darkcomet | 5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be

General

Target

5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Size

394KB
MD5

56aa993a41a0cd5a8006d088d5283237
SHA1

8bc08024acc34a501a0cdbee4deab5fcb031de3b
SHA256

5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be
SHA512

1428301912495253d03c03dbcae08ca97bb6f4ecfd10de0ea342af4115796450e494a6b2ed2662bd1e49dcf5d5c00e6f38d780a3fc16764fee226b9affef4673

Score

10^/10

darkcomet jdb persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

JDB

C2

ogparm.no-ip.org:1604

Mutex

DC_MUTEX-1QSZ3S8

Attributes

gencode
ZRkFME9MDXp6
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

gvztlh.exe

pid process

2040 gvztlh.exe
Loads dropped DLL 1 IoCs

Processes:

5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe

pid process

736 5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe

pid	process
736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe

description	pid	process	target process
PID 736 set thread context of 1656	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 40 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
332	reg.exe
1740	reg.exe
2000	reg.exe
1616	reg.exe
992	reg.exe
1372	reg.exe
1544	reg.exe
1868	reg.exe
2024	reg.exe
1412	reg.exe
1696	reg.exe
1620	reg.exe
1712	reg.exe
1968	reg.exe
2024	reg.exe
1372	reg.exe
1492	reg.exe
1668	reg.exe
1116	reg.exe
1972	reg.exe
1644	reg.exe
1412	reg.exe
1304	reg.exe
1960	reg.exe
1348	reg.exe
1492	reg.exe
1176	reg.exe
1384	reg.exe
1788	reg.exe
1720	reg.exe
2012	reg.exe
1868	reg.exe
2016	reg.exe
1620	reg.exe
552	reg.exe
1680	reg.exe
1932	reg.exe
316	reg.exe
1732	reg.exe
1284	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gvztlh.exe

pid	process
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe
2040	gvztlh.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exegvztlh.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeSecurityPrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeTakeOwnershipPrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeLoadDriverPrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeSystemProfilePrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeSystemtimePrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeProfSingleProcessPrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeIncBasePriorityPrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeCreatePagefilePrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeBackupPrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeRestorePrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeShutdownPrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeDebugPrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeSystemEnvironmentPrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeChangeNotifyPrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeRemoteShutdownPrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeUndockPrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeManageVolumePrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeImpersonatePrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeCreateGlobalPrivilege	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: 33	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: 34	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: 35	1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
Token: SeDebugPrivilege	2040	gvztlh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe

pid process

1656 5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe

pid	process
1656	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 736 wrote to memory of 1656	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
PID 736 wrote to memory of 1656	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
PID 736 wrote to memory of 1656	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
PID 736 wrote to memory of 1656	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
PID 736 wrote to memory of 1656	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
PID 736 wrote to memory of 1656	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
PID 736 wrote to memory of 1656	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
PID 736 wrote to memory of 1656	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
PID 736 wrote to memory of 1656	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
PID 736 wrote to memory of 1656	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
PID 736 wrote to memory of 1656	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
PID 736 wrote to memory of 1656	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
PID 736 wrote to memory of 1656	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
PID 736 wrote to memory of 2040	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	gvztlh.exe
PID 736 wrote to memory of 2040	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	gvztlh.exe
PID 736 wrote to memory of 2040	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	gvztlh.exe
PID 736 wrote to memory of 2040	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	gvztlh.exe
PID 736 wrote to memory of 1768	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 1768	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 1768	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 1768	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 1768 wrote to memory of 552	1768	cmd.exe	reg.exe
PID 1768 wrote to memory of 552	1768	cmd.exe	reg.exe
PID 1768 wrote to memory of 552	1768	cmd.exe	reg.exe
PID 1768 wrote to memory of 552	1768	cmd.exe	reg.exe
PID 736 wrote to memory of 1556	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 1556	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 1556	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 1556	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 1556 wrote to memory of 1492	1556	cmd.exe	reg.exe
PID 1556 wrote to memory of 1492	1556	cmd.exe	reg.exe
PID 1556 wrote to memory of 1492	1556	cmd.exe	reg.exe
PID 1556 wrote to memory of 1492	1556	cmd.exe	reg.exe
PID 736 wrote to memory of 1576	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 1576	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 1576	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 1576	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 1576 wrote to memory of 2012	1576	cmd.exe	reg.exe
PID 1576 wrote to memory of 2012	1576	cmd.exe	reg.exe
PID 1576 wrote to memory of 2012	1576	cmd.exe	reg.exe
PID 1576 wrote to memory of 2012	1576	cmd.exe	reg.exe
PID 736 wrote to memory of 1124	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 1124	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 1124	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 1124	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 1124 wrote to memory of 332	1124	cmd.exe	reg.exe
PID 1124 wrote to memory of 332	1124	cmd.exe	reg.exe
PID 1124 wrote to memory of 332	1124	cmd.exe	reg.exe
PID 1124 wrote to memory of 332	1124	cmd.exe	reg.exe
PID 736 wrote to memory of 636	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 636	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 636	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 636	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 636 wrote to memory of 1668	636	cmd.exe	reg.exe
PID 636 wrote to memory of 1668	636	cmd.exe	reg.exe
PID 636 wrote to memory of 1668	636	cmd.exe	reg.exe
PID 636 wrote to memory of 1668	636	cmd.exe	reg.exe
PID 736 wrote to memory of 520	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 520	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 520	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 736 wrote to memory of 520	736	5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe	cmd.exe
PID 520 wrote to memory of 1116	520	cmd.exe	reg.exe
PID 520 wrote to memory of 1116	520	cmd.exe	reg.exe
PID 520 wrote to memory of 1116	520	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
"C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:736

