81a9eb6e5b3b3c239a9cbcccc7d9651d5930aecd0c630e4f36ec6b1d3f4e8cd8

Analysis

max time kernel
147s
max time network
163s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-09-2022 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

046259ce63932f27c7bf22aeec796c2f
SHA1

cf80d5bdaa2a0a2fa2414375353f8a180ee43b94
SHA256

81a9eb6e5b3b3c239a9cbcccc7d9651d5930aecd0c630e4f36ec6b1d3f4e8cd8
SHA512

03949b25835fbdd98cfff9217d937f0695c9bd89c5d13033f5529f015837aee17de8af20af1e1d5407c624ddc77502f19e6613d60eb65da0966d443974b25dc3
SSDEEP

196608:91OnECWBY37gkHNIrEDXiA7WAnkAvoc9gVYTVhXsBqmZ+kp6MH+3OBd:3OnECWB87gktIrED+G/oogGhuBqA4Md

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QYiUKrukFVUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SHsJRQZsU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\fxkldoUMcXUSOxVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ATZmuaBwNwmU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\aJAQLsoDkiWqC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ATZmuaBwNwmU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\fxkldoUMcXUSOxVB = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\aJAQLsoDkiWqC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MYjwJFnMfsmfKHMw = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QYiUKrukFVUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SHsJRQZsU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Executes dropped EXE 3 IoCs

Processes:

Install.exeInstall.exeAzLWMQp.exe

pid process

1984 Install.exe
1956 Install.exe
1468 AzLWMQp.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Loads dropped DLL 8 IoCs

Processes:

file.exeInstall.exeInstall.exe

pid process

1880 file.exe
1984 Install.exe
1984 Install.exe
1984 Install.exe
1984 Install.exe
1956 Install.exe
1956 Install.exe
1956 Install.exe

pid	process
1984	Install.exe
1956	Install.exe
1468	AzLWMQp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

pid	process
1880	file.exe
1984	Install.exe
1984	Install.exe
1984	Install.exe
1984	Install.exe
1956	Install.exe
1956	Install.exe
1956	Install.exe

Drops file in System32 directory 8 IoCs

Processes:

AzLWMQp.exepowershell.EXEpowershell.EXEpowershell.EXEInstall.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	AzLWMQp.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	AzLWMQp.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	AzLWMQp.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\bNHXguvSZYiOwSiXLC.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1836 schtasks.exe
1920 schtasks.exe
1756 schtasks.exe
1076 schtasks.exe
880 schtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bNHXguvSZYiOwSiXLC.job	schtasks.exe

pid	process
1836	schtasks.exe
1920	schtasks.exe
1756	schtasks.exe
1076	schtasks.exe
880	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

wscript.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

pid	process
1148	powershell.EXE
1148	powershell.EXE
1148	powershell.EXE
1508	powershell.EXE
1508	powershell.EXE
1508	powershell.EXE
1716	powershell.EXE
1716	powershell.EXE
1716	powershell.EXE
320	powershell.EXE
320	powershell.EXE
320	powershell.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

description	pid	process
Token: SeDebugPrivilege	1148	powershell.EXE
Token: SeDebugPrivilege	1508	powershell.EXE
Token: SeDebugPrivilege	1716	powershell.EXE
Token: SeDebugPrivilege	320	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exe

