite.exe

Filesize
13.4MB

MD5
f5f3bc6191392a2ace905124537763a5

SHA1
0bd88a29c7c436e62d20fd70c42fda2320a20ec8

SHA256
d935d643158439897fb19eafef0c79164b63301ffb94f2eb958c0a10c996c4dc

SHA512
1a46fe2fc6c62eb0f9b6382e5a8960206a1df5a0241174033a2529d6f450d6cd3ac6c180698bf3fc68be346ebeeef5c6bdae0f2457e505694e332ed0afb12b86

Download Submit
memory/324-177-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/324-196-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/804-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2476-130-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/2476-150-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/2648-25-0x0000000000400000-0x0000000001EB8000-memory.dmp

Filesize
26.7MB

Download
memory/2648-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2656-286-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/2744-237-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/2744-224-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/2768-190-0x0000000000400000-0x0000000001EB8000-memory.dmp

Filesize
26.7MB

Download
memory/2768-148-0x0000000000400000-0x0000000001EB8000-memory.dmp

Filesize
26.7MB

Download
memory/2768-38-0x0000000000400000-0x0000000001EB8000-memory.dmp

Filesize
26.7MB

Download
memory/2768-338-0x0000000000400000-0x0000000001EB8000-memory.dmp

Filesize
26.7MB

Download
memory/2772-168-0x0000000005020000-0x0000000005155000-memory.dmp

Filesize
1.2MB

Download
memory/2772-129-0x0000000005020000-0x0000000005155000-memory.dmp

Filesize
1.2MB

Download
memory/2772-294-0x00000000057F0000-0x0000000005925000-memory.dmp

Filesize
1.2MB

Download