10618c686daa3f878ac92104e7c8e0c1529434b616266723776e4a9c88170c5c

Analysis

max time kernel
119s
max time network
110s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03ff68c776a2d6b53fb37632da2b1fb0N.exe
Size

6.4MB
MD5

03ff68c776a2d6b53fb37632da2b1fb0
SHA1

7c4783f0df0136b0743ed246778442a3a4a81b89
SHA256

10618c686daa3f878ac92104e7c8e0c1529434b616266723776e4a9c88170c5c
SHA512

65faba2b8d39378d67ee70e5b2e05f617a6fd4d15e9dd78e0d2f1419e5da216237b62c96827b15c8da96d932869617fc7f930b4496d1a75382f6b2ec230055ff
SSDEEP

196608:91Okl7QcP1p+o5ETEunJjvC7oUoa7m1QtdcwG:3OgV9cOEounJjvMoVa7mwHG

Score

10^/10

evasion execution spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe

Windows security bypass 2 TTPs 40 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\GWySJhlKSbDuiomy = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\GWySJhlKSbDuiomy = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\iFIQBiuMTZUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FhsMTvRiU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RFxCBGtTODaU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\GWySJhlKSbDuiomy = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\GWySJhlKSbDuiomy = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\iFIQBiuMTZUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vBQZIWFuokkDzStmV = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GLXYdpiECluCPYQiXJR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\DVkSBBtutEOgdaVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\BAJdVDKENAtrC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FhsMTvRiU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\DVkSBBtutEOgdaVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vBQZIWFuokkDzStmV = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\BAJdVDKENAtrC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GLXYdpiECluCPYQiXJR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RFxCBGtTODaU2 = "0"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2600	powershell.exe
1940	powershell.EXE
2196	powershell.EXE
1388	powershell.exe
2104	powershell.EXE

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Executes dropped EXE 3 IoCs

pid	Process
2692	Install.exe
2792	lUfLVlW.exe
1596	TBECDst.exe

Loads dropped DLL 7 IoCs

pid	Process
2156	03ff68c776a2d6b53fb37632da2b1fb0N.exe
2692	Install.exe
2692	Install.exe
2692	Install.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	lUfLVlW.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	lUfLVlW.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	lUfLVlW.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	lUfLVlW.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bhUbGthiAMRPkmWnMY.job	schtasks.exe
File created	C:\Windows\Tasks\FeXuZZpzPKWOhLEOt.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2468	2792	WerFault.exe	40

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	lUfLVlW.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	lUfLVlW.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30eceb30aadbda01	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	lUfLVlW.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	lUfLVlW.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000109c9830aadbda01	lUfLVlW.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1596	schtasks.exe
2800	schtasks.exe
960	schtasks.exe
784	schtasks.exe
2544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2600	powershell.exe
1940	powershell.EXE
1940	powershell.EXE
1940	powershell.EXE
2196	powershell.EXE
2196	powershell.EXE
2196	powershell.EXE
1388	powershell.exe
2104	powershell.EXE
2104	powershell.EXE
2104	powershell.EXE

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeIncreaseQuotaPrivilege	3020	WMIC.exe
Token: SeSecurityPrivilege	3020	WMIC.exe
Token: SeTakeOwnershipPrivilege	3020	WMIC.exe
Token: SeLoadDriverPrivilege	3020	WMIC.exe
Token: SeSystemProfilePrivilege	3020	WMIC.exe
Token: SeSystemtimePrivilege	3020	WMIC.exe
Token: SeProfSingleProcessPrivilege	3020	WMIC.exe
Token: SeIncBasePriorityPrivilege	3020	WMIC.exe
Token: SeCreatePagefilePrivilege	3020	WMIC.exe
Token: SeBackupPrivilege	3020	WMIC.exe
Token: SeRestorePrivilege	3020	WMIC.exe
Token: SeShutdownPrivilege	3020	WMIC.exe
Token: SeDebugPrivilege	3020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3020	WMIC.exe
Token: SeRemoteShutdownPrivilege	3020	WMIC.exe
Token: SeUndockPrivilege	3020	WMIC.exe
Token: SeManageVolumePrivilege	3020	WMIC.exe
Token: 33	3020	WMIC.exe
Token: 34	3020	WMIC.exe
Token: 35	3020	WMIC.exe
Token: SeDebugPrivilege	1940	powershell.EXE
Token: SeDebugPrivilege	2196	powershell.EXE
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1948	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1948	WMIC.exe
Token: SeSecurityPrivilege	1948	WMIC.exe
Token: SeTakeOwnershipPrivilege	1948	WMIC.exe
Token: SeLoadDriverPrivilege	1948	WMIC.exe
Token: SeSystemtimePrivilege	1948	WMIC.exe
Token: SeBackupPrivilege	1948	WMIC.exe
Token: SeRestorePrivilege	1948	WMIC.exe
Token: SeShutdownPrivilege	1948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1948	WMIC.exe
Token: SeUndockPrivilege	1948	WMIC.exe
Token: SeManageVolumePrivilege	1948	WMIC.exe
Token: SeDebugPrivilege	2104	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2692	2156	03ff68c776a2d6b53fb37632da2b1fb0N.exe	30
PID 2156 wrote to memory of 2692	2156	03ff68c776a2d6b53fb37632da2b1fb0N.exe	30
PID 2156 wrote to memory of 2692	2156	03ff68c776a2d6b53fb37632da2b1fb0N.exe	30
PID 2156 wrote to memory of 2692	2156	03ff68c776a2d6b53fb37632da2b1fb0N.exe	30
PID 2156 wrote to memory of 2692	2156	03ff68c776a2d6b53fb37632da2b1fb0N.exe	30
PID 2156 wrote to memory of 2692	2156	03ff68c776a2d6b53fb37632da2b1fb0N.exe	30
PID 2156 wrote to memory of 2692	2156	03ff68c776a2d6b53fb37632da2b1fb0N.exe	30
PID 2692 wrote to memory of 2788	2692	Install.exe	32
PID 2692 wrote to memory of 2788	2692	Install.exe	32
PID 2692 wrote to memory of 2788	2692	Install.exe	32
PID 2692 wrote to memory of 2788	2692	Install.exe	32
PID 2692 wrote to memory of 2788	2692	Install.exe	32
PID 2692 wrote to memory of 2788	2692	Install.exe	32
PID 2692 wrote to memory of 2788	2692	Install.exe	32
PID 2788 wrote to memory of 2652	2788	forfiles.exe	34