description	pid	process	target process
PID 1880 wrote to memory of 1984	1880	file.exe	Install.exe
PID 1880 wrote to memory of 1984	1880	file.exe	Install.exe
PID 1880 wrote to memory of 1984	1880	file.exe	Install.exe
PID 1880 wrote to memory of 1984	1880	file.exe	Install.exe
PID 1880 wrote to memory of 1984	1880	file.exe	Install.exe
PID 1880 wrote to memory of 1984	1880	file.exe	Install.exe
PID 1880 wrote to memory of 1984	1880	file.exe	Install.exe
PID 1984 wrote to memory of 1956	1984	Install.exe	Install.exe
PID 1984 wrote to memory of 1956	1984	Install.exe	Install.exe
PID 1984 wrote to memory of 1956	1984	Install.exe	Install.exe
PID 1984 wrote to memory of 1956	1984	Install.exe	Install.exe
PID 1984 wrote to memory of 1956	1984	Install.exe	Install.exe
PID 1984 wrote to memory of 1956	1984	Install.exe	Install.exe
PID 1984 wrote to memory of 1956	1984	Install.exe	Install.exe
PID 1956 wrote to memory of 704	1956	Install.exe	forfiles.exe
PID 1956 wrote to memory of 704	1956	Install.exe	forfiles.exe
PID 1956 wrote to memory of 704	1956	Install.exe	forfiles.exe
PID 1956 wrote to memory of 704	1956	Install.exe	forfiles.exe
PID 1956 wrote to memory of 704	1956	Install.exe	forfiles.exe
PID 1956 wrote to memory of 704	1956	Install.exe	forfiles.exe
PID 1956 wrote to memory of 704	1956	Install.exe	forfiles.exe
PID 1956 wrote to memory of 1952	1956	Install.exe	forfiles.exe
PID 1956 wrote to memory of 1952	1956	Install.exe	forfiles.exe
PID 1956 wrote to memory of 1952	1956	Install.exe	forfiles.exe
PID 1956 wrote to memory of 1952	1956	Install.exe	forfiles.exe
PID 1956 wrote to memory of 1952	1956	Install.exe	forfiles.exe
PID 1956 wrote to memory of 1952	1956	Install.exe	forfiles.exe
PID 1956 wrote to memory of 1952	1956	Install.exe	forfiles.exe
PID 704 wrote to memory of 1292	704	forfiles.exe	cmd.exe
PID 704 wrote to memory of 1292	704	forfiles.exe	cmd.exe
PID 704 wrote to memory of 1292	704	forfiles.exe	cmd.exe
PID 704 wrote to memory of 1292	704	forfiles.exe	cmd.exe
PID 704 wrote to memory of 1292	704	forfiles.exe	cmd.exe
PID 704 wrote to memory of 1292	704	forfiles.exe	cmd.exe
PID 704 wrote to memory of 1292	704	forfiles.exe	cmd.exe
PID 1952 wrote to memory of 1756	1952	forfiles.exe	cmd.exe
PID 1952 wrote to memory of 1756	1952	forfiles.exe	cmd.exe
PID 1952 wrote to memory of 1756	1952	forfiles.exe	cmd.exe
PID 1952 wrote to memory of 1756	1952	forfiles.exe	cmd.exe
PID 1952 wrote to memory of 1756	1952	forfiles.exe	cmd.exe
PID 1952 wrote to memory of 1756	1952	forfiles.exe	cmd.exe
PID 1952 wrote to memory of 1756	1952	forfiles.exe	cmd.exe
PID 1292 wrote to memory of 1760	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1760	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1760	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1760	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1760	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1760	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1760	1292	cmd.exe	reg.exe
PID 1756 wrote to memory of 968	1756	cmd.exe	reg.exe
PID 1756 wrote to memory of 968	1756	cmd.exe	reg.exe
PID 1756 wrote to memory of 968	1756	cmd.exe	reg.exe
PID 1756 wrote to memory of 968	1756	cmd.exe	reg.exe
PID 1756 wrote to memory of 968	1756	cmd.exe	reg.exe
PID 1756 wrote to memory of 968	1756	cmd.exe	reg.exe
PID 1756 wrote to memory of 968	1756	cmd.exe	reg.exe
PID 1292 wrote to memory of 1916	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1916	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1916	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1916	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1916	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1916	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1916	1292	cmd.exe	reg.exe
PID 1756 wrote to memory of 1492	1756	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\7zS25D9.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\7zS2CDB.tmp\Install.exe
.\Install.exe /S /site_id "525403"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1292

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:1760

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:1916

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1756

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:968

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:1492

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gtWMFWxFm" /SC once /ST 00:06:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:1836

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gtWMFWxFm"
4⤵
PID:544

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gtWMFWxFm"
4⤵
PID:2020

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bNHXguvSZYiOwSiXLC" /SC once /ST 15:31:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\AzLWMQp.exe\" 3x /site_id 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\taskeng.exe
taskeng.exe {3815C6C0-474F-4D71-872F-91A75B4351D9} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
PID:1628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:800

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1064

C:\Windows\system32\taskeng.exe
taskeng.exe {2770CD15-222A-4969-9FC4-A29E54CF2294} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\AzLWMQp.exe
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\AzLWMQp.exe 3x /site_id 525403 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1468

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gsDMGJUry" /SC once /ST 02:57:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1756

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gsDMGJUry"
3⤵
PID:1952

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gsDMGJUry"
3⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:960

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:572

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "guUXxzrqL" /SC once /ST 07:14:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1076

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "guUXxzrqL"
3⤵
PID:636

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "guUXxzrqL"
3⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1256