C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe
"C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Users\Admin\AppData\Local\Temp\gvztlh.exe
"C:\Users\Admin\AppData\Local\Temp\gvztlh.exe" "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe-true"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Modifies registry key
PID:1644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe" & exit
2⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "WindowsDefender" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5b55e2dbac9d4cd6ac167d2901fc0757efe21ac0fc9d0f44aa45ed38d6df82be.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gvztlh.exe
Filesize
9KB

MD5
88d821627e48b2ae11df5898dd827b68

SHA1
04963ea40344bbc4126f5f9c39f2135af356aab2

SHA256
4b3b647df8ec0b257e0b253e18609595798e02650dbae948c7503d4183fbdbca

SHA512
de32b4fa0d1608cb113bf2eb6c4b96a11f85897d38122ed3df55159c1fe888a7e7c727094715f32feea061ee08dadfbb3eb355095f2f220557984ca8e1f1031e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gvztlh.exe
Filesize
9KB

MD5
88d821627e48b2ae11df5898dd827b68

SHA1
04963ea40344bbc4126f5f9c39f2135af356aab2

SHA256
4b3b647df8ec0b257e0b253e18609595798e02650dbae948c7503d4183fbdbca

SHA512
de32b4fa0d1608cb113bf2eb6c4b96a11f85897d38122ed3df55159c1fe888a7e7c727094715f32feea061ee08dadfbb3eb355095f2f220557984ca8e1f1031e

Download Submit
\Users\Admin\AppData\Local\Temp\gvztlh.exe
Filesize
9KB

MD5
88d821627e48b2ae11df5898dd827b68

SHA1
04963ea40344bbc4126f5f9c39f2135af356aab2

SHA256
4b3b647df8ec0b257e0b253e18609595798e02650dbae948c7503d4183fbdbca

SHA512
de32b4fa0d1608cb113bf2eb6c4b96a11f85897d38122ed3df55159c1fe888a7e7c727094715f32feea061ee08dadfbb3eb355095f2f220557984ca8e1f1031e

Download Submit
memory/316-128-0x0000000000000000-mapping.dmp

Download
memory/332-98-0x0000000000000000-mapping.dmp

Download
memory/520-102-0x0000000000000000-mapping.dmp

Download
memory/552-133-0x0000000000000000-mapping.dmp

Download
memory/552-91-0x0000000000000000-mapping.dmp

Download
memory/604-121-0x0000000000000000-mapping.dmp

Download
memory/636-99-0x0000000000000000-mapping.dmp

Download
memory/736-101-0x00000000743F0000-0x000000007499B000-memory.dmp

Filesize
5.7MB

Download
memory/736-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/736-83-0x00000000743F0000-0x000000007499B000-memory.dmp

Filesize
5.7MB

Download
memory/816-151-0x0000000000000000-mapping.dmp

Download
memory/820-111-0x0000000000000000-mapping.dmp

Download
memory/948-123-0x0000000000000000-mapping.dmp

Download
memory/992-126-0x0000000000000000-mapping.dmp

Download
memory/996-105-0x0000000000000000-mapping.dmp

Download
memory/1116-103-0x0000000000000000-mapping.dmp

Download
memory/1124-97-0x0000000000000000-mapping.dmp

Download
memory/1176-138-0x0000000000000000-mapping.dmp

Download
memory/1248-129-0x0000000000000000-mapping.dmp

Download
memory/1304-154-0x0000000000000000-mapping.dmp

Download
memory/1320-113-0x0000000000000000-mapping.dmp

Download
memory/1324-139-0x0000000000000000-mapping.dmp

Download
memory/1348-122-0x0000000000000000-mapping.dmp

Download
memory/1356-125-0x0000000000000000-mapping.dmp

Download
memory/1368-107-0x0000000000000000-mapping.dmp

Download
memory/1372-142-0x0000000000000000-mapping.dmp

Download
memory/1384-148-0x0000000000000000-mapping.dmp

Download
memory/1412-130-0x0000000000000000-mapping.dmp

Download
memory/1412-146-0x0000000000000000-mapping.dmp

Download
memory/1432-109-0x0000000000000000-mapping.dmp

Download
memory/1444-147-0x0000000000000000-mapping.dmp

Download
memory/1492-134-0x0000000000000000-mapping.dmp

Download
memory/1492-94-0x0000000000000000-mapping.dmp

Download
memory/1496-149-0x0000000000000000-mapping.dmp

Download
memory/1544-150-0x0000000000000000-mapping.dmp

Download
memory/1556-93-0x0000000000000000-mapping.dmp

Download
memory/1576-95-0x0000000000000000-mapping.dmp

Download
memory/1616-108-0x0000000000000000-mapping.dmp

Download
memory/1620-144-0x0000000000000000-mapping.dmp

Download
memory/1644-116-0x0000000000000000-mapping.dmp

Download
memory/1656-90-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/1656-62-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/1656-71-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/1656-76-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/1656-58-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/1656-81-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/1656-60-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/1656-70-0x000000000048F888-mapping.dmp

Download
memory/1656-65-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/1656-64-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/1656-67-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/1656-56-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/1656-55-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/1668-100-0x0000000000000000-mapping.dmp

Download
memory/1680-106-0x0000000000000000-mapping.dmp

Download
memory/1696-140-0x0000000000000000-mapping.dmp

Download
memory/1732-132-0x0000000000000000-mapping.dmp

Download
memory/1740-114-0x0000000000000000-mapping.dmp

Download
memory/1760-119-0x0000000000000000-mapping.dmp

Download
memory/1768-89-0x0000000000000000-mapping.dmp

Download
memory/1780-117-0x0000000000000000-mapping.dmp

Download
memory/1792-137-0x0000000000000000-mapping.dmp

Download
memory/1824-143-0x0000000000000000-mapping.dmp

Download
memory/1836-127-0x0000000000000000-mapping.dmp

Download
memory/1864-115-0x0000000000000000-mapping.dmp

Download
memory/1868-124-0x0000000000000000-mapping.dmp

Download
memory/1932-110-0x0000000000000000-mapping.dmp

Download
memory/1940-145-0x0000000000000000-mapping.dmp

Download
memory/1960-120-0x0000000000000000-mapping.dmp

Download
memory/1964-141-0x0000000000000000-mapping.dmp

Download
memory/1972-112-0x0000000000000000-mapping.dmp

Download
memory/2000-152-0x0000000000000000-mapping.dmp

Download
memory/2012-96-0x0000000000000000-mapping.dmp

Download
memory/2016-136-0x0000000000000000-mapping.dmp

Download
memory/2016-153-0x0000000000000000-mapping.dmp

Download
memory/2024-118-0x0000000000000000-mapping.dmp

Download
memory/2032-135-0x0000000000000000-mapping.dmp

Download
memory/2040-92-0x00000000743F0000-0x000000007499B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-85-0x0000000000000000-mapping.dmp

Download
memory/2040-104-0x00000000743F0000-0x000000007499B000-memory.dmp

Filesize
5.7MB

Download
memory/2044-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads