Analysis
-
max time kernel
124s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
23-11-2022 15:21
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
d7772af55ad86fd7e0d80b329232d4a0
-
SHA1
91bd1a0568fe8f276fd60049412672cb349cd73b
-
SHA256
a30898a315160935891eaf5dc01eac7086e6a72e14dfb9f7be43835261f87290
-
SHA512
d2f4ec0885da71f43b2758d0b21266b53a30014e8d4775c3181d834ac3fb9f5b8acc6a0f549c52e4f40ecfadd1f5b6b70bdac6364492a68e007b6a4ccdbc2e71
-
SSDEEP
196608:91OaKOEjiU9l5UOA0yU/MmtNSM3f7LoVf/Ui2g6n:3Oa8Hl5tA0yTmW8Lt8G
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 36 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 9 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 29 IoCs
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSA4E.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSF6C.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gavxrfSwB" /SC once /ST 08:07:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gavxrfSwB"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gavxrfSwB"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bPisEBnRwoxYOmuHrm" /SC once /ST 15:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\cpvVqbD.exe\" mF /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {A1CEFEAB-C2E6-4B0C-BB89-15FC67B3C9CA} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {F5928324-3087-413A-A73C-96F10C3424C9} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\cpvVqbD.exeC:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\cpvVqbD.exe mF /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gQoFWxGcV" /SC once /ST 06:10:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gQoFWxGcV"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gQoFWxGcV"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gnMMQZcNb" /SC once /ST 00:47:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gnMMQZcNb"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gnMMQZcNb"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\LzrOtnkAyuDpOCzW\KWAuIQLm\ZrDdQCujpbslaxWw.wsf"3⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\LzrOtnkAyuDpOCzW\KWAuIQLm\ZrDdQCujpbslaxWw.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QtEKgGNERTHTknVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QtEKgGNERTHTknVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QtEKgGNERTHTknVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QtEKgGNERTHTknVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gCOflLDAd" /SC once /ST 04:52:44 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gCOflLDAd"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gCOflLDAd"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ehnYTuGzyhWqfGFsn" /SC once /ST 13:35:37 /RU "SYSTEM" /TR "\"C:\Windows\Temp\LzrOtnkAyuDpOCzW\ASUEhtNmEGCZDbi\RMgqiJT.exe\" 4c /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ehnYTuGzyhWqfGFsn"3⤵
-
-
-
C:\Windows\Temp\LzrOtnkAyuDpOCzW\ASUEhtNmEGCZDbi\RMgqiJT.exeC:\Windows\Temp\LzrOtnkAyuDpOCzW\ASUEhtNmEGCZDbi\RMgqiJT.exe 4c /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bPisEBnRwoxYOmuHrm"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\vCYWhmhlU\EYdAax.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ulJHerdNyNJKzGw" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1876885519-872167028982782957-19724904746496270972813937251829780927-1373527193"1⤵
- Windows security bypass
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.3MB
MD574dc860256858b61c0170b9af62c3a83
SHA18d499018f6467a2f7c4f78ea9915e3774f640fbd
SHA256330eb0a24c02d4dcee908a2c3274b113427e40d792f2bca729b54a9ea5c48f8a
SHA51256cc2aef2db9f3e1140a28cf33bddbb2e5d3fc5ea014b39caac42d703e884477b7f4fd5469fa72221e7ec951d5f9a4af5698ddb79bcb9b460553d9c4b4cbd625
-
Filesize
6.3MB
MD574dc860256858b61c0170b9af62c3a83
SHA18d499018f6467a2f7c4f78ea9915e3774f640fbd
SHA256330eb0a24c02d4dcee908a2c3274b113427e40d792f2bca729b54a9ea5c48f8a
SHA51256cc2aef2db9f3e1140a28cf33bddbb2e5d3fc5ea014b39caac42d703e884477b7f4fd5469fa72221e7ec951d5f9a4af5698ddb79bcb9b460553d9c4b4cbd625
-
Filesize
6.8MB
MD5a37dbf6bceec57a1792cefc8691b4930
SHA197a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063
SHA256edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa
SHA512b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77
-
Filesize
6.8MB
MD5a37dbf6bceec57a1792cefc8691b4930
SHA197a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063
SHA256edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa
SHA512b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77
-
Filesize
6.8MB
MD5a37dbf6bceec57a1792cefc8691b4930
SHA197a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063
SHA256edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa
SHA512b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77
-
Filesize
6.8MB
MD5a37dbf6bceec57a1792cefc8691b4930
SHA197a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063
SHA256edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa
SHA512b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77
-
Filesize
7KB
MD59529d96ee36fcb68331585deb81e11c4
SHA19428caff46ebb9932158ad52cf6a589dd9fd99af
SHA256d404ec125846dd98d0446fcf2dcfd88a49979198357ab4f0999380bce515346a
SHA512d28ccb814f8c371f169e562db1f57b88cff303971acfba89244ceb5d76cbcb6bdc4f6843ec6c6aef6ca6c4f1e4866ac8323bae3d5093ee34255d7cae7286293d
-
Filesize
7KB
MD52a9cbf2b386f930bb5df25edfd9e8f6e
SHA10dcefb4499875a910382b24963d5c770803c2c6b
SHA256cb2523a2d74a63a26a8c6d5e4cc621c520c4fdb3a1d05bb7a0fb716a230de6cd
SHA51267c9d55949a740336d3cb3144cc5374e6de8e803c3fb1abe890c919050a04b44375fad69783f2990341a23acf7fe0023ca3d5992aac34012ecf6e8298f365ee3
-
Filesize
7KB
MD592abe87275b0baa44738ae21ba862f59
SHA1329ae05cef9f9799c825e7db786a1bf09ea3fa45
SHA256e194348b53249fa4962c1b13b0a0c002f754ace68917ca1af4fcf748b03c6923
SHA512098591626eaa8916acd744d646b6e2200b8461d59c800c780a0954d6ce7e2f0729035a238e245dd4d08dc8feb5a5dbca6eddf099be7d731609929c481b28211a
-
Filesize
6.8MB
MD5a37dbf6bceec57a1792cefc8691b4930
SHA197a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063
SHA256edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa
SHA512b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77
-
Filesize
6.8MB
MD5a37dbf6bceec57a1792cefc8691b4930
SHA197a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063
SHA256edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa
SHA512b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77
-
Filesize
8KB
MD523c6a0c9c0d769a044e024334bfff402
SHA1339fe0192069fa34df6ad63a9ebe5822a0b4c0e8
SHA256e1b3a9ff7671190b1b28bf4dec96901edfe5bdb26db85dd105b4a0584dfbd738
SHA51225d3bc2ba0d9aefd044251c76b3ab99affffa7263cbfbabf7bcb08b051ee837307dc3ca2df38366798955d4a2654297f48318003efd151d434cd07b5fd089061
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.3MB
MD574dc860256858b61c0170b9af62c3a83
SHA18d499018f6467a2f7c4f78ea9915e3774f640fbd
SHA256330eb0a24c02d4dcee908a2c3274b113427e40d792f2bca729b54a9ea5c48f8a
SHA51256cc2aef2db9f3e1140a28cf33bddbb2e5d3fc5ea014b39caac42d703e884477b7f4fd5469fa72221e7ec951d5f9a4af5698ddb79bcb9b460553d9c4b4cbd625
-
Filesize
6.3MB
MD574dc860256858b61c0170b9af62c3a83
SHA18d499018f6467a2f7c4f78ea9915e3774f640fbd
SHA256330eb0a24c02d4dcee908a2c3274b113427e40d792f2bca729b54a9ea5c48f8a
SHA51256cc2aef2db9f3e1140a28cf33bddbb2e5d3fc5ea014b39caac42d703e884477b7f4fd5469fa72221e7ec951d5f9a4af5698ddb79bcb9b460553d9c4b4cbd625
-
Filesize
6.3MB
MD574dc860256858b61c0170b9af62c3a83
SHA18d499018f6467a2f7c4f78ea9915e3774f640fbd
SHA256330eb0a24c02d4dcee908a2c3274b113427e40d792f2bca729b54a9ea5c48f8a
SHA51256cc2aef2db9f3e1140a28cf33bddbb2e5d3fc5ea014b39caac42d703e884477b7f4fd5469fa72221e7ec951d5f9a4af5698ddb79bcb9b460553d9c4b4cbd625
-
Filesize
6.3MB
MD574dc860256858b61c0170b9af62c3a83
SHA18d499018f6467a2f7c4f78ea9915e3774f640fbd
SHA256330eb0a24c02d4dcee908a2c3274b113427e40d792f2bca729b54a9ea5c48f8a
SHA51256cc2aef2db9f3e1140a28cf33bddbb2e5d3fc5ea014b39caac42d703e884477b7f4fd5469fa72221e7ec951d5f9a4af5698ddb79bcb9b460553d9c4b4cbd625
-
Filesize
6.8MB
MD5a37dbf6bceec57a1792cefc8691b4930
SHA197a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063
SHA256edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa
SHA512b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77
-
Filesize
6.8MB
MD5a37dbf6bceec57a1792cefc8691b4930
SHA197a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063
SHA256edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa
SHA512b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77
-
Filesize
6.8MB
MD5a37dbf6bceec57a1792cefc8691b4930
SHA197a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063
SHA256edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa
SHA512b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77
-
Filesize
6.8MB
MD5a37dbf6bceec57a1792cefc8691b4930
SHA197a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063
SHA256edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa
SHA512b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77
-
-
-
-
Filesize
10.1MB
-
-
Filesize
8KB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
124KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
3.0MB
-
Filesize
11.4MB
-
Filesize
12KB
-
-
Filesize
11.4MB
-
Filesize
124KB
-
-
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
12KB
-
-
Filesize
13.2MB
-
-
-
-
-
-
-
-
-
-
-
Filesize
412KB
-
Filesize
532KB
-
-
-
Filesize
12KB
-
Filesize
124KB
-
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
12KB
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
8KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-