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:284

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
3⤵
PID:964

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\MYjwJFnMfsmfKHMw\BzctWuyA\jaDKZsghgTsyjAoK.wsf"
3⤵
PID:1656

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\MYjwJFnMfsmfKHMw\BzctWuyA\jaDKZsghgTsyjAoK.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:1964

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1424

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:908

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1716

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1952

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1756

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1620

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:360

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1352

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1544

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1696

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1564

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:976

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATZmuaBwNwmU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QYiUKrukFVUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SHsJRQZsU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aJAQLsoDkiWqC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\obbvPdCxLMZjlJoeoAR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fxkldoUMcXUSOxVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt" /t REG_DWORD /d 0 /reg:64
4⤵
PID:988

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:388

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MYjwJFnMfsmfKHMw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2000

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gNyZAoXAn" /SC once /ST 03:24:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:880

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gNyZAoXAn"
3⤵
PID:1492

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1892

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1948

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1256

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS25D9.tmp\Install.exe
Filesize
6.4MB

MD5
b829866d020ee2184ddb6915ea4190e2

SHA1
bd2466f3e57f4b1a9e0661d79e0cc22d7eac81fa

SHA256
23db00745f3d4be8108d75af4eb0448052ebfb1c589368d51a9ec01993be653a

SHA512
6335ca14f1cc88b95b017bbc1bd7a076d61194919e9699884d19056478adc1db883509ab126b515310c9d608a16bf0e85c6133ee3fddac70689c233204da384e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS25D9.tmp\Install.exe
Filesize
6.4MB

MD5
b829866d020ee2184ddb6915ea4190e2

SHA1
bd2466f3e57f4b1a9e0661d79e0cc22d7eac81fa

SHA256
23db00745f3d4be8108d75af4eb0448052ebfb1c589368d51a9ec01993be653a

SHA512
6335ca14f1cc88b95b017bbc1bd7a076d61194919e9699884d19056478adc1db883509ab126b515310c9d608a16bf0e85c6133ee3fddac70689c233204da384e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2CDB.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2CDB.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\AzLWMQp.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
C:\Users\Admin\AppData\Local\Temp\kVuqSqHMACBMgWqnt\QEJzPCsOgNeEaNF\AzLWMQp.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
300df578f0c7e71d169a5460637a186b

SHA1
57cc7b6d0ebaa8581fc3d8291349b13820ae6de2

SHA256
4942b940792f21ac01043007ae4d73a5cca4e382b5afea210e273f2db1e6d2d8

SHA512
5844575ceadef09b416d0f27c83ee569df31ed4b0ced0bee644c86a9c16247c5a61dc6b90e92785bad91fed181cd0951a4fa38eb9700635055f6fc3d5a2090a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
79354f5e55952f9ebb6484e95e187b3d

SHA1
4534dbdc8e17778fb65f7960504a39cedaf2d799

SHA256
d7ddb9de27c8dff4c59b0dae26c58d499bd5a5ad526eea73930f26e0ff4f0ef1

SHA512
125c75efab29f2aa5fd7e805c13024cf60da992405cd5c7e2d1c9f3999945f9b995c6b3641f940d64d9afabe92eda481ae22cb57d0316c5fc26789f01fdeeab6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
0c1282e4043f1c50116018e4f9ace8b3

SHA1
c58c0d868b4f909059aedd770464dbff1a3601aa

SHA256
12468e3eb33e23b928fddf1c8bde09b4c3078b31b0dc1a7d5d3e7b43e65152eb

SHA512
bd63b6690320eca557edc0b3ffa624a8bcec9065c22b32129dff793f95be82ea4c7f04a5f0f2745c74e852bb9cfd6b102f13229c8d204335a88a4299cdbcc7d6

Download Submit
C:\Windows\Temp\MYjwJFnMfsmfKHMw\BzctWuyA\jaDKZsghgTsyjAoK.wsf
Filesize
8KB

MD5
ab8fd925a07c97205233782c4b179e94

SHA1
b22e13f3edb25650dcb323c93f86bfc2e74c9c74

SHA256
94ff1e7e34b978f80fabbc94cbb813b5c4895e0b551daa01cfa61e2f6d3c93f7

SHA512
a3b26619212bb2a6766ca859a09dc37b8d3dc8692281101545c206703a74d9b6ce6856a4cc744ef9ff9eae002fe51b3d10c98b5d8eb59eb1b4971209196a79bf