PID 2788 wrote to memory of 2652	2788	forfiles.exe	34
PID 2788 wrote to memory of 2652	2788	forfiles.exe	34
PID 2788 wrote to memory of 2652	2788	forfiles.exe	34
PID 2788 wrote to memory of 2652	2788	forfiles.exe	34
PID 2788 wrote to memory of 2652	2788	forfiles.exe	34
PID 2788 wrote to memory of 2652	2788	forfiles.exe	34
PID 2652 wrote to memory of 2600	2652	cmd.exe	35
PID 2652 wrote to memory of 2600	2652	cmd.exe	35
PID 2652 wrote to memory of 2600	2652	cmd.exe	35
PID 2652 wrote to memory of 2600	2652	cmd.exe	35
PID 2652 wrote to memory of 2600	2652	cmd.exe	35
PID 2652 wrote to memory of 2600	2652	cmd.exe	35
PID 2652 wrote to memory of 2600	2652	cmd.exe	35
PID 2600 wrote to memory of 3020	2600	powershell.exe	36
PID 2600 wrote to memory of 3020	2600	powershell.exe	36
PID 2600 wrote to memory of 3020	2600	powershell.exe	36
PID 2600 wrote to memory of 3020	2600	powershell.exe	36
PID 2600 wrote to memory of 3020	2600	powershell.exe	36
PID 2600 wrote to memory of 3020	2600	powershell.exe	36
PID 2600 wrote to memory of 3020	2600	powershell.exe	36
PID 2692 wrote to memory of 1596	2692	Install.exe	37
PID 2692 wrote to memory of 1596	2692	Install.exe	37
PID 2692 wrote to memory of 1596	2692	Install.exe	37
PID 2692 wrote to memory of 1596	2692	Install.exe	37
PID 2692 wrote to memory of 1596	2692	Install.exe	37
PID 2692 wrote to memory of 1596	2692	Install.exe	37
PID 2692 wrote to memory of 1596	2692	Install.exe	37
PID 1532 wrote to memory of 2792	1532	taskeng.exe	40
PID 1532 wrote to memory of 2792	1532	taskeng.exe	40
PID 1532 wrote to memory of 2792	1532	taskeng.exe	40
PID 1532 wrote to memory of 2792	1532	taskeng.exe	40
PID 2792 wrote to memory of 2800	2792	lUfLVlW.exe	41
PID 2792 wrote to memory of 2800	2792	lUfLVlW.exe	41
PID 2792 wrote to memory of 2800	2792	lUfLVlW.exe	41
PID 2792 wrote to memory of 2800	2792	lUfLVlW.exe	41
PID 2792 wrote to memory of 2384	2792	lUfLVlW.exe	43
PID 2792 wrote to memory of 2384	2792	lUfLVlW.exe	43
PID 2792 wrote to memory of 2384	2792	lUfLVlW.exe	43
PID 2792 wrote to memory of 2384	2792	lUfLVlW.exe	43
PID 516 wrote to memory of 1940	516	taskeng.exe	46
PID 516 wrote to memory of 1940	516	taskeng.exe	46
PID 516 wrote to memory of 1940	516	taskeng.exe	46
PID 1940 wrote to memory of 320	1940	powershell.EXE	48
PID 1940 wrote to memory of 320	1940	powershell.EXE	48
PID 1940 wrote to memory of 320	1940	powershell.EXE	48
PID 2792 wrote to memory of 3068	2792	lUfLVlW.exe	51
PID 2792 wrote to memory of 3068	2792	lUfLVlW.exe	51
PID 2792 wrote to memory of 3068	2792	lUfLVlW.exe	51
PID 2792 wrote to memory of 3068	2792	lUfLVlW.exe	51

C:\Users\Admin\AppData\Local\Temp\03ff68c776a2d6b53fb37632da2b1fb0N.exe
"C:\Users\Admin\AppData\Local\Temp\03ff68c776a2d6b53fb37632da2b1fb0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\7zS3FDE.tmp\Install.exe
  .\Install.exe /jjdidjaR "525403" /S
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "bhUbGthiAMRPkmWnMY" /SC once /ST 20:11:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\vBQZIWFuokkDzStmV\PuqSOhquDeJkxWB\lUfLVlW.exe\" yE /Udidxzwc 525403 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Scheduled Task/Job: Scheduled Task
    PID:1596

C:\Windows\system32\taskeng.exe
taskeng.exe {9BB22CBE-B20B-4C94-A6B3-8B95A97F3DD1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\vBQZIWFuokkDzStmV\PuqSOhquDeJkxWB\lUfLVlW.exe
  C:\Users\Admin\AppData\Local\Temp\vBQZIWFuokkDzStmV\PuqSOhquDeJkxWB\lUfLVlW.exe yE /Udidxzwc 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gkMjIJZsy" /SC once /ST 09:32:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2800
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gkMjIJZsy"
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gkMjIJZsy"
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1632
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:2228
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:936
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gRoFQWJpS" /SC once /ST 10:08:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:960
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gRoFQWJpS"
    3⤵
    PID:692
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gRoFQWJpS"
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
    3⤵
    PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
      4⤵
      PID:2020
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\GWySJhlKSbDuiomy" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1604
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\GWySJhlKSbDuiomy" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\GWySJhlKSbDuiomy" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2684
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\GWySJhlKSbDuiomy" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\GWySJhlKSbDuiomy" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2344
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\GWySJhlKSbDuiomy" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:344
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\GWySJhlKSbDuiomy" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2924
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\GWySJhlKSbDuiomy" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\GWySJhlKSbDuiomy\QuctZYEw\CxdZVODMWSkUuZQX.wsf"
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\GWySJhlKSbDuiomy\QuctZYEw\CxdZVODMWSkUuZQX.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1096
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BAJdVDKENAtrC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2532
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BAJdVDKENAtrC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2512
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FhsMTvRiU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2716
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FhsMTvRiU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1352
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GLXYdpiECluCPYQiXJR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1140
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GLXYdpiECluCPYQiXJR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:328
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFxCBGtTODaU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2072
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFxCBGtTODaU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1952
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iFIQBiuMTZUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2668
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iFIQBiuMTZUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2276
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\DVkSBBtutEOgdaVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2400
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\DVkSBBtutEOgdaVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:932
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1204
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1904
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vBQZIWFuokkDzStmV" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1932
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vBQZIWFuokkDzStmV" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:684
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\GWySJhlKSbDuiomy" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:524
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\GWySJhlKSbDuiomy" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2076
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BAJdVDKENAtrC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2136
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BAJdVDKENAtrC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FhsMTvRiU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2112
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FhsMTvRiU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2304
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GLXYdpiECluCPYQiXJR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GLXYdpiECluCPYQiXJR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFxCBGtTODaU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFxCBGtTODaU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3068
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iFIQBiuMTZUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1208
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iFIQBiuMTZUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2228
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\DVkSBBtutEOgdaVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2996
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\DVkSBBtutEOgdaVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:692
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2816
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vBQZIWFuokkDzStmV" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1668
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vBQZIWFuokkDzStmV" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:300
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\GWySJhlKSbDuiomy" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2108
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\GWySJhlKSbDuiomy" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2220
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "giubtiHZJ" /SC once /ST 05:06:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:784
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "giubtiHZJ"
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "giubtiHZJ"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:344
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:3032
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      4⤵
      PID:2296
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "FeXuZZpzPKWOhLEOt" /SC once /ST 05:11:31 /RU "SYSTEM" /TR "\"C:\Windows\Temp\GWySJhlKSbDuiomy\pbDASbhhELNebkI\TBECDst.exe\" 2o /bTPzdidlC 525403 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Scheduled Task/Job: Scheduled Task
    PID:2544
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "FeXuZZpzPKWOhLEOt"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2468
- C:\Windows\Temp\GWySJhlKSbDuiomy\pbDASbhhELNebkI\TBECDst.exe
  C:\Windows\Temp\GWySJhlKSbDuiomy\pbDASbhhELNebkI\TBECDst.exe 2o /bTPzdidlC 525403 /S
  2⤵
  - Executes dropped EXE
  PID:1596

C:\Windows\system32\taskeng.exe
taskeng.exe {31741A82-3236-4A08-B36A-AA5A65143630} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2028

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2008

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2972

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\371N7H1A72G5LV8DGNB4.temp

Filesize
7KB

MD5
26f2704acb37a6b963e0bc571dee6bb9

SHA1
9cd54cfe8668e0056e2acc5d9dc1456be62d4ec4

SHA256
84b67bcc602710a25c1fa1ed6bc179031111836ed5e1d26f51315f9a813faedc

SHA512
08a379dce265489598136ad09365a89e3ee0f5190979e9e2ee384e3cdba8f1ddee5c9ec3dd4b2f3105e27ee4e5987f45465594eda95fb1ea7ac68616edbb2508

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cccf302f62e228680e45124c2345d77e

SHA1
80ac95c1c7eddfb38634f03c48d1c7d25b97b463

SHA256
f6977cf838eb20ebaa5d0001fbc8401877894deb4aad430bbe20307a011b584d

SHA512
d3585011c68dbaac9ea16401ebef0f48ee4956c0057ffec5320d9f3d9df9594eeaa2259e93117cb7a535c44f599ec950cec96d0384f62128f345af882383a315

Download Submit
C:\Windows\Temp\GWySJhlKSbDuiomy\QuctZYEw\CxdZVODMWSkUuZQX.wsf

Filesize
9KB

MD5
993a7ca9bf9be955157f6707c549206a

SHA1
35f86080a78c8b8f091e89a295e44b5742e77e5b

SHA256
09c3db656e01e0f3b98ff9172b1d4e0fbeb95cb514ddedfafa7b0aa7e78f1fd7

SHA512
f9155b22d28ffc0644a7cefe2d806e542b4d28e8217c5d05f4cff25dcb5f13bbe3dcb5d6a936cacf835b0ad24106ecfdbc94b58371e44fe61f4cbe607e0cbd38

Download Submit
C:\Windows\Temp\GWySJhlKSbDuiomy\pbDASbhhELNebkI\TBECDst.exe

Filesize
2.5MB

MD5
660a9bc86350a6608bcc7d5c6f2d5de3

SHA1
da4b0b5a49d776686752ec658312d45f1e92c5b9

SHA256
dc3ff95b82f708dea23fb142d8237650c7454e5a4009799c978016ca49a3b4e5

SHA512
a8e4f37867c3f862102a2d6ee12b017a0ec2a54ee736162f5e44f457037fcf6a4a1cee3a8202f2760c1e10fb957765e13a671d27d2b89c26c1447a92c6800dd9

Download Submit
C:\Windows\Temp\GWySJhlKSbDuiomy\pbDASbhhELNebkI\TBECDst.exe

Filesize
2.1MB

MD5
d81da9510b6fb52e62168a5c597d44b5

SHA1
47c3cf2409b5abc13fa3b82dc254091a45a74e40

SHA256
8e29c323540879c2e3e2c63b290f86e1039347693314176f21b1ee66809cb120

SHA512
36b5efd6156a51aed908e2feae04b31b598614b1a066caf3f47cb5e385f2ff664c1ee82bda2ab8f495981f724fa61d12f3bb8e7cd3825144ed490f4da3bb9123

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3FDE.tmp\Install.exe

Filesize
6.7MB

MD5
28233431ecce9eeb655875f0dae4ff1c

SHA1
d9007d9a4539bdac35931b16eedc3adb9ea60998

SHA256
ac438722efaebae88783430ddda11386fb077c99d28a12d8334da537b7f3d110

SHA512
2610ff7482e59c54b3264641d20eaa8e1700967277c8f4e051c3248edb496b9999a0c07822c345e1e41e35377098cf37f75d6cad515d435e1aaf8d9199995a23

Download Submit
\Users\Admin\AppData\Local\Temp\vBQZIWFuokkDzStmV\PuqSOhquDeJkxWB\lUfLVlW.exe

Filesize
2.1MB

MD5
c428fc709f24eed9de350cc07a1cc409

SHA1
5cc632be69e51948a13ee8ab6f901854682de888

SHA256
49122fb608aa202bb846812067d462d784009b5a78b4d35c60cbde06b44b2438

SHA512
a770bd905fc4fb1ea7175ed0c388de2bf0576c27df62e834218ca6d7a61e9cb895225a2bd1128f776e60ff27aabebd965af8016a7b57e85cd9b0cb9ad0f325d8

Download Submit
\Users\Admin\AppData\Local\Temp\vBQZIWFuokkDzStmV\PuqSOhquDeJkxWB\lUfLVlW.exe

Filesize
2.2MB

MD5
c96708b08c8282e2126452976f0fad12

SHA1
7fdf01a30e5b20875000702efda104be757b16c9

SHA256
fd0240fd8e009c7c15ad3ac3bf29283f11303f712905838db0a4c16bcc8bf3ce

SHA512
af2bda0eeaf17cff76b62f4908193a5a67d789ca98bf3ac3d2742cba686b5f16b9668123cd9e36762b12724293fcfa4292afdbe6f36b18a111637c78802febfe

Download Submit
\Users\Admin\AppData\Local\Temp\vBQZIWFuokkDzStmV\PuqSOhquDeJkxWB\lUfLVlW.exe

Filesize
2.0MB

MD5
6875c86b1f6f2d672da7531abdd0a22c

SHA1
b7e3459ae06dcbd1c13b40be2bffd7ed30405e81

SHA256
c33903efea1ee75e6c5ab1d069e5b2f4725bfef0f0adc72065da6d990b9a914b

SHA512
d99c4c4d5f389e2a5f5458c2b8f269f257fecf14e89379593214d42b9783a70801a6b88d735a9e09d1ea4d31ce7ec1ab96fc4a3791d6cb4b79b9273e365cb6e4

Download Submit
memory/1940-31-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/1940-30-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/2196-41-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2196-40-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2692-10-0x0000000010000000-0x00000000105DF000-memory.dmp

Filesize
5.9MB

Download
memory/2792-21-0x0000000010000000-0x00000000105DF000-memory.dmp

Filesize
5.9MB

Download