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS25D9.tmp\Install.exe
Filesize
6.4MB

MD5
b829866d020ee2184ddb6915ea4190e2

SHA1
bd2466f3e57f4b1a9e0661d79e0cc22d7eac81fa

SHA256
23db00745f3d4be8108d75af4eb0448052ebfb1c589368d51a9ec01993be653a

SHA512
6335ca14f1cc88b95b017bbc1bd7a076d61194919e9699884d19056478adc1db883509ab126b515310c9d608a16bf0e85c6133ee3fddac70689c233204da384e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS25D9.tmp\Install.exe
Filesize
6.4MB

MD5
b829866d020ee2184ddb6915ea4190e2

SHA1
bd2466f3e57f4b1a9e0661d79e0cc22d7eac81fa

SHA256
23db00745f3d4be8108d75af4eb0448052ebfb1c589368d51a9ec01993be653a

SHA512
6335ca14f1cc88b95b017bbc1bd7a076d61194919e9699884d19056478adc1db883509ab126b515310c9d608a16bf0e85c6133ee3fddac70689c233204da384e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS25D9.tmp\Install.exe
Filesize
6.4MB

MD5
b829866d020ee2184ddb6915ea4190e2

SHA1
bd2466f3e57f4b1a9e0661d79e0cc22d7eac81fa

SHA256
23db00745f3d4be8108d75af4eb0448052ebfb1c589368d51a9ec01993be653a

SHA512
6335ca14f1cc88b95b017bbc1bd7a076d61194919e9699884d19056478adc1db883509ab126b515310c9d608a16bf0e85c6133ee3fddac70689c233204da384e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS25D9.tmp\Install.exe
Filesize
6.4MB

MD5
b829866d020ee2184ddb6915ea4190e2

SHA1
bd2466f3e57f4b1a9e0661d79e0cc22d7eac81fa

SHA256
23db00745f3d4be8108d75af4eb0448052ebfb1c589368d51a9ec01993be653a

SHA512
6335ca14f1cc88b95b017bbc1bd7a076d61194919e9699884d19056478adc1db883509ab126b515310c9d608a16bf0e85c6133ee3fddac70689c233204da384e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2CDB.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2CDB.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2CDB.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2CDB.tmp\Install.exe
Filesize
7.0MB

MD5
54042a806886288ad60c64e7adaa2f53

SHA1
30ee71d3a30dff86dad3224ea57d844e18505cc1

SHA256
facea1184fa61e0191fce707f9b9b137c5f5e96a687a7b9d944cc64b546d2487

SHA512
a3a73e500662bf3398936fd3acf4bdf4755abaf80379c7ab37c614014d48bb4b977108c660fd8942e2927562978cee5c2fbe6f29391ff98c26c1dd4ab4550001

Download Submit
memory/284-145-0x0000000000000000-mapping.dmp

Download
memory/320-181-0x000007FEF2D20000-0x000007FEF387D000-memory.dmp

Filesize
11.4MB

Download
memory/320-182-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/320-183-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/320-180-0x000007FEF3880000-0x000007FEF42A3000-memory.dmp

Filesize
10.1MB

Download
memory/360-163-0x0000000000000000-mapping.dmp

Download
memory/544-92-0x0000000000000000-mapping.dmp

Download
memory/572-129-0x0000000000000000-mapping.dmp

Download
memory/636-131-0x0000000000000000-mapping.dmp

Download
memory/688-164-0x0000000000000000-mapping.dmp

Download
memory/704-74-0x0000000000000000-mapping.dmp

Download
memory/780-156-0x0000000000000000-mapping.dmp

Download
memory/876-138-0x0000000000000000-mapping.dmp

Download
memory/908-155-0x0000000000000000-mapping.dmp

Download
memory/960-126-0x0000000000000000-mapping.dmp

Download
memory/964-146-0x0000000000000000-mapping.dmp

Download
memory/968-83-0x0000000000000000-mapping.dmp

Download
memory/976-170-0x0000000000000000-mapping.dmp

Download
memory/1076-130-0x0000000000000000-mapping.dmp

Download
memory/1080-98-0x0000000000000000-mapping.dmp

Download
memory/1148-94-0x0000000000000000-mapping.dmp

Download
memory/1148-97-0x000007FEF3850000-0x000007FEF43AD000-memory.dmp

Filesize
11.4MB

Download
memory/1148-101-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/1148-99-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/1148-100-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/1148-96-0x000007FEF43B0000-0x000007FEF4DD3000-memory.dmp

Filesize
10.1MB

Download
memory/1148-148-0x0000000000000000-mapping.dmp

Download
memory/1148-95-0x000007FEFB5C1000-0x000007FEFB5C3000-memory.dmp

Filesize
8KB

Download
memory/1256-143-0x0000000000000000-mapping.dmp

Download
memory/1264-176-0x0000000000000000-mapping.dmp

Download
memory/1292-77-0x0000000000000000-mapping.dmp

Download
memory/1348-172-0x0000000000000000-mapping.dmp

Download
memory/1352-166-0x0000000000000000-mapping.dmp

Download
memory/1424-154-0x0000000000000000-mapping.dmp

Download
memory/1460-147-0x0000000000000000-mapping.dmp

Download
memory/1468-107-0x0000000000000000-mapping.dmp

Download
memory/1492-87-0x0000000000000000-mapping.dmp

Download
memory/1508-165-0x0000000000000000-mapping.dmp

Download
memory/1508-144-0x0000000000000000-mapping.dmp

Download
memory/1508-116-0x0000000000000000-mapping.dmp

Download
memory/1508-119-0x000007FEF3880000-0x000007FEF42A3000-memory.dmp

Filesize
10.1MB

Download
memory/1508-123-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/1508-124-0x000000000239B000-0x00000000023BA000-memory.dmp

Filesize
124KB

Download
memory/1508-120-0x000007FEF2D20000-0x000007FEF387D000-memory.dmp

Filesize
11.4MB

Download
memory/1508-121-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/1544-149-0x0000000000000000-mapping.dmp

Download
memory/1544-167-0x0000000000000000-mapping.dmp

Download
memory/1564-169-0x0000000000000000-mapping.dmp

Download
memory/1620-162-0x0000000000000000-mapping.dmp

Download
memory/1656-150-0x0000000000000000-mapping.dmp

Download
memory/1660-174-0x0000000000000000-mapping.dmp

Download
memory/1664-157-0x0000000000000000-mapping.dmp

Download
memory/1696-127-0x0000000000000000-mapping.dmp

Download
memory/1696-168-0x0000000000000000-mapping.dmp

Download
memory/1716-159-0x0000000000000000-mapping.dmp

Download
memory/1716-137-0x000007FEF2380000-0x000007FEF2EDD000-memory.dmp

Filesize
11.4MB

Download
memory/1716-135-0x000007FEF2EE0000-0x000007FEF3903000-memory.dmp

Filesize
10.1MB

Download
memory/1716-136-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/1716-139-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/1716-140-0x00000000024AB000-0x00000000024CA000-memory.dmp

Filesize
124KB

Download
memory/1716-132-0x0000000000000000-mapping.dmp

Download
memory/1756-161-0x0000000000000000-mapping.dmp

Download
memory/1756-79-0x0000000000000000-mapping.dmp

Download
memory/1756-114-0x0000000000000000-mapping.dmp

Download
memory/1760-82-0x0000000000000000-mapping.dmp

Download
memory/1768-171-0x0000000000000000-mapping.dmp

Download
memory/1828-122-0x0000000000000000-mapping.dmp

Download
memory/1836-90-0x0000000000000000-mapping.dmp

Download
memory/1844-141-0x0000000000000000-mapping.dmp

Download
memory/1880-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1892-142-0x0000000000000000-mapping.dmp

Download
memory/1916-86-0x0000000000000000-mapping.dmp

Download
memory/1920-104-0x0000000000000000-mapping.dmp

Download
memory/1948-173-0x0000000000000000-mapping.dmp

Download
memory/1952-115-0x0000000000000000-mapping.dmp

Download
memory/1952-175-0x0000000000000000-mapping.dmp

Download
memory/1952-160-0x0000000000000000-mapping.dmp

Download
memory/1952-75-0x0000000000000000-mapping.dmp

Download
memory/1956-71-0x0000000010000000-0x0000000011000000-memory.dmp

Filesize
16.0MB

Download
memory/1956-64-0x0000000000000000-mapping.dmp

Download
memory/1964-151-0x0000000000000000-mapping.dmp

Download
memory/1984-56-0x0000000000000000-mapping.dmp

Download
memory/2004-158-0x0000000000000000-mapping.dmp

Download
memory/2008-125-0x0000000000000000-mapping.dmp

Download
memory/2020-102-0x0000000000000000-mapping.dmp

Download
memory/2020-128-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads